i. setting up OllyDbg
ii. setting up aadp4olly plugin
1a. -open OllyDbg and load AIKASM.exe
-click 'No' to skip analyzing compressed code
1b. -press [Shift]+[F9] 16 times until you reach the code shown in the picture below
*pressing [Shift]+[F9] x times is what reverse engineers call the 'exception counting trick':
*load the program into OllyDbg
*n = count how many times [Shift]+[F9] has to be pressed until the program runs freely
*restart the program in OllyDbg
*x = n-1, i.e. stop on the last exception the packer raises before it hands control to the unpacked code
**this is just additional information, not one of the steps in the tutorial
-toggle a Breakpoint (BP) on the first RETN at [0x2E43A29] and click 'Yes' in the warning box
1c. -press [Shift]+[F9] once more to break on the BP
1d. -press [Alt]+[M] to bring up the 'Memory map' window
-right click on AIKASM-code line and select 'Set memory breakpoint on access'
1e. -press [F9] and take note of the address where execution stops on the memory breakpoint; it is the original entry point, referred to as 'EP' from here on
1f. -scroll up the code a bit until you see the run of one repeated instruction shown below (this is the code cave the packer left at the EP)
-press [Ctrl]+[A] to analyse the code
2a. -restart AIKASM.exe in OllyDbg or you can press [Ctrl]+[F2]
-click 'No' to skip analyzing compressed code
2b. -repeat the steps from 1b until 1d
2c. -press [Ctrl]+[T] to bring up the 'Set Condition' dialog and configure it as shown below
-click 'OK'
-press [Ctrl]+[F11]
2d. -go to 'View' and select 'Run trace'
-right click anywhere within the 'Run trace' window and select 'Highlight register' and select 'EBP'
-scroll down to the bottom of the 'Run trace' window until a highlighted 'EBP=[0x12FFC0]' is seen
-take note of the address of the instruction just before the highlighted EBP entry; it is the beginning of the stolen bytes
2e. -write down the instructions from [0x2E5620D] to [0x2E5626C], leaving out all the 'JMP SHORT's and the red-marked instructions
0x2E5620D PUSH EBP
0x2E5620E MOV EBP,ESP
0x2E56210 PUSH -1
0x2E56212 PUSH 624710
0x2E56217 PUSH 5EF718
0x2E5621C MOV EAX,DWORD PTR FS:[0]
0x2E5622F PUSH EAX
0x2E56230 MOV DWORD PTR FS:[0], ESP
0x2E56237 SUB ESP, 58
0x2E56247 PUSH EBX
0x2E56255 PUSH ESI
0x2E56263 PUSH EDI
0x2E56264 MOV DWORD PTR SS:[EBP-18], ESP
-observe the instructions in the above figure and you will notice that the stolen bytes stop just before a 'PUSH (EP)', which is where the packer transfers control to the original entry point
-(credit to fennes for verifying the correct stolen bytes)
3a. -restart AIKASM.exe in OllyDbg or you can press [Ctrl]+[F2]
-click 'No' to skip analyzing compressed code
-repeat the steps from 1b until 1f
-right click on the first instruction of the code cave (the OEP, [0x5EE833]) and select 'New origin here'
3b. -go to 'Plugins' and select 'OllyDump' and select 'Dump debugged process'
-configure the 'OllyDump' dialog as shown in the picture below
-make certain that the 'Modify:' field (the entry point RVA) is correct:
= [EP - BaseAddress]
= [0x5EE833] - [0x400000]
= [0x1EE833]
-click 'Dump'
3c. -while 'OllyDbg' is still open, launch 'ImportREC'
-select the 'AIKASM.exe' process from the drop-down list
3d. -change the 'OEP' field to the RVA calculated previously ([0x1EE833])
-click 'IAT AutoSearch' and click 'OK' in the next dialog
3f. -change the 'Size' field to [0x1000] and click 'Get Imports'
3g. -click 'Show Invalid'
-right click on any of the highlighted invalid functions and select 'Trace Level1 (Disasm)'
3h. -click 'Show Invalid'
-right click on any of the highlighted invalid functions, select 'Plugin Tracers' and select 'ASProtect 1.23 rc4'
3i. -click 'Show Invalid'
-right click on any of the highlighted invalid functions and select 'Delete thunk(s)'
3j. -click 'Fix Dump'
-select 'dump.exe' and click 'Open'
-a new file named 'dump_.exe' should now be created in the AikaSEA folder
-close 'ImportREC'
4a. -close 'AIKASM.exe' process in 'OllyDbg' and open 'dump_.exe'
4b. -select all the instructions from [0x5EE833] to [0x5EE857], which is the code cave, right click on any of them and select 'Assemble'
-replace the whole selection with the instructions written down in step 2e
before replacements
after replacements
4c. -press [Ctrl]+[A]
-right click anywhere within the 'CPU' window and select 'Copy to executable' and select 'All modifications'
-click 'Copy All' in the next dialog
-close the newly popped up window by clicking the 'X' icon at the top right corner
-click 'Yes' to save the modified file to disk
-in the 'Save file as' window, select 'dump_.exe' and click 'Save'
-click 'Yes' to overwrite files
5a. -open 'LordPE' and click 'Rebuild PE'
-select 'dump_.exe' and click 'Open'
-click 'OK' in 'LordPE' window
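The file-side half of steps 3b and 4b can be done without the OllyDbg GUI once the EP and the stolen bytes are known. The script below is an added example, not part of this tutorial or of any of the tools it uses: it encodes the step 2e prologue as OllyDbg would assemble it, computes OllyDump's 'Modify:' value (EP - ImageBase), writes the prologue over the code cave at the EP with NOP padding so execution falls through to the code after the cave, and sets AddressOfEntryPoint to the same RVA. It assumes a 32-bit PE, that the caller passes the cave size measured in OllyDbg (0x26 bytes is assumed here), and uses only the standard library. `build_sample_pe` produces a constructed stand-in for dump_.exe so the script runs offline; on the real file, read it with `open("dump_.exe", "rb").read()` instead.

```python
"""Write the stolen-bytes prologue into the code cave of a dumped PE32 and fix its entry point.
Added example; assumes PE32, a caller-supplied cave size, and stdlib only."""
import struct

# x86 encodings of the instructions listed in step 2e, as OllyDbg assembles them
# (the JMP SHORTs and junk instructions are left out). Immediates are the tutorial's.
STOLEN_BYTES = bytes.fromhex(
    "55"              # PUSH EBP
    "8BEC"            # MOV EBP,ESP
    "6AFF"            # PUSH -1
    "6810476200"      # PUSH 624710
    "6818F75E00"      # PUSH 5EF718
    "64A100000000"    # MOV EAX,DWORD PTR FS:[0]
    "50"              # PUSH EAX
    "64892500000000"  # MOV DWORD PTR FS:[0],ESP
    "83EC58"          # SUB ESP,58
    "53"              # PUSH EBX
    "56"              # PUSH ESI
    "57"              # PUSH EDI
    "8965E8"          # MOV DWORD PTR SS:[EBP-18],ESP
)

OEP_VA = 0x5EE833  # start of the code cave / EP from steps 1e and 3a
CAVE_SIZE = 0x26   # assumption: size of the cave selected in step 4b


def _optional_header(image):
    """Return the optional-header offset and the section table as (va, raw_size, raw_ptr)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    sections = []
    for i in range(nsections):
        _, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((va, raw_size, raw_ptr))
    return opt, sections


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)


def entry_point_rva(image):
    """AddressOfEntryPoint as stored in the optional header."""
    opt, _ = _optional_header(image)
    return struct.unpack_from("<I", image, opt + 16)[0]


def restore_stolen_bytes(image, oep_va, stolen, cave_size):
    """Write `stolen` over the cave at `oep_va`, NOP-pad the remainder of the cave so execution
    falls through to the code after it, and set AddressOfEntryPoint = oep_va - ImageBase."""
    out = bytearray(image)
    opt, sections = _optional_header(out)
    image_base, = struct.unpack_from("<I", out, opt + 28)
    modify = oep_va - image_base  # the value OllyDump wants in its 'Modify:' field
    if len(stolen) > cave_size:
        raise ValueError("prologue is %d bytes but the cave holds only %d" % (len(stolen), cave_size))
    off = _rva_to_offset(sections, modify)
    out[off:off + cave_size] = stolen + b"\x90" * (cave_size - len(stolen))
    struct.pack_into("<I", out, opt + 16, modify)
    return {"image": bytes(out), "ep_rva": modify, "file_offset": off}


def build_sample_pe():
    """Constructed stand-in for dump_.exe (not the real file): a single section mapped at RVA
    0x1EE000 so it covers the EP, with its code bytes filled with INT3."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0)          # AddressOfEntryPoint, filled in by restore_stolen_bytes
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase, as in the tutorial's arithmetic
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1EE000, 0x1000, 0x400,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x400, b"\0")
    return headers + b"\xCC" * 0x1000


if __name__ == "__main__":
    result = restore_stolen_bytes(build_sample_pe(), OEP_VA, STOLEN_BYTES, CAVE_SIZE)
    print("Modify: = %#x, prologue written at file offset %#x" % (result["ep_rva"], result["file_offset"]))
```

The size check matters: if the cave is shorter than the prologue the bytes after the cave (the code the prologue falls through into) would be overwritten, which is exactly the kind of silent corruption that makes a rebuilt dump crash at startup while looking fine in the disassembler.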
have fun..