Newbie question ASPR 1.23 RC4 (long!)

You had 99% of it right. What you did wrong was dump it in the wrong place.

This is funny to me, because when I was first learning to unpack ASProtect (ASProtect was the first packer I learned to unpack manually, I skipped UPX and other easy ones to go straight for the good stuff ), I did the exact same thing, and it kicked my ass for like 2 days.

For this app, dump at 4072DC. (I use LordPE to dump, though I suppose it doesn't make any difference.) Your OEP is correct, your stolen bytes are correct, and assuming your IAT is correct, you should be good to go. I have attached my IAT just in case.

Assuming that works for you, now we come to the important part: do you understand why you need to dump at 4072DC? If not, I will explain it.

Also, for fun with ASProtect, there are 2 things you can do after unpacking to do a more efficient/thorough job. After fixing the IAT with ImpRec, open the resulting file in a PE editor, and look at the list of sections. You will see 2 or 3 unnecessary sections: 1 or 2 from ASProtect (called .adata and such), and 1 from ImpRec called .mackt. These are unnecessary and just make the file bigger, but there is something of a trick to getting rid of them all. Doing so will make the resulting file smaller, and more like (if not identical to) the original file pre-packing. Your final resulting file should not have these 2 or 3 extra sections, if you want unpack thoroughly. After removing these, rebuild PE using PE Tools to remove slack space, and you will have a perfect unpack. Again, this just makes the resulting file smaller, and isn't really necessary, but sometimes it's fun to be extra thorough.

Regards,
Satyric0n