Exetools  

#1
05-21-2004, 17:15
*RemedY*
Damaged stolen bytes

Hi everybody,

I recently came across a program packed with "ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov" and I tried to unpack it manually. "Nothing special", I thought and went through the usual process. I found the fake-OEP, inserted the stolen bytes (12), dumped the victim and finally rebuilt the IAT. All went OK - but the dumped program refused to run (and still does so)! After a lot of hours of war against this prog I decided to load it in Stripper 2.07. Stripper was able to unpack it, but the prog shows only the nag at the beginning and collapses then. So I looked at the log from Stripper and there it says "stolen bytes were damaged by alexey". My eyes are still question marks 'cause I've never come across "damaged stolen bytes" so far. Can you tell me please, what these stolen bytes are? What is different from "normal" ASProtect and maybe a hint how to handle it.
Thanks a lot in advance

Regards *RemedY*

#2
05-21-2004, 23:37
freddy2002
Head over to RCE & search for it

#3
05-22-2004, 03:55
*RemedY*
I will be glad to do so - but I don't have any idea what RCE is.
Maybe I have to apologize for my lack of knowledge but I would be very happy if you tell me who or what RCE is.
Thank you

Regards *RemedY*

I'm sorry, I see you meant the Woodmann forum (never realized the "RCE"). I searched the forum for "damaged stolen bytes" and all I found was a thread where the guy who dared to ask about this topic got answers in a very rude way. So I have still no idea what it is.

Last edited by *RemedY*; 05-22-2004 at 04:09.

#4
05-22-2004, 05:11
JMI
*RemedY*:

If you actually read the whole thread on the RCE/Woodmann Forum you should/would have learned that using pre-fabricated "unpackers/strippers" is no guarantee that they are going to give you the correct information or perform their tasks properly. Has it occurred to you that the makers of the protection systems obtain copies of these "tools" and intentionally attempt to make them fail?

If you actually know about manual unpacking, you should know that an incorrect IAT reconstruction is generally the cause of the program failing to run if you have properly stripped the aspr shell and correctly re-adjusted the stolen bytes.

What is clear is that you apparently have failed to actually investigate why the program may now be crashing and where. That is what a debugger is designed to help you do. Why not try it and see if you can determine what the problem might be?

Regards,
__________________
JMI

#5
05-22-2004, 05:52
freddy2002
@RemedY
get hiewdemo, open it and load an exe file
in your windows parent, now press F4 decode,
now F8 and next F5, you will be at EntryPoint (OEP)
Every linker generates other bytes!
Example 55 8b and so on
or another linker 6a 70 and so on,
these bytes are the stolen bytes.
They were executed (sometimes emulated) after unpack
and before the jump to main exe file.
OK
(get packer demo, pack notepad, and see what's happening)
Reply With Quote
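
Reading the first bytes at the entry point, as the post above does in HIEW, can also be scripted when triaging a possibly packed file. This is an added example, not part of the original post; `build_sample` constructs a minimal, non-loadable PE32 image as test input, and the function names and prologue labels are this example's own.

```python
import struct

# The two entry-point byte pairs quoted in the post; the labels are this example's.
KNOWN_PROLOGUES = {bytes.fromhex("558b"): "55 8b (push ebp; mov ...)",
                   bytes.fromhex("6a70"): "6a 70 (push 70h)"}

def entry_point_bytes(pe: bytes, count: int = 12):
    """Return (section name, file offset, first `count` bytes) at the PE entry point."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    (ep_rva,) = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)  # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size                               # first section header
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):
            off = rptr + (ep_rva - vaddr)                          # RVA -> file offset
            return name.rstrip(b"\0").decode("ascii", "replace"), off, pe[off:off + count]
    raise ValueError("entry point RVA lies outside every section")

def classify(first: bytes) -> str:
    """Say whether the entry-point bytes start with one of the quoted prologues."""
    for pattern, label in KNOWN_PROLOGUES.items():
        if first.startswith(pattern):
            return label
    return "no known prologue"

def build_sample(code: bytes) -> bytes:
    """Constructed sample: minimal PE32 headers plus one .text section (not loadable)."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)     # Machine = i386, one section
    struct.pack_into("<H", img, 0x94, 0xE0)          # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)         # PE32 magic
    struct.pack_into("<I", img, 0xA8, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x200, 0x1000, 0x200, 0x200)
    img[0x200:0x200 + len(code)] = code              # bytes at the entry point
    return bytes(img)

if __name__ == "__main__":
    for code in (bytes.fromhex("558bec6aff"), bytes.fromhex("9090909090")):
        name, off, first = entry_point_bytes(build_sample(code), 5)
        print(f"{name} @ {off:#x}: {first.hex(' ')} -> {classify(first)}")
```

An entry point that does not begin with a linker's usual prologue is the situation the thread is about: the original first instructions are not where the file's entry point says they are.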

#6
05-22-2004, 06:24
*RemedY*
First of all I have to apologize if I sound rude now, but sometimes I think that no one with less than 100 posts is taken seriously here.

@JMI
Actually I examined the dumped and fixed .exe with Olly. It led me to an "Access violation". When I fixed it, it led me to another. After 17 fixes I can see the program's main-gui. But that was not the problem. Everything I wanted to know was an explanation what the hell damaged stolen bytes are. It would have been much more friendly to say "hey mate, damaged stolen bytes don't really exist. most of the time something goes wrong with the IAT, check it", than to state that I'm just plain stupid (that's the way I understand your reply!). I simply wanted to know, if there is something called "damaged stolen bytes" known to someone. The only reason why I used "Stripper" was that I wanted to know if a tool can do what I can't do manually. Then I saw this damaged thing. Huh!

I thought that a board is a place to ask questions (as long as they make sense to someone) and I'm sorry for not being perfect.

@freddy2002
Thank you, mate, for your efforts. I already own a copy of HIEW and I double-checked the stolen bytes (actually I checked them 7 times) but I can't find something wrong. Now, I'm going to check it one more time and if I fail again I will go the hard way through fixing it with ASM.

Regards *RemedY*

#7
05-22-2004, 16:58
MaRKuS-DJM
Quote:
Originally Posted by *RemedY*
I found the fake-OEP, inserted the stolen bytes (12), dumped the victim and finally rebuilt the IAT.

So I looked at the log from Stripper and there it says "stolen bytes were damaged by alexey".

what do you mean? "stolen bytes were damaged by alexey" means nothing different than they are stolen from OEP and inserted somewhere else, but with lots of junk code. i think for you it also says "look at last section". there you can find them, but i think you already found them, because you say you inserted the stolen bytes (12). nothing special

they aren't damaged, they are junked
All times are GMT +8.