Exetools  

#6
06-08-2004, 20:26
Perdition
Thanks for your replies,

britedream :

You are absolutely correct, I followed the call and indeed it moves eax into ebx right at the beginning of the proc! I should have checked that, but I know now for next time.

SvensK :

I'm sure I have, but perhaps I'm missing something; I will explain in a moment.

All :

I apologise if I'm missing something simple (still learning) but I'm still not getting it right and I think I'm not doing something properly with ImpRec. I will break down exactly what I've done so far so you can kick me where I've missed something!


In Olly 1.10 before inserting stolen bytes :

00575DFE 57 PUSH EDI
00575DFF 0000 ADD BYTE PTR DS:[EAX],AL <--- This is why I thought OEP = 575DFF
00575E01 0000 ADD BYTE PTR DS:[EAX],AL
00575E03 0000 ADD BYTE PTR DS:[EAX],AL
00575E05 0000 ADD BYTE PTR DS:[EAX],AL
00575E07 0000 ADD BYTE PTR DS:[EAX],AL
00575E09 0000 ADD BYTE PTR DS:[EAX],AL
00575E0B E8 5C11E9FF CALL AddressB.00406F6C

In Olly after stolen bytes :

00575DFE 57 PUSH EDI
00575DFF 90 NOP <--- This is the extra byte I was talking about
00575E00 55 PUSH EBP
00575E01 8BEC MOV EBP,ESP
00575E03 83EC 10 SUB ESP,10
00575E06 B8 70575700 MOV EAX,AddressB.00575770
00575E0B E8 5C11E9FF CALL AddressB.00406F6C

OK, at this point I right-click on 00575E00 and select New Origin Here.
Then Plugins -> OllyDump -> Dump debugged process, uncheck "Rebuild Import" and dump.


In ImpRec 1.6F :

Attach to addressbookrecovery.exe
Click IAT AutoSearch
Set Size to 1000
Click Get Imports
Click Show Invalid
Right click -> Trace Level1
Click Show Invalid
Right click -> Plugin Tracers -> aspr2
Click Show Invalid
Check for any remaining functions in ASProtect address space (none that I can see)
Right click -> Cut thunk(s)
Click Fix Dump and select dumped file.

These are my ImpRec option settings :

New Imports - All unchecked.
Fix EP to OEP - unchecked.
Use PE Header From Disk - checked.

Add new section (main screen) - checked.


After all this I run the fixed dump but the program doesn't load. All it does is generate a file called Err.log with the contents "Error ppp.03".
By the way, I'm running Windows 2003 Server; the original program runs fine, so I assume it should run fine when unpacked.

Once again I appreciate all the help, I'm learning a lot.
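A header check for a rebuilt dump, as an added example that is not part of the original post: it reads back the entry point and import directory that the file actually records and compares the entry point with the address chosen in the debugger (00575E00 in the listing above). The 0x400000 image base, the section names and the sample header bytes are constructed assumptions.

```python
import struct

def build_sample_pe(entry_rva, import_rva, image_base=0x400000):
    """Constructed PE32 headers only (not a real dump); values are assumptions."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)              # ImageBase
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, import_rva, 0x200)     # DataDirectory[1]
    def sec(name, va, vsize):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, va, 0, 0, 0, 0, 0)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b"CODE", 0x1000, 0x180000) + sec(b".newimp", 0x1A0000, 0x1000))

def check_dump(data, expected_oep_va):
    """Return a list of header problems found in a rebuilt PE32 dump."""
    if data[:2] != b"MZ":
        return ["no MZ signature"]
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return ["no PE signature"]
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return ["not a PE32 optional header"]
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 104)
    sections = []
    for i in range(nsec):                                    # 40-byte section headers
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, va + vsize))
    def owner(rva):
        return next((n for n, lo, hi in sections if lo <= rva < hi), None)
    problems = []
    entry_va = image_base + entry_rva
    if entry_va != expected_oep_va:
        problems.append(f"entry point {entry_va:#010x} != expected {expected_oep_va:#010x}")
    if owner(entry_rva) is None:
        problems.append("entry point is outside every section")
    if imp_size == 0 or owner(imp_rva) is None:
        problems.append("import directory does not point into any section")
    return problems

if __name__ == "__main__":
    print(check_dump(build_sample_pe(0x175DFF, 0x1A0000), 0x00575E00))
```

To check a real file, pass its bytes (`open(path, "rb").read()`) and the expected OEP to `check_dump`; an empty list means the header fields agree with the expectation.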
 

All times are GMT +8.