Hi ferrari,
I found this info, posted by mEtAl (search):
Quote:
The program you have is packed with ASPack v2.11. This version is a bit different than 2.12, but actually not...
And you won't find the signature bytes in version 2.11.
Signature bytes:
Push 00000000 ; will push the OEP
Ret ; Will go to the OEP
I think you patch this to a JMP or so for version 2.12 and then you insert your inline patch where the JMP jumps to in the exe, right?
OK, these bytes you won't find in the exe code of ASPack 2.11.
I could write you a little tut, or else I could send you a program I coded together with a friend which is able to inline patch programs packed with ASPack.
I think this post makes it very clear that there's a difference between v2.11 and 2.12 for the jump to OEP. The signature bytes couldn't be found.
Btw, when looking for the OEP, Olly says it's 0057AF44 while PEiD says it's 004D2574...
Quote:
Originally Posted by ferrari
@ TheDutchJewel:
Hi,
A similar topic was posted a long time before (search). Anyway, unpacking and inline patching ASPack is fun. But if you wanna have more fun, then try inline patching this one:
http://runtime.org/gdbnt.zip
Here are the bytes to patch:
004F93A2 /74 0C JE SHORT gdbnt.004F93B0
Change to:
004F93A2 /EB 24 JMP SHORT gdbnt.004F93C8
Let me know how you did it, plz.
Regards,
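The signature mEtAl describes above (a `push imm32` immediately followed by `ret`, opcode bytes 68 xx xx xx xx C3) is also what a packer-identification tool like PEiD keys on when it flags an ASPack tail jump and proposes an OEP. The scanner below is an added example for that triage step, not code from the thread or from any tool mentioned in it. It assumes the caller already knows the module's image base and size (as read from the PE optional header) so that immediates outside the mapped image can be discarded, and it separately reports stubs whose immediate is still 00000000, because on disk the 2.12 stub is only filled in at run time, so a placeholder is expected in a file scan while a real in-range target is what you see in a memory dump. The sample blob, the image base and the decoy addresses are constructed for the example; the 0057AF44 target is the Olly value quoted in the post.

```python
"""Scan a code blob for ASPack-style 'push imm32; ret' tail-jump stubs.

Added example, not from the thread. Assumptions: stub bytes are
68 xx xx xx xx C3, and image_base / size_of_image are supplied by the caller.
"""
import re
import struct
from typing import List, Tuple

# push imm32 (68 xx xx xx xx) directly followed by ret (C3).
# DOTALL is required so '.' also matches the 0x0A byte.
PUSH_RET = re.compile(rb"\x68(.{4})\xc3", re.DOTALL)

PLACEHOLDER_STUB = b"\x68\x00\x00\x00\x00\xc3"  # push 00000000 ; ret


def find_push_ret_candidates(code: bytes, image_base: int,
                             size_of_image: int) -> List[Tuple[int, int]]:
    """Return (offset, target) for every push/ret stub whose immediate
    lies inside [image_base, image_base + size_of_image)."""
    hits = []
    for m in PUSH_RET.finditer(code):
        target = struct.unpack("<I", m.group(1))[0]
        if image_base <= target < image_base + size_of_image:
            hits.append((m.start(), target))
    return hits


def find_placeholder_stubs(code: bytes) -> List[int]:
    """Offsets of 'push 0; ret' stubs: the immediate has not been filled in
    yet, which is what an on-disk ASPack 2.12 tail jump looks like."""
    return [m.start() for m in PUSH_RET.finditer(code)
            if code[m.start():m.start() + 6] == PLACEHOLDER_STUB]


# --- constructed sample (not a real binary) ---------------------------------
SAMPLE_IMAGE_BASE = 0x00400000      # assumed ImageBase
SAMPLE_SIZE_OF_IMAGE = 0x00200000   # assumed SizeOfImage
SAMPLE_CODE = (
    b"\x90" * 8                                          # filler
    + b"\x68" + struct.pack("<I", 0x0057AF44) + b"\xc3"   # in-range target (Olly's OEP from the post)
    + b"\xcc" * 4                                        # filler
    + PLACEHOLDER_STUB                                   # unfilled on-disk stub
    + b"\x68" + struct.pack("<I", 0x7C80B741) + b"\xc3"   # decoy: immediate outside the image
)


if __name__ == "__main__":
    for off, tgt in find_push_ret_candidates(SAMPLE_CODE, SAMPLE_IMAGE_BASE,
                                             SAMPLE_SIZE_OF_IMAGE):
        print(f"candidate OEP stub at +{off:#x} -> {tgt:08X}")
    for off in find_placeholder_stubs(SAMPLE_CODE):
        print(f"placeholder push 0; ret at +{off:#x} (unfilled, file scan)")
```

Run it on a dumped code section together with the header's image base and size; a candidate list of exactly one in-range target is the normal outcome for a packed 2.12 image in memory, while an on-disk scan of the same file tends to show only the placeholder form, which matches the post's remark that the literal 68 00000000 C3 bytes are what you look for in 2.12 and do not appear in 2.11.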