#4  06-22-2004, 14:07
TheDutchJewel (VIP)
Nice tut about finding the jump to OEP in ASPack 2.11. This hardware breakpoint on ESP value method also works for v2.12.

The difference between v2.11 and v2.12 is that in v2.11 you can't find the signature bytes for the jump to OEP. It seems to me that the section for the signature bytes in v2.11 will be decrypted by the unpacking routine. (I see this is already explained here: http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK)

I downloaded GetDataBack for NTFS v2.25. When debugging I see this XOR code:
Quote:
0063C516 3C A9 CMP AL,0A9
0063C518 338F 0A4FC73A XOR ECX,DWORD PTR DS:[EDI+3AC74F0A]
But after I put a breakpoint on it, Olly didn't break.
So if possible, upload the exe you used in your previous section and I'll try to inline patch it.
Or can someone explain how to break on the XOR code?
__________________
thedutchjewel.freehostia.com

Last edited by TheDutchJewel; 06-22-2004 at 14:50.
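Added example, not from the post above or from OllyDbg: a small Python simulation of why a software (INT3) breakpoint placed on bytes that the unpacker later decrypts in place does not fire, while a hardware breakpoint, which only records an address in a debug register and never modifies the code bytes, still does. The code bytes, the XOR key and the toy CPU are constructed for the illustration.

```python
from typing import Dict, List, Optional

INT3 = 0xCC  # opcode a debugger writes into code memory for a software breakpoint

def xor_decrypt(buf: bytearray, key: int) -> bytearray:
    """In-place XOR decryption, standing in for the packer's decryption loop."""
    for i in range(len(buf)):
        buf[i] ^= key
    return buf

def set_software_bp(memory: bytearray, addr: int) -> int:
    """Debugger-style INT3 breakpoint: overwrite the opcode byte, remember the original."""
    saved = memory[addr]
    memory[addr] = INT3
    return saved

def run(memory: bytearray, hw_bp: Optional[int] = None) -> Dict[str, List[int]]:
    """Toy 'CPU': walk the bytes, reporting INT3 hits and hardware-breakpoint hits.
    A hardware breakpoint compares the address only; it never touches memory."""
    hits: Dict[str, List[int]] = {"software": [], "hardware": []}
    for pc in range(len(memory)):
        if hw_bp is not None and pc == hw_bp:
            hits["hardware"].append(pc)
        if memory[pc] == INT3:
            hits["software"].append(pc)
    return hits

def demo(key: int = 0x5A) -> dict:
    # Constructed plaintext code: CMP AL,0A9 ; XOR ECX,[EDI+...] ; JMP (stand-in for jump to OEP)
    plain = bytes.fromhex("3CA9" "338F0A4FC73A" "E900000000")
    xor_insn = 2  # offset of the XOR instruction inside this block
    # Case 1: breakpoint set while the bytes are still encrypted (the situation in the post)
    memory = bytearray(b ^ key for b in plain)
    set_software_bp(memory, xor_insn)     # 0xCC is written over an encrypted byte
    xor_decrypt(memory, key)              # unpacker decrypts in place: 0xCC becomes 0xCC ^ key
    early = run(memory, hw_bp=xor_insn)
    # Case 2: let the unpacker decrypt first, then set the breakpoint on the real opcode
    memory2 = xor_decrypt(bytearray(b ^ key for b in plain), key)
    set_software_bp(memory2, xor_insn)
    late = run(memory2)
    return {
        "sw_hits_set_before_decrypt": early["software"],   # [] : breakpoint byte was clobbered
        "hw_hits": early["hardware"],                      # [2]: hardware breakpoint still fires
        "byte_at_bp_after_decrypt": memory[xor_insn],      # 0xCC ^ key, not the real opcode
        "real_opcode": plain[xor_insn],                    # 0x33
        "sw_hits_set_after_decrypt": late["software"],     # [2]
    }

if __name__ == "__main__":
    print(demo())
```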