Jump to OEP - Aspack 2.12

#1 - 06-19-2004, 03:00 - TheDutchJewel (VIP)

I have a question about inline patching RK-FileSplitter v2.2 (http://www.rksoft.at/download/rk-filesplitter.exe). It's packed with ASPack 2.12.
I found the OEP (4064B8), but how do I find the jump to OEP? The ASPack plugin doesn't break. Should it be changed, or is there another method to find it?
__________________
thedutchjewel.freehostia.com
#2 - 06-19-2004, 03:30 - diablo2oo2 (Family)
In ASPack there is no jump to OEP, if I remember correctly.

Load the packed target into Olly and try to find it in the code. Search for a binary string (Ctrl+B): HEX: B8 64 40
or was it without imagebase: B8 64 00?
Or if you don't find it in Olly, search in a hex editor.
Redirect this to your free space, make your inline patch and jmp to OEP.

Or if you want to be lazy, you could do a search-and-replace patch with my patcher, which also works with ASPack.
kickme.to/diablo2oo2
#3 - 06-19-2004, 05:14 - TheDutchJewel (VIP)
I searched for B8 64 00, redirected this to free space, made the inline patch and jumped to OEP. Got it working now.

Thanks for the fast and good help, diablo2oo2.
#4 - 06-19-2004, 06:56 - Jiro-san
The jump to OEP is made by push "OEP", followed by ret. So just search for 68h 00 00 00 00 after a few careful F7 and F8. Usually they are at the end of the section, near a string Kernel32. Put a breakpoint at the next instruction, 0C3h, and you will see your OEP emerge in the instruction above.
#5 - 06-22-2004, 00:58 - ferrari
@ TheDutchJewel:

Hi,
A similar topic was posted a long time ago (search). Anyway, unpacking and inline patching ASPack is fun. But if you wanna have more fun then try inline patching this one:

http://runtime.org/gdbnt.zip

Here are the bytes to patch:
004F93A2 /74 0C JE SHORT gdbnt.004F93B0

Change To

004F93A2 /EB 24 JMP SHORT gdbnt.004F93C8

Let me know how you did it plz

Regards,
#6 - 06-22-2004, 05:39 - TheDutchJewel (VIP)
Hi ferrari,

I found this info, posted by mEtAl (search):
Quote:
The program you have is packed with ASPack v2.11, this version is a bit different than 2.12, but actually not...

And you won't find the signature bytes in version 2.11

Signature bytes:

Push 00000000 ; will push the OEP
Ret ; Will go to the OEP

I think you patch this to a JMP or so for version 2.12 and then you insert your inline patch where the JMP jumps to in the exe, right?

OK, these bytes you won't find in the exe code of ASPack 2.11.

I could write you a little tut, or else I could send you a program I coded together with a friend which is able to inline patch programs packed with ASPack.
I think this post makes it very clear that there's a difference between v2.11 and 2.12 for the jump to OEP. The signature bytes couldn't be found.

Btw, when looking for the OEP, Olly says it's 0057AF44 while PEiD says it's 004D2574...

#7 - 06-22-2004, 12:40 - ferrari
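The two static idioms discussed above, Jiro-san's "push OEP / ret" and diablo2oo2's "mov eax, OEP" byte search, plus mEtAl's remark that 2.11 carries a 00000000 placeholder that is only filled at run time, can be checked mechanically when triaging a packed sample. The Python below is an added example written for this thread; it is not code from any poster, from ASPack or from any of the patchers mentioned. The byte buffer it scans is constructed to contain each idiom, and the image base and size are assumed values, not taken from any of the programs named in the thread.

```python
import struct

# Constructed sample (not bytes from any real program): a synthetic slice of a
# packer's loader tail containing each idiom discussed in the thread.
IMAGE_BASE = 0x400000   # assumed image base
IMAGE_SIZE = 0x10000    # assumed size of image

SAMPLE = (
    b"\x90\x90"
    + b"\xB8" + struct.pack("<I", 0x4064B8)     # mov eax, 4064B8h (the B8 64 40 search hint)
    + b"\x90\x90"
    + b"\x68" + struct.pack("<I", 0)            # push 00000000 ; 2.11-style placeholder
    + b"\xC3"                                   # ret
    + b"Kernel32.dll\x00"                       # string the push/ret often sits near
    + b"\x68" + struct.pack("<I", 0x4064B8)     # push 4064B8h ; 2.12-style transfer
    + b"\xC3"                                   # ret
    + b"\x68" + struct.pack("<I", 0xDEADBEEF)   # push of an address outside the image
    + b"\xC3"                                   # ret (ignored by the scanner)
)


def find_oep_candidates(data, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Return (offset, kind, value) for every OEP-transfer idiom found in data.

    kind is 'push_ret' for 68 imm32 C3 with an in-image immediate,
    'push_ret_placeholder' for 68 00000000 C3 (filled in at run time, so the
    static bytes cannot tell you the OEP), or 'mov_eax' for B8 imm32 with an
    in-image immediate. Immediates outside the image are discarded because
    they are almost always data or the middle of another instruction.
    """
    def in_image(va):
        return image_base <= va < image_base + image_size

    hits = []
    for i in range(len(data) - 4):          # need opcode + 4 immediate bytes
        op = data[i]
        imm = struct.unpack_from("<I", data, i + 1)[0]
        if op == 0x68 and i + 5 < len(data) and data[i + 5] == 0xC3:
            if imm == 0:
                hits.append((i, "push_ret_placeholder", imm))
            elif in_image(imm):
                hits.append((i, "push_ret", imm))
        elif op == 0xB8 and in_image(imm):
            hits.append((i, "mov_eax", imm))
    return hits


def likely_oep(data, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Prefer a resolved push/ret, fall back to mov eax, and return None when
    only a placeholder exists, signalling that a dynamic approach (e.g. the
    hardware breakpoint on ESP mentioned later in the thread) is needed."""
    hits = find_oep_candidates(data, image_base, image_size)
    for _, kind, val in hits:
        if kind == "push_ret":
            return val
    for _, kind, val in hits:
        if kind == "mov_eax":
            return val
    return None


def search_strings(oep, image_base=IMAGE_BASE):
    """Little-endian byte strings for an Olly Ctrl+B or hex-editor search,
    with the image base (VA) and without it (RVA); this is the difference
    between the 'B8 64 40' and 'B8 64 00' hints in the thread."""
    def fmt(v):
        return " ".join(f"{b:02X}" for b in struct.pack("<I", v))
    return {"va": fmt(oep), "rva": fmt(oep - image_base)}


if __name__ == "__main__":
    for off, kind, val in find_oep_candidates(SAMPLE):
        print(f"offset {off:#06x}: {kind:<20} {val:#010x}")
    print("likely OEP:", hex(likely_oep(SAMPLE) or 0))
    print(search_strings(0x4064B8))
```

Run against a real packed file, feed it the bytes of the last section and the image base from the PE header; a result of None means the bytes you are looking at are rewritten by the decryption loop before the transfer, which is exactly the 2.11 situation the quoted post describes.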
Hi,
I have seen this before. But I got pissed off trying to inline patch 2.11c-packed GetDataBack. I was able to successfully inline patch Captain Nemo by Runtime Software, and it's packed with this same version. The only problem is GetDataBack. I remember "hobgoblin" giving me some hints on inline patching this modified ASPack. But I was not able to do it. Then I used DZA patcher to patch it and it does patch it. But then some buttons get corrupted and won't work.

But then coolfire's tip is interesting.

Here are the topics posted earlier:
http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK

My tutorial on inline patching ASPACK 2.11:
http://exetools.com/forum/showthread.php?t=3909

Download Captain Nemo:
http://runtime.org/captain.htm

Here is my patch for Captain Nemo:
http://iribtv.net/CCC/ARTEAM/cracks/captain_nemo.rar

You can apply my patch to the exe and then check in Olly.

Regards,

Last edited by ferrari; 06-22-2004 at 12:55.
#8 - 06-22-2004, 14:07 - TheDutchJewel (VIP)
Nice tut about finding the jump to OEP in aspack 2.11. This hardware breakpoint on ESP value method also works for v2.12.

The difference between v2.11 and v2.12 is that in v2.11 you can't find the signature bytes for the jump to OEP. It seems to me that the section for the signature bytes in v2.11 will be decrypted by the unpacking routine. (I see this is already explained here: http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK)

I downloaded GetDataBack for NTFS v2.25. When debugging I see this XOR code:
Quote:
0063C516 3C A9 CMP AL,0A9
0063C518 338F 0A4FC73A XOR ECX,DWORD PTR DS:[EDI+3AC74F0A]
But after I put a breakpoint on it, Olly didn't break.
So if possible, upload the exe you used in your previous section and I'll try to inline patch it.
Or can someone explain how to break on the XOR code?

Last edited by TheDutchJewel; 06-22-2004 at 14:50.
#9 - 06-22-2004, 21:43 - hobgoblin (Friend)
About inline patching..

To ferrari,
If you're still interested in inline patching of ASPack 2.12, take a look at the attached file. It's gdbnt from runtime.org. I have made an inline patch just to show how it can be done. (I made a patch that patches 3 bytes in the unpacked file. Don't pay too much attention to the patched program itself, it may not be properly cracked.) Just open the file in Olly and put a bpx at 0066B573. This is right after the xor-based decryption is done. Just single-step from there and see what happens and where..

regards,
hobgoblin
Attached Files
File Type: rar gdbnt.rar (843.4 KB, 27 views)

Last edited by hobgoblin; 06-22-2004 at 21:49.
#10 - 06-22-2004, 23:14 - TheDutchJewel (VIP)
ferrari,

Use this unpatched exe for v2.25.

Quote:
change:
0063C4B2 E9 14000000 JMP gdbnt.0063C4CB

into

0063C4B2 E9 5D140000 JMP gdbnt.0063D914
and add here your inline patch bytes:
Quote:
0063D914 66:C705 63874F00 EB23 MOV WORD PTR DS:[4F8763],23EB
0063D91D 68 CBC46300 PUSH gdbnt.0063C4CB
0063D922 C3 RETN
I used your patch info at the address you used. The attached exe is different from the one you used, so you should correct the address and bytes at 0063D914.
Attached Files
File Type: rar gdbnt-v2.25.rar (671.0 KB, 6 views)

Last edited by TheDutchJewel; 06-23-2004 at 01:10.
#11 - 06-23-2004, 01:17 - hobgoblin (Friend)
A question

Hi Dutchjewel,
Are you sure your solution in the previous post works? If you follow your described method, the code written to
0063D914 C705 63874F00 EB230000 MOV DWORD PTR DS:[4F8763],23EB
0063D91E 68 CBC46300 PUSH gdbnt.0063C4CB
0063D923 C3 RETN
(after jumping from 0063C4B2) will be overwritten later on...

hobgoblin
#12 - 06-23-2004, 04:40 - TheDutchJewel (VIP)
Hi hobgoblin,

No, I didn't check it. I simply used the patch bytes from ferrari in this example. I think the address 4F8763 should be changed for this version, but that's for ferrari. Anyway, the principle of inline patching should be good.

Last edited by TheDutchJewel; 06-23-2004 at 04:43.
#13 - 06-23-2004, 04:52 - hobgoblin (Friend)
Agree

I agree that the basic idea you're outlining will work. (I have done a similar thing in my patch.)
But I think using the address at 0063C4B2 is too early. When you arrive at that code (location) the program isn't properly unpacked yet, and the unpacking process that follows this jump will overwrite what you previously patched. In my patch I used the first jump after the decryption is done, and that works (as a starting point for further patching/redirection).

regards,
#14 - 06-23-2004, 05:21 - TheDutchJewel (VIP)
You're right. The first jump after decryption is done is 0063C55B? I checked the jump to OEP now, and it's decrypted well. Then ferrari should use that address instead of 0063C4B2, and push to 0063C467 instead of 0063C4CB.

regards
#15 - 06-23-2004, 12:31 - ferrari
Hobgoblin,
A big thanks to you. I scanned the exe and understood well what you did. I see that the author has updated the software and did not change the version no., i.e. 2.31. The patch which I posted earlier is not applicable to this version. So I downloaded the program again and that matches the file you uploaded. I just did this to crack it fully:
Changes:
004FA95E /75 00 JNZ SHORT _gdbnt.004FA960

004FA976 /75 00 |JNZ SHORT _gdbnt.004FA978

Still I need to practice on more such modified ASPack. The standard one is easy to inline patch. Thanks once again mate.

@Dutchjewel
Thanks for your attention to my problem, buddy. I'm aware of that method you posted. You can see it in my tutorial. This ASPacked GetDataBack is different to that. Anyway, thanks.

Regards,