Packer Name:      ASPack 2.12
Packer Author:    Alexey Solodovnikov
Classification:   Compressor
Analysis By:      quig
Last Updated:     June 15 2005

Allocation:       PE Header
Anti-Debug:       no
Anti-Disassembly: yes
Section Name:     aspack
Sample:           N/A
Notes
This packer's OEP (original entry point) is easy to find.

Single step through a couple of opcode tricks and into the main unpack loop. You should notice a JNZ to a *very* distant address.

This distant address turns out to be the end of the packer.

Transfer Command
push [patched value]
ret
Entry Point Signature
.aspack:00412001                 public start
.aspack:00412001 start           proc near
.aspack:00412001                 pusha
.aspack:00412002                 call    skipBytes
.aspack:00412002 ; ---------------------------------------------------------------------------
.aspack:00412007                 db 0E9h
.aspack:00412008 ; ---------------------------------------------------------------------------
.aspack:00412008                 jmp     short loc_41200E ; ret address
.aspack:0041200A ; ---------------------------------------------------------------------------
.aspack:0041200A
.aspack:0041200A skipBytes:                              ; CODE XREF: start+1p
.aspack:0041200A                 pop     ebp             ; = fx ret addr after call (412007)
.aspack:0041200B                 inc     ebp
.aspack:0041200C                 push    ebp
.aspack:0041200D                 retn
.aspack:0041200D start           endp ; sp = -20h
.aspack:0041200D

.aspack:0041200E
.aspack:0041200E loc_41200E:                             ; CODE XREF: start+7j
.aspack:0041200E                 call    loc_412014
.aspack:0041200E ; ---------------------------------------------------------------------------
.aspack:00412013                 db 0EBh
.aspack:00412014 ; ---------------------------------------------------------------------------
.aspack:00412014
.aspack:00412014 loc_412014:                             ; CODE XREF: .aspack:loc_41200Ep
.aspack:00412014                 pop     ebp
.aspack:00412015                 mov     ebx, 0FFFFFFEDh
.aspack:0041201A                 add     ebx, ebp
.aspack:0041201C                 sub     ebx, 12000h
.aspack:00412022                 cmp     dword ptr [ebp+422h], 0
.aspack:00412029                 mov     [ebp+422h], ebx
.aspack:0041202F                 jnz     END_OF_PACKER

.aspack:0041239A END_OF_PACKER:                          

.aspack:0041239A                                         
.aspack:0041239A                 mov     eax, 0A870h     ; original entry point offset
.aspack:0041239F                 push    eax
.aspack:004123A0                 add     eax, [ebp+422h] ;add image base to offset
.aspack:004123A6                 pop     ecx
.aspack:004123A7                 or      ecx, ecx
.aspack:004123A9                 mov     [ebp+3A8h], eax ;patch 004123BA to be push [offset]
.aspack:004123AF                 popa
.aspack:004123B0                 jnz     short loc_4123BA
.aspack:004123B2                 mov     eax, 1
.aspack:004123B7                 retn    0Ch             ; error exit ?
.aspack:004123BA ; ---------------------------------------------------------------------------
.aspack:004123BA
.aspack:004123BA loc_4123BA:                             ; CODE XREF: .aspack:004123B0j
.aspack:004123BA                 push    0               ; put a ret addr on stack 
.aspack:004123BF                 retn                    ; ret to pushed address 
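As an added example (not part of the original analysis), the following Python replays the stub's own arithmetic statically: it checks the entry-point signature above, derives the image base the way `mov ebx, 0FFFFFFEDh / add ebx, ebp / sub ebx, 12000h` does, follows the JNZ to END_OF_PACKER, reads the `mov eax, 0A870h` operand, and confirms that `mov [ebp+3A8h], eax` lands on the imm32 of the `push 0` that becomes the transfer command. The section bytes are constructed from the listing (my own encoding of the listed instructions; the unpack loop between the two fragments is zero-filled).

```python
import struct

# Constructed sample of the .aspack section (VA 0x412000..0x4123C0) built from the
# two listing fragments; the unpack loop between them is NOT reproduced (zero-filled).
SECTION_VA, ENTRY_VA = 0x412000, 0x412001
STUB_HEAD = bytes.fromhex(
    "60" "E803000000" "E9" "EB04" "5D4555C3"   # pusha; call; junk byte; jmp; pop/inc/push/retn
    "E801000000" "EB" "5D"                     # call; junk byte; pop ebp (ebp = 0x412013)
    "BBEDFFFFFF" "03DD" "81EB00200100"         # mov ebx,-13h; add ebx,ebp; sub ebx,12000h
    "83BD2204000000" "899D22040000"            # cmp/mov dword [ebp+422h] (image base slot)
    "0F8565030000")                            # jnz END_OF_PACKER (rel32 = 0x365)
STUB_TAIL = bytes.fromhex(
    "B870A80000" "50" "038522040000" "59" "0BC9"  # mov eax,0A870h; push eax; add eax,[ebp+422h]; pop ecx; or ecx,ecx
    "8985A8030000" "61" "7508"                    # mov [ebp+3A8h],eax; popa; jnz short loc_4123BA
    "B801000000" "C20C00" "6800000000" "C3")      # error exit; push 0 (gets patched); retn
SECTION = bytearray(0x3C0)
SECTION[ENTRY_VA - SECTION_VA:ENTRY_VA - SECTION_VA + len(STUB_HEAD)] = STUB_HEAD
SECTION[0x39A:0x39A + len(STUB_TAIL)] = STUB_TAIL

def _expect(cond: bool, what: str) -> None:
    if not cond:
        raise ValueError("ASPack 2.12 stub check failed: " + what)

def recover_oep(section: bytes, section_va: int, entry_va: int) -> dict:
    """Statically replay the stub's delta arithmetic; return image base, OEP and patch site."""
    h = entry_va - section_va
    _expect(section[h:h + 20] == bytes.fromhex("60E803000000E9EB045D4555C3E801000000EB5D"),
            "entry-point signature")
    ebp = entry_va + 0x12                              # return address popped by the 2nd pop ebp
    _expect(section[h + 20] == 0xBB and section[h + 25:h + 29] == b"\x03\xdd\x81\xeb",
            "mov ebx / add ebx,ebp / sub ebx sequence")
    mov_imm = struct.unpack_from("<i", section, h + 21)[0]   # signed: -0x13
    sub_imm = struct.unpack_from("<I", section, h + 29)[0]   # 0x12000
    image_base = (ebp + mov_imm - sub_imm) & 0xFFFFFFFF     # what the stub stores at [ebp+422h]
    _expect(section[h + 46:h + 48] == b"\x0f\x85", "jnz rel32 to END_OF_PACKER")
    end_va = entry_va + 52 + struct.unpack_from("<i", section, h + 48)[0]
    t = end_va - section_va
    # END_OF_PACKER: mov eax, oep_rva ; push eax ; add eax, [ebp+422h]
    _expect(section[t] == 0xB8 and section[t + 5:t + 12] == bytes.fromhex("50038522040000"),
            "END_OF_PACKER fragment at %#x" % end_va)
    oep_rva = struct.unpack_from("<I", section, t + 1)[0]
    # mov [ebp+3A8h], eax writes the OEP into the imm32 of the 'push 0' at 4123BA
    _expect(section[t + 15:t + 17] == b"\x89\x85", "mov [ebp+disp32], eax")
    patch_va = ebp + struct.unpack_from("<I", section, t + 17)[0]
    _expect(section[patch_va - 1 - section_va] == 0x68, "push imm32 at the patch target")
    return {"image_base": image_base, "oep": image_base + oep_rva,
            "end_of_packer_va": end_va, "patched_imm32_va": patch_va}

if __name__ == "__main__":
    print({k: hex(v) for k, v in recover_oep(SECTION, SECTION_VA, ENTRY_VA).items()})
```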



Known Unpackers
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/* 
Find target's OEP [ ASPack v2.12 ] v0.1
---------------------------------------
Author: DeAtH HaS cOMe #eCh!2004 .:[ CracksLatinos ]:.
Email : death_ech@phreaker.net 
OS : Win XP SP1,OllyDbg 1.10,OllyScript v0.92 
Date : 09.10.2004 
Config: No BreakPoint sets
Note : Any bug or comments, please report at death_ech@phreaker.net
That's all folks!
Greetings to all of CracksLatinoS, wonderful list members, and to my little one Aur
