

Packer Name    Packer Author         Classification   Analysis By   Last Updated
ASPack 2.12    Alexey Solodovnikov   Compressor       quig          June 15 2005

Allocation     Anti-Debug   Anti-Disassembly   Section Name   Sample
PE Header      no           yes                aspack         N/A
Notes
The OEP of this packer is easy to find.

Single-step through a couple of opcode tricks (the call/pop/inc/push/ret sequence and the junk bytes it skips) and into the main unpack loop. You should notice a JNZ to a *very* distant address.

This distant address turns out to be the end of the packer, where control is transferred to the OEP.

Transfer Command
push [patched value]
ret
Entry Point Signature
.aspack:00412001                 public start
.aspack:00412001 start           proc near
.aspack:00412001                 pusha
.aspack:00412002                 call    skipBytes
.aspack:00412002 ; ---------------------------------------------------------------------------
.aspack:00412007                 db 0E9h
.aspack:00412008 ; ---------------------------------------------------------------------------
.aspack:00412008                 jmp     short loc_41200E ; ret address
.aspack:0041200A ; ---------------------------------------------------------------------------
.aspack:0041200A
.aspack:0041200A skipBytes:                              ; CODE XREF: start+1p
.aspack:0041200A                 pop     ebp             ; = ret addr after call (412007), the junk 0E9h byte
.aspack:0041200B                 inc     ebp             ; step past the junk byte to 412008
.aspack:0041200C                 push    ebp
.aspack:0041200D                 retn                    ; "returns" to 412008: jmp short loc_41200E
.aspack:0041200D start           endp ; sp = -20h
.aspack:0041200D

.aspack:0041200E
.aspack:0041200E loc_41200E:                             ; CODE XREF: start+7j
.aspack:0041200E                 call    loc_412014
.aspack:0041200E ; ---------------------------------------------------------------------------
.aspack:00412013                 db 0EBh
.aspack:00412014 ; ---------------------------------------------------------------------------
.aspack:00412014
.aspack:00412014 loc_412014:                             ; CODE XREF: .aspack:loc_41200Ep
.aspack:00412014                 pop     ebp             ; ebp = 412013, ret addr of the call above
.aspack:00412015                 mov     ebx, 0FFFFFFEDh ; -13h
.aspack:0041201A                 add     ebx, ebp        ; ebx = 412000, start of the .aspack section
.aspack:0041201C                 sub     ebx, 12000h     ; minus the section RVA = image base (400000)
.aspack:00412022                 cmp     dword ptr [ebp+422h], 0 ; image base already saved?
.aspack:00412029                 mov     [ebp+422h], ebx ; save image base for later
.aspack:0041202F                 jnz     END_OF_PACKER   ; taken when [ebp+422h] was already nonzero

.aspack:0041239A END_OF_PACKER:
.aspack:0041239A                 mov     eax, 0A870h     ; original entry point RVA
.aspack:0041239F                 push    eax
.aspack:004123A0                 add     eax, [ebp+422h] ; add the image base saved at 412029 to the RVA
.aspack:004123A6                 pop     ecx
.aspack:004123A7                 or      ecx, ecx        ; ZF set only if the OEP RVA was zero
.aspack:004123A9                 mov     [ebp+3A8h], eax ; patch the imm32 of "push 0" at 4123BA to the OEP VA
.aspack:004123AF                 popa                    ; restore the registers saved by pusha at start
.aspack:004123B0                 jnz     short loc_4123BA
.aspack:004123B2                 mov     eax, 1
.aspack:004123B7                 retn    0Ch             ; error exit ?
.aspack:004123BA ; ---------------------------------------------------------------------------
.aspack:004123BA
.aspack:004123BA loc_4123BA:                             ; CODE XREF: .aspack:004123B0j
.aspack:004123BA                 push    0               ; imm32 patched above: puts the OEP on the stack
.aspack:004123BF                 retn                    ; ret to the pushed address = OEP
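The delta-offset trick, the distant JNZ and the push/ret transfer described in the notes and the listing above can be checked statically. The following Python is an added example written for this page; it is not code from the analysis author or from ASPack. The machine-code bytes for the entry stub were hand-assembled from the disassembly above and are an assumption of this example (the page only shows the disassembly), and the sample section buffer is constructed with only the bytes the functions read. It replays the image-base arithmetic the stub performs, follows the JNZ rel32 to END_OF_PACKER instead of hard-coding the distance, reads the OEP RVA from the `mov eax, imm32` found there, and applies the same imm32 patch the packer does so the resulting transfer command can be decoded.

```python
import struct

# ASPack 2.12 entry stub (pusha ... jnz END_OF_PACKER), hand-assembled from
# the listing on this page. The byte encoding is an assumption of this example.
ASPACK_212_ENTRY = bytes.fromhex(
    "60"              # pusha
    "E803000000"      # call skipBytes          (ret addr = entry+6)
    "E9"              # junk byte, stepped over by inc ebp
    "EB04"            # jmp short loc_41200E
    "5D"              # pop ebp
    "45"              # inc ebp
    "55"              # push ebp
    "C3"              # retn
    "E801000000"      # call loc_412014         (ret addr = entry+0x12)
    "EB"              # junk byte, jumped over by the call
    "5D"              # pop ebp   -> ebp = entry+0x12
    "BBEDFFFFFF"      # mov ebx, 0FFFFFFEDh     (-0x13)
    "03DD"            # add ebx, ebp            -> start of the .aspack section
    "81EB00200100"    # sub ebx, 12000h         -> image base
    "83BD2204000000"  # cmp dword ptr [ebp+422h], 0
    "899D22040000"    # mov [ebp+422h], ebx
    "0F8565030000"    # jnz END_OF_PACKER       (rel32 = 0x365)
)

# Offsets relative to the entry point, all derived from the listing.
EBP_AT_UNPACK = 0x12        # 0x412013 - 0x412001: ebp after the second "pop ebp"
JNZ_OFFSET = 0x2E           # 0x41202F - 0x412001: the jnz to END_OF_PACKER
STUB_SECTION_RVA = 0x12000  # operand of "sub ebx, 12000h"
IMAGE_BASE_SLOT = 0x422     # [ebp+422h]: where the stub stores the image base
PUSH_IMM_SLOT = 0x3A8       # [ebp+3A8h]: imm32 of the final "push 0"
MASK32 = 0xFFFFFFFF


def stub_image_base(ebp: int) -> int:
    """Replay the delta-offset arithmetic the stub uses to find its image base."""
    ebx = (0xFFFFFFED + ebp) & MASK32          # mov ebx, -13h / add ebx, ebp
    return (ebx - STUB_SECTION_RVA) & MASK32   # sub ebx, 12000h


def end_of_packer_offset(stub: bytes) -> int:
    """Locate END_OF_PACKER by following the jnz rel32 rather than hard-coding it."""
    if not stub.startswith(ASPACK_212_ENTRY):
        raise ValueError("entry point does not match the ASPack 2.12 stub")
    rel32 = struct.unpack_from("<i", stub, JNZ_OFFSET + 2)[0]
    return JNZ_OFFSET + 6 + rel32              # 0x2E + 6 + 0x365 = 0x399


def recover_oep(stub: bytes, image_base: int) -> int:
    """Static OEP recovery: read the RVA from "mov eax, imm32" at END_OF_PACKER."""
    end = end_of_packer_offset(stub)
    if stub[end] != 0xB8:                      # opcode of mov eax, imm32
        raise ValueError("expected mov eax, imm32 at END_OF_PACKER")
    oep_rva = struct.unpack_from("<I", stub, end + 1)[0]
    return (image_base + oep_rva) & MASK32


def simulate_transfer(stub: bytes, image_base: int) -> tuple:
    """Apply the two stores the stub makes and decode the resulting push/ret."""
    buf = bytearray(stub)
    oep = recover_oep(buf, image_base)
    struct.pack_into("<I", buf, EBP_AT_UNPACK + IMAGE_BASE_SLOT, image_base)  # mov [ebp+422h], ebx
    struct.pack_into("<I", buf, EBP_AT_UNPACK + PUSH_IMM_SLOT, oep)           # mov [ebp+3A8h], eax
    push_at = EBP_AT_UNPACK + PUSH_IMM_SLOT - 1   # opcode 68h sits one byte before its imm32
    transfer = bytes(buf[push_at:push_at + 6])    # push imm32 ; retn
    if transfer[0] != 0x68 or transfer[5] != 0xC3:
        raise ValueError("transfer command is not push imm32 / retn")
    return transfer, struct.unpack_from("<I", transfer, 1)[0]


def build_sample_stub() -> bytes:
    """Constructed stand-in for the .aspack section holding only the bytes read above."""
    buf = bytearray(0x440)
    buf[:len(ASPACK_212_ENTRY)] = ASPACK_212_ENTRY
    end = JNZ_OFFSET + 6 + 0x365                  # 0x399, i.e. 41239A in the listing
    buf[end:end + 5] = b"\xB8\x70\xA8\x00\x00"    # mov eax, 0A870h
    push_at = EBP_AT_UNPACK + PUSH_IMM_SLOT - 1   # 0x3B9, i.e. 4123BA: push 0
    buf[push_at:push_at + 5] = b"\x68\x00\x00\x00\x00"
    buf[push_at + 5] = 0xC3                       # retn
    return bytes(buf)


if __name__ == "__main__":
    stub = build_sample_stub()
    base = stub_image_base(0x412013)
    print(f"image base : {base:#010x}")
    print(f"OEP        : {recover_oep(stub, base):#010x}")
    tr, target = simulate_transfer(stub, base)
    print(f"transfer   : {tr.hex()} -> push {target:#x}; ret")
```

On the values from the listing this yields image base 0x400000, OEP 0x40A870 and the transfer bytes `68 70 A8 40 00 C3` (push 40A870h; ret). The signature check at the top is what keeps `recover_oep` honest: on a section that is not this exact stub the jnz-following and the fixed slot offsets would read garbage, so the function refuses rather than guess.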



Known Unpackers
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/* 
Find target's OEP [ ASPack v2.12 ] v0.1
---------------------------------------
Author: DeAtH HaS cOMe #eCh!2004 .:[ CracksLatinos ]:.
Email : death_ech@phreaker.net 
OS : Win XP SP1,OllyDbg 1.10,OllyScript v0.92 
Date : 09.10.2004 
Config: No BreakPoint sets
Note : Any bug or comments, please report at death_ech@phreaker.net
That's all folks!
Greetings to all of CracksLatinoS, wonderful list members, and to my little one Aur
