Exetools  

Exetools > General > General Discussion
#1  neogen, 05-05-2004, 05:05
Quote:
Originally Posted by IWarez
Neh, it's not a virus. It's a custom crypting thingie and after that asprotect. As far as I can see it's a false warning.
StudPE says it is ASPACK 2.12... Can somebody confirm it?

My current state: I haven't had the time due to too many other projects... I will try it on my own in the next few days...

Cheers, neogen
#2  Crk, 05-05-2004, 21:24
OEP is: 0049899C -> 0009899C

the 0 you see before this location belongs to some Dword value .. don't touch it!

but the stolen bytes you gave might be confusing... I tried

558BEC83C4D8B894834900

my exe is not crashing but ends somewhere where the program quits or is not reading some part necessary to load...

of course there are some aspr. checks, as I said before... if you don't fix them the program will crash.... tip: RaiseException API

Also make sure that at 0042B68C the CALL DWORD has that RVA (dword value [FC824900]) in your dumped exe, or it will never work or even load at all.

The only solution will be to trace with the original one and step into the calls until the program reaches the code to be fully loaded... then trace with the dumped one to see the differences.

CALL EAX @ 0040400E.... and where exactly is this calling... RVA?

Last edited by Crk; 05-05-2004 at 21:41.
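The bookkeeping behind Crk's post, as an added example (not code from the thread or from any tool it names): convert the OEP virtual address 0049899C to the RVA 0009899C, map that RVA to a raw file offset in the dump, write the stolen bytes 558BEC83C4D8B894834900 there, and decode the CALL DWORD at 0042B68C to confirm that its operand (FC824900, little-endian 0x004982FC) points at a slot inside the dump that holds a resolved address. The image base, section table and dump buffer are constructed assumptions, not the real target's values.

```python
"""Added example, not code from the thread. Image base, section table and
the dump buffer are constructed; only the OEP, stolen bytes, call site and
call operand are the values quoted in the thread."""
import struct

IMAGE_BASE = 0x00400000  # assumption: default Win32 image base

# Constructed section table: (name, RVA, virtual size, raw pointer, raw size).
# A dump written with section rebuilding has raw size == virtual size, so the
# RVA -> file offset mapping inside a section is a plain subtraction.
SECTIONS = [
    ("CODE", 0x01000, 0x98000, 0x00400, 0x98000),  # hypothetical layout
    ("DATA", 0x99000, 0x04000, 0x98400, 0x04000),  # hypothetical layout
]

# Values quoted in the thread.
OEP_VA = 0x0049899C
# 55          push ebp
# 8B EC       mov  ebp, esp
# 83 C4 D8    add  esp, -28h
# B8 94834900 mov  eax, 00498394h
STOLEN_BYTES = bytes.fromhex("558BEC83C4D8B894834900")
CALL_SITE_VA = 0x0042B68C
# FF 15 FC824900  call dword ptr [004982FC]  (operand bytes as Crk quotes them)
CALL_SITE_BYTES = bytes.fromhex("FF15FC824900")
SLOT_VA = 0x004982FC


def va_to_rva(va, image_base=IMAGE_BASE):
    return va - image_base


def rva_to_raw(rva, sections=SECTIONS):
    """Map an RVA to a file offset, refusing addresses that are mapped at
    run time but have no bytes in the file (virtual-only section tails and
    gaps beyond the last section)."""
    for name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + vsize:
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError(f"RVA {rva:08X} lies in the virtual-only tail of {name}")
            return raw_ptr + delta
    raise ValueError(f"RVA {rva:08X} is not inside any section of the dump")


def va_to_raw(va):
    return rva_to_raw(va_to_rva(va))


def patch_stolen_bytes(dump, oep_va, stolen):
    """Write the stolen prologue back at the OEP and return the file offset used."""
    off = va_to_raw(oep_va)
    dump[off:off + len(stolen)] = stolen
    return off


def decode_call_dword_ptr(code):
    """Decode FF 15 imm32 (CALL DWORD PTR [imm32]) and return the slot address."""
    if code[:2] != b"\xFF\x15":
        raise ValueError("not a CALL DWORD PTR [imm32] at this address")
    return struct.unpack_from("<I", code, 2)[0]


def check_import_slot(dump, call_site_va):
    """Return (slot VA, dword stored in the slot) for the indirect call at call_site_va.
    A slot that maps to nothing, or holds zero, means the call crashes in the dump."""
    off = va_to_raw(call_site_va)
    slot_va = decode_call_dword_ptr(dump[off:off + 6])
    target = struct.unpack_from("<I", dump, va_to_raw(slot_va))[0]
    return slot_va, target


def build_constructed_dump():
    """Stand-in for the dumped file: zero-filled, sized from SECTIONS, with the
    indirect call already present and its slot filled with a made-up address."""
    size = max(raw_ptr + raw_size for _, _, _, raw_ptr, raw_size in SECTIONS)
    dump = bytearray(size)
    off = va_to_raw(CALL_SITE_VA)
    dump[off:off + len(CALL_SITE_BYTES)] = CALL_SITE_BYTES
    struct.pack_into("<I", dump, va_to_raw(SLOT_VA), 0x7C80ABCD)  # constructed, not a real export
    return dump


if __name__ == "__main__":
    dump = build_constructed_dump()
    print(f"OEP VA {OEP_VA:08X} -> RVA {va_to_rva(OEP_VA):08X} -> raw {va_to_raw(OEP_VA):08X}")
    off = patch_stolen_bytes(dump, OEP_VA, STOLEN_BYTES)
    print(f"stolen bytes written at raw offset {off:08X}")
    slot, target = check_import_slot(dump, CALL_SITE_VA)
    print(f"call at {CALL_SITE_VA:08X} reads slot {slot:08X}, which holds {target:08X}")
```

Against a real dump, replace SECTIONS with the section table read from the file's headers; the point of `rva_to_raw` raising on unmapped addresses is that an address the protected process can touch but the dump cannot (the kind of thing the thread runs into later) shows up as an error here rather than as an access violation under the debugger.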
#3  bedrock, 05-09-2004, 17:20
OK, I've gone back to looking at this target, but I'm not really sure what is going on. I've dumped and rebuilt the stolen bytes and IAT, and now I've started tracing through the dumped exe to see differences between the dump and the protected exe.

I get to here in the code:

Code:
00402250   . 8BC3           MOV EAX,EBX
00402252   . 85C0           TEST EAX,EAX
00402254   . 79 03          JNS SHORT dumped_.00402259
00402256   . 83C0 03        ADD EAX,3
00402259   > C1F8 02        SAR EAX,2
0040225C   . 8B15 24C64900  MOV EDX,DWORD PTR DS:[49C624]
00402262   . 8B5482 F4      MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
00402266   . 85D2           TEST EDX,EDX
00402268     74 79          JE SHORT dumped_.004022E3
0040226A   . 8BF2           MOV ESI,EDX
0040226C   . 8BC6           MOV EAX,ESI
0040226E   . 03C3           ADD EAX,EBX
00402270   . 8320 FE        AND DWORD PTR DS:[EAX],FFFFFFFE
00402273   . 8B42 04        MOV EAX,DWORD PTR DS:[EDX+4]
At 40225C, the address in [49C624] is 86FB0; in the dumped exe the memory at this address is EE FE EE FE, but in the protected exe it is 00 00 00 00, and this difference causes an access violation.

I have set this block of memory to 00 in Olly and continued, but I eventually get to trying to access 87000, which doesn't exist in the dumped target but does in the ASProtected target??

Can anyone point me in next step?

Thanks,

--
bedrock
#4  SvensK, 05-09-2004, 21:13
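A check worth having for the comparison bedrock describes, as an added example (not code from the thread). The value read from [49C624], 86FB0, is below the 0x400000 image base, so it lives outside the image in memory the process allocated at run time, and the little-endian dword FEEEFEEE is the pattern the Windows NT heap writes into freed blocks when the debug heap is active, which it is for any process launched under a debugger unless the debug heap is disabled (for instance with the _NO_DEBUG_HEAP=1 environment variable). BAADF00D (fresh allocation) and ABABABAB (block tail guard) are the other two debug-heap fills. The helper diffs two snapshots of the same address range and separates differences that are only heap fill from real content differences; both snapshots are constructed, not captured.

```python
"""Added example, not code from the thread. SNAP_DUMP and SNAP_PROTECTED are
constructed 16-byte snapshots of 00086FB0, not captured memory."""
import struct

DEBUG_HEAP_FILLS = {
    0xFEEEFEEE: "freed block (HEAP_FREE_CHECKING_ENABLED)",
    0xBAADF00D: "fresh, uninitialised allocation",
    0xABABABAB: "tail guard after a block (HEAP_TAIL_CHECKING_ENABLED)",
}


def debug_heap_fill(value):
    """Name of the debug-heap fill a dword matches, or None."""
    return DEBUG_HEAP_FILLS.get(value)


def diff_snapshots(base_va, snap_a, snap_b):
    """Compare two dumps of the same range dword by dword.
    Returns (real, fill): lists of (va, value_a, value_b, note); a difference
    goes to `fill` when either side is a known debug-heap fill pattern."""
    if len(snap_a) != len(snap_b) or len(snap_a) % 4:
        raise ValueError("snapshots must cover the same dword-aligned range")
    real, fill = [], []
    for off in range(0, len(snap_a), 4):
        a = struct.unpack_from("<I", snap_a, off)[0]
        b = struct.unpack_from("<I", snap_b, off)[0]
        if a == b:
            continue
        note = debug_heap_fill(a) or debug_heap_fill(b)
        (fill if note else real).append((base_va + off, a, b, note or "content differs"))
    return real, fill


# Constructed snapshots of 00086FB0 from the two runs.
# Dump under OllyDbg: two freed-heap fill dwords, then data.
SNAP_DUMP = bytes.fromhex("EEFEEEFE EEFEEEFE 10000000 78563412")
# Protected exe: same range, zeroed, with one dword that genuinely differs.
SNAP_PROTECTED = bytes.fromhex("00000000 00000000 10000000 00000000")


def report(base_va=0x00086FB0, snap_a=SNAP_DUMP, snap_b=SNAP_PROTECTED):
    """Print the classified differences and return them for further use."""
    real, fill = diff_snapshots(base_va, snap_a, snap_b)
    for va, a, b, note in fill:
        print(f"{va:08X}: {a:08X} vs {b:08X}  debug-heap fill, ignore: {note}")
    for va, a, b, note in real:
        print(f"{va:08X}: {a:08X} vs {b:08X}  {note}")
    return real, fill


if __name__ == "__main__":
    report()
```

Feed it the bytes OllyDbg shows for the same range in both processes; only the entries in `real` are differences between the dump and the original worth tracing.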
If you dump with OllyDump at OEP instead of dumping with AsprDumper you will get 00 00 00 00 in that area where you had FF FF FF FF.

I noticed this while I was testing.
#5  bedrock, 05-09-2004, 22:37
Hmmm strange

I made my dump with OllyDump; I dumped at the fake OEP after all ASPR exceptions had occurred and then pasted the stolen bytes in with a hex editor.

SvensK, have you got a working dump yet?

--
bedrock
#6  SvensK, 05-10-2004, 01:08
Nah, I quit trying after 3.0.1 was released.
#7  bedrock, 05-10-2004, 01:26
He he, I hadn't noticed 3.0.1 was out; I guess it's the same protection though.