Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Newbie question ASPR 1.23 RC4 (long!) (https://forum.exetools.com/showthread.php?t=3397)

britedream 02-16-2004 01:21

File sent

Wurstgote 02-16-2004 01:34

Thanks, file received.

Started the original app in Olly, got to OEP and tried to fix your dump with JackD's IAT with ImpRec.
Same problem as before: Access violation at 404f5f.
But for a very short time a window pops up... May it be the problem Satyric0n mentioned before?

Regards
Wurstgote

britedream 02-16-2004 02:01

I think you need Windows XP to test.

JackD 02-16-2004 02:01

Wurstgote,

It's a FREE mailbox, can't expect much. File size is the problem. Try zipping dump maybe if you want to retry?

JackD

Wurstgote 02-16-2004 03:24

JackD,

problem is, file is already zipped. Tomorrow I'll put it on a http server. You can download it from there. As soon as it's there, I will send you a PM.

Regards
Wurstgote

JackD 02-16-2004 03:38

Wurstgote,

I think I was able to replicate what you're getting. I believe the problem is the dump you are using came after ASPR processed its 'dips'.

ASPR processes 'dips' before reaching the OEP that modify addresses to point to ASPR at 620484, 62048C, 620494, 620498, and 62049C.

data BEFORE ASPR dips
00620480: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00620490: 00 8D 40 00-F4 85 57 00-20 86 57 00-20 86 57 00
006204A0: 00 00 00 00-FE FF FF FF-FE FF FF FF-00 00 00 00
006204B0: FE FF FF FF-FE FF FF FF-00 8D 40 00-00 00 8B C0

data AFTER ASPR dips
00620480: 00 00 00 00-61 38 60 01-00 00 00 00-FC 1E 63 01
00620490: 00 8D 40 00-08 1C 61 01-A4 1B 61 01-D8 1B 61 01
006204A0: FE FF FF FF-1E 00 00 00-1E 00 00 00-FE FF FF FF
006204B0: 00 00 00 00-00 00 00 00-00 8D 40 00-00 00 8B C0

data that WORKS
00620480: 00 00 00 00-F0 3F 61 00-00 00 00 00-00 00 00 00
00620490: 00 8D 40 00-F4 85 57 00-20 86 57 00-20 86 57 00
006204A0: FE FF FF FF-1E 00 00 00-1E 00 00 00-FE FF FF FF
006204B0: 00 00 00 00-00 00 00 00-00 8D 40 00-00 00 8B C0

MUST put something here for pointer in data that WORKS
00613FF0: 45 76 65 72-79 6F 6E 65-00 00 00 00-00 00 00 00

You still need to apply C3 at 57890C.

JackD
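As an added example, not code from the thread or from any of its participants: the Python script below parses dump lines in the format JackD quotes, compares two snapshots dword by dword, and flags changed values that fall in a given address range. The range 0x01600000 to 0x01700000 used for the protector region is an assumption read off the values in the quoted "AFTER" dump, not something the thread states; the three dumps and the `00613FF0` line are copied from the post above.

```python
import re
import struct

# Dumps quoted from JackD's post. The address range below is an assumption
# inferred from the values in AFTER; the thread never names the range itself.
ASPR_LO, ASPR_HI = 0x01600000, 0x01700000

BEFORE = """\
00620480: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00620490: 00 8D 40 00-F4 85 57 00-20 86 57 00-20 86 57 00
006204A0: 00 00 00 00-FE FF FF FF-FE FF FF FF-00 00 00 00
006204B0: FE FF FF FF-FE FF FF FF-00 8D 40 00-00 00 8B C0
"""
AFTER = """\
00620480: 00 00 00 00-61 38 60 01-00 00 00 00-FC 1E 63 01
00620490: 00 8D 40 00-08 1C 61 01-A4 1B 61 01-D8 1B 61 01
006204A0: FE FF FF FF-1E 00 00 00-1E 00 00 00-FE FF FF FF
006204B0: 00 00 00 00-00 00 00 00-00 8D 40 00-00 00 8B C0
"""
WORKS = """\
00620480: 00 00 00 00-F0 3F 61 00-00 00 00 00-00 00 00 00
00620490: 00 8D 40 00-F4 85 57 00-20 86 57 00-20 86 57 00
006204A0: FE FF FF FF-1E 00 00 00-1E 00 00 00-FE FF FF FF
006204B0: 00 00 00 00-00 00 00 00-00 8D 40 00-00 00 8B C0
00613FF0: 45 76 65 72-79 6F 6E 65-00 00 00 00-00 00 00 00
"""

HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_dump(text):
    """Parse 'ADDRESS: xx xx xx xx-xx ...' lines into {address: byte}."""
    mem = {}
    for line in text.splitlines():
        addr_s, sep, rest = line.strip().partition(":")
        if not sep or not HEX8.match(addr_s):
            continue  # skip headings and anything that is not a dump row
        base = int(addr_s, 16)
        for i, hb in enumerate(re.findall(r"[0-9A-Fa-f]{2}", rest)):
            mem[base + i] = int(hb, 16)
    return mem


def read_dword(mem, addr):
    """Little-endian dword at addr, or None if any of its bytes is missing."""
    if any(addr + i not in mem for i in range(4)):
        return None
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]


def dword_diff(old, new):
    """[(addr, old_dword, new_dword)] for each aligned dword present in both that changed."""
    out = []
    for addr in sorted(set(old) & set(new)):
        if addr % 4:
            continue
        o, n = read_dword(old, addr), read_dword(new, addr)
        if o is not None and n is not None and o != n:
            out.append((addr, o, n))
    return out


def pointers_into(diffs, lo, hi):
    """Addresses whose new value lies in [lo, hi): candidates for redirected pointers."""
    return [addr for addr, _, n in diffs if lo <= n < hi]


def c_string_at(mem, addr):
    """Read a NUL-terminated ASCII string starting at addr."""
    out = bytearray()
    while addr in mem and mem[addr] != 0:
        out.append(mem[addr])
        addr += 1
    return out.decode("ascii", errors="replace")


def report(label, old_text, new_text):
    diffs = dword_diff(parse_dump(old_text), parse_dump(new_text))
    print(label)
    for addr, o, n in diffs:
        flag = "  <-- new value in assumed protector range" if ASPR_LO <= n < ASPR_HI else ""
        print(f"  {addr:08X}: {o:08X} -> {n:08X}{flag}")
    return diffs


if __name__ == "__main__":
    report("BEFORE -> AFTER (what the 'dips' changed)", BEFORE, AFTER)
    report("AFTER -> WORKS (what was put back)", AFTER, WORKS)
    works = parse_dump(WORKS)
    print("string at", hex(read_dword(works, 0x620484)), "=", c_string_at(works, 0x613FF0))
```

Run against the quoted dumps, the first comparison shows eleven changed dwords, and exactly the five that JackD lists (620484, 62048C, 620494, 620498, 62049C) receive new values in the assumed protector range; the second comparison shows that the working dump leaves no pointer in that range and that 620484 now points at the "Everyone" string at 613FF0.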

Wurstgote 02-16-2004 06:40

JackD,

wow, you're right: Your "data AFTER ASPR dips" exactly match those in my dump :)
Now I wonder, regarding the behaviour of the dumped app, where's the difference between your version and mine? The only one I recognize is that yours show in the "About" dialog that the app is registered to "Everyone" (due to
00620480: 00 00 00 00-F0 3F 61 00-00 00 00 00-00 00 00 00
and
00613FF0: 45 76 65 72-79 6F 6E 65-00 00 00 00-00 00 00 00)
while mine shows some trash.
Despite that (little) difference, both versions behave the same (as far as I've found out).
I'm sure there must be something else, but I can't figure it out.
Would you mind explaining, please?

Regards
Wurstgote

JackD 02-16-2004 08:15

Wurstgote,

I guess I'm not sure just what problem(s) you have at this point. Maybe your resource section, but I just don't know. If you can post your dump for download, I'll check it out.

JackD

Wurstgote 02-16-2004 16:13

JackD,

I would like to put my dump on my homepage for download, but it seems my provider is messing around with his system, so at the moment, I've got no ftp access to transfer the file... Perhaps it will work again later.
But could you please tell me at what point I need to dump the app? I've dumped it at the first time eip<900000 (it's at a jump back to ASPR code) and if I got you right, ASPR has already processed the dips (by the way... what are those dips?).

Regards
Wurstgote

Satyric0n 02-16-2004 16:15

Wurstgote, can you go on IRC to send me the file?

Regards

Wurstgote 02-16-2004 16:46

Satyric0n,

sure. Just a few minutes, I'm now at a different computer so I'll have to install mIRC again...

Regards

Satyric0n 02-16-2004 19:02

britedream:

I have tried your dump (Wurstgote sent it to me), and indeed it does work perfectly on WinXP (though not on Win2k). But, it only works while you keep the ASPR sections after the .rsrc section on the file.

If you read the beginning of this thread, you will see that Wurstgote and I have made an exercise of getting rid of all the sections after the .rsrc section: .data, .adata, and .mackt (removing this by having ImpRec put the imports in the section at 22A000 instead of in a new section).

Once I remove these sections from your dump (the .data section, specifically), your fix at 578911 for Options no longer works, and I must do the same thing as I did in my dump to get it working.

So my question is: does your method of fixing these problems work also if you remove the sections after .rsrc?

Regards,
Satyric0n

britedream 02-16-2004 19:55

Hi,
I didn't follow all the posts, it is a long one, but as for removing the sections, I didn't see any need for removing those sections, so I did not try your method. I am working on too many things at the same time; once I get a chance I will check it. You know this target is very strange in many ways; I think it uses the protected DLLs as a loader of some sort. Your method would be clearer if you were to use a normal target.

Regards.

Satyric0n 02-16-2004 20:05

As a rule, when I manually unpack ASProtected apps, I always remove the ASPR sections (.data and .adata in this case), and put the imports in the original .idata section (22A000 in this case) instead of in a new section (.mackt) as ImpRec does by default. I do this because these sections seem to me to be entirely unnecessary, and only waste space by making the exe bigger.

Having done that, this app's behavior seems (to me) to be consistent with every other ASPR'd app I have ever dealt with. I was able to unpack it without problems, it's just that my methods of doing so seem to be much different than yours.

If you get a chance to try it, I would be interested to see if your method of fixing the dumped file works with these sections removed.

Regards,
Satyric0n
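The post above describes trimming a dump to the sections up to and including .rsrc and placing the rebuilt import table in the original .idata section at 22A000 rather than in a new .mackt section. As an added example that is not part of the thread, the Python script below walks a PE section table and answers the questions that procedure raises: which sections follow .rsrc, how many raw bytes they occupy, and which existing section covers a given RVA. The sample PE is constructed in memory with invented sizes and offsets; only the section names and the 22A000 RVA come from the thread.

```python
import struct

# IMAGE_FILE_HEADER (20 bytes) and IMAGE_SECTION_HEADER (40 bytes), little-endian.
COFF_HDR = struct.Struct("<HHIIIHH")
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

# Constructed layout: (name, VirtualAddress, VirtualSize, PointerToRawData,
# SizeOfRawData, Characteristics). Sizes/offsets are invented for the example;
# the section names and the .idata RVA of 22A000 are the ones named in the thread.
SAMPLE_LAYOUT = [
    (".text",  0x001000, 0x170000, 0x000400, 0x170000, 0x60000020),
    (".rdata", 0x171000, 0x0B9000, 0x170400, 0x0B9000, 0x40000040),
    (".idata", 0x22A000, 0x003000, 0x229400, 0x003000, 0xC0000040),
    (".rsrc",  0x22D000, 0x040000, 0x22C400, 0x040000, 0x40000040),
    (".data",  0x26D000, 0x010000, 0x26C400, 0x010000, 0xC0000040),
    (".adata", 0x27D000, 0x001000, 0x27C400, 0x001000, 0xC0000040),
    (".mackt", 0x27E000, 0x001000, 0x27D400, 0x001000, 0xC0000040),
]


def build_sample_pe(layout):
    """Minimal PE image: DOS header with e_lfanew, PE signature, COFF header,
    zeroed PE32 optional header, section table. Enough for a section-table walk."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = COFF_HDR.pack(0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    opt[0:2] = struct.pack("<H", 0x10B)  # PE32 magic
    table = b"".join(
        SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, rva,
                         rawsize, rawptr, 0, 0, 0, 0, flags)
        for name, rva, vsize, rawptr, rawsize, flags in layout
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(pe):
    """Return the section table as a list of dicts, validating the MZ/PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, pe_off + 4)
    table = pe_off + 4 + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsec):
        (name, vsize, rva, rawsize, rawptr,
         _, _, _, _, flags) = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "rva": rva,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "flags": flags})
    return sections


def sections_after(sections, marker=".rsrc"):
    """Names of the sections that follow `marker` in the table (empty if absent)."""
    names = [s["name"] for s in sections]
    if marker not in names:
        return []
    return names[names.index(marker) + 1:]


def raw_bytes_saved(sections, marker=".rsrc"):
    """File bytes occupied by the sections after `marker`."""
    tail = set(sections_after(sections, marker))
    return sum(s["rawsize"] for s in sections if s["name"] in tail)


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains `rva`, or None."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe(SAMPLE_LAYOUT))
    for s in secs:
        print(f"{s['name']:<8} RVA {s['rva']:08X} vsize {s['vsize']:08X} raw {s['rawsize']:08X}")
    print("after .rsrc:", sections_after(secs), "raw bytes:", hex(raw_bytes_saved(secs)))
    print("section covering 22A000:", section_for_rva(secs, 0x22A000))
```

With the constructed layout the walk lists .data, .adata and .mackt as the sections after .rsrc and resolves RVA 22A000 to .idata; on a real file, checking that the existing .idata section's VirtualSize can hold the rebuilt import table is the step that decides whether the new-section route can be skipped at all.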

britedream 02-16-2004 20:11

Ok, I will try to do that, but to test this today I copied a dump of an old version of this target which starts normally at the OEP, and replaced the current version. When I run it, it no longer runs from the OEP, but from inside ASProtect.
