
Hi all.

ASPack 2.12 is a fairly good packer as packers go (around a 70% compression ratio), but that's all it really is, a packer, so its protection level is weak to say the least… For that reason I rate it as beginner level :P.

Nonetheless it may interest some of you, so let’s get started…

Packer: ASPack 2.12 -> Alexey Solodovnikov.
Target: It doesn’t matter.
Level: Beginner.

Tools:

  1. PEiD.
  2. ImpRec.
  3. OllyDbg.
  4. OllyDump plugin.
  5. Brain.

–FINDING OEP—

Open your target in OllyDbg; you should see a warning about the entry point being outside of the executable's code section… Seems Olly has twigged that our target may be packed ;)… Let's continue; there's no point analyzing the code at this stage, as the original code is still compressed and only gets unpacked by the stub at runtime.

If you take a look at ASPack’s entry point you should see something like this:

PUSHAD
CALL 005F300A
JMP 45BC34F7
PUSH EBP
RETN

Do you see what I see? We can get to the OEP (Original Entry Point) using the ESP trick… (Don't try to make sense of that JMP to a far-off address: the CALL lands three bytes past itself, in the middle of the JMP's bytes, so Olly's linear disassembly of this stub is misleading. The stub runs fine regardless; it's just there to confuse disassemblers.)

Step over the PUSHAD instruction and notice that the ESP register in the Registers window has changed (PUSHAD pushed all eight general-purpose registers, 32 bytes, so ESP dropped by 0x20). Follow ESP in the dump (if you don't understand this, read my previous article), set a hardware breakpoint (on access, DWORD) on the first 4 bytes at the address you've just followed, and press F9 to run. The reason this works: the stub restores those registers with a POPAD right before it jumps to the OEP, and the breakpoint fires on that read, so you stop a few instructions short of the original code.
You should end up somewhere that looks roughly like this:

JNZ L003
MOV EAX, 1
RETN 0C
L003:
PUSH SmartyUn.0040C2E4
RETN

ASPack uses PUSH + RETN as its jump to the OEP (PUSH addr followed by RETN is equivalent to JMP addr, but gives a disassembler no branch target to follow), so step through until you hit the RETN instruction (the JNZ should take you to L003; the MOV EAX, 1 / RETN 0C branch is not the one we want). Step into the RETN and you'll land at the OEP.

I’m debugging a VB(ugh) application so my OEP looks like the following:

PUSH SmartyUn.0040C8A0 ; Push “VB****” string
CALL SmartyUn.0040C2DC ; Call ThunRTMain

(Through experience I’m well aware that this is VB’s OEP, Practice makes perfect…)

Continue by dumping the application with the OllyDump plugin (Plugins -> OllyDump -> Dump debugged process). Make sure the Entry Point field holds the address you are now at minus the ImageBase (the "Get EIP as OEP" button does this for you), and un-check the Rebuild Import option; we'll rebuild the imports with ImpRec instead.

–REBUILDING THE IAT—

What's the IAT? IAT stands for Import Address Table: the table of pointers to imported API functions that the Windows loader fills in when the executable starts, using the import directory in the PE header to work out which DLL and function each slot belongs to. I'd suggest you Google it for more detail, as I don't want to go too in-depth at the moment.

Most protectors and some packers destroy the IAT to prevent beginners from reversing the target, and ASPack is one of those packers: its stub resolves the imports itself at runtime, so the import directory in your dumped file is not usable as-is and the dump will not run until it has been rebuilt.

Launch ImpRec, attach it to the still-running (and now unpacked in memory) target process, and fill in the OEP field with the OEP as an RVA (Relative Virtual Address), i.e. the virtual address you landed at minus the ImageBase; this is the same value OllyDump showed in its Entry Point field. Now hit IAT AutoSearch and then Get Imports. Most of the time you won't have any invalid pointers and you can continue by fixing your dump normally (Fix Dump, then pick the file OllyDump wrote)…

In my case I had 2 invalid thunks (imports from 2 modules (DLLs) that were invalid addresses in the IAT). I proceeded by using ImpRec's Trace Level 1 feature (right click); this fixed one of the functions in the thunk table, but the others were still invalid. After disassembling them it wasn't too hard to notice they were garbage (fake) (a trained eye helps in this case), so simply cut the invalid pointers away (again, right click) and fix your dump…
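As an added example (not code from the original tutorial, nor from ASPack, OllyDbg or ImpRec), the Python below does offline what Olly's warning and ImpRec's import walk do against the live process, and ties together the two halves of this tutorial: it parses a 32-bit PE, reports whether the entry point lies outside a section flagged as code, converts a VA to the RVA that ImpRec's OEP field expects (using the 0040C8A0 pushed at the VB OEP above as the worked value), and walks the import directory, flagging any thunk whose RVA does not map into the image as invalid. The PE it inspects is a constructed image with .text/.idata/.aspack sections, not a real ASPack binary; the section names, RVAs, DLL and function names and the 0x7C80AE30 garbage value are all made up for the demonstration. Keep in mind that ImpRec validates pointers against the modules actually loaded in the process; "does this RVA leave the image" is only the offline equivalent for a file on disk, and the code-section check is an approximation of OllyDbg's heuristic, not its exact logic.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020        # section flagged as containing code
IMAGE_ORDINAL_FLAG32 = 0x80000000      # thunk imports by ordinal rather than by name

def parse_pe(data):
    """Header fields this example needs from a 32-bit PE image."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    assert data[:2] == b"MZ" and data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24                                        # IMAGE_OPTIONAL_HEADER32
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)     # ImageBase
    import_rva, = struct.unpack_from("<I", data, opt + 104)    # DataDirectory[IMPORT].VirtualAddress
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw, chars = struct.unpack_from("<8sIIII12xI", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), va=va, vsize=vsize, rsize=rsize, raw=raw, chars=chars))
    return dict(image_base=image_base, entry_rva=entry_rva, import_rva=import_rva, sections=sections)

def section_of(pe, rva):
    """Section whose virtual range contains rva; None means rva points outside the image."""
    return next((s for s in pe["sections"] if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"])), None)

def rva_to_offset(pe, rva):
    """File offset backing rva; None when nothing on disk backs it."""
    s = section_of(pe, rva)
    return None if s is None or rva - s["va"] >= s["rsize"] else s["raw"] + rva - s["va"]

def entry_point_outside_code(pe):
    """Approximation of what triggers OllyDbg's 'entry point outside the code' warning:
    the packer stub sits in its own section, not in one flagged IMAGE_SCN_CNT_CODE."""
    s = section_of(pe, pe["entry_rva"])
    return s is None or not s["chars"] & IMAGE_SCN_CNT_CODE

def va_to_rva(va, image_base):
    """What ImpRec's OEP field wants: the address you landed at minus the ImageBase."""
    return va - image_base

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def walk_imports(pe, data):
    """Walk the import directory. A thunk whose RVA does not map into the image is reported
    as ('invalid', value): in a dump, that is an IAT slot still holding a runtime address."""
    result, desc = [], rva_to_offset(pe, pe["import_rva"])
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)   # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0 and ft == 0:                                        # null terminator
            break
        dll_off = rva_to_offset(pe, name_rva)
        dll = read_cstr(data, dll_off) if dll_off is not None else "<bad name rva %#x>" % name_rva
        entries, thunk = [], rva_to_offset(pe, oft or ft)      # INT if present, else the IAT itself
        while thunk is not None:
            val, = struct.unpack_from("<I", data, thunk)
            if val == 0:
                break
            off = rva_to_offset(pe, val)                        # -> IMAGE_IMPORT_BY_NAME: hint(2) + name
            if val & IMAGE_ORDINAL_FLAG32:
                entries.append(("ordinal", val & 0xFFFF))
            else:
                entries.append(("name", read_cstr(data, off + 2)) if off is not None else ("invalid", val))
            thunk += 4
        result.append((dll, entries))
        desc += 20
    return result

def build_sample(entry_rva, kernel32_iat):
    """Constructed 32-bit PE (not a real or loadable binary); all names, RVAs and values are made up."""
    img = bytearray(0xA00)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                                # e_lfanew
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 3, 0xE0)                 # i386, 3 sections, opt hdr size
    opt = 0x98
    struct.pack_into("<H14xI8xI", img, opt, 0x10B, entry_rva, 0x00400000)  # magic, AddressOfEntryPoint, ImageBase
    struct.pack_into("<II", img, opt + 104, 0x2000, 60)                    # import directory RVA, size
    for i, (name, va, raw, chars) in enumerate([
            (b".text", 0x1000, 0x400, 0x60000020),      # CODE | EXECUTE | READ
            (b".idata", 0x2000, 0x600, 0xC0000040),     # INITIALIZED_DATA | READ | WRITE
            (b".aspack", 0x3000, 0x800, 0xE0000040)]):  # stub: RWX data, not flagged as code
        struct.pack_into("<8sIIII12xI", img, 0x178 + 40 * i, name, 0x200, va, 0x200, raw, chars)
    idata = 0x600                                                          # file offset of RVA 0x2000
    struct.pack_into("<IIIII", img, idata, 0x2040, 0, 0, 0x2100, 0x2060)   # MSVBVM60: INT and IAT
    struct.pack_into("<IIIII", img, idata + 20, 0, 0, 0, 0x2120, 0x2080)   # KERNEL32: IAT only, no INT
    struct.pack_into("<II", img, idata + 0x40, 0x2110, 0)                  # INT -> ThunRTMain
    struct.pack_into("<II", img, idata + 0x60, 0x2110, 0)                  # IAT (same as INT on disk)
    struct.pack_into("<%dI" % (len(kernel32_iat) + 1), img, idata + 0x80, *kernel32_iat, 0)
    img[idata + 0x100:idata + 0x10D] = b"MSVBVM60.DLL\0"
    img[idata + 0x110:idata + 0x11D] = b"\0\0ThunRTMain\0"
    img[idata + 0x120:idata + 0x12D] = b"KERNEL32.DLL\0"
    img[idata + 0x130:idata + 0x141] = b"\0\0GetProcAddress\0"
    return bytes(img)

if __name__ == "__main__":
    # 0x7C80AE30 stands in for a runtime API address left behind in a dumped IAT slot.
    data = build_sample(0x3000, [0x2130, 0x7C80AE30])
    pe = parse_pe(data)
    print("entry point outside code section:", entry_point_outside_code(pe))
    print("OEP RVA for ImpRec given VA 0040C8A0:", hex(va_to_rva(0x0040C8A0, pe["image_base"])))
    print(walk_imports(pe, data))
```

Running it against the constructed image reports the entry point in the .aspack section as outside the code, gives C8A0 as the RVA to type into ImpRec for 0040C8A0 with an ImageBase of 00400000, and lists the KERNEL32 slot holding 0x7C80AE30 as invalid, which is the file-on-disk version of what ImpRec shows as an invalid thunk. Point `parse_pe` and `walk_imports` at the bytes of your own OllyDump output instead of `build_sample` to inspect a real dump.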

–Testing—

If all was done correctly your dump should execute fine (hopefully) :)… If it crashes straight away, the usual suspects are a wrong OEP in the dump or an invalid import that was left in rather than cut away. I hope you've enjoyed this tutorial; maybe one of you learned something…

If you’ve any questions, comments, improvements or likewise complaints please let me know, thanks.

KOrUPt.
