
Thread: Aspack trouble

  1. #1
    Soldat
    Guest

    Question Aspack trouble

    Hello!!

    I have trouble with the following program

    AD Picture Viewer Version 2.4.1

    http://www.abroaddesign.com/picview/picview.zip

    I tried to unpack this stuff

    (OS Win 98)

    I think I found the OEP

    It was 4DF6A8 (found the pattern 61,FF,E0 with SoftICE)

    something like

    push ebp
    mov ebp,esp
    .....
    .....

    Rebuilt the IAT with ReVirgin, found 4 unresolved APIs

    after manual resolution they were

    GetProcAddress
    GetModuleHandleA
    GetCurrentProcess
    GetVersion

    all in KERNEL32.dll

    I did the generation of the IAT with DUMPED.exe
    and put the new OEP in with PE-Editor by Yoda (after dumpfixer)

    Tried to run it but there was a crash,
    then I tried to compare the pattern of the original program and dumped.exe

    the difference was at address
    4069DC ret

    after it the original program returns into the 4xxxxx area
    and the DUMPED.EXE
    returns into 7xxxxx where, after the following instruction

    cmp (I've forgotten what), it jumps to KERNEL and the message

    This program performed illegal operation and will be closed

    appears

    I believe this is one of the protection checks but I don't know which

    because I don't have too much experience

    Thanks for help

    Soldat
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    SilSaLaMaTa
    Guest
    Hi Soldat
    I found the OEP at 4DfB98 (Version 2.5 build 231).
    After rebuilding the IT, the OEP was like this:
    push ebp
    mov ebp,esp
    .
    .
    .
    call 000451D74
    Call [4E5B70]
    .
    .
    .

    I got an error while executing this line. I ran the original
    file and in SoftICE I traced up to that line.
    Then d 4E5B70. 4E5B70 -> xxxxx -> ... -> 4DF470.
    so I changed "Call [4E5B70]" to "Call 4DF470",
    and the prog runs normally

  3. #3
    serkul
    Guest
    "and the Prog runs normally"
    ... as long as you can be sure that [4E5B70] contains 4DF470 in any case (on any system)

  4. #4
    Registered User (Join Date: Oct 2001, Location: Norway, Posts: 138)

    Hi there

    Hi there,
    Maybe you got some of the imports wrong or messed up. I used ReVirgin and it came up with these unresolved imports:

    21 000E61E4 011CE494 0000 ?????? to_Resolve
    22 000E61E8 011CE8E4 0000 ?????? to_Resolve
    26 000E61F8 011CE944 0000 ?????? ??????
    63 000E629C 011CE8E4 0000 ?????? to_Resolve
    92 000E6318 011CE954 0000 ?????? ??????
    107 000E6354 011CE900 0000 ?????? ??????
    112 000E6368 011CE494 0000 ?????? to_Resolve
    114 000E6370 011CE8E4 0000 ?????? to_Resolve
    125 000E639C 011CE938 0000 ?????? ??????
    127 000E63A4 011CE964 0000 ?????? ??????

    After tracing in SoftICE I found them to be:

    21 GetProcAddress
    22 GetModuleHandleA
    26 GetCommandLineA
    63 GetModuleHandleA
    92 LockResource
    107 GetVersion
    112 GetProcAddress
    114 GetModuleHandleA
    125 GetCurrentProcessId
    127 FreeResource

    When I traced in SoftICE it looked like the import at 92 is GetCurrentProcess. This is wrong. The call here has a ret 0004 instruction at the end. This indicates that this is a "dummy" call. When I checked in the resolved list in ReVirgin, it looks more "natural" to change it to LockResource.
    At 127 the import seems to be GetVersion. But the same goes here, only that it looks more natural to change it to FreeResource.

    That's it. After changing the code as described by SilSaLaMaTa, it runs perfectly. To top it: it is also registered. :-)
    Try to enter a code via the About screen, you'll see what I mean. And the 30 day period is now "hardcoded" into the program, so it never expires.
    The only thing left to be removed is the trial text.

    Hope this helps,
    hobgoblin
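Following the pointer chain behind a "Call [4E5B70]"-style import and checking which IAT slots still resolve, as SilSaLaMaTa, serkul and hobgoblin describe above, can be done mechanically on a dump. The Python below is an added example written for this thread; it is not code from the thread, from ReVirgin or from SoftICE. The dump layout, section ranges, kernel32 export addresses and all slot contents are constructed; only the 4E5B70 -> ... -> 4DF470 shape and the 011CE944 value are taken from the posts. Each slot is walked until it reaches a known DLL export, code inside the module itself, an address nothing knows about (ReVirgin's "?????? to_Resolve" case) or a loop in the pointer table, and serkul's caveat is encoded in one check: a target inside the module is stable across systems, an address inside a DLL is not.

```python
import struct
from dataclasses import dataclass

# Added example (not from the thread or any tool it names). Models a
# process dump as a flat byte buffer with hypothetical section ranges
# and audits IAT slots the way an analyst checks a rebuilt import table.


@dataclass
class Dump:
    base: int
    data: bytearray
    code: range    # hypothetical .text range of the dumped module
    rdata: range   # hypothetical data range that holds pointer tables

    def contains(self, addr: int) -> bool:
        return self.base <= addr <= self.base + len(self.data) - 4

    def read_u32(self, addr: int) -> int:
        if not self.contains(addr):
            raise ValueError(f"{addr:08X} is outside the dump")
        return struct.unpack_from("<I", self.data, addr - self.base)[0]

    def write_u32(self, addr: int, value: int) -> None:
        struct.pack_into("<I", self.data, addr - self.base, value)


# Constructed export table standing in for the loaded kernel32; the
# addresses are hypothetical and differ from any real Windows build.
KERNEL32_EXPORTS = {
    0xBFF76E1A: "GetProcAddress",
    0xBFF7F2D0: "GetModuleHandleA",
}


def resolve_slot(dump: Dump, slot: int, exports: dict, max_hops: int = 8):
    """Follow the pointer chain that starts at one IAT slot.

    Returns (status, final_address, hops) where status is one of
    'api'        - final address is a known export of a loaded DLL
    'image-code' - chain ends at code inside the dumped module itself
                   (SilSaLaMaTa's 4E5B70 -> ... -> 4DF470 case)
    'unresolved' - value lies outside every known region
                   (ReVirgin's '?????? to_Resolve' case)
    'cycle'      - the pointer table loops back on itself
    """
    hops, seen, addr = [], set(), slot
    while True:
        if addr in seen:
            return "cycle", addr, hops
        seen.add(addr)
        value = dump.read_u32(addr)
        hops.append(value)
        if value in exports:
            return "api", value, hops
        if value in dump.code:
            return "image-code", value, hops
        if value in dump.rdata and len(hops) <= max_hops:
            addr = value          # one more level of indirection
            continue
        return "unresolved", value, hops


def audit_iat(dump: Dump, slots: list, exports: dict) -> list:
    """One row per slot: (slot, status, final address, API name or ??????)."""
    rows = []
    for slot in slots:
        status, final, _ = resolve_slot(dump, slot, exports)
        rows.append((slot, status, final, exports.get(final, "??????")))
    return rows


def is_patch_portable(status: str) -> bool:
    # serkul's caveat: replacing "call [slot]" with a direct call only
    # stays valid when the target lives inside the module; an address
    # inside a DLL differs from one system (or OS version) to the next.
    return status == "image-code"


def build_sample_dump() -> Dump:
    """Constructed sample mirroring the thread's shape; values hypothetical."""
    base, size = 0x4D0000, 0x20000
    dump = Dump(base, bytearray(size),
                code=range(0x4D0000, 0x4E0000), rdata=range(0x4E0000, 0x4F0000))
    # slot 1: IAT slot -> table -> table -> code inside the module
    dump.write_u32(0x4E5B70, 0x4E6000)
    dump.write_u32(0x4E6000, 0x4E6010)
    dump.write_u32(0x4E6010, 0x4DF470)
    # slot 2: ordinary import pointing straight at a DLL export
    dump.write_u32(0x4E5B74, 0xBFF76E1A)
    # slot 3: value from the thread's ReVirgin listing, unknown to our tables
    dump.write_u32(0x4E5B78, 0x011CE944)
    # slot 4: constructed loop in the pointer table
    dump.write_u32(0x4E5B7C, 0x4E6020)
    dump.write_u32(0x4E6020, 0x4E5B7C)
    return dump


if __name__ == "__main__":
    d = build_sample_dump()
    for slot, status, final, name in audit_iat(
            d, [0x4E5B70, 0x4E5B74, 0x4E5B78, 0x4E5B7C], KERNEL32_EXPORTS):
        print(f"{slot:08X} {status:10} {final:08X} {name} "
              f"portable-patch={is_patch_portable(status)}")
```

On a real dump the section ranges come from the PE headers and the export table from the DLLs actually loaded on that machine, which is exactly why a "call 4DF470" patch is only safe when the chain ends inside the image.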

  5. #5
    Soldat
    Guest
    Yes I've made it but I have a question for you

    Hobgoblin or SilSaLaMaTa

    Yes the crash was because of the IAT, because I didn't do it as well

    now would you explain to me how you found that

    26 000E61F8 011CE944 0000 ?????? ??????

    was

    GetCommandLineA

    then

    107 000E6354 011CE900 0000 ?????? ??????

    GetVersion

    and

    125 000E639C 011CE938 0000 ?????? ??????

    125 GetCurrentProcessId

    because when I traced them with the tracer in ReVirgin they appeared

    to be

    GetModuleHandleA
    GetModuleHandleA
    GetVersion

    then I checked the addresses of them

    (011CE944,011CE900,011CE938) with SoftICE

    and found the same as with ReVirgin (by the way I use v1.3 of ReVirgin)

    When I did as you did Hobgoblin, when renamed in the same way,

    everything was good (also I changed the call according to

    SilSaLaMaTa)

    At least the protection (I mean the window that appears before

    starting the program about key entering) hasn't vanished

    I didn't check the time limitation because there are still several days for the demo

    And also if you want Hobgoblin, explain to me again about those

    fake APIs, where did you see them to be

    LockResource

    FreeResource

    my ReVirgin didn't rename anything, maybe something is wrong

    with me

    Thank you both

  6. #6
    Registered User (Join Date: Oct 2001, Location: Norway, Posts: 138)

    hi..

    Hi there,
    Nice to see that you resolved some of your problems.
    Instead of me repeating and rewriting a lot of stuff, you can easily get all the answers you need if you search this board for the information revealed to all of us by +Splaj, Kayaker and a couple of others devoted to reversing the Asprotect protection.
    I can't possibly imagine I have something new to add to what they have shared on this board.
    Just search using the names I just gave you, and you will find a lot of stuff, maybe somehow fragmented and spread out over several posts. But I can assure you: by digesting that information you will get a very detailed understanding of Asprotect.

    good luck,
    hobgoblin
