Patching APDFPR Pro 1.61 ?


foxthree
March 3rd, 2002, 14:36
Hi there:

After successfully unpacking APDFPR Pro 1.61, I'm trying to patch it. There seems to be some trick involved here and I'm sure somebody mentioned it before, but I'm unable to recall it. So, forgive me if this is a repost.

See, what happens is that the app calls GetDlgItemTextA to get the serial. Then it does a _lstrlen call and does some computations on the length itself. I'm able to bypass all this casually. However, it finally comes to a place which looks like this:

push 00000004
push FFFFFFFF
call GetProcAddress

Now this call returns (presumably) the address of a function with ordinal 4 in EAX. [Here I get 00000000 in EAX, because (again presumably) the function is missing/based on the serial no.]

This function seems to be decrypting something (if I proceed further I get "API is missing" and "Decryption failure" and stuff like that).

Finally, if successful, it does a

mov [0044E8F8], 00000001
mov EAX, 00000001
ret

which, btw, seems to be the successful reg. sequence.

If I forcefully try this, it works, only that APDFPRP crashes, as we've simulated the decryption routine and not actually decrypted the content (whatever that may be [can it be code?]).

Could any gurus here throw some light on whether I'm on the right track or is it the 2AM blues ;-)

Signed,
-- FoxThree

crUsAdEr
March 3rd, 2002, 18:34
Here is the link
http://www.woodmann.net/forum/showthread.php?s=&threadid=2716

foxthree
March 3rd, 2002, 19:32
Hi there binh81 ;-)

Thanks for the link. Yes, exactly what I'm facing. Now, like it has been said by SV, this app is using ASPROTECT itself to register itself, so when we remove this shell the app no longer returns the correct function address in EAX? So, we're doomed .... or are we ;-)

Well, now that we have dumped it we can debug further. So, I've debugged till the call to GetProcAddress and obtained the entry point address of the decryption code, which takes the serial number as argument.

I haven't had time to dig into this decrypt code further but will give it a shot.

BTW, the EIP of the function that GetProcAddress returns (on Win98) is: 0063C6C8

You can easily check this for yourself ;-)

BTW, thanks for all the tips and help.

So, I'm learning yet.... <grin>

Signed,
-- FoxThree

PS: I'm attaching the function call gate via a SoftICE screendump ...

crUsAdEr
March 3rd, 2002, 20:17
Yeah, I found out about that decryption routine but feel that I am not ready for it yet... I'll be reading about encryption and all that first before attacking the fortress...

Good luck, my friend :>... if you do defeat it then you can always teach me :>

cheers

LaptoniC
March 3rd, 2002, 22:15
I don't know if you guys know this trick, but there is:
Quote:
ASProtect(tm) API-Emulator Dll (c) by VAG //VSL '2000 ARR


This dll emulates ASProtect APIs. Usage is very simple. Change the options in the dll and compile it. Add a new dll import to our emulator, let's say asprapi.dll. Then change the GetProcAddress import to the AsProt1 function. It works quite well. Beware that some programs need regname entries which span two lines, I mean like:
_regName equ 'LaptoniC',13,10,'Site License'

Hope it helps

foxthree
March 4th, 2002, 07:42
Hi LaptoniC:

Thanks for your post. I'll definitely give it a shot!

Signed,
-- FoxThree