Hi:

Recently I've been investigating patching the APDFPRP 1.61. In this regard, LapTonic gave an excellent link for ASProtect API emulation ( to overcome the Push 04, Push ffffffff, GetProcAddress problem )

However hard I tried to follow LapTonic's 2-3 line hints <grin> and apply my mind, I'm still not successful.

Any tutorial/hints/tips from LapTonic/+spl/\j guru/ others is greatly appreciated and gratefully analyzed ;-)

Thanks wizards,

Signed,
-- FoxThree

Hi Foxthree,

I might be wrong but the impression i gathered is that section of the registered program in encrypted and will be decrypted through this routine so the API emulator is not going to help much...

You still have to reverse the decryption routine and bruteforce it to make it decrypt the code fragments...

But then i am not sure... working on some simple cryptography right now to get the hang of it before i come back to this program :>

All the best, :>

binh81 is right, this emulator returns just 1 after function 4(decrypt code).I have tried this dll on your program but whenever I add my dll import it just crashes after quit.However, if you want to learn how to use this dll here is my quick tutorial

1) I have added some 00 s at the end of dumped file.I guess add import function of peditor is little buggy.You should have enough room to add new import.Before adding new import add some nulls at the end of file lets say 100 or 200.
2) Click on imports tab andright click on one of the imports and choose "add import".eneter asprapi.dll as dll name and ASProt1 as function.Dont forget that dll must be at programs directory.Run this file.If program runs without error you did it.If it gives error.That means Peditor's damaged import table.So go back to 1 and add more nulls.
If it is succesfull you will find one text file which is like DUMPED_.exe_IData.In these text file you will find something like
ASProt1 - call dword ptr [004860F2]
which is as hex FF15 F2604800

3) What we want is to change getprocaddress pointer.First of all we find the address of getprocaddres function.I have opened my dumpedfile with peditor and searched getprocaddress function I have found these

RVA Offset Hint
84C5C 84C5C 01A3

I opened my dumped file and go to my import table address which is 00084000.I have searched

5C4C08 we are searching in reverse order to find its pointer.

I have found that at 40768H which is 440768 as virtual address.
So getprocaddress function is refered as

call dword ptr [00440768]
which is as hex FF15 68074400

So search for FF15 68074400 and replace with FF15 F2604800

If you want to try this approach I can suggest you to look

Advanced Administrative Tools
hxxp://www.glocksoft.com
I have cracked v4.5 with this approach and it worked perfectly.

Hi LapTonic:

Thanks for your post. I'll give it a try.

Signed,
-- FoxThree