Log in

View Full Version : WhereIsIt 3.21 (aspr 1.22-1.30 ?)


mnk
November 30th, 2001, 06:03
hmmm,

I was wondering, WII ( w*w.whereisit-soft.com ) has version 3.21 out.

It's identified as being packed with asprotect 1.22 (FI) and asprotect 1.2*-1.30 (peid) but caspr 1.012 can't make head nor tails of it ?

Anyone has success in unpacking this automatically, or what would be the best way of action to unpack this target?

btw: if you use the ecl keygen it works for a very brief while so you can dump the encrypted code, if any?

thanks

mnk
December 1st, 2001, 23:36
maybe I posted this in the wrong area?

evaluator
December 2nd, 2001, 04:38
1. Your post sounds like crack-serial request.
In this case you are in "wrong area".
2. If you want to learn "unpacking",
you can read "tutorials" about it..
Bye-bye-bye!!!

mnk
December 2nd, 2001, 09:16
hmmm, how shall I word this. If you see a tut that says "intermediate", then, most of the time I can follow the train of thought and actually know whats happening and learn things. As "advanced" ones most of the time assume an imo very thorough knowledge of IAT and PE stucture, which, sadly, is not one of my trades.

I started back in the days of dos with a nice old version of SI and I even used "bubble chamber" next to Sourcer.

now, I never am confronted with native windows32 programming and I don't know the latest asprotect tricks. I've attempted some IAT rebuilds after dumping, but most of the time I'm left with a loader patch or something because of instability.

Sadly, I don't have time to make for studying the entire PE 32 + windows API as this is very, very far from my daily occupations, so I am just here looking for hints.

After some hardship, I eventually cracked just about every single program I set my mind on (reget(dx), wincmd + 2crcs, bestcrypt 6-7, some dongles, the bat! (when it was packed), some ftp clients/servers, ...) and I do this for the challenge and fun (and I prefer hard code patches to keygens, inline patches etc, since I loath the registry).

Now, I never succeeded to see structure in whereisit, yet I've been using it for a while and tried several times to target this.

Now, I got a new IDA3.15 (the cracked version, not the full) to play with, which seems handier in some fields, and I was eager to give this another go as it might shed some new light on the, for me hard, whereisit 3.*.

I never thought the day would come I needed to prove worthyness and l33tness on a HCU board. *snif*

this is all so silly, please aide

thanks

btw: maybe I should stick to the same nick for some time

evaluator
December 6th, 2001, 15:11
Hey!

I unpacked your WhereWasIt!
And here also (as in DigiSecret) activated special ASPR-trick.
Thanks, for point!
So what help you want?

riPPadoGG
December 10th, 2001, 05:00
Hi,

Did you manually unpack or use some tool??
Please explain how you did it..
I having all sorts of trouble with Asprotected programs..

regards
riPPadoGG

+SplAj
December 10th, 2001, 08:33
hi mnk et al

Please don't think you have to prove anything here EXCEPT the willingness to learn.

If you look back only a few months you will see that evaluator came here as a newb, got some pointer......and off he went and ripped aspr to bloody shreds

NOW he is the aspr reference manual

So please DO refer to the tuts as a starter on manual unpacking. We can help you if you try and come back with some progress report. It is a great joy to get a running rebuilt target de-aspr'd. However, please be aware that you are not just defeating aspr, but the original clever, resourceful programmer himself - HINT

Pick an easy target to just dump and rebuild, like the 'glocksoft' stuff. eg. AAAnalyser. At least these nice targets run still as shareware without aspr wrapper time-check.

Delve deep, keep notes and make a LOT of /screendumps to refer back to..........

Good luck

Spl/\j

evaluator
December 10th, 2001, 10:44
Wow!
After unpacking and testing I deleted my ArtWork
OK. Here I submitted idata.bin. Paste this at 2FC000
of dump. Values for PEditor
IT 2FC000, size 1E0
OEP 002A7B2C

But! Proggie will crash because special check.
Try crack callers to FarJumps FF25ECC36F00 & FF25C4C46F00
Soon I will write crazyTut about WhereHasShe and others..