Entrypoint < 400000 ,then how to dump?[ASProtect 1.22 - 1.23 Beta 21]
 

I an trying to unpack "HandyFile Find and Replace Text Aid Kit" protected by ASProtect 1.22 - 1.23 Beta 21.
hxxp://www.silveragesoftware.com/

I guess this is the entrypoint:
[edit]:I was wrong,this is not entrypoint.when I trace in 003E3310,there is
a lot of jumps just like aspr 1.23 RC4.very confused, :confused:
The Imagebase is 00400000.
I could not use OllyDump nor LordPE to dump the 003XXXX code.

Another similar question,I have read tut
"Unpacking_ASProtect_1.23-1.3.08.24_RC4_Adding_Section_By_Ferrari".
Why We cannot dump the section that is added?
When aspr unpacked the code,there add many sections,Could we dump
all the sections,so we need not to "add section" to repair the crash?

Regards

A confused poor guy..

target version 3.2 sr6
MD5= 063220da662761f8ab27c92d57f68a49 ; HFFR.exe


last exception:
03A12CF2 31C0 XOR EAX,EAX
03A12CF4 64:FF30 PUSH DWORD PTR FS:[EAX]
03A12CF7 64:8920 MOV DWORD PTR FS:[EAX],ESP
03A12CFA 3100 XOR DWORD PTR DS:[EAX],EAX

Dunno what you have been doing , but i put memory bp on 2nd section , passed last exception to program i landed here:

oep:
00432236 55 PUSH EBP
00432237 8BEC MOV EBP,ESP
00432239 6A FF PUSH -1
0043223B 68 F04A4000 PUSH HFFR.00404AF0
00432240 68 FA214300 PUSH HFFR.004321FA ; JMP to msvcrt._except_handler3
00432245 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0043224B 50 PUSH EAX
0043224C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00432253 83EC 68 SUB ESP,68
00432256 53 PUSH EBX
00432257 56 PUSH ESI
00432258 57 PUSH EDI
00432259 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0043225C 33DB XOR EBX,EBX
0043225E 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00432261 6A 02 PUSH 2
00432263 FF15 E8174000 CALL DWORD PTR DS:[4017E8] ; msvcrt.__set_app_type

MS VC target...

anti-dump
004222EA FFD0 CALL EAX //nop it

otherwise you will get funny MsgBox:
"Shame On You"
"Protection not found !"

But when I press F9,It runs,No exception!
My OD's exception configuration meets trouble?

I ticked all the checkbox in exception configuration panel.
And add such customer exceptions:

[0]=000006BA,000006BA
[1]=0009B25C,0009B25C
[2]=0012FB14,0012FB14
[3]=0082A9A0,0082A9A0
[4]=00953D74,00953D74
[5]=0EEDFADE,0EEDFADE
[6]=80000002,80000002
[7]=80000004,80000004
[8]=C0000008,C0000008
[9]=C000001E,C000001E

BTW:my target is Text Aid Kit edition.


Thanks,hosiminh,I love you,:).

regards

Under Options -> Debugging options -> tick only "Ignore memory access vilation in KERNEL32" ...

Next time check "Log window" when your target runs...

I got it!
Once again a brave knight saved a pooy guy...

And I moved the Nag.

Regards

About those address where aspr reads user name (if/when regged) ... is there any generic way to find this particular asm instruction:
mov e??,dword ptr ds:[someaddress] ?

well debug and run and access violation will happen due there will be 0 address so you must put some there where you puted nick for example with hiew

This is just asprotect virtual .exe extracted by aspr itself into memory, same as secure.dll in armadillo. All protection is in it, so dumping it and analyzing it is a good way to understand how asprotect works.

That's at least my approach on every asprotected target.

But the imagebase is 003XXXXX,< 00400000,
OllyDump and LordPE could not dump it.
That's a problem troubled me.

The second is that could you explain more details about virtual .exe you mentioned.
Need some tuts. :D


------------
Regards

The problem is How you could find the exact access violation where you
can put you nick name.And whether there is a general method.
I think hosiminh means that.

you mean in ollydbg ? if yes then you can try this out
right click-->search for--> all commands
type in there mov r32,dword ptr ds:[const]
and hit find

ollydbg will pop up another window with all those calls that matches the pattern

if you just prefer only those that are moved to eax
change the command to
mov eax,dword ptr ds:[const]
and so on viz i searched for for register ebp below


hope thats what you were looking for

You can dump that part of memory but here are a few tricks:
1st virtual.exe is extracted by aspack before original asprotect gains control
2nd when you reach that entrypoint you may use dump regions to dump code from lordpe
3rd now when you have dumped region you have to fix peheader, actually you have to add completely new PE header b/c in dump there is no peheader (deleted)
4th fix imports by examing aspack import loading process and we know that aspack keeps whole import table, so dump it, and apply that to newly dumped file, fix import RVA in peheader and voila you can load that exe in IDA with all imports:D

here is example of virtual.exe used in Serv-u asprotect 2.1 ske :
http://rapidshare.de/files/8713096/dumped.rar.html

"The second is that could you explain more details about virtual .exe you mentioned."
These protections hold the protection code into a true executable image, that performs the dirty work.
You could trace aspr OEP protection (very funny) for the version you mention by locating the pushed address execution list and analysing the last one, the one that mingles with OEP protection.

OK.
I'll take a careful look at the code.

Thanks all.

Regards