
Help CommView 3.1 (build 156)


Zurito@~
December 20th, 2001, 10:51
Hi

I'm looking for CommView 3.1 (build 156)

Regards
Zurito@~

Kayaker
December 20th, 2001, 11:49
Sure, no problem. I can help with that:

http://www.tamos.com/download/main/


Er, that is what you meant, right? I'm sure you didn't mean you were looking for an easy crack or patched app, because you won't get that here.

Kayaker

Zurito@~
December 20th, 2001, 14:43
Sorry Kayaker

h**p://www.tamos.com/download/main is Build 161.
I'm looking for Build 156.

regards

JMI
December 20th, 2001, 14:49
And if you had taken the time/effort to look around here (as in using the search button) you would have found that there are extensive materials posted here about CommView 3.1, specifically directed at build 156, 160, and 161. There's even an essay by our resident "coding god," +SplAj addressing this target and an extensive thread about the latest asprotect tricks in build 161.

Generally, to get help here you should show that you have done some work/searching on your own, say how far you've gotten and where you are stuck and you will find people here that have the talent and the knowledge to help. The purpose here is to help you learn to do the work of reversing yourself, not do it for you.

If you already have this material, and the desire for build 156 suggests that you are attempting to follow the +SplAj tut, you should indicate that's what you're doing, so it doesn't just look like a crack request.

CommView 3.1, the downloadable version, is crippled but freeware, and those types of programs are often mirrored on sites other than the software company's. Do a Google search for CommView 3.1 and the chances are that alternative sites will have an older version. I believe I may have build 156 on my HD. If, after searching, you still can't find it, post again and maybe I can help.

Regards.

Zurito@~
December 21st, 2001, 10:30
Hello
I am reading the CommView 3.1 tutorial written by +Spl/\j.

Could somebody explain to me better how to resolve these APIs:

090 001A03B0 005881EC 0000 ?????? ??????
109 001A03FC 0058826C 0000 ?????? ??????
154 001A04B0 005882A0 0000 ?????? ??????
Is there an easier way to resolve them?

"... others will be FreeResource and LockResource."
How does he know that?
"These 2 API have a RET004 from the stack, so just selecting a random API will fail you with a RET. Take care. Look at the ALPHABETIC names of the resolved.txt. You get a big clue from this."
For item 109, this is LockResource <== how does he know that?
"you will see a PUSH blah RET004 code."

Please, could you respond in easy English? Sorry for my bad English.

I am a beginner; I would appreciate it if you explained it in an easy way.

Thank you

DakienDX
December 21st, 2001, 11:41
Hi Zurito@~ !

Perhaps ASProtect isn't the best choice to start with.
Of course, you would like to have the program cracked, but if you're not familiar with unpacking, tutorials may not solve your problem, even if they're written in easy English.

English is the only language here. It's difficult for people whose natural language is English to speak it in an easy way. I might have problems understanding your Spanish, too. (If I'd learned it some time ago.)

JMI
December 21st, 2001, 12:09
Zurito@~

+SplAj said do the following:

1. "Close all programs"

2. "set bpx GetVersion"

3. "start CV.exe."

4. "F12 back to API cluster"

U 005881EC (your address for 090 001A03B0 005881EC )

5. "see ... link to ... API cluster (in) EAX ... location."

6. "Match ... memory (address in EAX, his = BFF9FA9F) to the API."

7. Try U "memory address from EAX" (his= BFF9FA9F)

8. use API address + name to resolve 090.

090 + "your code address (001A03B0)" + "BFF9FA9F 02F5 KERNEL32.dll SizeofResource"

Your "BFF9FA9F" may be different. Use what you find.


next entry

U 0058826C (109 001A03FC 0058826C )

repeat 6, 7, 8.

Next entry

U "next address",

then 6, 7, 8.

Next entry, etc.

Regards.

Zurito@~
December 21st, 2001, 13:20
There is something that I am not doing correctly;

what am I doing wrong?

Attached: screenshot of the API cluster.

Regards

JMI
December 22nd, 2001, 23:58
Zurito@~

Do you know how to use softice, icedump, softice loader, Revirgin, and LordPE? If not you must learn first.

What I wrote before is for after you have found the OEP, dumped the exe and done E EIP EB FE , used Revirgin to trace the import table and are tracing the "unresolved."

If you can use these tools then, if Softice is running, and icedump loaded, start Softice Loader and load cv.exe. At the dialogue box, press "yes". Softice starts, you are now at "Invalid" ASPR code.
BPX GETVERSION, enter, F5

Softice breaks at "API Cluster", like your screen dump.

Write down the address of the "ret" from bottom of "API Cluster" and screendump, like +SplAj said.

F5 again, then F12 many times until you see "CommView!.text+(address)" in Softice.

S (ADDRESS OF API CLUSTER RETURN, YOURS=017ac7f5) L FFFFFFFF 61,FF,E0

like this S 017ac7f5 L FFFFFFFF 61,FF,E0

Write down the address of POPAD.
+SplAj's = 17C3875,
Mine = 17C387D
use your address.

BC* , control-D, close CommView.

Load cv.exe with Softice Loader again. Breaks at "Invalid"

BPR (YOUR ADDRESS) (YOUR ADDRESS)+ 3 R IF EIP==(YOUR ADDRESS)

Mine was BPR 17c387d 17c387d+3 R IF EIP==17c387d

F5, you should be at
61 POPAD
FFE0 JMP EAX

F8 You should be at OEP.

E EIP EB FE , BC* , F5

Now you dump with LordPE or ProcDump.

If you follow so far, now you use Revirgin.

Regards.

Zurito@~
December 23rd, 2001, 09:44
JMI

I know how to use softice, icedump, softice loader, Revirgin, and LordPE.
I have been able to finish the tutorial successfully, but the only thing I don't understand is how these are resolved:

090 001A03B0 005881EC 0000 ?????? ??????
109 001A03FC 0058826C 0000 ?????? ??????
154 001A04B0 005882A0 0000 ?????? ??????

JMI wrote: "If you follow so far, now you use Revirgin." Here is my problem.
How is it known that 090 == SizeofResource, 109 == LockResource and 154 == FreeResource?
Doesn't Revirgin resolve them? I would like to know how it is done manually.
U 5881EC doesn't work (see my screenshot in the attachment).

Regards.
Thank you, JMI, for your effort in helping me.

PS: I make a great effort to write in English; sorry for my bad English.

+SplAj
December 23rd, 2001, 10:12
Hi Zurito

sorry I could not send you CV.......

Ok you are on the right track and JMI, the gentleman, has prodded you into the right direction. What you now have to understand is the 'Resource' api calls have been emulated by aspr - never called and re-directed like others. This point is actually months old now....... trace the calls manually, if they occur ? Just believe that RET004 has to happen........ so just 'use RV to 'emulate' those calls.

The next builds are MUCH more fun to fix

Spl/\j


JMI, and all, merry Xmas

JMI
December 23rd, 2001, 14:15
+SplAj :

Merry Xmas back at ya. I noticed some things that were "different", while most were the same, when I found cv3.1.156 for Zurito@~ on a German site so he, and I, could follow along with your essay. My OS is Win 98 SE (hear the sound of crashing..., thinking about going to NT or 2K) so I was using the markers you described for that OS. I'm trying to increase my understanding of what I'm seeing in Softice, especially when it is somewhat different from what is described, and why it worked out that way, or didn't.

The original break occurred at the "Invalid" entries and F5 got to the API Cluster at the same address as the essay. After the screendump you said to press F5 again and "trace back", indicating that one would end up at a himem point "at 16f:017axxxx or whatever." Nothing I tried at first got me back to an address that appeared to be "CommView" that was in the 0174xxxx range, so I assumed I did something stupid, or didn't "trace" the way you did.

When I first reached the API Cluster I didn't notice the identifier "cv" at the bottom, so at first I didn't realize that "cv" was "CommView" because later there really is "CommView" code identified at the bottom of Softice. I first tried F12 to "trace back" and passed the "cv" code and, after several more GetVersion's, I got to some "CommView" code at 02802C88.

Anyway, the reason this would be a problem for dummies like me, was that from this address, S EIP L FFFFFFFF 61,FF,E0 will, of course, never find a POPAD around 017xxxxx. U 17C3875 showed me the code, at a slightly different location, was approximately where it should have been, but I couldn't get there yet.

After several failed attempts at the search function, after tracing back to "CommView" code, I reread your Awave Studio essay and there you took a slightly different search approach, instead of EIP as the starting address, you had used the address of the "ret" at the end of the "API Cluster." I tried that, and gave that formula to Zurito@~, because I hadn't found my own error yet, and that one, S 17AC7FA L FFFFFFFF 61,FF,E0 worked fine, except it gave me a POPAD address of 17C387D , rather than your 17C3875, but after the F8 through the jump, OEP ends up at exactly the same address as in the essay. When I realized that the "cv" was also(?) or aspr "CommView" code I "traced back" to an address in "cv" below 017Axxx, where searching with the EIP should work. Duh!

I still haven't figured out or understood how the API Cluster and OEP are at the same addresses as the essay and the POPAD is this small difference on the same OS and same build of CV. But it is a good lesson that one can't blindly expect to follow a tut, line by line and always see everything exactly the same. Brains, and sometimes (my) lack thereof, still required.

Is it correct, as it appears, that one could do the search for the OEP right after you come out of the first F5 and F12 at the API Cluster, without an additional F5, trace back, using the address of the "ret" (017F:017AC7FA or whatever) from the API Cluster? I haven't had time to try this on other aspr softs, and I understand the changes evaluator, our musician friend (greetings to you as well and thanks for the heads up) has reported on the 160-161 builds of CommView about the re-re-directed API, and more interesting tracing ahead.

If your time permits, I was also wondering what Load32 was putting in memory with the following:

WINICE: Load32 Obj=0001 Add=0187:02801000 Len=00005C00 Mod=COMMVIEW
WINICE: Load32 Obj=0002 Add=0187:0280B000 Len=00002000 Mod=COMMVIEW
WINICE: Load32 Obj=0003 Add=0187:0280D000 Len=00000A00 Mod=COMMVIEW
WINICE: Load32 Obj=0004 Add=0187:02812000 Len=00000200 Mod=COMMVIEW
WINICE: Load32 Obj=0005 Add=0187:02813000 Len=00000A00 Mod=COMMVIEW
WINICE: Load32 Obj=0006 Add=0187:02815000 Len=00001400 Mod=COMMVIEW
WINICE: Load32 Obj=0007 Add=0187:02817000 Len=00000000 Mod=COMMVIEW

This happens if you use F12 and trace until you see "CommView" at the bottom of the Code window. All the rest of my tracing of aspr was in 017F: and I haven't gotten back to this code yet. Are these the CommView sections finally decrypted by aspr? They are the proper number, 7, of the sections of CV, excluding the 3 aspr sections, but the length doesn't seem to fit, even though I realize they were packed before. Maybe they are imports or exports or dlls. Got to learn more. Always more to read.

Zurito@~

After Christmas, I'll see if I can give you an "easy english" trip through Revirgin and tracing "unresolved" if the master's words of wisdom are still too difficult for you to follow, but then you still will not understand the "why," only "how" to fix build 156. As +SplAj said, cv3.1 build 161 handles API's another way.

Regards to all:

JMI
December 24th, 2001, 16:28
Zurito@~

You wrote that your search using U 5881EC did not lead you anywhere. You must not have been at the OEP.

After you start Softice Loader and load cv3.1.156 and set BPX GetVersion and F5 and then F12, follow steps to get to OEP at 589878. When you are there you can start looking at "unresolved."

U 5881EC; U 58826C; and U 5882A0 will then show good aspr code. Give it a try.

Regards.

Zurito@~
December 25th, 2001, 11:49
Hi

See my attach file JMI, please

Regards.

Viper
December 25th, 2001, 12:18
Parse error: parse error in /home/httpd/html/upload/attachment.php on line 61

JMI
December 28th, 2001, 15:26
Zurito@~

Sorry but I am still too busy to deal with this issue right now. You have to understand how to use Softice to break on and trace various addresses related to the IAT and the re-directed entries.

For now, I recommend that you carefully review +SplAj's comments in the article on the General board here on Awave Studio 7.3, begun on 6-2001. He makes some specific comments on how to trace the entries found in RV. Remember that in looking at some of the entries you will sometimes see that they are within a group of similar API's, such as KERNEL32. This is also a good clue that the "unresolved" entry is also within that group.

I believe that thread is at

http://www.woodmann.net/forum/showthread.php?threadid=1675

That's all for now.

Regards.