Asprotect 2 SKE
Unpacking using OllyScript

Date: 29/07/2005

by "Pnluck"

UIC's Home Page

Published by Quequero


Thanx pn!


Home page (if any): http://pnluck.altervista.org
E-mail: [email protected]

Difficulty

( ) Newbies ( ) Intermediate (X) Advanced ( ) Master

 

 

Introduction

In this tutorial I explain how to unpack ASProtect SKE 2. I don't show how to unpack one particular program; instead I will use several of them, because I will reverse all three kinds of import-table protection it offers (Advanced Import Protection v1 and v2, and Emulate System API).

Tools used

Tools: OllyDbg, OllyScript.
Scripts: Aspro2_AIP1, Aspro2_AIP2

URL or FTP of the program

Any program protected with ASProtect SKE 2.

Essay

1) Find the OEP.
To find the OEP I used the classic method: count the number of exceptions (passing each one with Shift+F9), and on the last one press Alt+F9 and set a memory breakpoint on the code section (address 401000); the program then breaks at the OEP.

2) Rebuild the IT (import table).
As already said, in programs protected with ASProtect 2 (SKE) we find three types of import-table protection: for Emulate System API see my article on PMode; the other two I explain here.
Advanced Import Protection was already present in older versions of ASProtect, but in a simpler form. Now there is more decryption code to make our life difficult. AIP (aka Advanced Import Protection) makes the APIs execute by calling LoadLibrary and GetProcAddress and then doing a "jmp api"; as said before, there are two versions of this protection. The only difference between v1 and v2 is whether the IAT itself is corrupted, e.g.:

0041740C  BA B8 D1 77 4A C9 D3 77 60 DA D1 77 2E 8C D1 77  
0041741C  0D D6 D1 77 1B C0 D1 77 43 F5 D2 77 B3 03 D3 77   
0056B3AC  42 24 80 7C F1 BA 80 7C 08 7F 0C F9 4B 6F DD 78  
0056B3BC  3A D9 64 27 A6 0D 81 7C 28 9C 80 7C 97 AA 80 7C  

As you can see, there are two IATs: the first is intact (v1), while the second is corrupt (v2); this is the only difference.
AIP replaces the "jmp [api]", e.g. 00407A68 JMP DWORD PTR DS:[56B3AC] ; kernel32.Sleep, with a call such as 00416746 CALL 00D60000, and this call replaces almost all of the "jmp [api]" instructions in the protected program.

I wrote two OllyScripts, one for each version of AIP. The script for the first version asks for the base address of the section that contains the IAT and its size (used to find the IAT slot holding the API) and the address of the call to analyze.

The second script asks for the address where the IAT begins and the call to analyze. Now I show how to use this second script (the first one is used in the same way):
Find the OEP.

List all intermodular calls.

Find a call placed by AIP: 00E10000.

Find the section containing the IAT and locate a jmp [api].

Note where the IAT begins (56B21C) and check whether it is corrupt.

If it is, run the script Aspro2_AIP2.

When you have finished rebuilding all of the AIP calls, you can dump the process with OllyDump, rebuilding the imports with method 1.
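The rebuild that the two scripts carry out can be modelled offline. The Python below is an added example, not the author's OllyScript: it takes a code sample containing AIP calls, a table of the API each stub finally jumps to (the real script obtains this by single-stepping the stub in OllyDbg; here the table is constructed), and the IAT, and writes each call back to jmp dword ptr [slot]. For v2 it also repairs a corrupt IAT by writing the resolved API address into a junk slot. The image layout, the module ranges, the second API address and the assumption that each AIP call occupies the 6 bytes of the jmp it replaced (5-byte call plus one pad byte) are all assumptions of this example; only the kernel32.Sleep address and the IAT start come from the tutorial's dumps.

```python
import struct

# Constructed layout for this example; it is not the tutorial's target binary.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00200000            # assumed size of the loaded image
CODE_VA    = 0x00416740            # VA of CODE[0] below
IAT_VA     = 0x0056B3AC            # where the IAT begins (the value read off Olly in the tutorial)

# Address ranges of loaded modules, as the debugger's module list would show them.
# kernel32 at 7C800000 is assumed (XP SP2); a slot value outside these ranges is junk, not an API.
MODULES = [(0x7C800000, 0x7C8F6000)]

# API each AIP stub finally jumps to. The OllyScript learns this by stepping through the stub
# (LoadLibrary / GetProcAddress / jmp api); here it is a constructed table.
RESOLVED = {
    0x00D60000: 0x7C802442,        # kernel32.Sleep on the author's system, per the tutorial's dump
    0x00D60010: 0x7C81CAA2,        # a second kernel32 export (constructed)
}


def aip_call(site, target):
    """E8 rel32 to the stub plus one pad byte, filling the 6 bytes of the jmp [api] it
    replaced (the pad byte is an assumption of this example)."""
    return b'\xE8' + struct.pack('<i', target - (site + 5)) + b'\x90'


CODE = bytearray(
    b'\x55\x8B\xEC\x90\x90\x90'                  # 416740: filler
    + aip_call(0x00416746, 0x00D60000)          # 416746: was jmp dword ptr [56B3AC] ; kernel32.Sleep
    + b'\x90\x90\x90\x90'                       # 41674C: filler
    + aip_call(0x00416750, 0x00D60010)          # 416750: was jmp dword ptr [56B3B0]
    + b'\xC3'
)

IAT = bytearray(
    struct.pack('<I', 0x7C802442)                # 56B3AC: intact slot
    + struct.pack('<I', 0xF90C7F08)              # 56B3B0: corrupt slot (v2 style), value from the tutorial's dump
    + struct.pack('<I', 0x7C80BAF1)              # 56B3B4: intact slot
)


def find_aip_calls(code, code_va):
    """Return (site_va, target_va) for every E8 rel32 whose target lies outside the image.
    A linear byte scan is only a heuristic (E8 also shows up inside immediates and data);
    it stands in for Olly's 'find intermodular calls' used in the tutorial."""
    found, i = [], 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = struct.unpack_from('<i', code, i + 1)[0]
            target = (code_va + i + 5 + rel) & 0xFFFFFFFF
            if not IMAGE_BASE <= target < IMAGE_BASE + IMAGE_SIZE:
                found.append((code_va + i, target))
                i += 5
                continue
        i += 1
    return found


def in_module(addr):
    return any(lo <= addr < hi for lo, hi in MODULES)


def iat_slot_for(iat, api, allow_repair):
    """Return (slot_va, repaired) for the IAT slot holding `api`. With v1 the slot must already
    be there; with v2 (allow_repair) a slot holding junk is claimed and overwritten with `api`."""
    slots = [(IAT_VA + off, struct.unpack_from('<I', iat, off)[0]) for off in range(0, len(iat), 4)]
    for va, val in slots:
        if val == api:
            return va, False
    if allow_repair:
        for va, val in slots:
            if not in_module(val):
                struct.pack_into('<I', iat, va - IAT_VA, api)
                return va, True
    raise LookupError(f'no IAT slot for API {api:08X}')


def rebuild(code, iat, version):
    """Turn every AIP call back into jmp dword ptr [slot] (FF 25 disp32).
    Returns a log of (site, stub, api, slot, repaired) tuples."""
    log = []
    for site, target in find_aip_calls(code, CODE_VA):
        api = RESOLVED[target]
        slot, repaired = iat_slot_for(iat, api, allow_repair=(version == 2))
        off = site - CODE_VA
        code[off:off + 6] = b'\xFF\x25' + struct.pack('<I', slot)
        log.append((site, target, api, slot, repaired))
    return log


def main():
    code, iat = bytearray(CODE), bytearray(IAT)
    for site, target, api, slot, repaired in rebuild(code, iat, version=2):
        print(f'{site:08X}  call {target:08X} -> api {api:08X}  => jmp dword ptr [{slot:08X}]'
              + ('  (IAT slot repaired)' if repaired else ''))


if __name__ == '__main__':
    main()
```

Running the same sample with version=1 raises LookupError on the second call, because the v1 script expects every resolved API to be present in the IAT already; that is exactly why the tutorial checks whether the IAT is corrupt before choosing between Aspro2_AIP1 and Aspro2_AIP2.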
                                                                                                                 Pnluck

Final notes

Thanks to Ntoskrnl, Quake2, Quequero, AndreaGeddon, dM, Silent, and all UIC and PMode members.

Disclaimer

I would like to remind you that software must be bought, not stolen; you must register your product after the evaluation period. I do not hold myself responsible for any damage to your computer caused by improper use of this tutorial. This document was written to encourage the consumer to register their programs legally, and not to make use of the many crack files found on the net; in fact, this document helps one understand the effort every developer has had to make to provide their customers with the best possible products.

We reverse for informational purposes only and to improve our knowledge of the Assembly language.