ASPack 2.12 is a decent compressor, but a compressor is all it really is, so its level of protection isn't high… That makes it a good starting point for anyone looking to further their knowledge of reversing.
Packer: ASPack 2.12 -> Alexey Solodovnikov.
Level: Beginner.
Tools:
1. PEiD.
2. ImpRec.
3. OllyDbg.
4. OllyDump plugin.
5. Brain.
Open your target in OllyDbg. You should see a warning that the entry point lies outside of the executable's code section… Olly has twigged that our target may be packed and has decided to warn us… We know what we're doing, so we'll be brave and continue.
When Olly then asks whether it should analyse the code, say no: there's no point analysing it while it's still compressed.
If you take a look at the instructions around ASPack’s entrypoint you should see something similar to this:
PUSHAD
CALL 005F300A
JMP 45BC34F7
PUSH EBP
RETN
We can get to the OEP (Original Entry Point) using the ESP trick…
Step over the PUSHAD instruction (F8) and notice that the ESP register's contents have changed: PUSHAD pushed all eight general-purpose registers, so ESP dropped by 0x20. Follow ESP in the dump window and set a hardware breakpoint (size: Dword, type: on access) at the address you've just followed, then press F9 to continue execution. The unpacking stub restores the registers with a matching POPAD just before it hands over to the original code, and that POPAD reads the dword we're watching, so the breakpoint fires right at the end of the stub.
You should end up somewhere that looks similar to this:
JNZ L003
MOV EAX, 1
RETN 0x0C
L003:
PUSH 0x0040C2E4
RETN
ASPack uses a PUSH + RETN pair as its jump to the OEP (PUSH address followed by RETN behaves exactly like JMP address), so step through the loop until you hit the RETN instruction. Step into it (F7) and you'll land at the OEP.
I'm debugging a VB application, so my OEP looks like the following:
PUSH 0x0040C8A0 ; Push "VB****" string
CALL 0x0040C2DC ; Call ThunRTMain
We can now dump the application in its uncompressed form from memory using the OllyDump plugin; uncheck the rebuild imports option, as we'll rebuild the IAT with ImpRec instead.
We now need to rebuild our dumped executable's IAT if we want it to function correctly… IAT stands for Import Address Table; more information about it can be found here: An in-depth look inside Windows PE files.
Most protectors and some packers destroy the IAT to stop beginners from obtaining a working dump; ASPack is one of those packers.
Launch ImpRec, attach it to the still-running process, and fill in the OEP field with the OEP as an RVA (Relative Virtual Address), i.e. the virtual address you landed on minus the ImageBase (for my OEP that is 0x0040C8A0 - 0x00400000 = 0xC8A0; OllyDump shows the same value in its Entry Point field). Now hit IAT AutoSearch and then "Get Imports"… Most of the time (with ASPack) you won't have any invalid pointers and you can continue by just adding the IAT to your dump with "Fix Dump" and saving the changes…
In my case I had 2 invalid thunks. I proceeded by using ImpRec's Trace Level 1 feature, which fixed one of the functions in the thunk table, but the other remained invalid. After disassembling it, it wasn't too hard to notice the function was garbage (a trained eye helps in this case), so I simply cut the invalid pointers away and continued by attaching the IAT to my dump. Cutting a thunk is only safe if the dumped code never calls through that slot; if the dump crashes later, come back and trace it instead.
If all was done correctly your dump should execute fine.
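Two of the steps above are just arithmetic on the PE header that you can check without a debugger: Olly's "entry point outside the code section" warning, and the OEP-to-RVA conversion that ImpRec expects. The script below is an added example, not part of the original write-up or any of the tools it uses. It parses only the PE32 headers it needs, flags an entry point that sits outside the first code section (an approximation of Olly's heuristic), lists the section names ASPack commonly adds (.aspack and .adata), and converts a virtual address to the RVA ImpRec wants, refusing a value below the ImageBase. The sample image is constructed inline with headers only (no section data) and is not a real ASPack-packed file; every function and section layout here is my own assumption.

```python
"""Headers-only PE32 checks for the ASPack unpacking walkthrough (added example).

The SAMPLE_PE bytes are constructed below for demonstration; they are not a
real binary. Layout mimics a VB program packed with ASPack: .text holds the
real code, the entry point points into .aspack.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020  # section contains executable code
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040


def parse_pe(data: bytes) -> dict:
    """Return image base, entry RVA and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20                          # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        (name, vsize, va, _raw_size, _raw_ptr, _reloc, _line,
         _nreloc, _nline, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "chars": chars})
        off += 40
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def entry_point_outside_code(pe: dict) -> bool:
    """Approximation of OllyDbg's warning: EP is not in the first code section."""
    first_code = next((s for s in pe["sections"] if s["chars"] & IMAGE_SCN_CNT_CODE), None)
    ep_section = section_for_rva(pe["sections"], pe["entry_rva"])
    return first_code is None or ep_section is None or ep_section is not first_code


def aspack_section_names(pe: dict) -> list:
    """Section names ASPack commonly appends (a hint, not proof of packing)."""
    return [s["name"] for s in pe["sections"] if s["name"] in (".aspack", ".adata")]


def oep_rva(oep_va: int, image_base: int) -> int:
    """ImpRec's OEP field is an RVA: virtual address minus ImageBase."""
    if oep_va < image_base:
        raise ValueError("OEP 0x%X is below ImageBase 0x%X" % (oep_va, image_base))
    return oep_va - image_base


def _section_header(name, va, vsize, raw_ptr, raw_size, chars) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)


def _build_sample() -> bytes:
    """Constructed PE32 headers: 4 sections, entry point inside .aspack."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 2, 12, 0xD000, 0x5000, 0,
                      0x10001,      # AddressOfEntryPoint -> .aspack
                      0x1000, 0xE000, 0x400000).ljust(0xE0, b"\0")
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    rw_data = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    secs = (_section_header(b".text", 0x1000, 0xD000, 0x400, 0xD000, code)
            + _section_header(b".data", 0xE000, 0x2000, 0xD400, 0x2000, rw_data)
            + _section_header(b".aspack", 0x10000, 0x3000, 0xF400, 0x3000, code | IMAGE_SCN_MEM_WRITE)
            + _section_header(b".adata", 0x13000, 0x1000, 0x12400, 0x1000, rw_data))
    return dos + b"PE\0\0" + file_hdr + opt + secs


SAMPLE_PE = _build_sample()

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    ep = section_for_rva(pe["sections"], pe["entry_rva"])
    print("EP RVA 0x%X in %s, outside code: %s" % (pe["entry_rva"], ep["name"], entry_point_outside_code(pe)))
    print("packer sections:", aspack_section_names(pe))
    print("ImpRec OEP for VA 0x0040C8A0: 0x%X" % oep_rva(0x0040C8A0, pe["image_base"]))
```

The same functions work on a real file if you read it into `data` instead of `SAMPLE_PE`; the check is header-only, so it is a quick triage step rather than a substitute for PEiD's signature match.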
As always, if you’ve any questions, please let me know.
KOrUPt.