[Repost] About ASProtect 1.2x - 1.3x

Posted 2005-6-21 00:31 | 4838 views
http://ollydbg.win32asmcommunity.net/index.php?=6&topic=1334

This looks like it is that ASProtect 1.23RC4 one, right?

Latest replies (5)
#2
Here is the EP:
00401000 u>/$ 68 01606200 push unpackme.00626001
00401005 |. E8 01000000 call unpackme.0040100B
0040100A \. C3 retn
0040100B $ C3 retn

Registers here:
EAX 00000000
ECX 0012FFB0
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFDF000
ESP 0012FFC4
EBP 0012FFF0
ESI FFFFFFFF
EDI 7C930738 ntdll.7C930738
EIP 00401000 unpackme.<ModuleEntryPoint>

Stack here:
0012FFC4 7C816D4F RETURN to kernel32.7C816D4F
0012FFC8 7C930738 ntdll.7C930738
0012FFCC FFFFFFFF
0012FFD0 7FFDF000
0012FFD4 8054C038
0012FFD8 0012FFC8

Here is the OEP, found with a script and Alt+M:
004B7555 |. /73 0E jnb short unpackme.004B7565 ; :::[OEP ]:::
004B7557 |. |F7D8 neg eax
004B7559 |. |03C4 add eax,esp
004B755B |. |83C0 04 add eax,4
004B755E |. |8500 test dword ptr ds:[eax],eax
004B7560 |. |94 xchg eax,esp
004B7561 |. |8B00 mov eax,dword ptr ds:[eax]
004B7563 |. |50 push eax
004B7564 |. |C3 retn
004B7565 |> \51 push ecx
004B7566 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
004B756A |> 81E9 00100000 sub ecx,1000
004B7570 |. 2D 00100000 sub eax,1000
004B7575 |. 8501 test dword ptr ds:[ecx],eax
004B7577 |. 3D 00100000 cmp eax,1000
004B757C |.^ 73 EC jnb short unpackme.004B756A
004B757E |. 2BC8 sub ecx,eax
004B7580 |. 8BC4 mov eax,esp
004B7582 |. 8501 test dword ptr ds:[ecx],eax
004B7584 |. 8BE1 mov esp,ecx
004B7586 |. 8B08 mov ecx,dword ptr ds:[eax]
004B7588 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
004B758B |. 50 push eax
004B758C \. C3 retn
004B758D CC int3
004B758E CC int3
004B758F CC int3

Registers here:
EAX 00000094
ECX 0041F6F2 unpackme.0041F6F2
EDX 00F60285
EBX 3D83D8BF
ESP 0012FF14
EBP 0012FF94
ESI 00D95B28
EDI 00000094
EIP 004B7555 unpackme.004B7555

Stack here:
0012FF14 00F61AF3
0012FF18 00626889 unpackme.00626889
0012FF1C 00D95B28
0012FF20 3D83D8BF
0012FF24 0012FFE0
0012FF28 0012FF60

Part of memory here; I think this is the real IAT:
00588000 77DCC41B advapi32.RegOpenKeyA
00588004 77DBA7B1 advapi32.CryptDecrypt
00588008 77DB8546 advapi32.CryptReleaseContext
0058800C 77DBA254 advapi32.CryptDestroyHash
00588010 77DBA685 advapi32.CryptDeriveKey
00588014 77DBA122 advapi32.CryptHashData
00588018 77DBA2F9 advapi32.CryptCreateHash
......
2005-6-21 10:27
#3
But another problem occurs; look here and above:
004B7555 |. /73 0E jnb short unpackme.004B7565 ; :::[OEP ]:::
......
......
004B7564 |. |C3 retn ; this retn will goto 00F61AF3

Here, with calls to GetVersionExA and GetModuleFileNameA, it proves the OEP is right:
00F61AF3 8965 E8 mov dword ptr ss:[ebp-18],esp
00F61AF6 F2: prefix repne:
00F61AF7 EB 01 jmp short 00F61AFA
00F61AF9 F0:BE DA364800 lock mov esi,4836DA
00F61AFF 337424 08 xor esi,dword ptr ss:[esp+8]
00F61B03 8BF4 mov esi,esp
00F61B05 893E mov dword ptr ds:[esi],edi
00F61B07 56 push esi
00F61B08 FF15 88805800 call dword ptr ds:[588088] ; this call is kernel32.GetVersionExA
00F61B0E 8B4E 10 mov ecx,dword ptr ds:[esi+10]
00F61B11 890D D4C56100 mov dword ptr ds:[61C5D4],ecx
00F61B17 8B46 04 mov eax,dword ptr ds:[esi+4]
00F61B1A A3 E0C56100 mov dword ptr ds:[61C5E0],eax
00F61B1F 8B56 08 mov edx,dword ptr ds:[esi+8]
00F61B22 8915 E4C56100 mov dword ptr ds:[61C5E4],edx
00F61B28 8B76 0C mov esi,dword ptr ds:[esi+C]
00F61B2B 81E6 FF7F0000 and esi,7FFF
00F61B31 8935 D8C56100 mov dword ptr ds:[61C5D8],esi
00F61B37 83F9 02 cmp ecx,2
00F61B3A E8 C1E40500 call 00FC0000
00F61B3F 5D pop ebp
00F61B40 E9 D70E0000 jmp 00F62A1C
00F61B45 85C0 test eax,eax
00F61B47 0F85 B0030000 jnz 00F61EFD
00F61B4D ^ E9 83F1FFFF jmp 00F60CD5
00F61B52 8975 FC mov dword ptr ss:[ebp-4],esi
00F61B55 68 032AF600 push 0F62A03
00F61B5A E8 A1E40500 call 00FC0000
00F61B5F 8365 FC 00 and dword ptr ss:[ebp-4],0
00F61B63 ^ E9 DAECFFFF jmp 00F60842
00F61B68 FF15 80805800 call dword ptr ds:[588080] ; this call is kernel32.GetModuleFileNameA

Of course, the section at 00F60000 is not one of the PE's sections, so it won't be dumped, and the dumped PE goes wrong here. What should I do?
2005-6-21 10:28
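The problem in the post above comes down to one check: does an address the OEP code jumps to (00F61AF3, and the 00FC0000 call target after it) lie inside one of the image's sections, as recorded in the PE section table, or outside the image entirely? The following is an added example, not the poster's code or anything from the ASProtect tooling. It parses a PE32 section table and answers that question, then reports the (RVA, size) range a new section header would have to span for a dump to include the unmapped block. Since the thread never shows unpackme.exe's headers, the image base (0x00400000, consistent with the EP at 00401000) and the section layout in SAMPLE_SECTIONS are constructed assumptions laid out so the addresses quoted in the posts land where the posts say they do.

```python
"""Does an address reached from the OEP lie inside one of the PE's sections?

Added example for this thread, not the poster's code.  The thread never shows
unpackme.exe's section table, so SAMPLE_SECTIONS is a constructed stand-in
laid out so the addresses quoted in the posts land where the posts say they do.
"""
import struct
from collections import namedtuple

Section = namedtuple("Section", "name rva vsize raw_ptr raw_size characteristics")

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_BASE = 0x00400000           # assumption, consistent with the EP at 00401000

# (name, RVA, VirtualSize): constructed, not read from the real file
SAMPLE_SECTIONS = [
    (".text", 0x001000, 0x190000),   # OEP 004B7555 and the IAT at 00588000
    (".data", 0x191000, 0x08F000),   # the globals written at 0061C5xx
    (".aspr", 0x220000, 0x008000),   # ASProtect loader code pushed at the EP
]


def align_up(x, a):
    return (x + a - 1) & ~(a - 1)


def align_down(x, a):
    return x & ~(a - 1)


def build_minimal_pe(image_base, sections, entry_rva, section_align=0x1000, file_align=0x200):
    """Header-only PE32 image (DOS stub, PE signature, file header, optional
    header, section table).  Only the fields parse_pe() reads are filled in."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    opt = bytearray(0xE0)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, image_base, section_align, file_align)
    size_of_image = align_up(max(rva + vsize for _, rva, vsize in sections), section_align)
    struct.pack_into("<I", opt, 56, size_of_image)           # SizeOfImage

    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)

    table = b""
    raw_ptr = align_up(e_lfanew + 4 + len(file_hdr) + len(opt) + 40 * len(sections), file_align)
    for name, rva, vsize in sections:
        raw_size = align_up(vsize, file_align)
        table += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"),
                             vsize, rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw_size
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


def parse_pe(data):
    """Return (image_base, section_align, size_of_image, [Section, ...])."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)       # FileHeader.NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base, section_align = struct.unpack_from("<II", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HEADER, data, opt + opt_size + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode(), f[2], f[1], f[4], f[3], f[9]))
    return image_base, section_align, size_of_image, sections


def locate(data, va):
    """Section name containing virtual address `va` once the image is mapped,
    or None when no section covers it (the 00F6xxxx block in the thread)."""
    image_base, section_align, _, sections = parse_pe(data)
    rva = va - image_base
    for s in sections:
        end = s.rva + align_up(max(s.vsize, s.raw_size), section_align)
        if s.rva <= rva < end:
            return s.name
    return None


def locate_all(data, vas):
    return {va: locate(data, va) for va in vas}


def uncovered_region(data, vas):
    """(RVA, size) a new section header would need so that a dump of this image
    also contains the addresses no section covers; None if all are covered.
    The real base and size of the block should be read off the Alt+M memory map."""
    image_base, section_align, _, _ = parse_pe(data)
    missing = [va for va in vas if locate(data, va) is None]
    if not missing:
        return None
    start = align_down(min(missing), section_align)
    end = align_up(max(missing) + 1, section_align)
    return start - image_base, end - start


SAMPLE_PE = build_minimal_pe(IMAGE_BASE, SAMPLE_SECTIONS, entry_rva=0x1000)

if __name__ == "__main__":
    # addresses quoted in the thread: OEP, IAT slot used by the GetVersionExA call,
    # the EP's push target, the retn target and the call target seen after the OEP
    targets = [0x004B7555, 0x00588088, 0x00626001, 0x00F61AF3, 0x00FC0000]
    for va, sec in locate_all(SAMPLE_PE, targets).items():
        print(f"{va:08X} -> {sec or 'not in any section'}")
    print("region a new section would have to cover (RVA, size):",
          uncovered_region(SAMPLE_PE, targets))
```

To run this against a real dump instead of the constructed header, pass the file's bytes to locate_all (e.g. `locate_all(open("dumped.exe", "rb").read(), [0x00F61AF3])`). The range uncovered_region reports is only a lower bound derived from the addresses you fed it; the actual base and size of the block the protector allocated are what the memory map shows, and that is the region that has to be dumped and described by a section header before the image can contain it.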
#4
Originally posted by flyinsky:
    http://ollydbg.win32asmcommunity.net/index.php?=6&topic=1334
    This looks like it is that ASProtect 1.23RC4 one, right?

94 (net slang for 就是: "yes, that's the one")
2005-6-21 10:30
#5
pe-pack 1.0 :: 27.27%
aspack 2.11 :: 16.67%
pencrypt 3.0 :: 16.67%
telock 0.60 :: 16.13%
telock 0.95 :: 14.29%
telock 0.96 :: 14.29%
zcode 1.01 :: 14.29%
pklite 1.1 build 11 :: 13.64%
neolite 1.0 :: 13.33%
neolite 1.01 :: 13.33%
neolite 2.00 :: 13.33%
bit-arts crunch 4.0.0.0 :: 12.50%
dbpe/phantasm 0.07 :: 12.50%
dbpe/phantasm 0.8 :: 12.50%
exe-bundle 1.31 :: 12.50%
packmaster 1.0/1.6 :: 12.50%
stone's pe-encryptor 1.0 :: 12.50%
stone's pe-encryptor 1.13 :: 12.50%
telock 0.70 :: 12.50%
telock 0.71 :: 12.50%
telock 0.80 :: 12.50%
telock 0.92a :: 12.50%
ep 0.2 :: 12.00%
neolite 1.0x [dll/ocx] :: 10.34%
ezip 1.0 :: 9.68%
telock 0.90 :: 9.68%
aspack 1.08.04 :: 9.38%
aspack 2.000 :: 9.38%
aspack 2.001 :: 9.38%
krypton 0.3 :: 9.38%
pcpec alpha preview :: 9.38%
pe-diminisher 0.1 :: 9.38%
pe-ninja 1.0 :: 9.38%
spec b3 :: 9.38%
neolite 2.00 [dll/ocx] :: 9.09%
upx 0.71-0.72 :: 9.09%
pe-shield 0.25 :: 8.33%
lamecrypt 1.0 :: 8.00%
fsg 1.0 :: 7.14%
pc-guard 4.03d-4.05d :: 6.45%
aspack 1.08.03 :: 6.25%
dbpe/phantasm 1.0 :: 6.25%
krypton 0.2 :: 6.25%
noodlecrypt 2 :: 6.25%
petite 1.2 :: 6.25%
pklite 1.1 build 11 [dll/ocx] :: 6.25%
spec b2 :: 6.25%
telock 0.85f :: 6.25%
telock 0.98 :: 5.56%
aspack 2.11c-d :: 4.55%
2005-6-21 10:33
#6
I have been at it for a long time and still can't unpack it. Frustrating.
2005-6-21 10:34