Aspack 2.11

amois
Published by +Tsehp

Program Url: -
Program Type: -

Tools:

SoftICE, IceDump

Beginner (x)  Intermediate (x)  Advanced ( )  Pro ( )

Start

I will try to explain how we can manually unpack a program which is protected by Aspack 2.11

Reversing

First target is Clip Manager v4.31 (www.hesystems.com)

[bpx getprocaddress] --> run ClipManager.exe --> [F11] until we reach the program code

[map32 clipmanager]

Owner     Obj Name  Obj#   Address     Size     Type
CLIPMANAGE .text    0001 0177:00401000 00091000 IDATA RW
CLIPMANAGE .data    0002 0177:00492000 00019000 IDATA RW
CLIPMANAGE .tls     0003 0177:004AB000 00001000 IDATA RW
CLIPMANAGE .rdata   0004 0177:004AC000 00001000 IDATA RW
CLIPMANAGE .idata   0005 0177:004AD000 00003000 IDATA RW
CLIPMANAGE .edata   0006 0177:004B0000 00003000 IDATA RW
CLIPMANAGE .rsrc    0007 0177:004B3000 0002D000 IDATA RW
CLIPMANAGE .reloc   0008 0177:004E0000 0000B000 IDATA RW
CLIPMANAGE .aspack  0009 0177:004EB000 00002000 IDATA RW
CLIPMANAGE .data    000A 0177:004ED000 00001000 IDATA RW

Let's check the .idata section. [d 4AD000] --> ?? ?? ?? --> Packed. We will just put a memory breakpoint on this range -->

[bpm 4AD000]. After the breakpoint fires, we will try to find the OEP with tracex. The first section is between 401000 ~ 492000 -->

[bc*] --> [\tracex 401000 492000] --> just a little waiting -->

016F:00401000 MOV EAX,[00492334] <-- OEP
016F:00401005 SHL EAX,02
016F:00401008 MOV [00492338],EAX

The import table is intact --> We can dump at 401000 --> No need for Revirgin. (Sorry Tsehp)
NOTE: This OEP is a little interesting. [bpx getprocaddress] --> original file --> [F11]
Now we put a breakpoint on 401000 --> [bpm 401000 x] --> [F5] --> check the OEP --> [F5] again

016F:00401000 RET                <-- is this the OEP? (First break)
016F:00401001 ADD ESI,[EBX]

016F:00401000 MOV EAX,[00492334] <-- No, this is the OEP (Second break)
016F:00401005 SHL EAX,02
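The three steps above (find the .idata address for the bpm, take the first section's range for tracex, confirm the candidate OEP lies in the code section and then fix the dump's entry point) can be read straight from the PE section table. The following Python is an added example, not part of this tutorial: it builds a constructed PE32 header that mirrors the ClipManager map32 listing (ImageBase 0x400000 is assumed), derives the bpm address and tracex range, reports which section holds the current entry point, and patches AddressOfEntryPoint of a dump to the recovered OEP.

```python
import struct

IMAGE_BASE = 0x400000  # assumed image base for the constructed sample

# Section layout copied from the ClipManager map32 listing above: (name, VA, size)
CLIPMANAGER_SECTIONS = [
    (".text", 0x401000, 0x91000), (".data", 0x492000, 0x19000),
    (".tls", 0x4AB000, 0x1000), (".rdata", 0x4AC000, 0x1000),
    (".idata", 0x4AD000, 0x3000), (".edata", 0x4B0000, 0x3000),
    (".rsrc", 0x4B3000, 0x2D000), (".reloc", 0x4E0000, 0xB000),
    (".aspack", 0x4EB000, 0x2000), (".data", 0x4ED000, 0x1000),
]

def build_sample_pe(entry_rva, sections):
    """Constructed PE32 header only (no code): DOS stub, PE signature, COFF, optional, sections."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)                    # ImageBase
    hdrs = [struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), sz, va - IMAGE_BASE,
                        sz, 0, 0, 0, 0, 0, 0xE0000020) for n, va, sz in sections]
    return bytes(dos) + coff + bytes(opt) + b"".join(hdrs)

def parse_pe(data):
    """Return (entry point VA, [(name, start VA, size)]) from a PE32 image or dump."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_rva, = struct.unpack_from("<I", data, e_lfanew + 40)   # optional header + 16
    base, = struct.unpack_from("<I", data, e_lfanew + 52)        # optional header + 28
    secs = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, e_lfanew + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), base + va, vsize))
    return base + entry_rva, secs

def section_of(sections, va):
    """Name of the section containing va, or None (used to sanity-check an OEP candidate)."""
    return next((n for n, s, sz in sections if s <= va < s + sz), None)

def unpack_plan(data):
    """Which section the packer's entry lives in, the bpm address (.idata) and the tracex range."""
    entry, secs = parse_pe(data)
    idata = next((s for s in secs if s[0] == ".idata"), None)
    return {"entry_section": section_of(secs, entry),
            "bpm": idata[1] if idata else None,
            "tracex": (secs[0][1], secs[0][1] + secs[0][2])}

def set_entry_point(data, oep_va):
    """Patch AddressOfEntryPoint of a dump so the image starts at the recovered OEP."""
    out = bytearray(data)
    e_lfanew = struct.unpack_from("<I", out, 0x3C)[0]
    base, = struct.unpack_from("<I", out, e_lfanew + 52)
    struct.pack_into("<I", out, e_lfanew + 40, oep_va - base)
    return bytes(out)
```

On a real dump the same functions work on the file bytes; a candidate OEP that falls outside the first section (or inside .aspack) is a sign the trace stopped in the unpacker stub, as with the RET at the first break above.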


Second target is WinControl 2000 v2.10.279 (www.wincontrol.com)

[bpx getprocaddress] --> run WinControl --> [F11] until we reach the program code

[map32 wincontrol]

Owner     Obj Name Obj#   Address       Size     Type
WINCONTROL CODE    0001 0177:00401000 000F5000 IDATA RW
WINCONTROL DATA    0002 0177:004F6000 00003000 IDATA RW
WINCONTROL BSS     0003 0177:004F9000 00001000 IDATA RW
WINCONTROL .idata  0004 0177:004FA000 00003000 IDATA RW
WINCONTROL .tls    0005 0177:004FD000 00001000 IDATA RW
WINCONTROL .rdata  0006 0177:004FE000 00001000 IDATA RW
WINCONTROL .reloc  0007 0177:004FF000 00010000 IDATA RW
WINCONTROL .rsrc   0008 0177:0050F000 000E0000 IDATA RW
WINCONTROL .wincon 0009 0177:005EF000 00003000 IDATA RW
WINCONTROL .data   000A 0177:005F2000 00001000 IDATA RW

[bpm 4FA000] --> [bc*] --> [\tracex 401000 4F6000]

016F:004F4D2C PUSH EBP         <-- OEP
016F:004F4D2D MOV EBP,ESP
016F:004F4D2F MOV ECX,0000000F


Third target is AMP Hakedis ve Kesif Win v5.00 (www.ampyazilim.com.tr)

It's protected by Aspack 2.1, but we will apply the same method.

[bpx getprocaddress] --> run AmpHak --> [F11] until we reach the program code

[map32 AmpHak]

Owner Obj Name Obj#    Address      Size    Type
AMPHAK CODE    0001 0177:00401000 00273000 IDATA RW
AMPHAK DATA    0002 0177:00674000 00015000 IDATA RW
AMPHAK BSS     0003 0177:00689000 00003000 IDATA RW
AMPHAK .idata  0004 0177:0068C000 00003000 IDATA RW
AMPHAK .edata  0005 0177:0068F000 00001000 IDATA RW
AMPHAK .tls    0006 0177:00690000 00001000 IDATA RW
AMPHAK .rdata  0007 0177:00691000 00001000 IDATA RW
AMPHAK .reloc  0008 0177:00692000 0002B000 IDATA RW
AMPHAK .rsrc   0009 0177:006BD000 00199000 IDATA RW
AMPHAK .aspack 000A 0177:00856000 00002000 IDATA RW
AMPHAK .data   000B 0177:00858000 00001000 IDATA RW

[bpm 68C000] --> [bc*] --> [\tracex 401000 674000] --> just wait ~3 minutes

016F:00673640 PUSH EBP         <-- OEP
016F:00673641 MOV EBP,ESP
016F:00673643 ADD ESP,-0C


Last words

If you are earning money by means of software, please buy this software.