OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Packer Name	Packer Author	Classification	Analysis By	Last Updated
ASPack 2.12	Alexey Solodovnikov	Compressor	quig	June 15 2005

Allocation	Anti-Debug	Anti-Disassembly	Section Name	Sample
PE Header	no	yes	aspack	N/A

Notes
This is an easy one to find the OEP of. Single step through a couple of opcode tricks and into the main unpack loop. You should notice a JNZ to a very distant address. This distant address turns out to be the end of the packer.

Transfer Command

push [patched value]
ret

Entry Point Signature

.aspack:00412001                 public start
.aspack:00412001 start           proc near
.aspack:00412001                 pusha
.aspack:00412002                 call    skipBytes
.aspack:00412002 ; ---------------------------------------------------------------------------
.aspack:00412007                 db 0E9h
.aspack:00412008 ; ---------------------------------------------------------------------------
.aspack:00412008                 jmp     short loc_41200E ; ret address
.aspack:0041200A ; ---------------------------------------------------------------------------
.aspack:0041200A
.aspack:0041200A skipBytes:                              ; CODE XREF: start+1p
.aspack:0041200A                 pop     ebp             ; = fx ret addr after call (412007)
.aspack:0041200B                 inc     ebp
.aspack:0041200C                 push    ebp
.aspack:0041200D                 retn
.aspack:0041200D start           endp ; sp = -20h
.aspack:0041200D

.aspack:0041200E
.aspack:0041200E loc_41200E:                             ; CODE XREF: start+7j
.aspack:0041200E                 call    loc_412014
.aspack:0041200E ; ---------------------------------------------------------------------------
.aspack:00412013                 db 0EBh
.aspack:00412014 ; ---------------------------------------------------------------------------
.aspack:00412014
.aspack:00412014 loc_412014:                             ; CODE XREF: .aspack:loc_41200Ep
.aspack:00412014                 pop     ebp
.aspack:00412015                 mov     ebx, 0FFFFFFEDh
.aspack:0041201A                 add     ebx, ebp
.aspack:0041201C                 sub     ebx, 12000h
.aspack:00412022                 cmp     dword ptr [ebp+422h], 0
.aspack:00412029                 mov     [ebp+422h], ebx
.aspack:0041202F                 jnz     END_OF_PACKER

.aspack:0041239A END_OF_PACKER:                          

.aspack:0041239A                                         
.aspack:0041239A                 mov     eax, 0A870h     ; original entry point offset
.aspack:0041239F                 push    eax
.aspack:004123A0                 add     eax, [ebp+422h] ;add image base to offset
.aspack:004123A6                 pop     ecx
.aspack:004123A7                 or      ecx, ecx
.aspack:004123A9                 mov     [ebp+3A8h], eax ;patch 004123BA to be push [offset]
.aspack:004123AF                 popa
.aspack:004123B0                 jnz     short loc_4123BA
.aspack:004123B2                 mov     eax, 1
.aspack:004123B7                 retn    0Ch             ; error exit ?
.aspack:004123BA ; ---------------------------------------------------------------------------
.aspack:004123BA
.aspack:004123BA loc_4123BA:                             ; CODE XREF: .aspack:004123B0j
.aspack:004123BA                 push    0               ; put a ret addr on stack 
.aspack:004123BF                 retn                    ; ret to pushed address

Known Unpackers

// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/* 
Find target's OEP [ ASPack v2.12 ] v0.1
---------------------------------------
Author: DeAtH HaS cOMe #eCh!2004 .:[ CracksLatinos ]:.
Email : [email protected] 
OS : Win XP SP1,OllyDbg 1.10,OllyScript v0.92 
Date : 09.10.2004 
Config: No BreakPoint sets
Note : Any bug or comments, please report at [email protected]
That's all folks!
Un saludo para todo CracksLatinoS, maravillosos listeros, y para mi enana Aur

There are 31,313 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit