  #3  
Old 02-25-2004, 20:47
ferrari
Pompeyfan, same with me. All the discussions on Aspr are too complex for a newbie. That's why I'm just fooling around here giving free advice to newcomers in JMI style, without any pennies. Thank you for starting this topic... Since I successfully tried out some easy tuts on unpacking UPX and Aspack, let's try out this ASpr... but I need help here. If no one wants to help then it's okay, I'll check that link provided by satyricOn, but someone please help, I want to finish off this tut... please.

Yeah, I was trying the tut by Labba last month, but I was so confused at the point of getting the OEP.

Program: Wtm-CD-Protect 1.54

See, I could follow the tut like this. Yes, I changed that '01' in IsDebuggerPresent to '00'. After Shift+F9 I land here:

00B639EC 3100 XOR DWORD PTR DS:[EAX],EAX
00B639EE 64:8F05 00000000 POP DWORD PTR FS:[0]
00B639F5 58 POP EAX
00B639F6 833D B07EB600 00 CMP DWORD PTR DS:[B67EB0],0
00B639FD 74 14 JE SHORT 00B63A13
00B639FF 6A 0C PUSH 0C
00B63A01 B9 B07EB600 MOV ECX,0B67EB0
00B63A06 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00B63A09 BA 04000000 MOV EDX,4
00B63A0E E8 2DD1FFFF CALL 00B60B40
00B63A13 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00B63A16 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00B63A19 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00B63A1C 8338 00 CMP DWORD PTR DS:[EAX],0
00B63A1F 74 02 JE SHORT 00B63A23
00B63A21 FF30 PUSH DWORD PTR DS:[EAX]
00B63A23 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00B63A26 FF75 EC PUSH DWORD PTR SS:[EBP-14]
00B63A29 C3 RETN

I put the BP at 00B63A29 and then Shift+F9.
Then in the command line (Alt+F1) I enter: TC EIP<900000
I land here:

00405214 $-FF25 DC914300 JMP DWORD PTR DS:[4391DC]
0040521A 8BC0 MOV EAX,EAX
0040521C $-FF25 D8914300 JMP DWORD PTR DS:[4391D8]
00405222 8BC0 MOV EAX,EAX
00405224 $-FF25 D4914300 JMP DWORD PTR DS:[4391D4]
0040522A 8BC0 MOV EAX,EAX
0040522C $-FF25 D0914300 JMP DWORD PTR DS:[4391D0]

Then after pressing F8 once I go here:

00B61C64 55 PUSH EBP
00B61C65 8BEC MOV EBP,ESP
00B61C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00B61C6A 85C0 TEST EAX,EAX
00B61C6C 75 13 JNZ SHORT 00B61C81
00B61C6E 813D A47AB600 00>CMP DWORD PTR DS:[B67AA4],400000 ; ASCII "MZP"
00B61C78 75 07 JNZ SHORT 00B61C81
00B61C7A A1 A47AB600 MOV EAX,DWORD PTR DS:[B67AA4]
00B61C7F EB 06 JMP SHORT 00B61C87
00B61C81 50 PUSH EAX
00B61C82 E8 3135FFFF CALL 00B551B8 ; JMP to kernel32.GetModuleHandleA
00B61C87 5D POP EBP
00B61C88 C2 0400 RETN 4

Then again, after the RET, I go here:

0040531C . BA 9C804300 MOV EDX,ACopy.0043809C
00405321 . 52 PUSH EDX
00405322 . 8905 B8944300 MOV DWORD PTR DS:[4394B8],EAX
00405328 . 8942 04 MOV DWORD PTR DS:[EDX+4],EAX
0040532B . E8 98FFFFFF CALL ACopy.004052C8
00405330 . 5A POP EDX
00405331 . 58 POP EAX
00405332 . E8 15E1FFFF CALL ACopy.0040344C
00405337 . C3 RETN

I don't understand what I am supposed to do after dumping the process with LordPE.
I dump the process and save it. Then I press F8 and after the RET I get here:

00437589 8B DB 8B
0043758A 1D DB 1D
0043758B 90 NOP
0043758C 8A DB 8A
0043758D 43 DB 43 ; CHAR 'C'
0043758E 00 DB 00
0043758F 8B DB 8B
00437590 03 DB 03
00437591 E8 DB E8
00437592 1E DB 1E
00437593 1F DB 1F
00437594 FF DB FF
00437595 FF DB FF
00437596 8B DB 8B
00437597 0D DB 0D

In LaBBa's tutorial I am supposed to land here, and the OEP is 00436EAD:

00436EAD 8B1D 907A4300 MOV EBX,DWORD PTR DS:[437A90] ; ACopy.004386E8
00436EB3 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436EB5 E8 FA25FFFF CALL ACopy.004294B4
00436EBA 8B0D 0C7B4300 MOV ECX,DWORD PTR DS:[437B0C] ; ACopy.00438774
00436EC0 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436EC2 8B15 10374300 MOV EDX,DWORD PTR DS:[433710] ; ACopy.00433750
00436EC8 E8 FF25FFFF CALL ACopy.004294CC
00436ECD 8B0D 707A4300 MOV ECX,DWORD PTR DS:[437A70] ; ACopy.00438750
00436ED3 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436ED5 8B15 C0274300 MOV EDX,DWORD PTR DS:[4327C0] ; ACopy.00432800
00436EDB E8 EC25FFFF CALL ACopy.004294CC
00436EE0 8B0D 047A4300 MOV ECX,DWORD PTR DS:[437A04] ; ACopy.00438764
00436EE6 8B03 MOV EAX,DWORD PTR DS:[EBX]

What am I doing wrong? I really don't understand... sorry if this problem is dumb... regrets... newbies sometimes ask dumb questions. Experts should not bully them.

Thanking in advance.

Last edited by ferrari; 02-25-2004 at 20:49.
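An added example (my own code, not from the post or from LaBBa's tutorial) that takes the bytes from the two listings above, the "DB" bytes at 00437589 and the expected OEP code at 00436EAD, and resolves where each CALL points. It assumes the bytes are exactly as listed and that the target is a Delphi-style entry, so the scan pattern is the MOV EBX / MOV EAX / CALL / MOV ECX prologue shown at 00436EAD; resolving the rel32 CALL target is a quick sanity check an analyst can run on any dump before trusting an OEP guess.

```python
import re
import struct

# Bytes constructed from the two listings in the post: what Olly showed as "DB"
# at 00437589 after the dump, and the expected OEP code at 00436EAD from the tutorial.
LANDED_AT = 0x00437589
LANDED_BYTES = bytes.fromhex("8B1D908A43008B03E81E1FFFFF8B0D")
OEP_AT = 0x00436EAD
OEP_BYTES = bytes.fromhex("8B1D907A43008B03E8FA25FFFF8B0D0C7B4300")

# Delphi-style entry prologue as seen at 00436EAD:
#   8B 1D imm32   MOV EBX,DWORD PTR DS:[imm32]
#   8B 03         MOV EAX,DWORD PTR DS:[EBX]
#   E8 rel32      CALL rel32
#   8B 0D         MOV ECX,DWORD PTR DS:[...]
PROLOGUE = re.compile(rb"\x8B\x1D(.{4})\x8B\x03\xE8(.{4})\x8B\x0D", re.DOTALL)


def decode_prologue(base_va, data):
    """Scan a buffer loaded at base_va; return (va, ebx_source, call_target) for each hit."""
    hits = []
    for m in PROLOGUE.finditer(data):
        va = base_va + m.start()
        ebx_source = struct.unpack("<I", m.group(1))[0]
        rel32 = struct.unpack("<i", m.group(2))[0]          # signed displacement
        # The CALL starts 8 bytes into the pattern and is 5 bytes long;
        # rel32 is relative to the instruction that follows the CALL.
        call_target = va + 8 + 5 + rel32
        hits.append((va, ebx_source, call_target))
    return hits


def same_entry_call(base_a, data_a, base_b, data_b):
    """True when both buffers hold the prologue and their CALLs resolve to one target."""
    a = decode_prologue(base_a, data_a)
    b = decode_prologue(base_b, data_b)
    return bool(a) and bool(b) and a[0][2] == b[0][2]


if __name__ == "__main__":
    for label, base, data in (("landed", LANDED_AT, LANDED_BYTES),
                              ("tutorial OEP", OEP_AT, OEP_BYTES)):
        for va, src, target in decode_prologue(base, data):
            print(f"{label}: prologue at {va:08X}, MOV EBX,[{src:08X}], CALL {target:08X}")
    print("same CALL target:", same_entry_call(LANDED_AT, LANDED_BYTES, OEP_AT, OEP_BYTES))
```

The DB lines in the post are bytes OllyDbg has not yet analysed as code; Ctrl+A (Analyse) in OllyDbg re-decodes them as instructions.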