Aspack 2.11
amois
Program Type: -
Tools: SoftICE, IceDump

I will try to explain how we can manually unpack a program which is protected by Aspack 2.11.

First target is Clip Manager v4.31 (www.hesystems.com)

[bpx getprocaddress] --> ClipManager.exe --> until we break in the program code --> [F11]

[map32 clipmanager]
Owner       Obj Name  Obj#  Address        Size      Type
CLIPMANAGE  .text     0001  0177:00401000  00091000  IDATA RW
CLIPMANAGE  .data     0002  0177:00492000  00019000  IDATA RW
CLIPMANAGE  .tls      0003  0177:004AB000  00001000  IDATA RW
CLIPMANAGE  .rdata    0004  0177:004AC000  00001000  IDATA RW
CLIPMANAGE  .idata    0005  0177:004AD000  00003000  IDATA RW
CLIPMANAGE  .edata    0006  0177:004B0000  00003000  IDATA RW
CLIPMANAGE  .rsrc     0007  0177:004B3000  0002D000  IDATA RW
CLIPMANAGE  .reloc    0008  0177:004E0000  0000B000  IDATA RW
CLIPMANAGE  .aspack   0009  0177:004EB000  00002000  IDATA RW
CLIPMANAGE  .data     000A  0177:004ED000  00001000  IDATA RW
Let's check the idata section: [d 4AD000] --> ?? ?? ?? --> still packed. We will just put a breakpoint on this memory range --> [bpm 4AD000]. After the breakpoint hits, we will try to find the OEP with tracex. The first section is between 401000 ~ 492000 --> [bc*] --> [\tracex 401000 492000] --> just a little waiting -->
016F:00401000  MOV EAX,[00492334]   <-- OEP
016F:00401005  SHL EAX,02
016F:00401008  MOV [00492338],EAX
The Import Table is clear --> we can dump at 401000 --> no need for Revirgin. (Sorry Tsehp)
NOTE:
This OEP is a little interesting. [bpx getprocaddress] --> original file --> [F11]
Now we put a breakpoint on 401000 --> [bpm 401000 x] --> [F5] --> check the OEP --> again [F5]

016F:00401000  RET                  <-- is this the OEP? (first break)
016F:00401001  ADD ESI,[EBX]

016F:00401000  MOV EAX,[00492334]   <-- no, this is the OEP (second break)
016F:00401005  SHL EAX,02
Second target is WinControl 2000 v2.10.279 (www.wincontrol.com)

[bpx getprocaddress] --> WinControl --> until we break in the program code --> [F11]

[map32 wincontrol]
Owner       Obj Name  Obj#  Address        Size      Type
WINCONTROL  CODE      0001  0177:00401000  000F5000  IDATA RW
WINCONTROL  DATA      0002  0177:004F6000  00003000  IDATA RW
WINCONTROL  BSS       0003  0177:004F9000  00001000  IDATA RW
WINCONTROL  .idata    0004  0177:004FA000  00003000  IDATA RW
WINCONTROL  .tls      0005  0177:004FD000  00001000  IDATA RW
WINCONTROL  .rdata    0006  0177:004FE000  00001000  IDATA RW
WINCONTROL  .reloc    0007  0177:004FF000  00010000  IDATA RW
WINCONTROL  .rsrc     0008  0177:0050F000  000E0000  IDATA RW
WINCONTROL  .wincon   0009  0177:005EF000  00003000  IDATA RW
WINCONTROL  .data     000A  0177:005F2000  00001000  IDATA RW
[bpm 4FA000] --> [bc*] --> [\tracex 401000 4F6000]

016F:004F4D2C  PUSH EBP             <-- OEP
016F:004F4D2D  MOV EBP,ESP
016F:004F4D2F  MOV ECX,0000000F
Third target is AMP Hakedis ve Kesif Win v5.00 (www.ampyazilim.com.tr)

It's protected by Aspack 2.1, but we will apply the same method.

[bpx getprocaddress] --> AmpHak --> until we break in the program code --> [F11]

[map32 AmpHak]
Owner       Obj Name  Obj#  Address        Size      Type
AMPHAK      CODE      0001  0177:00401000  00273000  IDATA RW
AMPHAK      DATA      0002  0177:00674000  00015000  IDATA RW
AMPHAK      BSS       0003  0177:00689000  00003000  IDATA RW
AMPHAK      .idata    0004  0177:0068C000  00003000  IDATA RW
AMPHAK      .edata    0005  0177:0068F000  00001000  IDATA RW
AMPHAK      .tls      0006  0177:00690000  00001000  IDATA RW
AMPHAK      .rdata    0007  0177:00691000  00001000  IDATA RW
AMPHAK      .reloc    0008  0177:00692000  0002B000  IDATA RW
AMPHAK      .rsrc     0009  0177:006BD000  00199000  IDATA RW
AMPHAK      .aspack   000A  0177:00856000  00002000  IDATA RW
AMPHAK      .data     000B  0177:00858000  00001000  IDATA RW
[bpm 68C000] --> [bc*] --> [\tracex 401000 674000] --> just wait ~3 minutes

016F:00673640  PUSH EBP             <-- OEP
016F:00673641  MOV EBP,ESP
016F:00673643  ADD ESP,-0C
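The map32 lookups above (which section owns an address, and whether the file's entry point sits in the packer's own section instead of the first code section, where all three OEPs were found) can be done statically from the PE header. This is an added example, not part of the tutorial: a minimal PE32 section-table parser plus a packed-file check. The sample header copies the ClipManager section layout; the entry RVA 0xEB001 and the section flags are constructed, since the tutorial does not list them.

```python
import struct

PACKER_SECTIONS = {".aspack"}  # stub section name seen in the map32 listings above

def parse_pe32(data):
    # Returns (image_base, entry_rva, [(name, rva, vsize, rawsize, flags), ...]).
    # Assumes a 32-bit PE32 image (ImageBase at optional header offset 28).
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    nsect, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    entry_rva, image_base = struct.unpack_from("<I8xI", data, opt + 16)
    sections = []
    for i in range(nsect):
        name, vsize, rva, raw, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw, flags))
    return image_base, entry_rva, sections

def section_of(pe, va):
    # Name of the section owning virtual address va: the lookup the tutorial does by eye in map32.
    base, _, sections = pe
    for name, rva, vsize, raw, _ in sections:
        if base + rva <= va < base + rva + max(vsize, raw):
            return name
    return None

def packing_indicators(pe):
    # Static signs that the header's entry point is a packer stub rather than the real OEP.
    base, entry_rva, sections = pe
    entry_sec, hits = section_of(pe, base + entry_rva), []
    if entry_sec in PACKER_SECTIONS:
        hits.append(f"entry point {base + entry_rva:08X} lies in packer section {entry_sec}")
    first_code = next((n for n, *_, f in sections if f & 0x20000000), None)  # IMAGE_SCN_MEM_EXECUTE
    if entry_sec != first_code:  # all three OEPs in the tutorial land in the first section
        hits.append(f"entry point is in {entry_sec}, not in the first code section {first_code}")
    return hits

def build_sample_pe32(image_base, entry_rva, sections):
    # Constructed PE32 headers only (no section bodies), enough for parse_pe32 to read offline.
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    hdr += struct.pack("<H14xI8xI", 0x10B, entry_rva, image_base).ljust(0xE0, b"\0")
    for name, rva, vsize, flags in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva, vsize, 0, 0, 0, 0, 0, flags)
    return bytes(hdr)

CODE, DATA = 0x60000020, 0xC0000040  # exec|read|code ; read|write|initialized data
# Section layout copied from the ClipManager map32 listing; entry RVA and flags are constructed.
CLIPMANAGER = build_sample_pe32(0x400000, 0xEB001, [
    (".text", 0x1000, 0x91000, CODE), (".data", 0x92000, 0x19000, DATA),
    (".idata", 0xAD000, 0x3000, DATA), (".aspack", 0xEB000, 0x2000, CODE | 0x80000000)])
```

Running `packing_indicators(parse_pe32(CLIPMANAGER))` reports both signs for the sample, while `section_of(pe, 0x401000)` returns `.text`, the section in which tracex found the OEP.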

If you are earning money by means of software, please buy this software.