Help with API Spy 2.5 plz (process patching)


Drak0
December 26th, 2000, 01:14
Hi,

I'm trying to patch this program using a process patcher... and I have gotten it fully cracked... that is, until it restarts itself!

After you use api spy on a program, it shuts down and restarts itself! Well, this is a problem because it's executing the wrong .exe!!!

Anyone who has used this program knows what I'm talking about... if anyone can help, I'd really REALLY appreciate it.

I don't really know what to break on... I've tried 'CreateProcessA', 'CreateThread', etc....

What I would like to do is find out where in memory the name of the program is stored... and change that to my patched loader (I'm using risc's loader, btw)...

Thanks,
Drak0

EVC_ViPeR
December 26th, 2000, 05:15
Snake's page has a document about v2.4. Check it out, it might help.

Drak0
December 26th, 2000, 13:11
Quote:
EVC_ViPeR (12-25-2000 18:15):
Snake's page has a document about v2.4. Check it out, it might help.


I know I saw that... but he manually unpacked it and then just patched the .exe...

I am doing it a different way... with a process patcher...

but I'm thinking that his way is the better way

Any thoughts are still welcome

-Drak0

stanks
December 27th, 2000, 01:00
Hi!

I tried to unpack it like Snake, but it doesn't work in 2.5. Don't know why. Maybe an experienced reverser can help?

Greetz

SpeKKeL!
December 27th, 2000, 09:10
The proggy is compressed with Petite 1.2.

Just manually unpack with SoftICE:
load apis32.exe (it breaks on its own)
Then trace and go into the first call (F8)
Trace till:
popad
popf
jmp 406360 (goes to the entry point) < here you
make a jmp eip instead and F5 >> go to ProcDump and
make a full dump, e.g. Dumpapis32.exe.

After this you must set the right entry point: use
ProcDump > PE editor and change the entry point of your new dumpapis32.exe to
6360 (= 406360 - 400000). OK, now it runs and you can disassemble and modify...........

Good luck ......SpeKKeL!........
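The entry-point fix SpeKKeL describes (new entry point = target of the final jmp minus the image base, 406360 - 400000 = 6360) is what a PE editor does to the header of the dumped image. As an added example, not code from this thread or from ProcDump, here is a small Python script that reads ImageBase and AddressOfEntryPoint from a PE32 optional header and rewrites the entry point from a virtual address; it operates on a constructed minimal header, not on apis32.exe.

```python
import struct

def optional_header_offset(pe: bytes) -> int:
    """Locate the optional header: e_lfanew (DOS header offset 0x3C) points at
    the 'PE\\0\\0' signature, which is followed by the 20-byte COFF file header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20

def read_entry_point(pe: bytes):
    """Return (ImageBase, AddressOfEntryPoint) from a PE32 optional header.
    AddressOfEntryPoint is an RVA; execution starts at ImageBase + RVA."""
    opt = optional_header_offset(pe)
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:   # PE32 magic
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    return image_base, entry_rva

def set_entry_point_from_va(pe: bytes, va: int) -> bytes:
    """Rewrite AddressOfEntryPoint so execution starts at virtual address `va`
    (the target of the unpacker's final jmp): RVA = VA - ImageBase."""
    image_base, _ = read_entry_point(pe)
    rva = va - image_base
    if rva < 0 or rva > 0xFFFFFFFF:
        raise ValueError("virtual address does not lie above the image base")
    patched = bytearray(pe)
    struct.pack_into("<I", patched, optional_header_offset(pe) + 16, rva)
    return bytes(patched)

def build_sample_image(image_base: int = 0x400000, entry_rva: int = 0x1000) -> bytes:
    """Constructed minimal PE32 header (DOS stub + PE signature + COFF header +
    optional header) so the example runs offline; it is not a real program."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                    # ImageBase
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    img = build_sample_image()                      # packer stub entry at 401000
    fixed = set_entry_point_from_va(img, 0x406360)  # real entry point reached by the jmp
    print("entry RVA before/after: %#x -> %#x" %
          (read_entry_point(img)[1], read_entry_point(fixed)[1]))
```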

Drak0
December 27th, 2000, 16:41
Quote:
SpeKKeL! (12-26-2000 22:10):
Trace till:
popad
popf
jmp 406360 (goes to the entry point) < here


Hi,

I must be an idiot.... but I can't find that 'popad' thing.... every time it gets to a 'rep movsd' and then the program just runs after I press F10...

grr... what does 'rep movsd' mean?

why isn't it getting to that popad?

Thanks,
Drak0

P.S. Sorry if I'm an idiot...

SpeKKeL!
December 28th, 2000, 16:07
Well, DON'T know why it's going to run after the rep movs instruction (maybe someone else??). Try putting a breakpoint after this instruction?? (Be sure to erase all bpx's before dumping.)

rep movs = move ECX bytes (dwords) from DS:[(E)SI] to ES:[(E)DI]

.................SpeKKeL!...........

Harlequin
December 30th, 2000, 05:41
Seems to be a lot of unrequired complications going on here:

1. Start APIS 2.5
2. Start Procdump
3. Select apis32 from the procdump task list
4. Right click and select dump full


You now have a fully working unpacked APIS 2.5

Have fun

Harlequin

stanks
December 30th, 2000, 07:04
Hi Harlequin

Very nice, but it doesn't work as smoothly as you think. Why? I don't know. It is unpacked, but it crashes all the time. Yes, I have to change the entry point (probably), but when I try to change it with ProcDump, ProcDump crashes. So it doesn't work for me. I don't know about the others.
BTW, it doesn't work either if you apply what Snake wrote in his tutorial (for me). So the next step will be what? Maybe the guys with a + sign in their nick can help. I think they may know that (I hope so).

Greetz

stanks
December 30th, 2000, 07:17
Hi SpeKKeL!

This doesn't work either, because ProcDump is crashing.

Greetz

SpeKKel!
December 30th, 2000, 08:10
Well, don't know why it isn't working for you, but I did it all the way without any problems.. (unpacked and disassembled)
Try, before dumping (save all), erasing all bpx's and shutting down as many background-running progg.'s as possible.
Because it didn't crash here, I don't know what else
could be the problem..

Lord Rhesus
December 30th, 2000, 09:09
I wrote a process patcher in win32asm which I used to enable VB string references in WDASM. The code is easy to modify and adapt for any other program. If you're interested, you can download it from Iczelion's site here: http://members.nbci.com/_XMCM/winasm/files/VBLoader.zip

Harlequin
December 30th, 2000, 15:10
Hi

Don't know why you are struggling.
I just downloaded the latest version from Softseek and unpacked it as above without a problem.

Using procdump 1.6
win 98

Perhaps you would send me your copy (full install package)

Harlequin

Drak0
December 30th, 2000, 19:25
Quote:
SpeKKel! (12-29-2000 21:10):
Well, don't know why it isn't working for you, but I did it all the way without any problems.. (unpacked and disassembled)
Try, before dumping (save all), erasing all bpx's and shutting down as many background-running progg.'s as possible.
Because it didn't crash here, I don't know what else
could be the problem..


Hi,

I too got it to work just like you said above... but traced it w/ OllyDbg and easily found the right entry point... and changed it w/ ProcDump and everything worked... then I was able to patch the program w/o any problems....

-Drak0

SpeKKel!
December 31st, 2000, 07:53
Pffffff.....Just in time.. A Good Happy Cracking New Year........SpeKKeL!