• Title:  System Cleaner 4.89 Build 110
  • Author: gmh001
  • Time:   2003/04/11 12:12pm
  • Link:   http://bbs.pediy.com

Unpacking ASPR 1.3x with OllyDbg
   ================================================

Writer     : LaBBa
Translator : gmh001
App        : System Cleaner 4.89 Build 110
Url        : http://www.allerasoft.com/products/systemcleaner/

Preface
==================
OK, here it is!! This is the third time I am writing this tutorial: the first time my computer crashed while I was writing it, the second time the power went out.
(My luck has been a bit bad lately...)

Now...

This tutorial shows how to unpack ASPR 1.3x really quickly and easily, and how to find the stolen bytes just as quickly...

...and all of that without SoftIce, IceDump or /tracex!

With what, then?

With OllyDbg!


Needed tools
================
1. OllyDbg 1.09b2 or newer
2. ProcDump (G-rom) / Pe-edit (y0da)
3. ImpREC 1.3 (MackT/UCF) (protools.cjb.net)
4. HVIEW / hex editor

Unpacking steps
=======================
1. Find the OEP + dump the process from memory
2. Find the stolen bytes
3. Rebuild the IAT
4. Fix the OEP
5. Done


====================================
Step 1 - Finding the OEP + dumping =
====================================

1. Start Olly and load the application into it (if it asks anything, just answer YES!)
2. Now press F9 and the program breaks here:

   017E3414  3100            XOR DWORD PTR DS:[EAX],EAX  <- we break here!
   017E3416  EB 01            JMP SHORT 017E3419
   017E3418  68 648F0500      PUSH 58F64

 Why does Olly break? We didn't set any breakpoint?!
 Because that XOR DWORD PTR DS:[EAX],EAX faults: EAX points at unmapped memory, so the instruction raises an access violation that ASPR catches with its own SEH handler (note the POP DWORD PTR FS:[0] that unwinds the handler right after the faulting instruction at 017E2D7A below). Olly pauses on every such exception, and Shift+F9 passes the exception on to the program's handler. ASPR raises a whole series of them... AND WE ARE GOING TO USE THAT!!

3. Press Shift+F9 so Olly keeps running until the next exception.
4. After 26 presses of Shift+F9 we land here:

   017E2D7A  3100            XOR DWORD PTR DS:[EAX],EAX  <- we land here
   017E2D7C  64:8F05 00000000 POP DWORD PTR FS:[0]     <- set a breakpoint here
   017E2D83  58              POP EAX
   017E2D84  833D 806D7E01 00 CMP DWORD PTR DS:[17E6D80],0
   017E2D8B  74 14            JE SHORT 017E2DA1
   017E2D8D  6A 0C            PUSH 0C
   017E2D8F  B9 806D7E01      MOV ECX,17E6D80
   017E2D94  8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
   017E2D97  BA 04000000      MOV EDX,4
   017E2D9C  E8 EFE0FFFF      CALL 017E0E90
   017E2DA1  FF75 FC          PUSH DWORD PTR SS:[EBP-4]
   017E2DA4  FF75 F8          PUSH DWORD PTR SS:[EBP-8]
   017E2DA7  8B45 F4          MOV EAX,DWORD PTR SS:[EBP-C]
   017E2DAA  8338 00          CMP DWORD PTR DS:[EAX],0
   017E2DAD  74 02            JE SHORT 017E2DB1
   017E2DAF  FF30            PUSH DWORD PTR DS:[EAX]
   017E2DB1  FF75 F0          PUSH DWORD PTR SS:[EBP-10]
   017E2DB4  FF75 EC          PUSH DWORD PTR SS:[EBP-14]
   017E2DB7  C3              RETN

 If we press Shift+F9 once more, the application starts running... so DON'T!!

5. Now move the cursor down to:

   017E2D7C  64:8F05 00000000 POP DWORD PTR FS:[0]

 and press F2 (set breakpoint).
 Now press Shift+F9 and Olly breaks at our breakpoint.

6. Now step with F8 (step over); executing the RETN brings us here:

   017F4EC8  E9 080A0000      JMP 017F58D5 <- we are here

 Execute this jump with F8 too...
 Now we are here:
   017F58D5  D3DE            RCR ESI,CL          <- we land here
   017F58D7  B9 7D966271      MOV ECX,7162967D
   017F58DC  81C1 38F10A23    ADD ECX,230AF138
   017F58E2  D3EE            SHR ESI,CL
   017F58E4  BA 9ECC7376      MOV EDX,7673CC9E
   017F58E9  81EA C56EFFD4    SUB EDX,D4FF6EC5
   017F58EF  81F2 B7104902    XOR EDX,24910B7
   017F58F5  C1CA 94          ROR EDX,94
   017F58F8  8BF2            MOV ESI,EDX
   017F58FA  81EE 87D851D2    SUB ESI,D251D887
   017F5900  C1CE B0          ROR ESI,0B0
   017F5903  8BC6            MOV EAX,ESI
   017F5905  C1C8 28          ROR EAX,28  
   017F5908  53              PUSH EBX
   017F5909  5E              POP ESI
   017F590A  81C5 974FAF73    ADD EBP,73AF4F97
   017F5910  BA 048A9178      MOV EDX,78918A04
   017F5915  F7D2            NOT EDX
   017F5917  F7D2            NOT EDX
   017F5919  81C2 FC756E87    ADD EDX,876E75FC
   017F591F  8BDA            MOV EBX,EDX
   017F5921  41              INC ECX-------------------------
   017F5922  8BD9            MOV EBX,ECX            |
   017F5924  D1C3            ROL EBX,1            | a Realy Long
   017F5926  81F3 A38FD7AC    XOR EBX,ACD78FA3        |    Loop
   017F592C  3BD8            CMP EBX,EAX            |
   017F592E  ^0F85 EDFFFFFF    JNZ 017F5921--------------------
   017F5934  8BC1            MOV EAX,ECX  <<- set a breakpoint here!!

 We are not going to trace the whole loop by pressing F8!! We put a breakpoint on:

     017F5934  8BC1            MOV EAX,ECX

 After setting the breakpoint (F2), press F9 (run) and we stop at our breakpoint.

7. And now?? Trace all the way with F8 / F7 (step into)??!!
 Well... NO!!
 Olly has a nice feature called the command line.
 Choose from the menu: Plugins->Command line->Command line

 Now we write a trace command with a condition!
 YES! Olly has a trace command. It is called TC - trace with condition -
 and it traces until the condition becomes true!

 So... type in the text box: TC EIP<900000
 and press Enter.
 At the bottom right of the window you will see: "Tracing"

 (The condition works because all the ASPR code runs from its own region at 017Exxxx-017Fxxxx, far above the program's image; the first instruction executed below 900000 is the first instruction of the program itself, i.e. the OEP.)

 On my slow machine it took about 8 minutes (350MHz);
 on another, faster machine it took a little over 2 minutes (900MHz Celeron).

8. When the trace finishes we break here:

   0057EA5B    E8            DB E8
   0057EA5C    00            DB 00
   0057EA5D    8A            DB 8A
   0057EA5E    E8            DB E8
   0057EA5F    FF            DB FF

 Hey!! I can't see anything!! What is this?!
 Olly simply has not analysed this code yet. It doesn't matter: WE ARE AT THE OEP!
 OEP=57EA5B

9. Important!! At the OEP, look at the value of EAX (top right of the CPU window):
 EAX=57E318
 Write it down and keep it, we will need it later.

10. Open ProcDump/Pe-Edit and dump the process fully.


===================================
Step 2 - Finding the stolen bytes =
===================================

For the stolen bytes there are currently three patterns:

1. ASPR executes the stolen bytes itself and then goes to the OEP like this:

   Stolen_Bytes_1
   Stolen_Bytes_2
   Stolen_Bytes_3
   .....
   .....
   PUSH_THE_ADDRESS_OF_OEP
   RET_TO_OEP

2. ASPR first saves the stolen bytes, then erases them from the OEP, then jumps to the OEP like this:

   Stolen_Bytes_1
   Stolen_Bytes_2
   Stolen_Bytes_3
   PUSH EBX
   PUSH ESI
   PUSH EDI
   ......
   ......
   ......
   REPZ STOSB <- erases the bytes
       POPFD
       POPAD
   JMP_TO_OEP

3. With no stolen bytes it just does POPAD and jumps to the OEP.

 So which one are we dealing with?
 To see the last steps ASPR takes before reaching our OEP we need the trace log.
 YES! Olly keeps a log of the traced code, called "Run trace".
 So... choose the menu: View->Run trace
 A new window appears... go to the line just before the last one and you will see that the CPU window also moves to the same address; it looks like this:

   017F5779  F3:AA            REP STOS BYTE PTR ES:[EDI]
   017F577B  9D              POPFD
   017F577C  61              POPAD
   017F577D  -E9 D992D8FE      JMP SYSTEMCL.0057EA5B  <- the address of the OEP

 So we are dealing with pattern #2! ;)

 I found that the following works on WinXP, NOT on Win98:
 in the CPU window press Ctrl+S (search for a sequence of commands)
 and enter:

   PUSH EBX
   PUSH ESI
   PUSH EDI  

 You will find:

   01029227  0055 8B          ADD BYTE PTR SS:[EBP-75],DL
   0102922A  EC              IN AL,DX                                                      ; I/O command
   0102922B  83EC 54          SUB ESP,54
   0102922E  53              PUSH EBX
   0102922F  56              PUSH ESI
   01029230  57              PUSH EDI
   01029231  6A 11            PUSH 11

 Ignore the leading "00" and you have the stolen bytes: 55,8B,EC,83,EC,54
 (Decoded from 55 rather than from the 00, that is PUSH EBP / MOV EBP,ESP / SUB ESP,54: the standard function prologue of the original entry point, which is why Olly's disassembly of the saved copy looks like nonsense when it starts one byte too early.)
 Write them down too, we will need them later...

Now close Olly and exit...
We don't need it for the moment...


=============================
Step 3 - Rebuilding the IAT =
=============================

1. First run the application and wait until it is fully loaded.
2. Start ImpREC and pick our process from the list.
3. Click "IAT AutoSearch".
4. Change the size from "BC" to 1000 (BC is too small!!).
5. Click "Get Imports".
6. Click "Show Invalid".
7. Right-click the invalid entries that are shown and choose "Trace level 1".
8. Click "Show Invalid" again... now we should get something like this:

   (cut from the saved tree)
   FThunk: 0019E258    NbFunc: 00000400
   1    0019E258    kernel32.dll    00D6    DeleteCriticalSection
   1    0019E25C    kernel32.dll    0228    LeaveCriticalSection
   ................
   snip-snip
   ................
   1    0019E2A4    kernel32.dll    01D1    GetThreadLocale
   1    0019E2A8    kernel32.dll    01B9    GetStartupInfoA
   0    0019E2AC    ?    0000    017E0F2C            <-- good
   0    0019E2B0    ?    0000    017E139C            <-- good
   1    0019E2B4    kernel32.dll    018B    GetModuleFileNameA
   1    0019E2B8    kernel32.dll    0183    GetLocaleInfoA
   1    0019E2BC    kernel32.dll    0181    GetLastError
   1    0019E2C0    kernel32.dll    0158    GetCurrentDirectoryA
   0    0019E2C4    ?    0000    017E1408            <-- good
   1    0019E2C8    kernel32.dll    0133    FreeLibrary
   1    0019E2CC    kernel32.dll    011C    FindFirstFileA
   ..................
   snip-snip
   ..................
   1    0019E314    kernel32.dll    00A0    CloseHandle
   0    0019E318    ?    0000    0255A00E            <-- BAD
   1    0019E31C    user32.dll    0112    GetKeyboardType
   1    0019E320    user32.dll    019F    LoadStringA
   1    0019E324    user32.dll    01AD    MessageBoxA
   1    0019E328    user32.dll    0026    CharNextA
   0    0019E32C    ?    0000    70F7D832            <-- BAD
   1    0019E330    advapi32.dll    00F7    RegQueryvalueExA
   1    0019E334    advapi32.dll    00EF    RegOpenKeyExA
   1    0019E338    advapi32.dll    00D8    RegCloseKey
   0    0019E33C    ?    0000    F37514C2            <-- BAD
   1    0019E340    oleaut32.dll    0006    SysFreeString
   1    0019E344    oleaut32.dll    0005    SysReAllocStringLen
   1    0019E348    oleaut32.dll    0004    SysAllocStringLen
   0    0019E34C    ?    0000    4007F56E            <-- BAD
   1    0019E350    kernel32.dll    0307    TlsSetvalue
   1        0019E354    kernel32.dll    0306    TlsGetvalue
   1    0019E358    kernel32.dll    01E6    GlobalAlloc
   0    0019E35C    ?    0000    017E139C            <-- good
   0    0019E360    ?    0000    BF57C0D8            <-- BAD
   .......................
   snip-snip
   .......................
   
 It goes on and on like this...
 We have to select by hand every BAD address (the ones that do NOT point into the packer code), right-click them and choose "Cut Thunk(s)".
 * Watch out near the end... there is a good thunk in there.

 Now we need to fix the remaining good entries, the ones that still point into the ASPR code at 017Exxxx. You can download some plugins I saw at fraviamb.cjb.net,
 or read my other tutorials about how to rebuild them (New2Cracking.cjb.net or Fraviamb.cjb.net).
 Here is my fix:

   0019E2AC-> 017E0F2C ->GetProcAddress
   0019E2B0-> 017E139C ->GetModuleHandleA
   0019E2C4-> 017E1408 ->GetCommandLineA
   0019E35C-> 017E139C ->GetModuleHandleA
   0019E428-> 017E1420 ->LockResource
   0019E47C-> 017E13C4 ->GetVersion
   0019E4AC-> 017E0F2C ->GetProcAddress
   0019E4B8-> 017E139C ->GetModuleHandleA
   0019E4FC-> 017E13F8 ->GetCurrentProcessId
   0019E500-> 017E13F0 ->GetCurrentProcess
   0019E50C-> 017E1430 ->FreeResource

9. Click "Fix Dump" and choose our dumped file...
 ImpREC saves the fixed file with "_" prepended to the dump's file name.
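
The classification the author does by eye in the ImpREC tree above (cut the pointers that lead nowhere, resolve the ones that lead into ASPR's code), as an added example that is not part of the tutorial and not ImpREC's code. It assumes that ASPR's code lives in the 017Exxxx region seen in the debugger listings (PACKER_RANGE below is that assumption), takes the stub-to-API table from the author's own fix list, and works on an excerpt of the listing embedded as constructed sample text:

```python
# Added example (not from the tutorial or ImpREC): parse an ImpREC-style thunk
# listing and decide per entry whether to keep, cut, or resolve it.
# Assumption: an unresolved pointer inside PACKER_RANGE is an ASPR stub that
# can be resolved; anything else is garbage to cut.
from dataclasses import dataclass
from typing import Optional

PACKER_RANGE = (0x017E0000, 0x01800000)   # assumption: ASPR's code region

# From the author's fix list above: ASPR stub address -> the real import.
STUB_MAP = {
    0x017E0F2C: ("kernel32.dll", "GetProcAddress"),
    0x017E139C: ("kernel32.dll", "GetModuleHandleA"),
    0x017E1408: ("kernel32.dll", "GetCommandLineA"),
    0x017E1420: ("kernel32.dll", "LockResource"),
    0x017E13C4: ("kernel32.dll", "GetVersion"),
    0x017E13F8: ("kernel32.dll", "GetCurrentProcessId"),
    0x017E13F0: ("kernel32.dll", "GetCurrentProcess"),
    0x017E1430: ("kernel32.dll", "FreeResource"),
}

# Constructed excerpt of the listing shown above (ImpREC saved-tree format:
# flag, thunk RVA, dll, ordinal, name-or-raw-pointer).
SAMPLE_TREE = """\
FThunk: 0019E258    NbFunc: 00000400
1    0019E2A8    kernel32.dll    01B9    GetStartupInfoA
0    0019E2AC    ?    0000    017E0F2C            <-- good
0    0019E2B0    ?    0000    017E139C            <-- good
1    0019E2B4    kernel32.dll    018B    GetModuleFileNameA
0    0019E2C4    ?    0000    017E1408            <-- good
snip-snip
1    0019E314    kernel32.dll    00A0    CloseHandle
0    0019E318    ?    0000    0255A00E            <-- BAD
0    0019E32C    ?    0000    70F7D832            <-- BAD
0    0019E33C    ?    0000    F37514C2            <-- BAD
0    0019E34C    ?    0000    4007F56E            <-- BAD
0    0019E35C    ?    0000    017E139C            <-- good
0    0019E360    ?    0000    BF57C0D8            <-- BAD
"""


@dataclass
class Thunk:
    rva: int
    valid: bool
    dll: str
    name: str
    pointer: Optional[int]   # raw IAT value, only for unresolved entries


def parse_tree(text: str) -> list:
    """Parse the listing; header, snip markers and blank lines are skipped."""
    thunks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("0", "1"):
            continue
        flag, rva, dll, _ordinal, name = parts[:5]
        valid = flag == "1"
        pointer = None if valid else int(name, 16)
        thunks.append(Thunk(int(rva, 16), valid, dll, name, pointer))
    return thunks


def plan(thunks) -> list:
    """Return (thunk RVA, action, detail) triples; action is keep/resolve/cut."""
    out = []
    for t in thunks:
        if t.valid:
            out.append((t.rva, "keep", f"{t.dll}!{t.name}"))
        elif t.pointer in STUB_MAP:
            dll, name = STUB_MAP[t.pointer]
            out.append((t.rva, "resolve", f"{dll}!{name}"))
        elif PACKER_RANGE[0] <= t.pointer < PACKER_RANGE[1]:
            # Inside ASPR's code but not in our table: trace it by hand.
            out.append((t.rva, "resolve", f"unknown ASPR stub {t.pointer:08X}"))
        else:
            out.append((t.rva, "cut", f"{t.pointer:08X} points nowhere useful"))
    return out


if __name__ == "__main__":
    for rva, action, detail in plan(parse_tree(SAMPLE_TREE)):
        print(f"{rva:08X}  {action:8s} {detail}")
```

The five entries the script marks "cut" are exactly the five BAD lines the author cut; the four marked "resolve" are the 017Exxxx pointers, including the stray good thunk near the end (0019E35C) that the author warns about. A pointer inside the packer region that is not in the table still has to be traced manually, as the text says.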


=========================
Step 4 - Fixing the OEP =
=========================

1. Open HVIEW / a hex editor and go to the OEP: 57ea5b.
 Move back 6 bytes to 57ea55 and overwrite the "00" bytes there with our stolen bytes. Save as a new file.
 (Olly shows virtual addresses, so make sure your hex editor is navigating by the same address space and not by raw file offset; the PE header's entry point field expects an RVA, i.e. the virtual address minus the image base.)

2. Open ProcDump/Pe-Edit, load the rebuilt file into Pe-Edit and change the entry point to 57ea55 (because of the stolen bytes).

3. If you try to run the program now, it crashes!!

4. Open Olly and load our fixed file.

5. Stop at the OEP 57ea55: what is the value of EAX? Remember I told you to save the value of EAX at the OEP before dumping? It was EAX=57E318. The value now is different, which means there is one more stolen instruction:

   MOV EAX, 0057E318

 This instruction takes 5 bytes (try it yourself in HVIEW):
   B818E35700      MOV EAX, 0057E318
 That means we have 6+5=11 (decimal) stolen bytes,
 so the real OEP is:
 11 = B (hex)
 OLD_OEP - STOLEN_BYTES = 57EA5B - B = 57EA50
 OEP = 57EA50
 Open the file in HVIEW / hex editor, go to the new OEP and write:
   
   55,8B,EC,83,EC,54,B8,18,E3,57,00

 Fix the entry point to 57EA50 with ProcDump\Pe-Edit.
 Ha, now the program runs!!!
 Done!!!

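The stolen-bytes search of Step 2 and the OEP arithmetic and patch of Step 4, as one added example that is not part of LaBBa's tutorial and not the code of any of the tools named. It assumes an image base of 0x400000 (the tutorial never states it) and a ProcDump "full dump" whose file layout mirrors memory, so that file offset == RVA == VA - image base; the packer memory blob and the dump bytes are constructed from the listings in the text, not taken from System Cleaner:

```python
# Added example, not from the tutorial: find the stolen prologue next to the
# saved PUSH EBX/ESI/EDI, account for the stolen MOV EAX, compute the real
# OEP and write the bytes back into a zero-filled dump.
import struct

IMAGE_BASE = 0x400000          # assumption: the text never states the image base
DUMPED_OEP = 0x0057EA5B        # where TC EIP<900000 stopped (from the text)
EAX_AT_OEP = 0x0057E318        # EAX noted at the OEP (from the text)
PROLOGUE_MARKER = b"\x53\x56\x57"   # PUSH EBX / PUSH ESI / PUSH EDI

# Constructed: the bytes Olly showed at 01029227, the copy ASPR saved
# (00 55 8B EC 83 EC 54 | 53 56 57 6A 11 ...), padded with NOPs.
PACKER_BLOB = bytes.fromhex("00 55 8b ec 83 ec 54 53 56 57 6a 11 90 90")


def find_stolen_prologue(blob: bytes) -> bytes:
    """Step 2 as code: locate PUSH EBX/ESI/EDI and walk back over the non-zero
    bytes in front of it; the tutorial's "ignore the 00" is the stop condition."""
    pos = blob.find(PROLOGUE_MARKER)
    if pos < 0:
        raise ValueError("PUSH EBX/PUSH ESI/PUSH EDI not found in blob")
    start = pos
    while start > 0 and blob[start - 1] != 0x00:
        start -= 1
    return blob[start:pos]


def mov_eax_imm32(value: int) -> bytes:
    """Encode MOV EAX, imm32 (opcode B8 + little-endian dword): 5 bytes."""
    return b"\xb8" + struct.pack("<I", value)


def real_oep(dumped_oep: int, prologue: bytes, eax: int):
    """Step 4 arithmetic: stolen code = prologue + MOV EAX,<eax>; the real OEP
    is the dumped OEP moved back by that many bytes. Returns (oep, bytes)."""
    stolen = prologue + mov_eax_imm32(eax)
    return dumped_oep - len(stolen), stolen


def patch_dump(dump: bytearray, oep_va: int, stolen: bytes) -> int:
    """Write the stolen bytes at the real OEP. Refuses to overwrite anything
    other than the zero fill ASPR left behind (pattern #2's REP STOS)."""
    off = oep_va - IMAGE_BASE                 # full-dump assumption: offset == RVA
    if any(dump[off:off + len(stolen)]):
        raise ValueError("bytes before the dumped OEP are not zero-filled")
    dump[off:off + len(stolen)] = stolen
    return off


def fix_dump():
    """Run the whole flow on a constructed dump; returns (new OEP VA, dump)."""
    dump = bytearray(DUMPED_OEP + 0x10 - IMAGE_BASE)      # constructed: all zero
    oep_off = DUMPED_OEP - IMAGE_BASE
    # constructed: the five bytes Olly showed at 0057EA5B (E8 00 8A E8 FF)
    dump[oep_off:oep_off + 5] = bytes.fromhex("e8008ae8ff")
    prologue = find_stolen_prologue(PACKER_BLOB)
    oep, stolen = real_oep(DUMPED_OEP, prologue, EAX_AT_OEP)
    patch_dump(dump, oep, stolen)
    return oep, dump


if __name__ == "__main__":
    oep, dump = fix_dump()
    off = oep - IMAGE_BASE
    print(f"new OEP = {oep:08X} (RVA {off:X}); bytes now: {dump[off:off + 16].hex(' ')}")
```

The zero-fill check in patch_dump is the practical safeguard: if the bytes in front of the dumped OEP are not zero, either the arithmetic is off or this is not pattern #2, and writing the prologue there would corrupt real code.
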
Translator's note: I have always used SoftIce and have never used OllyDbg, so I am not sure whether some of the content is accurate; my skills are also limited, so if there are mistakes, please point them out, everyone!!
