foxthree
March 3rd, 2002, 14:36
Hi there:
After successfully unpacking APDFPR Pro 1.61, I'm trying to patch it. There seems to be some trick involved here, and I'm sure somebody mentioned it before, but I'm unable to recall it. So, forgive me if this is a repost.
See, what happens is that the app calls GetDlgItemTextA to get the serial. Then it does a _lstrlen call and does some computations out of the length itself. I'm able to bypass all this casually. However, it finally comes to a place which looks like this:
    push 00000004        ; lpProcName = ordinal 4
    push FFFFFFFF        ; hModule = -1
    call GetProcAddress
Now this call returns (presumably) the address of the function with ordinal 4 in EAX. [Here I get 00000000 in EAX because (again presumably) the function is missing/based on the serial no.]
This function seems to be decrypting something (if I proceed further I get "API is missing" and "Decryption failure" and stuff like that).
Finally, if successful, it does a
    mov dword ptr [0044E8F8], 00000001
    mov eax, 00000001
    ret
which, btw, seems to be the successful reg. sequence.
If I forcefully try this, it works, only that APDFPRP crashes, as we've simulated the decryption routine and not actually decrypted the content (whatever that may be [can it be code?]).
Could any gurus here throw some light on whether I'm on the right track or is it the 2AM blues ;-)
Signed,
-- FoxThree
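To make the flow in the post concrete, here is a constructed C model of the same scheme: a key is derived from the serial (its length first, then its bytes), a blob is decrypted with that key, and only after the decryption verifies is the "ordinal 4" entry point published and the registered flag set. This is an added example written for this thread, not code from APDFPR or from the poster; the key schedule, the blob layout, BLOB_MAGIC, the serial "GOOD-1234" and every function name are assumptions. It shows why patching in the `mov [0044E8F8],1 / mov eax,1 / ret` sequence alone leaves the ordinal lookup returning NULL, which is the crash the post describes.

```c
/* Constructed C model of the registration flow described in the post.
 * All names, the key schedule and the blob layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*feature_fn)(const char *);

#define ORDINAL_SLOTS 8
#define BLOB_LEN 8
#define BLOB_MAGIC 0x214B4F21u            /* "!OK!" as a little-endian dword */

static feature_fn ordinal_table[ORDINAL_SLOTS]; /* all NULL until decrypted */
static int g_registered = 0;                    /* stands in for [0044E8F8] */
static uint8_t protected_blob[BLOB_LEN];        /* ciphertext kept in the binary */

static int secret_feature(const char *s) { return (int)strlen(s) * 2; }

/* Key from the serial: the length goes in first, then every byte. */
static uint32_t key_from_serial(const char *serial) {
    size_t n = strlen(serial);
    uint32_t k = (uint32_t)n * 0x9E3779B1u;
    for (size_t i = 0; i < n; i++)
        k = (k ^ (uint8_t)serial[i]) * 0x01000193u;
    return k;
}

/* Symmetric XOR keystream: byte i of the stream is a byte of k mixed with i. */
static void xor_blob(uint8_t *buf, size_t len, uint32_t k) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)((k >> (8 * (i % 4))) ^ i);
}

/* Vendor-side build step, done here so the example runs stand-alone:
 * plaintext = magic || ordinal to publish || feature id || padding. */
void build_protected_blob(const char *good_serial) {
    uint32_t magic = BLOB_MAGIC;
    memset(protected_blob, 0, BLOB_LEN);
    memcpy(protected_blob, &magic, 4);
    protected_blob[4] = 4;            /* ordinal 4, as in GetProcAddress(-1, 4) */
    protected_blob[5] = 1;            /* feature id 1 = secret_feature */
    xor_blob(protected_blob, BLOB_LEN, key_from_serial(good_serial));
}

void reset_protection(void) {
    memset(ordinal_table, 0, sizeof ordinal_table);
    g_registered = 0;
}

/* The check itself: decrypt, verify, publish the ordinal, then set the flag. */
int check_serial(const char *serial) {
    uint8_t tmp[BLOB_LEN];
    uint32_t magic;
    memcpy(tmp, protected_blob, BLOB_LEN);
    xor_blob(tmp, BLOB_LEN, key_from_serial(serial));
    memcpy(&magic, tmp, 4);
    if (magic != BLOB_MAGIC) return 0;                 /* "Decryption failure" */
    if (tmp[4] >= ORDINAL_SLOTS || tmp[5] != 1) return 0;
    ordinal_table[tmp[4]] = secret_feature;
    g_registered = 1;                                  /* mov [0044E8F8], 1 */
    return 1;                                          /* mov eax, 1 ; ret */
}

/* Analogue of GetProcAddress(-1, ordinal): NULL until the blob was decrypted. */
feature_fn resolve_ordinal(unsigned ordinal) {
    return ordinal < ORDINAL_SLOTS ? ordinal_table[ordinal] : NULL;
}

/* What patching in the success sequence does: the flag flips, nothing decrypts. */
int forced_register(void) { g_registered = 1; return 1; }

/* Later feature code. Returns -1 where the real app would call through NULL. */
int use_feature(const char *input) {
    feature_fn f = resolve_ordinal(4);
    if (!g_registered || f == NULL) return -1;
    return f(input);
}

int main(void) {
    build_protected_blob("GOOD-1234");                 /* constructed serial */
    forced_register();
    printf("forced flag, feature -> %d\n", use_feature("abc"));   /* -1 */
    reset_protection();
    printf("wrong serial -> %d\n", check_serial("bad"));          /* 0 */
    printf("right serial -> %d\n", check_serial("GOOD-1234"));    /* 1 */
    printf("feature -> %d\n", use_feature("abc"));                /* 6 */
    return 0;
}
```

The point to take from it: the flag at the end of the routine is an effect of the decryption, not its cause, so a patch that only reproduces the `mov eax,1` exit leaves whatever the blob protects (here a function pointer, in the real target possibly code) still encrypted or absent.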