I'm looking for a way to get rid of asprotect 1.1b. I would like to analyse a program that is protected by asprotect. Unfortunately I only found programs for asprotect < 1. Could you give me some advice?
1) Fire up Olly.
2) Open the target program via Olly.
3) Go to Options - Debugging options - Exceptions. Remove everything except memory access violations in kernel32.
4) Run the program. It will break. Press Shift+F9 each time it holds, counting how many times it held before it runs the program. Note it.
5) Restart the program. Run again. Press Shift+F9, and press it as many times as you counted before, minus 1, because on the last time you will press Shift+F8. I think you got the point.
6) Plugins - Command line - Command line, type TC EIP<900000 and wait. It will hold at the OEP after a short time.
7) You can dump it, then fix your import table with ImpRec, then change the OEP with procdump or LordPE. Mostly, it works. If it quits, then you have to load the stack of the packed program manually.
This works with asprotect 1.2 & 1.3, but should work with 1.1 as well.
Have fun...
"The wisest one is the one who knows himself/herself." Quote of the life
belgther... aka... belgther
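An added example, not part of the thread: a header check an analyst can run on the dump after step 7 to confirm that the entry point now falls in the code section and that an import directory is present. It assumes a standard PE32 layout; the sample image, its section names (`.packer` is a made-up name) and all addresses are constructed for the demonstration.

```python
import struct

def inspect_pe32(data):
    """Report where the entry point and import directory of a PE32 file sit."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                         # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 104)  # data dir 1
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))

    def owner(rva):
        for name, vaddr, vsize in sections:
            if vaddr <= rva < vaddr + vsize:
                return name
        return None

    return {"entry_va": image_base + entry, "entry_section": owner(entry),
            "import_rva": imp_rva, "import_size": imp_size,
            "import_section": owner(imp_rva) if imp_rva else None}

def build_sample(entry_rva, import_rva):
    """Constructed header-only PE32 image with .text, .rdata and .packer sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)
    struct.pack_into("<II", opt, 104, import_rva, 0x28)
    sect = b""
    for name, vaddr in ((b".text", 0x1000), (b".rdata", 0x2000), (b".packer", 0x3000)):
        sect += name.ljust(8, b"\0") + struct.pack("<II", 0x1000, vaddr) + b"\0" * 24
    return dos + coff + bytes(opt) + sect

if __name__ == "__main__":
    print(inspect_pe32(build_sample(0x3001, 0)))       # entry still in the packer section
    print(inspect_pe32(build_sample(0x1234, 0x2000)))  # entry in .text, imports present
```

An entry point that still resolves to the protector's section, or an empty import directory, means the header edit or the import fix did not take.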
Interesting, Belgther. I never really did anything with manual unpacking, but it is very interesting to learn :lol:
As for your problem, Cheraz, take a look at this site; although in Russia, it has some tools available for download, including several unpackers for asprotect.
The path of access leads to the server of wisdom..
Well, these asprotect unpackers never worked for me; I tested some of them in Windows 98 some years ago. That's the reason why I started manual unpacking.
BTW, you can take a look at hxxp://biw.rult.at. It has good tutorials about this subject, too. I learned the way I mentioned from that site.
"The wisest one is the one who knows himself/herself." Quote of the life
belgther... aka... belgther
biw.rult.at nowadays is reversing.be
I've been a member on that site for about a year now. I haven't visited it since a couple of months ago, but I will ASAP.
The path of access leads to the server of wisdom..