#12
JMI, I just checked and you are right: 1.3a is the version I'm using as well. Though all my exceptions occur outside of the code section, all in the 00AXXXXX range.

Exceptions:

```
00A10671 <-- First exception
...25 exceptions later...
00A10019 <-- Last exception
```

I set a breakpoint on:

```
00A10053: JMP Dword PTR SS:[EBP-14]
```

Step into the jump and begin my trace. I get the entry point: 0047ED5F

I'm using XP SP1 on my home comp and NT on my work comp; both give me exceptions outside the program's address range. After pressing F9 to start the program I press Shift+F9 twenty-six more times to end on the last instruction. That may drop you to the equivalent of the code in my first post.

In HAVOK's paper in codebreakers he talked about how ASPR would jump to your .code section and then jump right back out again to make it harder to find the OEP. But as the exceptions are occurring inside the code I'm lost. I'll read up on it and see if it's mentioned anywhere.

But yes, I was confused as to why I keep getting an already packed error. However, I used stripper to dump it and it gave me the following:

```
03:52:15 - asprotect detected..
Image Base :00400000
03:52:15 - dumping victim..
03:52:15 - processing import table..
ImportAddressTable RVA :000990f8 - kernel32.dll
ImportAddressTable RVA :00099378 - user32.dll
ImportAddressTable RVA :00099024 - gdi32.dll
ImportAddressTable RVA :00099000 - advapi32.dll
ImportAddressTable RVA :0009936c - shell32.dll
ImportAddressTable RVA :0009932c - msacm32.dll
ImportAddressTable RVA :000995cc - winmm.dll
ImportAddressTable RVA :000995bc - version.dll
03:52:16 - fixing import table..
ImportAddress RVA :00099224 - kernel32.dll!LockResource
ImportAddress RVA :00099234 - kernel32.dll!GetCurrentProcessId
ImportAddress RVA :00099258 - kernel32.dll!FreeResource
ImportAddress RVA :0009925c - kernel32.dll!GetModuleHandleA
ImportAddress RVA :00099284 - kernel32.dll!GetCurrentProcess
ImportAddress RVA :0009929c - kernel32.dll!GetVersion
ImportAddress RVA :000992f4 - kernel32.dll!GetCommandLineA
ImportAddress RVA :000993d0 - user32.dll!DialogBoxParamA
03:52:18 - no stolen bytes are found..
EntryPoint RVA :0007ed5f
03:52:18 - saving unpacked file..
03:52:18 - file was unpacked successful..
03:52:18 - done..
```

A perfect unpack... Now if I could only do that.

Just a thought: Maybe my problem lies not in my dump or my IAT but rather my resulting file structure. My unpack will run, but there may be garbage in there that's throwing both w32dasm and asprotect off. I'll try and study up on my PE structures tomorrow.

Last edited by gabri3l; 04-29-2004 at 15:42.