haggar's ASProtect 1.23RC4 tutorial

silentenigma

hi ppl

i have reversed all the stuff in that tutorial haggar's ASProtect 1.23RC4 tutorial (http://www.reversing.be/article.php?story=20050329165716822). I have unpacked the proggy and understand all the stuph Wink

i have an another question. it is about IAT rebuilding.

after unpacking i open ImpREC and select our proggy under olly Wink

1. i write the OEP and Click IAT AutoSearch -> it gives a messagebox and says RVA:11000 and size:5000 . i change these sections after messagebox
2. then i click Get Imports.
3. i click Show Invalid
4. there are a lot stuph highlighted on the window. i RiGHT-Click and select one on the Haggars PLUGINS for imprec TO TRACE!!
5. this takes a lot time (a few minutes)
6. it finishes (in log part it says there are a lot failed things ???)
7. then i clicked on Fix Dump and it successfully rebuilds

BUT i couldnt open the unpacked and rebuilded Proggy

did i do smth wrong ??
where is the problem

thanks for your help Smile

NOTE: i have searched your forum but really i couldnt find the exact answer

NOTE2: i use the same proggy same version (it is still downloadable)

SKiLLa · Frequent poster Joined: 29 Mar 2005 Posts: 79

Before step 7, did you 'cut the invalid chunks' after tracing ?
And what kind of error do you get when you try to run the rebuilded app ?

silentenigma · Posted: Wed Jun 21, 2006 7:50 pm Post subject:

before step 7 of course i delete all thunks Smile

and it gives the error; you know, a messagebox appers and it says this program confront with a SERIOUS problem Very Happy

SEND an error report or Dont Sent Wink

this kinda message?

bengunn · Regular Joined: 15 Apr 2005 Posts: 118

Knight · Regular Joined: 21 Aug 2005 Posts: 122

Maybe ur program is protected with different version of asprotect, thus plugin might not work and that screws up whole thing.

Regards,
Knight

silentenigma · Posted: Thu Jun 22, 2006 11:10 am Post subject:

@bengunn:
Do you mean that shouldnt i delete those thunks? then what must i do?? Just Cut them or do nothing???

@Knight:
Dude i write in my first post, it is the same protection same file Wink

However, lets say a diffrent proggy but same protection, logic is same, i find the OEP and stolen bytes but ınfortunately i cant rebuild the import??

i wish Haggar will answer me Rolling Eyes

bengunn · Regular Joined: 15 Apr 2005 Posts: 118

haggar · Regular Joined: 19 Mar 2005 Posts: 246

Click "Show invalid", then right click on them and "Cut thunk(s)". Try then.

Btw, that was my first tutorial Smile

Unpacking that version today is pice of cake Cool

silentenigma · Posted: Thu Jun 22, 2006 7:59 pm Post subject:

btw i 've overcome the problem Smile

before writing the stolen bytes on 00 bytes on Olly, i analyze the code. Very Happy

but i musn't. So first i write the stolen bytes on Olly, then analyze the code and rebuild the iat Wink

and it is ok!!

@bengunn:
hey dude as u said, i should take the IAT size: 000008D8 are you sure ??

bengunn · Regular Joined: 15 Apr 2005 Posts: 118