KOrUPt

Unpacking ASPack

by KOrUPt on Dec.22, 2008, under Reversing

ASPack 2.12 is a fairly good packer, but a packer is all it really is… it compresses the executable rather than protecting it, so its level of protection isn’t that good… That makes it a good starting point for those looking to further their knowledge in reversing.

Packer: ASPack 2.12 -> Alexey Solodovnikov.
Level: Beginner.

Tools:
1. PEiD.
2. ImpRec.
3. OllyDbg.
4. OllyDump plugin.
5. Brain.

Open your target in OllyDbg; you should see a warning about the entrypoint being outside of the executable’s code section… Olly has twigged that our target may be packed and has decided to warn us… We know what we’re doing, so we’ll be brave and continue.

There’s no point analysing the code as it’s compressed.

If you take a look at the instructions around ASPack’s entrypoint you should see something similar to this:

PUSHAD
CALL 005F300A
JMP 45BC34F7
PUSH EBP
RETN

We can get to the OEP (Original Entry Point) using the ESP trick…

Step over the PUSHAD instruction (F8) and notice that the ESP register’s contents have now changed: the packer has just saved all the general-purpose registers on the stack, and it will restore them with a POPAD once decompression is finished, right before it transfers control to the OEP. Follow the ESP register in the dump window, set a hardware breakpoint (Size: dword. Type: on access) at the address you’ve just followed in the dump, and press F9 to continue execution.

You should end up somewhere that looks similar to this:

JNZ L003
MOV EAX, 1
RETN 0x0C
L003:
PUSH 0x0040C2E4
RETN

ASPack uses a PUSH + RETN instruction pair as a jump to the OEP (PUSH + RETN = JMP), so step through the loop until you hit the RETN instruction. Step into it (F7) and you’ll land at the OEP.

I’m debugging a VB application so my OEP looks like the following:

PUSH 0x0040C8A0 ; Push “VB****” string
CALL 0x0040C2DC ; Call ThunRTMain

We can now continue by dumping the application in its uncompressed form from memory using the OllyDump plugin; uncheck the rebuild imports option.

We now need to rebuild our dumped executable’s IAT if we want it to function correctly… IAT stands for Import Address Table; more info about it can be found in “An in-depth look inside Windows PE files”.

Most protectors and some packers destroy the IAT to prevent beginners from obtaining a working dump, and ASPack is one of those packers.

Launch ImpRec and fill in the OEP field with the OEP you got from OllyDump as an RVA (Relative Virtual Address), i.e. the virtual address minus the ImageBase. Now hit Auto-Search and then “Get Imports”… Most of the time (with ASPack) you won’t have any invalid pointers, and you can continue by just adding the IAT to your dump and saving changes…
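The two header facts this tutorial leans on are the ones Olly and ImpRec care about: whether the entrypoint lies in a different section than the real code (the warning Olly showed when the target was opened) and the OEP expressed as an RVA (what ImpRec asks for). The following is an added example, not code from the original post: a minimal PE32 header reader that performs both checks on a constructed sample header. The sample layout (a `.text` section, a `.data` section and an appended `.aspack` section holding the entrypoint) and the ImageBase of 0x400000 are assumptions chosen to resemble the packed VB program in the text; the “entrypoint outside code section” heuristic compares the entrypoint’s section with the one containing BaseOfCode, which is an approximation of Olly’s check rather than its exact logic.

```python
# Added example (not from the original post): a minimal PE32 header reader
# showing the two checks the tutorial relies on: the "entrypoint outside the
# code section" warning and the OEP as an RVA (VA - ImageBase) for ImpRec.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020   # section characteristic: contains code


def build_sample_pe(image_base, entry_rva, base_of_code, sections):
    """Construct a minimal PE32 header for offline testing.

    `sections` is a list of (name, virtual_address, virtual_size, characteristics).
    This is a constructed sample, not a real executable: only the fields the
    parser below reads are filled in, everything else is zero.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (224 for PE32), Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack(
        "<HBBIIIIIII",
        0x010B,          # PE32 magic
        0, 0,            # linker version
        0, 0, 0,         # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        entry_rva,       # AddressOfEntryPoint (an RVA)
        base_of_code,    # BaseOfCode
        0,               # BaseOfData
        image_base,      # ImageBase
    )
    opt += b"\x00" * (224 - len(opt))   # remaining Windows fields and data directories
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, va,
                    0, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return dos + b"PE\x00\x00" + coff + opt + secs


def parse_pe(data):
    """Return ImageBase, AddressOfEntryPoint, BaseOfCode and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != 0x010B:
        raise ValueError("only PE32 is handled here")
    entry_rva, base_of_code = struct.unpack_from("<II", data, opt_off + 16)
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, va, *_unused, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "characteristics": chars})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "base_of_code": base_of_code, "sections": sections}


def section_containing(pe, rva):
    """Section whose virtual range covers `rva`, or None."""
    for sec in pe["sections"]:
        if sec["va"] <= rva < sec["va"] + sec["vsize"]:
            return sec
    return None


def entry_point_outside_code(pe):
    """True when the entrypoint is not in the section holding BaseOfCode.

    This is the situation that makes OllyDbg warn that the target may be
    packed (assumed approximation of Olly's check, not its exact logic)."""
    ep_sec = section_containing(pe, pe["entry_rva"])
    code_sec = section_containing(pe, pe["base_of_code"])
    return ep_sec is None or code_sec is None or ep_sec is not code_sec


def oep_to_imprec_rva(oep_va, image_base):
    """ImpRec wants the OEP as an RVA: the address seen in Olly minus ImageBase."""
    if oep_va < image_base:
        raise ValueError("OEP lies below ImageBase")
    return oep_va - image_base


# Constructed layout modelled on an ASPack'ed VB program: the packer appends its
# own section and points the entrypoint into it. ImageBase 0x400000 is assumed.
SAMPLE = build_sample_pe(
    image_base=0x00400000,
    entry_rva=0x00060001,
    base_of_code=0x00001000,
    sections=[
        (b".text", 0x1000, 0x5E000, IMAGE_SCN_CNT_CODE | 0x60000000),  # code, RX
        (b".data", 0x5F000, 0x1000, 0xC0000040),                      # data, RW
        (b".aspack", 0x60000, 0x2000, IMAGE_SCN_CNT_CODE | 0xE0000000),  # packer, RWX
    ],
)


def report(data, oep_va):
    """Summarise what Olly would warn about and what ImpRec's OEP field needs."""
    pe = parse_pe(data)
    ep_sec = section_containing(pe, pe["entry_rva"])
    return {"entry_section": ep_sec["name"] if ep_sec else None,
            "packed_warning": entry_point_outside_code(pe),
            "imprec_oep": oep_to_imprec_rva(oep_va, pe["image_base"])}


if __name__ == "__main__":
    # 0x0040C8A0 is the OEP shown in the tutorial; with ImageBase 0x400000 it is RVA 0xC8A0
    print(report(SAMPLE, 0x0040C8A0))
```

Running the block on the sample reports that the entrypoint sits in `.aspack` rather than `.text` (the condition Olly warns about) and that the OEP `0x0040C8A0` from the tutorial becomes `0xC8A0` once the assumed ImageBase is subtracted, which is the value to type into ImpRec’s OEP field. The same `parse_pe` can be pointed at a real file read with `open(path, "rb")` to obtain the ImageBase instead of assuming it.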

In my case I had 2 invalid thunks. I proceeded by using ImpRec’s Trace Level 1 feature, which fixed one of the functions in the thunk table, but the other remained invalid. After disassembling it, it wasn’t too hard to notice the function was garbage (a trained eye helps in this case), so I simply cut the invalid pointer away and continued by attaching the IAT to my dump.

If all was done correctly, your dump should execute fine.

As always, if you’ve any questions, please let me know.

KOrUPt.


11 Comments for this entry

  • darkYuris

    “Launch ImpRec and fill in the OEP field with the OEP you got from OllyDump (RVA (Relative Virtual Address) – ImageBase), now hit Auto-Search and then “Get Imports”… Most of the time (with ASPack) you won’t have any invalid pointers and you can continue by just adding the IAT to your dump and saving changes…”

    didn’t get this part… my unpacked executable fails to run.

  • KOrUPt

    Given you didn’t understand the above statement, did you rebuild the import table at all?

    Define “fails to run”, is it a valid Windows PE file?

    KOrUPt.

  • Myrmidon

    Hi, I have a problem unpacking an ASPacked DLL (2.12).

    Can you help me look at the file?

    I suspect that the OEP is here somewhere, but ImportREC cannot find any useful OEP:

    008C93D4 55 PUSH EBP

    from this:
    008C93C5 E8 82CCFBFF CALL gamedrv_.0088604C
    008C93CA C3 RETN
    008C93CB 90 NOP
    008C93CC 832D 803A8D00 01 SUB DWORD PTR DS:[8D3A80],1
    008C93D3 C3 RETN
    008C93D4 55 PUSH EBP
    008C93D5 8BEC MOV EBP,ESP
    008C93D7 83C4 C4 ADD ESP,-3C
    008C93DA B8 BC7E8C00 MOV EAX,gamedrv_.008C7EBC
    008C93DF E8 B0D4FAFF CALL gamedrv_.00876894
    008C93E4 33C0 XOR EAX,EAX
    008C93E6 55 PUSH EBP
    008C93E7 68 14948C00 PUSH gamedrv_.008C9414
    008C93EC 64:FF30 PUSH DWORD PTR FS:[EAX]
    008C93EF 64:8920 MOV DWORD PTR FS:[EAX],ESP
    008C93F2 B8 98878800 MOV EAX,gamedrv_.00888798
    008C93F7 A3 F4078D00 MOV DWORD PTR DS:[8D07F4],EAX
    008C93FC B8 01000000 MOV EAX,1
    008C9401 E8 92F3FBFF CALL gamedrv_.00888798
    008C9406 33C0 XOR EAX,EAX
    008C9408 5A POP EDX
    008C9409 59 POP ECX
    008C940A 59 POP ECX

  • KOrUPt

    You haven’t provided enough information for me to give you reliable advice.

    Please upload the file in question and provide a description as what it’s for.

    KOrUPt.

  • Gonzo

    Hi my friend, I am having a problem trying to remove ASPack 2.12 from a well protected video codec DLL file. I have tried lots of tutorials and tools but with no luck. My skills are very basic on this and I shall really thank you a lot if you can guide me.

    Regards,

    Gonzo

  • KOrUPt

    I don’t have any specifics to provide decent advice… How come the tutorials were of no use? Are you sure this is ASPack you’re dealing with and not ASProtect or similar?

    I don’t have the time at the moment to take a shot at unpacking it for you. Sorry.

    KOrUPt.

  • ThunderLord

    Thanks man, it works perfectly

  • Konstantine

    Hi man! I see you are awesome at this. I try to remove the limitation of 12th century blackjack (a small yet funny game) but I can’t.. I am faced with ASProtect 2.1x SKE. I tried stripper (latest version) but it fails quickly, and OllyDbg + ImpRec (both latest version), which also fail, but I know it should work; I think I am not so smart to use them correctly :( Please could you help me to remove this limitation? Throw a look and tell me if it is as easy as it seems (for me it doesn’t seem so easy). I uploaded the file on: http://rapidshare.com/files/229631269/MEDIEVAL_BLACKJACK.zip.html (3.8mb). Many thanks man!

  • jack

    https://download.yousendit.com/U0d5L0dPdzhqV0JMWEE9PQ

    can you check this please, it is a DLL packed with ASPack, it is protected and my application can run,
    it crashes because of the protection but I can’t see why, thanks a lot

  • shinku

    Hi KOrUPt, what’s up

    Well, I’m studying RE stuff nowadays and I’d like to know why ImpRec crashes every time I change the size to the one it tells me to put, 000a9000.

    By default it puts this size: 00000640, and tells me that if it does not work I must change it to 000a9000, so when I fix the dumped file it tells me “IAT is still invalid”.

    any idea how to solve it buddy? I’m trying to remove some invalid pointers with Olly but it’s bothersome and I do not know how many pointers are corrupted

    tomorrow i’ll be at #io hope to find you there

    []’s

    Shinku

  • XPN

    Excellent tut mate, just getting into unpacking and this was a good first step.

    Thanks again
    XPN
