more asprotect...


figugegl
March 15th, 2002, 03:34
you might be fed up with this already - but i finally decided to unpack an asprotected target. as i usually only reverse crackmes this is new to me. the target is:

art icons pro 3.16 (***.aha-soft.com).

i managed to unpack the exe, dump it and rebuild the imports with imprec. (OEP: 1241B4, IAT: 12D1B4, IATSize: 81C)

the dumped exe didn't start. i had to fix a call at address 5241c4, which jumped to aspr code and another check at address 403F60.

afterwards, the prog started, but showed plenty of memory access errors. i fixed the first two, but this caused other, more serious mem violations: suddenly strange messageboxes appear, the windows font changes...

i have read the past 30 or so asprotect-related threads (there's even one regarding the same app, but a previous version). i've learned that asprotected targets do strange things sometimes, but unfortunately i haven't found a solution to this one.

maybe some of the more experienced people here could give me some hints. i've attached my resolved iat.txt

figugegl

evaluator
March 15th, 2002, 10:30
They are very tricky guys!

I found 4 jmps in total and changed them to EB.
But in the previous version.

Kilby
March 15th, 2002, 10:32
Articons is a target name I remember from last year.

If I remember properly there are several calls which jump into the aspr code, and then jump straight to an address back in the target.

No processing or anything just

call aspr_address
....
....

aspr_address: jmp real call_address

These are not the same as the api checks which turn up in the elcom products.

It's probably no help, but I only ever saw it in a couple of targets.

Kilby...

figugegl
March 15th, 2002, 13:43
i found two jumps to aspr code at startup (address 51a4e9 and 51a52e). when i patch these two, my windows messes up in a strange way: the font changes and messageboxes appear in german! (my win is german, but articons is english).

there are four more jumps to aspr code when exiting the prog (52380c, 523845, 5238a4, 52395d).

what sort of problem could that be?

evaluator:
is my resolved iat correct? does it run on your computer when you patched those two calls?

figugegl

evaluator
March 15th, 2002, 22:19
YEAH!

I don't know IMPREC's format so well.
Resolve with the latest REVIRGIN and maybe I can analyze RV.TXT

SpeKKeL
March 22nd, 2002, 09:49
Had some time to spend so picked up the last (??) version, 3.17 B(eta).
Had a fight with this one some months earlier, thanks to Splaj.

Just when you think you're there...... Even on exit they are checking.
But after some tracing all rebuilt/patched.

So a nice prog to rebuild/trace and patch.


See you,

SpeKK

figugegl
March 22nd, 2002, 13:11
spekkel: could you please be more specific

i haven't tried more since my last post, but i will download the latest version and see... i couldn't figure out what was wrong, and every time i started the dump it messed up my windows.

figugegl

SpeKKeL
March 22nd, 2002, 13:38
First of all, you can dump the prog in several places.

I usually dump the prog as soon as i see the data is stored, so that will be after xx breaks on getprocaddress.
((if you dump later you have to correct a lot of indirect calls..))
Now you don't have to deal (in this case) with the double/triple... dips!

First crash (except iat api's, sure you have the correct ones) will be at the first call back to aspr.
Look in the original prog where it lands back, BUT if your prog is already expired it jumps to another location (looks the same, tricky, tricky).
So first remove some (2) keys in the registry or reverse 2 flags after regqueryvalueexa.
After this i patched 3 locations in the dumped exe. H'mm, i traced/compared with the original. If you have the same version i'll give you those addresses.
Messing up your windows isn't the fault of your api's but it's all about checking the integrity of the file (i think..)


Ciao, SpeKK