
Stuck on aspr


fALC0N
March 28th, 2002, 01:29
After reading a lot of threads about aspr, I gave a shot at unpacking Available Domains Pro at h**p://w*w.alphacomsoft.com and, as you might have guessed, got stuck at runtime.

Found the OEP at 391F5 (correct?)

Fixed (?!) the IAT through ImpREC; tried RV too, but it crashes.
IAT RVA=77000 Size=7C4
After resolving the entries it refused to run...

I wish to know if there is any D-D code in this. If anyone can shed some light on finding
D-D code in apps in general, it would be very much appreciated.

Maybe some of the gurus here could give me some hints on where I have gone wrong.

I've attached my resolved IAT.

fALC0N

foxthree
March 28th, 2002, 17:54
Hi there:

No D-D tricks in this one. [Even if it did, it wouldn't matter.]

A cursory glance at your rebuilt IAT also shows that everything is fine! I'm attaching my rebuilt IAT through RV so that you can analyze this one more!

OEiP == 391F5 <--- Correct!

By "not running", do you mean the FAULT 0Eh after running the unpacked ADomains? That is easily fixed. There is a redirected call to ASPR code! NOP it and everything is fun.

For further reference, search the forum. You'll find enough references for redirected code fixing.

Signed,
-- FoxThree

fALC0N
March 28th, 2002, 21:58
Thanks for replying, foxthree, but it still gives me an error at 016f:0043715c, and NOP'ing just doesn't resolve it.

Is there something i'm missing?

Is it a redirected call?

Thanks,

fALC0N

foxthree
March 29th, 2002, 09:24
Hi Falcon:

No. NOPing 016f:0043715c will not work. You have to NOP the caller itself. It will be at 0040f5d or something like that. Look in the call stack. If you NOP the caller, everything is nice.

BTW, the instruction 016f:0043715c is not the problem. It is the instruction above it that refers to "ASPR" memory that causes the page fault. I think it is something like MOV EAX, ECX, where ECX == EXXXX (ASPR mem area).

Find it, man, and have fun.

Signed,
-- FoxThree

fALC0N
April 1st, 2002, 00:48
Hi foxthree,

No matter what I've tried, it just doesn't work... I even tried with your IAT. I tried, I tried, I don't like to give up!

Is it something else? I must be missing something pretty badly!

fALC0N

foxthree
April 1st, 2002, 05:28
Hi there:

What hex editor are you using to paste the IAT? DO NOT USE Hex Workshop, as it is broken for file sizes > 2 MB. Use UltraEdit.

Signed,
-- FoxThree

fALC0N
April 2nd, 2002, 03:03
Hi foxthree,

I never used Hex Workshop (and I didn't know it couldn't handle > 2 MB files).

I used ImpREC's FixDump and RV's FixDump at all times.

fALC0N

+SplAj
April 2nd, 2002, 07:51
Hi

Did you get the aspr memory 'check' sorted at ~437150? It is NOT a redirected call.

For me the aspr mem was E73431... of course this is gone. But this is only a simple sub eax, ecx check (E73431 - E73431 == 0).

So, find the offset in the dumped exe for 31 34 E7... found at raw offset 0x9F9D8, so change the bytes to D8 F9 49.

Now the target runs because 49F9D8 - 49F9D8 == 0.

Spl/\j

fALC0N
April 3rd, 2002, 05:03
Hi Splaj

Thanks for looking at this aspr problem!!
And you are right! When I do that it passes that point, but now it gets stuck at 016f:0044bbe8.
Also, is this thing running on anyone's comp, or am I the only one?

I appreciate your help
fALC0N

fALC0N
April 6th, 2002, 01:53
I guess I'm stuck dead on this.

foxthree
April 6th, 2002, 12:36
Hi FalCon:

Here is, once again, a step-by-step list of things to do:

(1) Find the OEP. You already did this. Dump using the /dump command of ICEDump. Specify the image size and image base correctly.

(2) Run RV and rebuild the IAT. Again, you've done this correctly using ImpREC.

(3) Thirdly, when you run it, you'll find the app crashes.

Single-step in SICE and find that a call at 407F50 makes a call to ASPR, as +SplAj mentions (sub ECX, EAX or something like that).

What I've done is NOP out this entire call. (Yes, it is not required.) [You can also do a "cleaner" patch, as +SplAj guru said.]

NOP the call to ASPR code at 00407F50 (5 NOPs). [Flag check code]

Try this step by step.

Signed,
-- FoxThree
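As an added example (this is not code from the thread, from ICEDump, ImpREC or RV), here are the two post-dump patches described above applied to a constructed stand-in for the dumped exe: +SplAj's rewrite of the stale ASPR address immediate (31 34 E7 at raw 0x9F9D8 becomes D8 F9 49) and foxthree's five NOPs over the call at 407F50. Assumptions, not facts from the thread: an image base of 0x400000 (the only base for which 0x9F9D8 + base == 0x49F9D8), a dump whose raw offsets equal RVAs (what a whole-image dump with correct base and size gives you), and a call target of 0xE70000 for the sample call. The helper names (patch_stale_address, nop_redirected_call, build_sample_dump) and the sample dump contents are constructed for this example.

```python
# Added example, not from the thread: the two ASProtect clean-up patches
# (stale address immediate, redirected call) applied to a constructed dump.
import struct

IMAGE_BASE = 0x400000    # assumed; 0x9F9D8 + 0x400000 == 0x49F9D8 matches the thread
ASPR_ADDR = 0xE73431     # the ASPR address +SplAj saw; machine-specific in reality
CALL_VA = 0x407F50       # the call foxthree NOPs
ASPR_TARGET = 0xE70000   # constructed target for the sample call (outside the image)


def va_to_raw(va: int, image_base: int = IMAGE_BASE) -> int:
    """Whole-image dump: raw offset == RVA. Assumes sections were not re-aligned."""
    if va < image_base:
        raise ValueError(f"VA {va:08X} is below the image base")
    return va - image_base


def find_unique(dump: bytes, pattern: bytes) -> int:
    """Return the only offset of pattern; refuse to guess if it repeats."""
    off = dump.find(pattern)
    if off < 0:
        raise ValueError(f"pattern {pattern.hex()} not found")
    if dump.find(pattern, off + 1) >= 0:
        raise ValueError(f"pattern {pattern.hex()} is not unique; disassemble and pick the right one")
    return off


def patch_stale_address(dump: bytes, aspr_addr: int, image_base: int = IMAGE_BASE):
    """+SplAj's fix: find the 32-bit immediate still holding the (now gone) ASPR
    address and overwrite it with the VA of the immediate itself, so the
    sub eax, ecx check yields 0. Returns (patched dump, raw offset, new value)."""
    pattern = struct.pack("<I", aspr_addr)              # 31 34 E7 00 for E73431
    off = find_unique(dump, pattern)
    new_val = image_base + off                          # 0x400000 + 0x9F9D8 == 0x49F9D8
    patched = bytearray(dump)
    patched[off:off + 4] = struct.pack("<I", new_val)  # D8 F9 49 00
    return bytes(patched), off, new_val


def nop_redirected_call(dump: bytes, call_va: int, image_base: int = IMAGE_BASE):
    """foxthree's fix: replace the 5-byte E8 call into ASPR memory with NOPs.
    Checks first that there really is a call rel32 there and that its target
    lies outside the dumped image. Returns (patched dump, call target)."""
    off = va_to_raw(call_va, image_base)
    if dump[off] != 0xE8:
        raise ValueError(f"no E8 (call rel32) at {call_va:08X}, found {dump[off]:02X}")
    rel = struct.unpack("<i", dump[off + 1:off + 5])[0]
    target = (call_va + 5 + rel) & 0xFFFFFFFF
    if image_base <= target < image_base + len(dump):
        raise ValueError(f"call at {call_va:08X} targets {target:08X} inside the image; not an ASPR redirect")
    patched = bytearray(dump)
    patched[off:off + 5] = b"\x90" * 5
    return bytes(patched), target


def build_sample_dump() -> bytes:
    """Constructed stand-in for the dumped exe: zero-filled, with the two
    instructions of interest placed at the offsets from the thread."""
    dump = bytearray(0xA0000)
    dump[0:2] = b"MZ"
    # mov ecx, 0E73431h -> B9 31 34 E7 00, immediate at raw 0x9F9D8
    imm_off = 0x9F9D8
    dump[imm_off - 1] = 0xB9
    dump[imm_off:imm_off + 4] = struct.pack("<I", ASPR_ADDR)
    # call ASPR_TARGET at VA 0x407F50 -> E8 rel32 (rel is target - next instruction)
    call_off = va_to_raw(CALL_VA)
    dump[call_off] = 0xE8
    dump[call_off + 1:call_off + 5] = struct.pack("<i", ASPR_TARGET - (CALL_VA + 5))
    return bytes(dump)


if __name__ == "__main__":
    dump = build_sample_dump()
    dump, off, new_val = patch_stale_address(dump, ASPR_ADDR)
    print(f"immediate at raw {off:X} rewritten to {new_val:08X}")
    dump, target = nop_redirected_call(dump, CALL_VA)
    print(f"call at {CALL_VA:08X} -> {target:08X} replaced with 5 NOPs")
```

Two checks worth keeping when you do this on a real dump: search for the full little-endian dword (the high 00 byte included) rather than the three bytes from the post, and refuse to patch if the pattern occurs more than once, since a 3-byte value can easily recur in data; and before NOPing, confirm the byte at the raw offset is E8 and that the decoded target falls outside the image, otherwise you are about to NOP a legitimate call and will get a different crash later.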