martin123ko

Unpack 1299 ASProtect

Recommended Posts

Hello Everyone,
I made Windows XP VM and used PENTAGRAM:
https://www.kodevelopers.com/unpack-amp-bypass-reverse-engineering/1101-aspack-asprotect-unpacker-stripper-v207211-rc2-213b9.html

ASProtect unpacker to unpack the Launcher.exe and KnightOnLine.exe of version 1299.
There are 3 Folders there:
* Stripper_v213b9
* Stripper.v2.11.RC2
* Stripper.v2.07

When I tried Stripper.v2.11.RC2, the unpacking failed.
When I tried Stripper.v2.07, the VM got a BSOD (Blue Screen of Death).
When I tried Stripper_v213b9, the unpacking worked!
But for some reason the produced unpacked executable doesn't work well, even the launcher.
What could be the reason?
I even tried ImpREC 1.7e to fix the imports and also Scylla_v0.9.8, but when I click the exe, nothing happens.
I checked the entry point OEP with x64dbg and it looks good:
0x0067623F

Is there any better way to unpack ASProtect? Like the manual way using x64dbg, and then manually fixing the imports without counting on some tool or script to do the job for me?
I can unpack later ASProtect versions manually, but with the old 1.22 / 1.23 beta, for some reason, I'm having trouble finding the OEP.

I appreciate any help! Thanks in advance 🙂

Regards,
Martin Brooker

You need to disable HackShield for the 1298 KO.exe and it will work.
We have an ASM forum, but it is closed for some reasons. Sorry, I don't open the ASM and Unpack forums; do it yourself.


test
-- added to the message --
Oh... I can comment now. Interesting. Because before it didn't let me, saying I have to wait some time before I can post again. :)
Thanks for the input!
But I believe the issue atm is not with HackShield; there is some other problem with the way the stripper unpacked the exe. Maybe some stolen-bytes code for API calls. Not sure what exactly.
And I already patched the HackShield call in WinMain, but it didn't help. Also, even though the unpacked Launcher.exe doesn't require any additional patches, the launcher won't work.
I also tried to manually fix the entry point where it makes this call:

00676219 | 0000 | add byte ptr ds:[eax],al |
0067621B | 0000 | add byte ptr ds:[eax],al |
0067621D | 0000 | add byte ptr ds:[eax],al |
0067621F | 0000 | add byte ptr ds:[eax],al |
00676221 | 0000 | add byte ptr ds:[eax],al |
00676223 | 0000 | add byte ptr ds:[eax],al |
00676225 | 0000 | add byte ptr ds:[eax],al |
00676227 | 0000 | add byte ptr ds:[eax],al |
00676229 | 0000 | add byte ptr ds:[eax],al |
0067622B | 0000 | add byte ptr ds:[eax],al |
0067622D | 0000 | add byte ptr ds:[eax],al |
0067622F | 0000 | add byte ptr ds:[eax],al |
00676231 | 0000 | add byte ptr ds:[eax],al |
00676233 | 0000 | add byte ptr ds:[eax],al |
00676235 | 0000 | add byte ptr ds:[eax],al |
00676237 | 0000 | add byte ptr ds:[eax],al |
00676239 | 0000 | add byte ptr ds:[eax],al |
0067623B | 0000 | add byte ptr ds:[eax],al |
0067623D | 0000 | add byte ptr ds:[eax],al |
0067623F | FF15 90316A00 | call dword ptr ds:[] |


Because the stripper doesn't make the entry point look like a regular entry point, as it should. So I patched it like this:

00676219 | 55 | push ebp |
0067621A | 8BEC | mov ebp,esp |
0067621C | 6A FF | push FFFFFFFF |
0067621E | 68 68E36A00 | push knightonline.6AE368 |
00676223 | 68 44606700 | push knightonline.676044 |
00676228 | 64:A1 00000000 | mov eax,dword ptr fs:[0] |
0067622E | 50 | push eax |
0067622F | 64:8925 00000000 | mov dword ptr fs:[0],esp |
00676236 | 83EC 58 | sub esp,58 |
00676239 | 53 | push ebx |
0067623A | 56 | push esi | esi:EntryPoint
0067623B | 57 | push edi | edi:EntryPoint
0067623C | 8965 E8 | mov dword ptr ss:[ebp-18],esp |
0067623F | FF15 90316A00 | call dword ptr ds:[] |


Which is how a regular entry point should look.
That is why I wonder why it doesn't work well with the stripper :( Even VirusTotal says it's quite infected, which I know is probably a false positive, but still, I think a clean manual unpack should solve all these problems, and I'll need to dig more to get there.
If I succeed, I'll also share it here in the forums, because it would be nice to finally have a clean unpacked 1299 KnightOnLine.exe and Launcher.exe without the annoying false positive detection.
Any input from you guys would be highly appreciated. Thanks again!

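As an added example (written for this page, not code from either poster or from the stripper), here is a small Python checker for the situation the two listings above describe: it parses a PE32 image, maps AddressOfEntryPoint to a file offset through the section table, and labels the bytes found there as either the zero-filled OEP the stripper left behind or the ordinary 32-bit MSVC CRT prologue (push ebp / mov ebp,esp / push -1 / push handler / push scope table / mov eax,fs:[0] ...). The two byte sequences are copied from the listings; the PE it runs on is constructed in memory for the example, so its section layout, the file offset 0x200 and the image base 0x400000 are assumptions (the listing's addresses are consistent with that base, but the post does not state it). A run of zeros at the OEP is one symptom of unrestored stolen bytes, not proof of it; a real check would go on to verify the import table too.

```python
import struct

# Standard 32-bit MSVC CRT entry-point prologue, as in the patched listing above.
# "??" marks bytes that differ per binary (SEH handler / scope-table addresses, frame size).
MSVC_PROLOGUE = (
    "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? "
    "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC ??"
)

def parse_pattern(text):
    """Turn a spaced hex pattern with '??' wildcards into a list of int-or-None."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def match_pattern(data, pattern):
    """True if data starts with the pattern (None matches any byte)."""
    if len(data) < len(pattern):
        return False
    return all(p is None or b == p for b, p in zip(data, pattern))

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not inside any section" % rva)

def read_oep_bytes(pe, count=32):
    """Return (image_base, entry_rva, first `count` bytes at the entry point) of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]   # ImageBase
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        name = bytes(pe[hdr:hdr + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    off = rva_to_offset(sections, entry_rva)
    return image_base, entry_rva, bytes(pe[off:off + count])

def classify_oep(code):
    """Label the bytes found at the entry point."""
    if not any(code):
        return "zeroed: OEP is blank, stolen bytes were not restored"
    if match_pattern(code, parse_pattern(MSVC_PROLOGUE)):
        return "msvc-crt-prologue"
    return "unknown"

def inspect(pe, count=32):
    base, rva, code = read_oep_bytes(pe, count)
    return {"oep": base + rva, "bytes": code.hex(" "), "verdict": classify_oep(code)}

# --- constructed test image (not a real KnightOnLine.exe); layout is an assumption ------
def build_test_pe(entry_code, image_base=0x400000, section_va=0x276000, entry_rva=0x276219):
    """Minimal PE32 with a single .text section at file offset 0x200."""
    text = bytearray(0x600)
    text[entry_rva - section_va:entry_rva - section_va + len(entry_code)] = entry_code
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                    # ImageBase
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(text), section_va, len(text), 0x200)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return bytes(headers) + bytes(text)

# Bytes copied from the two listings above: what the stripper produced, and the hand patch.
ZEROED_OEP = bytes(38) + bytes.fromhex("FF 15 90 31 6A 00")
PATCHED_OEP = bytes.fromhex(
    "55 8B EC 6A FF 68 68 E3 6A 00 68 44 60 67 00 "
    "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 "
    "53 56 57 89 65 E8 FF 15 90 31 6A 00"
)

if __name__ == "__main__":
    for label, code in (("stripper output", ZEROED_OEP), ("patched", PATCHED_OEP)):
        r = inspect(build_test_pe(code))
        print("%-16s OEP=0x%08X  %s" % (label, r["oep"], r["verdict"]))
```

Run against a real dump by replacing build_test_pe(...) with the file's bytes; the OEP printed for the constructed image is 0x676219, matching the listing, and only the patched variant is recognised as a CRT prologue.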