Instructions
Open The EXE With PEiD to first verify that it is packed with ASPack.
If it is, then go ahead and open up OllyDBG (With OllyDump Plugin), and then open the EXE.
The first instruction should be a PUSHAD, and a CALL [Application Name].XXXXXXXX
Go ahead and press F8 (Step-over), it will step-over the PUSHAD instruction, and the ESP register to the right should change.
Go ahead, right click the ESP register, and follow in dump.
Now, your at the bottom left hand side, right click, make sure your veiwing Hex -> ASCII 16 char
Highlight the first 4 bytes you see, right click, set Hardware Breakpoint -> On Access -> DWORD
Then hit F9 (Run)
You will end up at a JNZ SHORT.
Press F7 (step-into) to step-into it.
The PUSH [Application].[Address] is holding the OEP!
Press F7 twice, and you will now be sitting at the OEP.
Now right click that address, OllyDump -> Make dump
Modify the OEP to the address that you are at. Also note the RVA (Named as 'Start Address') and the Size.
Dump.
Now, open Imprec.
Take the Start Address, Minus it from the original OEP, now fill that new Address into the OEP Feild in Imprec.
Fill the RVA with the start address. And Size, with Size.
Hit IAT AutoSearch. If all your stuff is right, then Imprec should say
"Found address which may be in the Original IAT. Try 'Get Import'."
Press ok. The RVA and Size should change, this is whats suppose to happen.
Now press Fix Dump, and select the dumped.exe you saved from OllyDBG.
Now test the newly unpacked EXE, and it should work!