Jump to OEP - Aspack 2.12

Hobgoblin & Dutchjewel:

I was able to do it on my own. Thanks Hobgoblin


Changes:

1) 0066B573 - E9 284ED9FF JMP gdbnt.004003A0


2)
004003A0 66:C705 B6B36600 E916 MOV WORD PTR DS:[66B3B6],16E9
004003A9 66:C705 B8B36600 50D9 MOV WORD PTR DS:[66B3B8],0D950
004003B2 66:C705 BAB36600 FF90 MOV WORD PTR DS:[66B3BA],90FF
004003BB 66:C705 BCB36600 9000 MOV BYTE PTR DS:[66B3BC],90
004003C4 - E9 9EB02600 JMP gdbnt.0066B467
004003C9 0000 ADD BYTE PTR DS:[EAX],AL
004003CB 0000 ADD BYTE PTR DS:[EAX],AL
004003CD 0000 ADD BYTE PTR DS:[EAX],AL
004003CF 0000 ADD BYTE PTR DS:[EAX],AL
004003D1 C605 5FA94F00 00 MOV BYTE PTR DS:[4FA95F],0
004003D8 C605 77A94F00 00 MOV BYTE PTR DS:[4FA977],0
004003DF - E9 08AF1700 JMP gdbnt.0057B2EC<------------Jump to OEP

It works perfect

Regards,

[TheDutchJewel]

Hobgoblin,

Just want to let you know that your way of jumping to free space at the beginning of the file, add bytes to modify the jnz to jump to the patch bytes, and then jumping back to jump to OEP works great.

Thanks for this very helpfull way of teaching.

Regards,

[hobgoblin]

Nice to be able to help.
I use this method quite often when I crack some packed proggies for fun. I prefer this method because often you have to patch more than 1 or 2 bytes, and then you need more space than you get when you utilize code that's not executed. Although, sometimes the hunt for finding code that's not executed which can be overwritten without risk can be quite entertaining. And even more: if you start using this method on upx packed proggies, you have to take into account what space are protected and what space are not.
Well, enough said.....

regards,
hobgoblin

[hobgoblin]

Here is another way of patching Aspack 2.12. This time I have utilized the decryption routine itself in order to avoid adding too much code.
Put a bp on 0066B3A0 and singlestep from there...

Just for fun from,
hobgoblin

[TheDutchJewel]

Quote:

Originally Posted by hobgoblin

Put a bp on 0066B3A0 and singlestep from there...

Are you sure about bp at 0066B3A0?

Quote:

0066B3A0 B9 B2030000 MOV ECX,3B2

After pressing F8 there I get this error:

Quote:

Breakpoint corrupted!
OllyDbg set byte at address 0066B3A0 to CC (code of command INT3, used as breakpoint). Now this byte contains
CB. Do you want to keep modified command? (If you answer 'No', old code B9 will be restored).

After I choose Yes or No, progress terminates.

BTW this happens also in the original EXE:

Quote:

0066B3A0 B9 ECB21700 MOV ECX,17B2EC

[hobgoblin]

Never mind putting a bp at 0066B3A0.
Check the code there before and after the decryption routine is done. Then singlestep through that code without bp's just to see what happens with the code from 0066B3A0 until OEP is reached. Usually the adress for the OEP is written into the address 0066B3C0. In this case the adress to the location for the patching code is written into 0066B3C0.

hobgoblin