User Manual - Ru.en


User Manual

Utility: DecomAS
Unpacks versions: from 1.32 build xxxx to 2.5x
E-mail address: PE_Kill@mail.ru
Date: 08/04/2011

Authors
PE_Kill - actually me, the one who started it all and implemented it.
Sanniassin - the VM interpreter for versions 1, 2 and 3, and many other ideas.
Maximus - crazy tester. Without his regular, thorough bug reports that reached me
everywhere, this project would not exist in the form it currently has. Also many
other ideas and proposals.

Program description
DecomAS is an unpacker for the ASProtect add-on protection by ASPack Software.
The utility was written to show software developers how reliable the protection is.
The author is not responsible for its use for any other purpose.

Attention!
Some antivirus products (in particular Kaspersky) consider the unpacked file a
virus, most likely because the program's entry point is moved to an RVA in the
last section (if the OEP was stolen), which viruses often do. I can assure you that
there is no virus in it; at least I did not add one. In any case, if in doubt, do not
use this utility or its results.
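The heuristic described above can be checked without running the file. The following is an added example, not part of DecomAS: a minimal PE header walker that reports whether AddressOfEntryPoint lies inside the last section, the trait that makes some antivirus engines flag a rebuilt file. The sample images are constructed header-only PE files built by the helper at the bottom.

```python
import struct

def section_headers(pe: bytes):
    """Yield (name, virtual_address, virtual_size) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, ...
        name, vsize, vaddr = struct.unpack_from("<8sII", pe, first + i * 40)
        yield name.rstrip(b"\0").decode(), vaddr, vsize

def entry_point_rva(pe: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    # AddressOfEntryPoint is 16 bytes into the optional header
    return struct.unpack_from("<I", pe, e_lfanew + 4 + 20 + 16)[0]

def entry_in_last_section(pe: bytes) -> bool:
    """True if the entry point falls inside the last section's virtual range."""
    secs = list(section_headers(pe))
    if not secs:
        return False
    _, vaddr, vsize = secs[-1]
    ep = entry_point_rva(pe)
    return vaddr <= ep < vaddr + vsize

def build_headers(entry_rva: int, sections) -> bytes:
    """Construct a header-only PE32 image (sample data for this example)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, 0x60000020)
        for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

# Constructed samples: a Delphi-style layout with a normal EP, and the same layout
# with the EP relocated into the last section as after a stolen-OEP rebuild.
LAYOUT = [(b"CODE", 0x1000, 0x2000), (b"DATA", 0x3000, 0x1000), (b".rsrc", 0x4000, 0x500)]
NORMAL = build_headers(0x1100, LAYOUT)
STOLEN_OEP = build_headers(0x4010, LAYOUT)
```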

Working with utility

Working with the tool is very simple. First, open the victim (the target file). This
can be done in three ways:
1) Click the Open button
2) Start the unpacker with the file path as a command-line parameter
3) Drag the file from a file manager into the utility window (drag and drop)
DecomAS analyzes the file for the presence of ASProtect and tries to identify the
compiler. At the moment the unpacker recognizes only Delphi. If the unpacker did
not detect Delphi and you are sure the victim was written in it, you can specify
this manually by ticking the appropriate box.

ASPack / ASProtect is considered to really be applied to the program if the
heuristics show the following:
But this is only for convenience and information; the unpacker does not use these
findings (except for the compiler).

Options
The next step is to configure the unpacking options. The options window
appears in three cases:
1) If you press Options
2) On the first start of the unpacker
3) When you run a new version of the unpacker and the registry contains the
settings of an old version
Let us consider the unpacker options in more detail.

Section "Compiller"
- Optimize unpacking for Delphi - if the Delphi box is ticked in the main utility
window, then during unpacking the import directory will be restored to its
original location in the .idata section, as it was before the file was protected. Also,
in the penultimate unpacking step the sections will be given names following the
style of the Delphi linker.
Note. The utility does not yet recognize Delphi 2006, so it skips the second code
section.
- Hard scan (Example: for DLL) - this option is for the analyzer (when a file is
opened). The analyzer may not reliably identify a DLL written in Delphi, and
possibly older compiler versions. This option makes the analyzer additionally
examine the resources, since the resources of Delphi programs are known to be
specific.

Section "Registration"
- Kill ASProtect messages - this option may help with an expired trial, with a
key-file protection that refuses to run without a key, and other bad circumstances.
That is, it simply removes the calls to the bad messages and unpacking goes on.
- Clear Classic BlackList (v1.3x) - a very useful option when a banned key from
ASProtect version 1.3x is present. A key of this version can be identified by its
length and encoding (base64).
Example: 0iV8BSzRymWX1Z/5DDiY6JIxVczHk1l7dOPPDAre09OrEjEi/SerJQl+cSIFreBFfh4RaYS7lZs3lkjVHD7Ktw5be+8VPv7PuaRBdgrvb9KD7o4tfYV1gNrSPUTNNIFHIPHRQFJtpmzh2dWn2kGS2zqXRhjm/BwQW2LczPRYMpFo=
- Clear SKE BlackList - a very useful option when a banned key from ASProtect
version 2.x SKE is present. A key of this version can be identified by its length
(which varies with the protection settings) and by its division into blocks
separated by dashes.
Example: CEGHF-YY5J2-4R8A7-7SG8N-NVERC-J95ZS-RZTWD-MR3YM-4LLKC-NJ5MU
Attention!!! If the program is being unpacked without a banned ASProtect SKE key,
you must disable this option, otherwise ASProtect will detect that the BlackList
was cleaned.
- Fix HWID with: - if you have a key issued for another HardwareID, activate this
option and enter the HWID of the computer on which the key was bought.
Attention! HWID replacement works only for SKE versions; I have not got around to
1.3x yet. HWID substitution requires the HWIDfx.dll library in the unpacker
directory.
- Emulate ASProtect API (SKE) - when this option is activated, all ASProtect SDK
API calls found after unpacking will be emulated by my code. For this purpose the
name of my DLL, which contains stub functions from the SDK, is entered into the
imports. You can edit the DLL name for paranoid shareware.

Section "Dump"
- Preserve extra data - whether or not to append the additional data (overlay) to
the unpacked file.
- Wipe junk - whether or not to clean out the junk between the header and the first
section. Sometimes a program needs the data stored there. It is recommended to
enable this option for a better optimized dump.

Section "Analisys code"
- Find crypted code by key - the unpacker will look for sections of code that
resemble code encrypted until a valid key is entered. Since this feature is pure
heuristics, I am not responsible for its accuracy. It may find unnecessary pieces
and may miss the needed ones, but it is still better than searching through
kilometers of listing in a debugger.
- Patch CRC, API, ... checks - after unpacking, the utility will find and patch the
checks (special SDK macros) in the unpacked file.
- Enable demorpher - whether or not to demorph the code. If the demorpher fails
during unpacking, you MUST send me the file; but while I fix everything time will
pass, and if the file has to be unpacked immediately it is enough to disable the
demorpher.
I recommend always enabling this option!

Section "Other"
- Kill trial keys in registry - before unpacking, all temporary ASProtect keys will
be found and removed.
- Save log file - I recommend always activating this option. The log in the
unpacker's main window shows only basic information about the course of
unpacking. With this option a detailed log is written to the victim's directory. That
log is more like a project file and contains a lot of information not included in the
main log; this also applies to registration.

All settings (except HWID) are stored in the registry.

Recommended settings
Unpacking
Press the Unpack button and wait for the result. On failure, send the file to me
by e-mail.

Emulation of the ASProtect API

If ASProtect API calls are present in the program's IAT, DecomAS replaces each
API call with a call to the corresponding API of aspr_api.dll. This assumes that
the appropriate checkbox is set in the options window and the ASProtect version is
SKE. But such emulation will not always work, because ASPack Software is
constantly changing the API, adding something, deleting something. For example,
previously none of the API functions had a ModeID parameter, and now there is one.
Accordingly, with the old API emulation the program will simply crash because of
an incorrect stack alignment. Emulating the ASProtect 1.x API is entirely up to
you; DecomAS only shows some addresses in the log, and not even all of them.

Advice and problem-solving

Recently I encountered a problem. A DLL of some program was packed with ASProtect.
When attempting to unpack it, the following was reported:
L_o_a_d_e_r.exe - Unable to Locate Component
---------------------------
This application has failed to start because mfc80u.dll was not found. Re-installing
the application may fix this problem.

In this case, if the DLL is thrown into system32, Runtime Error R6034 is issued. On
the computer where the DLL was originally located, the system is the same. But at
the same time the program that loads it clearly shows the DLL loading. Googling
made it clear that mfc80u.dll is loaded not from the system folder but from the
folder listed in the program's manifest. I did not find a manifest file, so I
opened the victim's EXE in a resource editor and saved the manifest to disk,
naming it L_o_a_d_e_r.exe.manifest, because Windows reads the manifest of the
first executable file, which in our case is the loader that loads the DLL for
unpacking. After that, everything unpacked.

PE_Kill, 2006 - 2011
