#1
Look at VA 5DB39Ch: this dword contains the OEP RVA (173118), so replace it with 80 (the address after the DOS stub).
Now you can add your byte replacement code at 400080h.
#2
Hi,
The method mentioned by Spiteful is very nice. But if the packer is Aspack you can use another method for inline patching. This is where you have your OEP code:

Code:
005DB3B0 61            POPAD
005DB3B1 75 08         JNZ SHORT SystemSh.005DB3BB
005DB3B3 B8 01000000   MOV EAX,1
005DB3B8 C2 0C00       RETN 0C
005DB3BB 68 18315700   PUSH SystemSh.00573118
005DB3C0 C3            RETN

Code:
005DB3B0 61            POPAD
005DB3B1 75 08         JNZ SHORT SystemSh.005DB3BB
005DB3B3 B8 01000000   MOV EAX,1
005DB3B8 C2 0C00       RETN 0C
005DB3BB 68 18315700   PUSH SystemSh.00573118
005DB3C0 C3            RETN
005DB3C1 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
005DB3C7 8D8D 3B040000 LEA ECX,DWORD PTR SS:[EBP+43B]
005DB3CD 51            PUSH ECX
005DB3CE 50            PUSH EAX
005DB3CF FF95 480F0000 CALL DWORD PTR SS:[EBP+F48]
005DB3D5 8985 54050000 MOV DWORD PTR SS:[EBP+554],EAX
005DB3DB 8D85 47040000 LEA EAX,DWORD PTR SS:[EBP+447]
005DB3E1 50            PUSH EAX
005DB3E2 FF95 500F0000 CALL DWORD PTR SS:[EBP+F50]
005DB3E8 8985 2A040000 MOV DWORD PTR SS:[EBP+42A],EAX
005DB3EE 8D8D 52040000 LEA ECX,DWORD PTR SS:[EBP+452]
005DB3F4 51            PUSH ECX
005DB3F5 50            PUSH EAX
005DB3F6 FF95 480F0000 CALL DWORD PTR SS:[EBP+F48]
005DB3FC 8985 58050000 MOV DWORD PTR SS:[EBP+558],EAX
005DB402 8B85 2A040000 MOV EAX,DWORD PTR SS:[EBP+42A]
005DB408 8D8D 5E040000 LEA ECX,DWORD PTR SS:[EBP+45E]
005DB40E 51            PUSH ECX
005DB40F 50            PUSH EAX
005DB410 FF95 480F0000 CALL DWORD PTR SS:[EBP+F48]
005DB416 FFD0          CALL EAX
005DB418 83C4 10       ADD ESP,10
005DB41B 5F            POP EDI                          ; kernel32.77E814C7
005DB41C 6A 30         PUSH 30
005DB41E 8D9D 68040000 LEA EBX,DWORD PTR SS:[EBP+468]
005DB424 53            PUSH EBX
005DB425 57            PUSH EDI
005DB426 6A 00         PUSH 0
005DB428 FF95 58050000 CALL DWORD PTR SS:[EBP+558]
005DB42E 6A FF         PUSH -1
005DB430 FF95 54050000 CALL DWORD PTR SS:[EBP+554]

The range from

005DB3C1 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]

to

005DB430 FF95 54050000 CALL DWORD PTR SS:[EBP+554]

is always the same. I mean you have the same code every time, so searching for these bytes will lead you to the OEP. But the fact is that these lines are just JUNK CODE, so you can easily change them to any code you like. The result is a huge space for inline patching. But be careful of this command:

005DB436 0000          ADD BYTE PTR DS:[EAX],AL

This command is very critical and shouldn't be touched. I mean this command is your limitation line: never change it, and the commands after this line are critical also.

So your inline patch will be like this:

Code:
005DB3A8 0BC9          OR ECX,ECX                        ; ntdll.77F532FA
005DB3AA 90            NOP
005DB3AB 90            NOP
005DB3AC 90            NOP
005DB3AD 90            NOP
005DB3AE 90            NOP
005DB3AF 90            NOP
005DB3B0 61            POPAD
005DB3B1 75 08         JNZ SHORT SystemSh.005DB3BB
005DB3B3 B8 01000000   MOV EAX,1
005DB3B8 C2 0C00       RETN 0C
005DB3BB C705 6CC05500 8B45DC90  MOV DWORD PTR DS:[55C06C],90DC458B
005DB3C5 C605 70C05500 3E        MOV BYTE PTR DS:[55C070],3E
005DB3CC 68 18315700   PUSH SystemSh.00573118
005DB3D1 C3            RETN
005DB3D2 90            NOP
005DB3D3 90            NOP
005DB3D4 90            NOP

Just copy and paste these bytes to see the result:

C7 05 6C C0 55 00 8B 45 DC 90 C6 05 70 C0 55 00 3E 68 18 31 57 00 C3 90 90 90

I hope this method is useful for further inline patching of ASpack.

Best Regards,
Android.
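The stub both posts work from (POPAD / JNZ / MOV EAX,1 / RETN 0C / PUSH oep / RETN) is a fixed byte sequence, which is just as useful on the analysis side: when examining an ASPack-packed sample you can locate that sequence to read off the original entry point, and you can notice when the tail no longer looks the way ASPack wrote it. The Python below is an added example, not code from either poster. It assumes the buffer is an in-memory image loaded at base 0x00400000 (the only base at which the thread's 5DB3xx VAs, the pushed 00573118 and the RVA 173118 quoted in post #1 agree), and the sample buffers are constructed by transcribing bytes from the two listings above, not taken from a real dump. The IMAGE_BASE, find_aspack_tails and classify_aspack_tail names are this example's own.

```python
"""Locate ASPack's OEP hand-off stub in an in-memory image and report its state."""
import re
import struct

# Assumed image base for the thread's sample: the 0x005DB3xx VAs and the pushed
# 0x00573118 only line up with the RVA 0x173118 from post #1 at this base.
IMAGE_BASE = 0x00400000

# The stub as posted:
#   61           POPAD
#   75 08        JNZ SHORT +8        (skip the failure return below)
#   B8 01000000  MOV EAX,1
#   C2 0C00      RETN 0C
#   68 xxxxxxxx  PUSH <OEP VA>       (the dword we want)
#   C3           RETN
# The PUSH/RETN pair is optional in the pattern so that a stub whose tail has
# been overwritten is still found and can be reported as modified.
ASPACK_TAIL = re.compile(
    rb"\x61\x75\x08\xB8\x01\x00\x00\x00\xC2\x0C\x00"
    rb"(?:\x68(?P<oep>.{4})\xC3)?",
    re.DOTALL,
)


def find_aspack_tails(image: bytes):
    """Yield (offset_of_POPAD, oep_va_or_None) for every stub match in image."""
    for m in ASPACK_TAIL.finditer(image):
        raw = m.group("oep")
        yield m.start(), (struct.unpack("<I", raw)[0] if raw is not None else None)


def classify_aspack_tail(image: bytes):
    """Return ("intact", oep_rva), ("tail-modified", offset) or ("no-aspack-tail", None)."""
    hits = list(find_aspack_tails(image))
    if not hits:
        return ("no-aspack-tail", None)
    offset, oep_va = hits[0]
    if oep_va is None:
        # Stub head present but PUSH/RETN no longer follows RETN 0C directly:
        # the hand-off has been rewritten (this is what post #2's patch does).
        return ("tail-modified", offset)
    return ("intact", oep_va - IMAGE_BASE)


# Constructed sample buffers, transcribed from the two listings in post #2
# (not real dumps; just enough bytes to exercise the matcher).
ORIGINAL_TAIL = bytes.fromhex(
    "61 7508 B801000000 C20C00"      # POPAD / JNZ / MOV EAX,1 / RETN 0C
    "68 18315700 C3"                 # PUSH 00573118 / RETN
    "8B85 26040000"                  # first of the unused instructions that follow
)
PATCHED_TAIL = bytes.fromhex(
    "0BC9 90 90 90 90 90 90"         # OR ECX,ECX and NOP padding before the stub
    "61 7508 B801000000 C20C00"      # unchanged stub head
    "C705 6CC05500 8B45DC90"         # patch: MOV DWORD PTR [55C06C],90DC458B
    "C605 70C05500 3E"               # patch: MOV BYTE PTR [55C070],3E
    "68 18315700 C3 90 90 90"        # PUSH 00573118 / RETN, now 0x11 bytes later
)

if __name__ == "__main__":
    for name, buf in (("original", ORIGINAL_TAIL), ("patched", PATCHED_TAIL)):
        state, value = classify_aspack_tail(buf)
        print(f"{name}: {state}", hex(value) if value is not None else "")
```

On the original listing this reports the stub intact with OEP RVA 0x173118, matching the value post #1 reads out of the dword at 5DB39Ch; on the patched listing it reports the tail as modified because RETN 0C is followed by the inserted MOV rather than the PUSH. For a file on disk rather than a mapped image, the match offset would still need converting through the section headers before it can be compared with a VA.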