Cheraz
Hi,

I'm looking for a way to get rid of ASProtect 1.1b. I would like to analyse a program that is protected by ASProtect. Unfortunately I only found programs for ASProtect < 1. Could you give me some advice?
gr33dy
I haven't tried it myself but there is a program called "rAD" that may be able to do it: http://protools.reverse-engineering.net/fi...packers/rad.zip

Otherwise, this link may be helpful: http://www.ghu.as.ro/unpacktuts/labba1.htm

belgther
1) Fire up Olly.
2) Open the target program via Olly.
3) Go to Options - Debugging options - Exceptions. Remove everything except memory access violations in kernel32.
4) Run the program. It will break. Press Shift+F9 each time it holds, counting how many times it held before it runs the program. Note it.
5) Restart the program. Run again. Press Shift+F9 as many times as you counted before, minus 1, because on the last time you will press Shift+F8. I think you got the point.
6) Plugins - Command line - Command line, type TC EIP<900000 and wait. It will hold at the OEP after a short time.
7) You can dump it, then fix your import table with ImpRec, then change the OEP with ProcDump or LordPE. Mostly, it works. If it quits, then you have to load the stack of the packed program manually.


This works with ASProtect 1.2 & 1.3, but should work with 1.1 as well.

Have fun...
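
The header field that step 7 of the post above changes, shown as an added example that is not part of the thread: a Python sketch that parses a PE32 header, reports which section holds the entry point (an entry point in the last, non-code section is a common sign of a packed file), and rewrites AddressOfEntryPoint with a bounds check. The sample image, its section names and the RVAs are constructed for the demo.

```python
import struct

def build_sample_pe(entry_rva):
    """Constructed minimal PE32 header for the demo (not a real program)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0)
                    for n, vs, va in ((b".text", 0x5000, 0x1000),
                                      (b".stub", 0x2000, 0x6000)))
    return bytearray(dos + b"PE\x00\x00" + coff + bytes(opt) + secs)

def parse_pe(data):
    """Return entry point RVA, image base and section ranges of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    base, = struct.unpack_from("<I", data, opt + 28)
    secs = []
    for i in range(nsec):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\x00").decode("ascii", "replace"), vaddr, vsize))
    return {"ep_off": opt + 16, "entry_rva": entry, "image_base": base, "sections": secs}

def entry_section(info):
    """Name of the section holding the entry point, or None if it is in none."""
    for name, vaddr, vsize in info["sections"]:
        if vaddr <= info["entry_rva"] < vaddr + vsize:
            return name
    return None

def set_entry_point(data, new_rva):
    """Rewrite AddressOfEntryPoint in place, refusing an RVA outside all sections."""
    info = parse_pe(data)
    if not any(va <= new_rva < va + vs for _, va, vs in info["sections"]):
        raise ValueError("new entry point is outside every section")
    struct.pack_into("<I", data, info["ep_off"], new_rva)
    return parse_pe(data)
```

On the constructed image, an entry RVA of 0x6001 resolves to the `.stub` section, and after `set_entry_point(img, 0x1234)` it resolves to `.text`.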
White Scorpion
Interesting, Belgther. I never really did anything with manual unpacking, but it is very interesting to learn.

As for your problem, Cheraz, take a look at this site; although in Russia, it has some tools available for download, including several unpackers for ASProtect.

Cheraz
Thanks guys, you're really helpful.
belgther
QUOTE(White Scorpion @ Jul 3 2005, 10:31 AM)
As for your problem, Cheraz, take a look at this site; although in Russia, it has some tools available for download, including several unpackers for ASProtect.

Well, these ASProtect unpackers never worked for me; I tested some of them in Windows 98 some years ago. That's the reason why I started manual unpacking.
BTW, you can take a look at hxxp://biw.rult.at. It has good tutorials about this subject, too. I learned the way I mentioned from that site.
White Scorpion
biw.rult.at nowadays is reversing.be.
I've been a member on that site for about a year now. I haven't visited it for a couple of months, but I will ASAP.
r4d14t10n
If you just want to analyse it, you can dump it with programs like ProcDump or Win32 Intro. If you can't find them, PM me.