ASProtect API Emulator DLL (LapTonic Help!)
foxthree
March 5th, 2002, 18:56
Hi:
Recently I've been investigating patching the APDFPRP 1.61. In this regard, LapTonic gave an excellent link for ASProtect API emulation (to overcome the Push 04, Push ffffffff, GetProcAddress problem).
However hard I tried to follow LapTonic's 2-3 line hints <grin> and apply my mind, I'm still not successful.
Any tutorial/hints/tips from LapTonic/+spl/\j guru/ others is greatly appreciated and gratefully analyzed ;-)
Thanks wizards,
Signed,
-- FoxThree
crUsAdEr
March 5th, 2002, 21:56
Hi Foxthree,
I might be wrong, but the impression I gathered is that a section of the registered program is encrypted and will be decrypted through this routine, so the API emulator is not going to help much...
You still have to reverse the decryption routine and bruteforce it to make it decrypt the code fragments...
But then I am not sure... working on some simple cryptography right now to get the hang of it before I come back to this program :>
All the best, :>
LaptoniC
March 6th, 2002, 00:39
binh81 is right, this emulator returns just 1 after function 4 (decrypt code). I have tried this dll on your program, but whenever I add my dll import it just crashes after quit. However, if you want to learn how to use this dll, here is my quick tutorial:
1) I have added some 00s at the end of the dumped file. I guess the add import function of PEditor is a little buggy. You should have enough room to add a new import. Before adding a new import, add some nulls at the end of the file, let's say 100 or 200.
2) Click on the imports tab, right-click on one of the imports and choose "add import". Enter asprapi.dll as the dll name and ASProt1 as the function. Don't forget that the dll must be in the program's directory. Run this file. If the program runs without error, you did it. If it gives an error, that means PEditor damaged the import table. So go back to 1 and add more nulls.
If it is successful, you will find one text file which is named like DUMPED_.exe_IData. In this text file you will find something like
ASProt1 - call dword ptr [004860F2]
which is as hex FF15 F2604800
3) What we want is to change the GetProcAddress pointer. First of all, we find the address of the GetProcAddress function. I opened my dumped file with PEditor and searched for the GetProcAddress function. I found these:
RVA Offset Hint
84C5C 84C5C 01A3
I opened my dumped file and went to my import table address, which is 00084000. I searched for
5C4C08 (we are searching in reverse order to find its pointer).
I found that at 40768H, which is 440768 as a virtual address.
So the GetProcAddress function is referred to as
call dword ptr [00440768]
which is as hex FF15 68074400
So search for FF15 68074400 and replace it with FF15 F2604800.
If you want to try this approach, I can suggest you look at
Advanced Administrative Tools
hxxp://www.glocksoft.com
I have cracked v4.5 with this approach and it worked perfectly.
foxthree
March 6th, 2002, 05:20
Hi LapTonic:
Thanks for your post. I'll give it a try.
Signed,
-- FoxThree