
Thread: Ecomsoft products Asprotected

  1. #1

    Ecomsoft products Asprotected

    Hi, all guys on this board.

    From here I've reversed a lot of progs but I'm a newbie in unpacking. I've learned a lot from this board and specially from threads and tutorials by +slaj about asprotect.

    I'm now working on Elcomsoft products, I started with AOXPPR_P.EXE ( Advanced Office XP Password Recovery Pro ), you can find it

    OK, found OEP, used revirgin but it still remains some unresolved. I've learned again but I can't find them for sure.

    Can anybody help me with this example? You can find here in attachment a RESOLVED.TXT file generated by RV.

    Thanks

    louzew@libertysurf.fr

  2. #2
    Hi LOUZEW,

    There are lots of threads regarding this topic. Search the forum.
    No IAT attachments are to be uploaded. Cut and paste the part which is not resolved.

    Regards
    esther


    Reverse the code, Reverse Your Minds First

  3. #3

    Elcomsoft Again

    OK ester,
    Sorry for this attachment, I'll post now the unresolved only!

    OK, I know there are a lot of threads about that on this board, I've learned more and more from them, I still have problems resolving these ones, if somebody can help!

    Thanks

  4. #4
    foxthree
    Guest

    Resolved this....

    Hey:

    I just resolved the AOXPPRPro version successfully under Win9x. If you're talking about the unresolved one in the USER32.dll thunk, refer to my post on ADPRPRPro and the reply by Crusader... In fact there are only a few APIs in USER32.dll that do a RET 0014

    Signed,
    -- FoxThree

    PS: BTW, the above is my assumption only. You've not given any sufficient info as to which APIs you haven't been able to resolve yet.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5

    Elcomsoft again

    Hi, Foxthree
    Thanks a lot for responding, I've read many of your posts!
    I've taken a look too at your post on ADPRPRPro and the reply by Crusader.
    OK, but I'm a newbie in unpacking and I still have problems locating unresolved functions.

    I'll post here in attachment UNRESOLVED.TXT from AOXPPRPro, maybe you can take a look, and if you have resolved it successfully, maybe you can explain how you find these unresolved functions.

  6. #6

    New post for Elcomsofts

    Hi, foxthree
    I don't know why but somebody deleted the attachment from my last post; it was only the unresolved from AOXPPRPro!
    Maybe the guy who deleted it can explain (I'm referring to esther's reply).

    OK, for you Foxthree, the unresolved calls are the following:

    25 001F34F0 BFF8E0CD 0133 KERNEL32.dll FreeLibrary
    26 001F34F4 013213C4 0000 ?????? ??????
    27 001F34F8 BFF8E150 0138 KERNEL32.dll GetACP

    30 001F3504 BFF779D5 0158 KERNEL32.dll GetCurrentDirectoryA
    31 001F3508 01321388 0000 ?????? ??????
    32 001F350C BFF92F1B 01DC KERNEL32.dll GetVersion

    52 001F355C BFF776F7 018B KERNEL32.dll GetModuleFileNameA
    53 001F3560 0132133C 0000 ?????? to_Resolve
    54 001F3564 BFF9100F 0196 KERNEL32.dll GetOEMCP

    56 001F356C C0193CDC 019F KERNEL32.dll GetPrivateProfileStringA
    57 001F3570 01320EE8 0000 ?????? to_Resolve
    58 001F3574 BFF8CAE1 01A6 KERNEL32.dll GetProcessHeap

    99 001F3618 BFF9C654 023C KERNEL32.dll LockFile
    100 001F361C 013213B4 0000 ?????? ??????
    101 001F3620 BFF820A9 0249 KERNEL32.dll MapViewOfFile

    I hope you can tell me how to find them! (I have to learn again..)

    Thanks

  7. #7
    LOUZEW:

    Perhaps you didn't read the warning which is now part of the header of all of the Forums, except "Off Topic" which states, in capital letters:

    "DO NOT UPLOAD ANY TARGET SPECIFIC CODE."

    Perhaps you didn't understand when esther (look I spelled it correctly this time) told you to "cut and paste" rather than "attach" sections of code. Although it wasn't stated, we can assume that it is intended to prevent someone else from taking an attachment and pasting its information into their own file and get a potentially working program. Again assuming, we can conclude that is another attempt to prevent the wolves constantly nipping at the heels of this Board from claiming that the Board is facilitating the distribution of cr*cked software.

    It shouldn't be that difficult to cut and paste a small section of the code as you appear to have done in your last post, and this is not "directly" insertable into someone else's efforts, even though it can be re-typed into their output.

    Just as an aside, have you considered using Softice to look at the addresses in the "unresolved"? It is generally unlikely that you will find something from a different API in the middle of references to KERNEL32.dll, but you could go to the first address at 013213C4 and see what you find right at that address and above and below this address. Here is a cut and paste from our resident unpaxing God, +Spl/\j, from the thread RIGHT BELOW YOURS, in which he wrote:

    [quote]

    To manually trace a re-directed API just look at the unresolved and then while holding target in EB FE loop Ctl-D into SI and U the call eg from above example :-
    027 001A029C 00E8C94C 0000 ?????? ??????

    in SI type U E8C94C and examine the code.

    it will look something like :-

    0167:0132138E 8BC0 MOV EAX,EAX
    0167:01321390 E8DB3DFFFF CALL KERNEL32!GetVersion <- FAKE call
    0167:01321395 A1F06C3201 MOV EAX,[01326CF0] <- restore GetCommandLineA
    0167:0132139A C3 RET

    so if you had MANUALLY logged that memory block where ASPR saves GetWhatWeWant API result then you will know that [1326CF0] holds result of GetCommandLineA API
    [end quote]

    Give this a try.

    Regards.
    JMI
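    The tracing recipe quoted above, as an added example that is not part of the thread and not code from any of its posters: a small Python script that picks the unresolved entries out of a pasted RV listing (the lines from post #6 are embedded as constructed sample input), decodes the raw bytes of a SoftICE listing of one redirector stub (the listing quoted in this post, also embedded as constructed input), recognises the "CALL decoy; MOV EAX,[slot]; RET" shape, and names the API from a slot-to-API table the analyst logged by hand. The table is an assumption and holds only the [01326CF0] -> GetCommandLineA entry the quote mentions. The CALL target is computed from the rel32 bytes rather than taken from SI's symbolic label, because the label is what the decoy call is designed to mislead.

```python
import re
import struct

# Constructed sample: RevirGin "unresolved" lines as pasted in post #6
# (index, thunk address, pointer, ordinal, module, name).
RV_LISTING = """\
25 001F34F0 BFF8E0CD 0133 KERNEL32.dll FreeLibrary
26 001F34F4 013213C4 0000 ?????? ??????
27 001F34F8 BFF8E150 0138 KERNEL32.dll GetACP
30 001F3504 BFF779D5 0158 KERNEL32.dll GetCurrentDirectoryA
31 001F3508 01321388 0000 ?????? ??????
53 001F3560 0132133C 0000 ?????? to_Resolve
"""

# Constructed sample: the SoftICE listing of one redirector stub quoted in post #7.
STUB_LISTING = """\
0167:0132138E 8BC0 MOV EAX,EAX
0167:01321390 E8DB3DFFFF CALL KERNEL32!GetVersion
0167:01321395 A1F06C3201 MOV EAX,[01326CF0]
0167:0132139A C3 RET
"""

# Assumption: slot -> API as logged by hand while stepping the packer's startup;
# the quoted post says [01326CF0] holds the GetCommandLineA result.
LOGGED_SLOTS = {0x01326CF0: "KERNEL32.GetCommandLineA"}

RV_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{4})\s+(\S+)\s+(\S+)")
SI_RE = re.compile(r"^\s*[0-9A-Fa-f]{4}:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")


def unresolved_entries(text):
    """Return (index, thunk, pointer) for every RV line whose module is '??????'."""
    found = []
    for line in text.splitlines():
        m = RV_RE.match(line)
        if m and m.group(5) == "??????":
            found.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
    return found


def parse_si(text):
    """Parse 'seg:addr hexbytes text' lines into (address, raw bytes); the text is ignored."""
    return [(int(m.group(1), 16), bytes.fromhex(m.group(2)))
            for m in (SI_RE.match(l) for l in text.splitlines()) if m]


def decode(addr, code):
    """Decode the tiny x86 subset the stub uses; returns (mnemonic, operand)."""
    if code[:2] == b"\x8b\xc0":                      # MOV EAX,EAX: 2-byte do-nothing padding
        return ("mov_eax_eax", None)
    op = code[0]
    if op == 0xE8 and len(code) == 5:                # CALL rel32: target = next_ip + rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("call", (addr + 5 + rel) & 0xFFFFFFFF)
    if op == 0xA1 and len(code) == 5:                # MOV EAX,[moffs32]: load a saved result
        return ("mov_eax_mem", struct.unpack_from("<I", code, 1)[0])
    if op == 0xC3 and len(code) == 1:                # RET
        return ("ret", None)
    raise ValueError("unsupported instruction at %08X: %s" % (addr, code.hex()))


def analyse_stub(text, logged_slots):
    """Recognise 'CALL decoy; MOV EAX,[slot]; RET' and name the API the slot really holds."""
    insns = [(a, decode(a, b)) for a, b in parse_si(text)]
    kinds = [k for _, (k, _) in insns]
    result = {"decoy_call_target": None, "result_slot": None, "real_api": None}
    for i in range(len(insns) - 2):
        if kinds[i:i + 3] == ["call", "mov_eax_mem", "ret"]:
            result["decoy_call_target"] = insns[i][1][1]
            slot = insns[i + 1][1][1]
            result["result_slot"] = slot
            result["real_api"] = logged_slots.get(slot, "UNKNOWN (slot not logged)")
    return result


if __name__ == "__main__":
    for idx, thunk, ptr in unresolved_entries(RV_LISTING):
        print("entry %d thunk %08X -> unassemble at %08X" % (idx, thunk, ptr))
    print(analyse_stub(STUB_LISTING, LOGGED_SLOTS))
```

    The point of the pattern check is that the CALL is the part meant to fool a tracer that records the last API it saw; what the thunk actually returns is whatever the MOV EAX,[slot] that follows loads, so the slot address is the key you look up in your own log. A slot that is not in the log is reported as unknown rather than guessed.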

  8. #8
    foxthree
    Guest

    JMI answers :)

    Hello there:

    However hard I try, I can't answer better than +SplAj and JMI. Seek and ye shall find ... Follow +SplAj's post as posted by JMI and you'll never miss...

    Signed,
    -- FoxThree
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9

    RE: Elcomsoft

    OK guys (JMI & Foxthree)
    First of all (about the attachment) I was thinking that this text file was only a piece of text and not a section of code, I've noted your advice!

    I'll try now what you said JMI and let you know.

    Thanks again for your responses guys!

  10. #10
    Hi FoxThree,JMI,
    Thanks for directing newbies to search the board. How ironic when the answer is right under your nose and you didn't bother to look at it.

    Best Regards
    esther


    Reverse the code, Reverse Your Minds First

  11. #11
    +SplAj

    plugin

    LOUZEW


    The public release of ASPR1.2x plugin that fits Imprec/RV worked for a long time.

    This is a delphi 'bloatware' dll, but a packed version. Currently it does NOT resolve the latest Alexey trick to shake off API tracers :-

    001F3500 kernel32.dll 01DC GetVersion <-WRONG should be GetCommandLineA

    If you un-assemble that redirector call in SI you'll see wtf gives

    BTW wtf is '+slaj' ??????? r u taking piss
    Last edited by +SplAj; September 10th, 2002 at 12:49.
    Carve my name into your arm :)

  12. #12

    Elcomsoft again

    Hi, all
    many thanks for your responses and your help. I've read many posts and tutorials these last two days and found some interesting things. I've read the evaluator post that describes API calls and their offset from the beginning of the aspr module. My UNRESOLVED calls were exactly at these offsets. Well, dumped and fixed now AOXPPRPro.exe but still have a problem. The app crashes, lots of work again, I'll read more again!

    Only a question: HOW do you get to know these API calls? Because following your tuts, I never saw them, maybe something is wrong on my side. Here is what I do:

    BPX GetVersion, F5 and trace back to aspr code with F12; after that I never see the following:

    xxxxxxxx : PUSH 00
    xxxxxxxx : CALL KERNEL32!GetModuleHandleA
    xxxxxxxx : MOV [yyyyyyyy],EAX
    xxxxxxxx : CALL KERNEL32!GetVersion
    xxxxxxxx : MOV [yyyyyyyy],EAX
    xxxxxxxx : PUSH 017B35AC
    xxxxxxxx : CALL KERNEL32!GetVersionExA
    xxxxxxxx : CALL KERNEL32!GetCurrentProcess
    xxxxxxxx : MOV [yyyyyyyy],EAX
    xxxxxxxx : CALL KERNEL32!GetCurrentProcessId
    xxxxxxxx : MOV [yyyyyyyy],EAX
    xxxxxxxx : CALL KERNEL32!GetCommandLineA
    xxxxxxxx : MOV [yyyyyyyy],EAX
    xxxxxxxx : RET

    I've found this sequence only on an older Asprotected app (Aspr 1.2).

    To Foxthree: till you've fixed it, maybe you can PM me a little tut for the complete unpack/fix method with AOXPPRPro for example.

    I really want to know more on Asprotect (the protected app doesn't matter, but I have this one and already worked on it).

    In advance, thanks to all of you my friends!!!

  13. #13
    evaluator
    >>that never seen the following

    Because that code piece is from older aspr versions.

    Now is another code. Debug aspr code & find it.
    Don't be lazy.
