Hi,
The method that is mentioned by Spiteful is very nice.
But if the packer is ASPack you have another method for inline patching.
This is where you have your OEP:
Code:
005DB3B0 61 POPAD
005DB3B1 75 08 JNZ SHORT SystemSh.005DB3BB
005DB3B3 B8 01000000 MOV EAX,1
005DB3B8 C2 0C00 RETN 0C
005DB3BB 68 18315700 PUSH SystemSh.00573118
005DB3C0 C3 RETN
Now check these lines:
Code:
005DB3B0 61 POPAD
005DB3B1 75 08 JNZ SHORT SystemSh.005DB3BB
005DB3B3 B8 01000000 MOV EAX,1
005DB3B8 C2 0C00 RETN 0C
005DB3BB 68 18315700 PUSH SystemSh.00573118
005DB3C0 C3 RETN
005DB3C1 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
005DB3C7 8D8D 3B040000 LEA ECX,DWORD PTR SS:[EBP+43B]
005DB3CD 51 PUSH ECX
005DB3CE 50 PUSH EAX
005DB3CF FF95 480F0000 CALL DWORD PTR SS:[EBP+F48]
005DB3D5 8985 54050000 MOV DWORD PTR SS:[EBP+554],EAX
005DB3DB 8D85 47040000 LEA EAX,DWORD PTR SS:[EBP+447]
005DB3E1 50 PUSH EAX
005DB3E2 FF95 500F0000 CALL DWORD PTR SS:[EBP+F50]
005DB3E8 8985 2A040000 MOV DWORD PTR SS:[EBP+42A],EAX
005DB3EE 8D8D 52040000 LEA ECX,DWORD PTR SS:[EBP+452]
005DB3F4 51 PUSH ECX
005DB3F5 50 PUSH EAX
005DB3F6 FF95 480F0000 CALL DWORD PTR SS:[EBP+F48]
005DB3FC 8985 58050000 MOV DWORD PTR SS:[EBP+558],EAX
005DB402 8B85 2A040000 MOV EAX,DWORD PTR SS:[EBP+42A]
005DB408 8D8D 5E040000 LEA ECX,DWORD PTR SS:[EBP+45E]
005DB40E 51 PUSH ECX
005DB40F 50 PUSH EAX
005DB410 FF95 480F0000 CALL DWORD PTR SS:[EBP+F48]
005DB416 FFD0 CALL EAX
005DB418 83C4 10 ADD ESP,10
005DB41B 5F POP EDI ; kernel32.77E814C7
005DB41C 6A 30 PUSH 30
005DB41E 8D9D 68040000 LEA EBX,DWORD PTR SS:[EBP+468]
005DB424 53 PUSH EBX
005DB425 57 PUSH EDI
005DB426 6A 00 PUSH 0
005DB428 FF95 58050000 CALL DWORD PTR SS:[EBP+558]
005DB42E 6A FF PUSH -1
005DB430 FF95 54050000 CALL DWORD PTR SS:[EBP+554]
In every ASPack-packed file, the code from
005DB3C1 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
to
005DB430 FF95 54050000 CALL DWORD PTR SS:[EBP+554]
is always the same.
I mean you have the same code every time.
So searching for these bytes will lead you to the OEP.
But the fact is that these lines are just JUNK CODE.
So you can easily change them to any code you like.
The result is a huge space for inline patching.
But be careful of this command:
005DB436 0000 ADD BYTE PTR DS:[EAX],AL
This command is very critical and shouldn't be touched.
I mean this command is your limitation line.
Never change it; the commands after this line are critical too.
So your inline patch will be like this:
Code:
005DB3A8 0BC9 OR ECX,ECX ; ntdll.77F532FA
005DB3AA 90 NOP
005DB3AB 90 NOP
005DB3AC 90 NOP
005DB3AD 90 NOP
005DB3AE 90 NOP
005DB3AF 90 NOP
005DB3B0 61 POPAD
005DB3B1 75 08 JNZ SHORT SystemSh.005DB3BB
005DB3B3 B8 01000000 MOV EAX,1
005DB3B8 C2 0C00 RETN 0C
005DB3BB C705 6CC05500 8>MOV DWORD PTR DS:[55C06C],90DC458B
005DB3C5 C605 70C05500 3>MOV BYTE PTR DS:[55C070],3E
005DB3CC 68 18315700 PUSH SystemSh.00573118
005DB3D1 C3 RETN
005DB3D2 90 NOP
005DB3D3 90 NOP
005DB3D4 90 NOP
I have pasted the bytes that you should change.
Just copy and paste these bytes to see the result:
C7 05 6C C0 55 00 8B 45 DC 90 C6 05 70 C0 55 00 3E 68 18 31 57 00 C3 90 90 90
I hope this method is useful for further inline patching of ASPack.
Best Regards,
Android.
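As an added example (not part of the post above, and not ASPack's or any tool's own code), here is the analyst's side of the observation that the block from 005DB3C1 to 005DB430 is identical in every ASPack-packed file: a small Python scanner that locates that constant stub in a dump, reads the OEP out of the PUSH/RETN transition that precedes it, and reports how many bytes of the "junk" region no longer match, which is exactly what an inline patch like the one described would change. The stub bytes are transcribed from the listing in the post; the sample image, the OEP value used in it, and the NOP tampering are constructed for the demonstration.

```python
# Added example, not from the original post: find the constant ASPack stub
# quoted in the thread and check whether it is still intact.
# ASPACK_STUB is transcribed byte-for-byte from the listing
# (addresses 005DB3C1..005DB435); everything else here is constructed.
import re

ASPACK_STUB = bytes.fromhex(
    "8B8526040000" "8D8D3B040000" "51" "50" "FF95480F0000" "898554050000"
    "8D8547040000" "50" "FF95500F0000" "89852A040000" "8D8D52040000"
    "51" "50" "FF95480F0000" "898558050000" "8B852A040000" "8D8D5E040000"
    "51" "50" "FF95480F0000" "FFD0" "83C410" "5F" "6A30" "8D9D68040000"
    "53" "57" "6A00" "FF9558050000" "6AFF" "FF9554050000"
)
assert len(ASPACK_STUB) == 0x75  # 005DB3C1..005DB435 is 117 bytes

# The transition right before the stub, as shown in the post:
#   POPAD / JNZ +8 / MOV EAX,1 / RETN 0C / PUSH <OEP> / RETN
# The PUSH immediate is per-file, so it is captured as a 4-byte wildcard.
TRANSITION_LEN = 17
OEP_TRANSITION = re.compile(
    rb"\x61\x75\x08\xB8\x01\x00\x00\x00\xC2\x0C\x00\x68(.{4})\xC3", re.DOTALL)

# Anchor the search on the last 24 bytes of the stub; they sit right before
# the 005DB436 "limitation line" and are left alone by the patch in the post.
TAIL_LEN = 24


def find_stubs(data: bytes) -> list:
    """Return [(stub_offset, mismatching_bytes)] for each place the stub tail
    occurs. 0 mismatches means the junk region is pristine; anything else
    means it was rewritten (inline patch or other modification)."""
    tail = ASPACK_STUB[-TAIL_LEN:]
    head_len = len(ASPACK_STUB) - TAIL_LEN
    results = []
    pos = 0
    while True:
        hit = data.find(tail, pos)
        if hit < 0:
            break
        stub_off = hit - head_len
        if stub_off >= 0:
            region = data[stub_off:stub_off + len(ASPACK_STUB)]
            mismatches = sum(a != b for a, b in zip(region, ASPACK_STUB))
            results.append((stub_off, mismatches))
        pos = hit + 1
    return results


def extract_oep(data: bytes, stub_off: int):
    """Read the OEP from the PUSH imm32 that precedes the stub, or None if
    the transition is missing or has been overwritten."""
    if stub_off < TRANSITION_LEN:
        return None
    m = OEP_TRANSITION.fullmatch(data, stub_off - TRANSITION_LEN, stub_off)
    if not m:
        return None
    return int.from_bytes(m.group(1), "little")


def build_sample(oep: int, tamper: bool = False) -> bytes:
    """Constructed image (not a real dump): filler, the transition with the
    given OEP, the stub, filler. With tamper=True the first 16 junk bytes are
    replaced by NOPs to simulate a modified stub."""
    transition = (b"\x61\x75\x08\xB8\x01\x00\x00\x00\xC2\x0C\x00"
                  + b"\x68" + oep.to_bytes(4, "little") + b"\xC3")
    stub = bytearray(ASPACK_STUB)
    if tamper:
        stub[:16] = b"\x90" * 16
    return b"\xCC" * 0x40 + transition + bytes(stub) + b"\xCC" * 0x20


if __name__ == "__main__":
    for label, image in (("intact", build_sample(0x00573118)),
                         ("tampered", build_sample(0x00573118, tamper=True))):
        for off, bad in find_stubs(image):
            oep = extract_oep(image, off)
            print(f"{label}: stub at 0x{off:X}, OEP={oep:#x}, "
                  f"{bad} byte(s) differ from the known stub")
```

On a real dump you would pass the file contents to find_stubs and treat any non-zero mismatch count as a reason to look at the region by hand; the tail-anchored search is what keeps the stub findable even after the head of the junk region has been rewritten.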