12-12-2005, 15:15
winndy
Entrypoint < 400000, then how to dump? [ASProtect 1.22 - 1.23 Beta 21]

I am trying to unpack "HandyFile Find and Replace Text Aid Kit" protected by ASProtect 1.22 - 1.23 Beta 21.
hxxp://www.silveragesoftware.com/

I guess this is the entrypoint:
[edit]: I was wrong, this is not the entrypoint. When I trace into 003E3310, there are
a lot of jumps, just like aspr 1.23 RC4. Very confused.
Code:
003F4858  55            push ebp                       ; HFFR.0045C3FC
003F4859  8BEC          mov ebp,esp
003F485B  83C4 B4       add esp,-4C
003F485E  B8 38473F00   mov eax,3F4738
003F4863  E8 B007FFFF   call 003E5018
003F4868  E8 A3EAFEFF   call 003E3310
003F486D  8D40 00       lea eax,dword ptr ds:[eax]
003F4870  0000          add byte ptr ds:[eax],al
003F4872  0000          add byte ptr ds:[eax],al
003F4874  0000          add byte ptr ds:[eax],al
003F4876  0000          add byte ptr ds:[eax],al
003F4878  0000          add byte ptr ds:[eax],al
The Imagebase is 00400000.
I could not use OllyDump nor LordPE to dump the 003XXXX code.

Another similar question: I have read the tut
"Unpacking_ASProtect_1.23-1.3.08.24_RC4_Adding_Section_By_Ferrari".
Why can't we dump the section that is added?
When aspr unpacked the code, it added many sections. Could we dump
all the sections, so that we need not "add section" to repair the crash?

Regards

A confused poor guy..

Last edited by winndy; 12-12-2005 at 15:54.