Revirgin: redirected api's


stillnewbie
May 12th, 2001, 11:16
Hi all,
need some help on this

0 0012B814 BFF748B4 01E6 KERNEL32.dll GlobalAlloc
1 0012B818 BFF7FFF0 0319 KERNEL32.dll VirtualAlloc
2 0012B81C BFFA19F5 00D8 KERNEL32.dll DeleteFileA
3 0012B820 BFFA082B 0237 KERNEL32.dll LocalLock
4 0012B824 BFFA0F73 01D9 KERNEL32.dll GetTimeZoneInformation
5 0012B828 BFF8E150 0138 KERNEL32.dll GetACP
6 0012B82C BFFA08BC 0342 KERNEL32.dll WriteProfileStringA
7 0012B830 BFF9E1D3 0304 KERNEL32.dll TlsFree
8 0012B834 BFF84A5F 02C9 KERNEL32.dll SetErrorMode
9 0012B838 BFF7B9B2 0228 KERNEL32.dll LeaveCriticalSection
10 0012B83C BFF90FAF 028E KERNEL32.dll ResumeThread
11 0012B840 BFF8F4FC 02EB KERNEL32.dll SetThreadPriority
12 0012B844 BFF77844 019F KERNEL32.dll GetPrivateProfileStringA
13 0012B848 BFF77284 0353 KERNEL32.dll lstrcmp
14 0012B84C BFFA18B8 01CE KERNEL32.dll GetTempPathA
15 0012B850 BFFB3FF7 01C1 KERNEL32.dll GetSystemDefaultLangID
16 0012B854 BFFA0A62 0320 KERNEL32.dll VirtualQuery
17 0012B858 0081C468 0000 ?????? to_Resolve


17 0012B858 0081C468 0000 ?????? to_Resolve
I can't find the real api for this.
I disassembled this address but it only
points to push ebp ???

Could you guys kindly help me?
btw the prog is Advanced Disk Catalog
TIA
regards
stillnewbie

rot8
May 12th, 2001, 12:05
Look at the next instructions after push ebp.
There must be a ret somewhere there.
Look at the arguments that are pushed onto the stack and moved into regs before the ret .....

stillnewbie
May 12th, 2001, 22:43
Quote:
rot8 (05-12-2001 02:05):
Look at the next instructions after push ebp.
There must be a ret somewhere there.
Look at the arguments that are pushed onto the stack and moved into regs before the ret .....


Hi Rot8,
Thanks for the input, but some of the unresolved addresses point to mov eax,[eax];
it leads you nowhere :'(
Hope someone takes a look at this :-P
regards
stillnewbie

emulder
May 21st, 2001, 09:09
Quote:
stillnewbie (05-12-2001 20:43):
Thanks for the input, but some of the unresolved addresses point to mov eax,[eax];
it leads you nowhere :'(

Hi there :-) ,
Did you trace the unresolved imports in the original executable?
Maybe they aren't used at all, or just try to replace those entries
with the GetVersion address ....
Maybe this helps.
regards
e.

tsehp
May 21st, 2001, 12:17
While waiting for a new version that will solve this:
1- try the mangled scheme option; it will make an attempt to tell if those entries are used
2- bpmb them before loading and make the prog run for a while; you'll also see if they are used
3- try an IDA session

Alexey usually does this with unused entries or very small api's. When you trace it, just put in the module + name, or put in the address before resolving again.

When the global tracer is finished (pretty soon), I'll automate all this.

regards,

+Tsehp

stillnewbie
May 22nd, 2001, 09:32
Heya Guys,
Thanks for the input,
Advanced Disk Catalog is the worst I have seen lately :P. It redirects the APIs and it's
encrypted :/. +Tsehp, that's great news, and thanks for your hard work and looking into it.

Best regards
stillnewbie

madmax
May 22nd, 2001, 17:38
I have looked at targets from this same author (www.elcomsoft.com) and the wrapper is quite interesting... The PDF decryption program had API redirection with the behavior mentioned above:
mov eax,[eax] blah blah

It actually replaced simple APIs (getprocessid, etc.) by retrieving the values ahead of time and thus not even using the API after the OEP... thus it would be very hard for Revirgin/ImpREC to detect this... What I did was bpm the suspicious [eax] area; you will find out what the value is and then figure out the API to correct manually... There were 3-4 of these in the PDF program, if I recall... If you're lucky, you will find the routine during unpacking where it executes all the APIs, all in a row! Then it's easy to fix...

btw, there was also a redirection for resource APIs (lock/loadresource) along with one in USER32.DLL for DialogBox.... It was interesting to see, but unpacking this is not easy for newbies =(

good luck,
madmax
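The two heuristics this thread uses by hand (a target address outside every loaded module is not a real export; the bytes at that target show what kind of stub it is) as a small triage pass over a dump in the column layout stillnewbie posted. This is an added example, not code from the thread, ReVirgin or ImpREC; the module ranges, the memory bytes and the stub table are constructed assumptions for the demo.

```python
"""Triage an import-table dump in the column layout posted in this thread.
An entry whose target lies outside every loaded module is not a real export;
the bytes at the target tell you which kind of protector stub it is.
Added example (not from the thread, ReVirgin or ImpREC); module ranges,
memory bytes and the stub table are constructed for the demo."""
import re
from typing import Dict, List, Tuple

# Constructed module map (base, end): a target inside a range is a genuine export.
MODULES: Dict[str, Tuple[int, int]] = {"KERNEL32.dll": (0xBFF70000, 0xBFFC0000)}

# Stub shapes described in the thread, as x86 opcodes (constructed bytes):
#   8B 00 C3  mov eax,[eax]; ret  -> API result stored ahead of time by the protector
#   55        push ebp ...        -> small API body copied inline; follow it to its ret
STUB_PATTERNS: Dict[bytes, str] = {
    b"\x8b\x00\xc3": "mov eax,[eax]; ret (precomputed API result; recover it with a memory breakpoint)",
    b"\x55": "push ebp ... (inlined API body; read on to the ret to identify it)",
}

#                     idx        slot              target            ordinal       module  name
LINE_RE = re.compile(r"^\s*(\d+)\s+([0-9A-F]{8})\s+([0-9A-F]{8})\s+([0-9A-F]{4})\s+(\S+)\s+(\S+)", re.I)

def parse_dump(text: str) -> List[dict]:
    """Parse dump lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for m in (LINE_RE.match(ln) for ln in text.splitlines()):
        if m:
            rows.append({"index": int(m[1]), "slot": int(m[2], 16),
                         "target": int(m[3], 16), "module": m[5], "name": m[6]})
    return rows

def triage(entries: List[dict], memory: Dict[int, bytes]) -> List[Tuple[int, str]]:
    """Return (index, verdict) for each entry whose target is outside all modules."""
    findings = []
    for e in entries:
        if any(lo <= e["target"] < hi for lo, hi in MODULES.values()):
            continue  # resolves to a real export
        code = memory.get(e["target"], b"")
        verdict = "unresolved: no known stub pattern at target"
        for pat, meaning in STUB_PATTERNS.items():
            if code.startswith(pat):
                verdict = "redirected: " + meaning
                break
        findings.append((e["index"], verdict))
    return findings

# Three lines from the dump posted above; the bytes at the odd target are constructed.
SAMPLE_DUMP = """0 0012B814 BFF748B4 01E6 KERNEL32.dll GlobalAlloc
16 0012B854 BFFA0A62 0320 KERNEL32.dll VirtualQuery
17 0012B858 0081C468 0000 ?????? to_Resolve"""
SAMPLE_MEMORY = {0x0081C468: b"\x8b\x00\xc3"}
```

Running `triage(parse_dump(SAMPLE_DUMP), SAMPLE_MEMORY)` flags only entry 17; the two KERNEL32 entries fall inside the module range and are left alone.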

madmax
May 22nd, 2001, 18:00
Just read the thread on 'AFR + aspack...';
they explain what I was talking about. It's the sixth or seventh reply, check it out for good reading... btw, it's asprotect =)

madmax

Rainor_
May 22nd, 2001, 19:51
Yeah, I know that it is ASPR; just a typo when I wrote the title.