Hi everybody
I tried to unpack one program packed with asprotect 1.12, and I think everything is unpacked properly (OEP, rebuilding all imports) but after trying to execute program I received
file system error 31. I tried find on google what is that error but nothing relevant so if somebody knows what is going on please inform me. If anybody interesting in that problem I can mail file (about 1 MB).
Thanks
I am running Win ME, and interesting is OllyDbg report on packed file "bad or unknown format of 32 bit executable"

The first thing to do is to look in your dumped .exe and check to see if that string appears ?

It may be doing an elcomsoft style protection check, basically an error is flagged if the asprotect protectionis missing.

Kilby...

Share with us the target, please

Signed,
-- FoxThree

Hi all
This is URL of target. My version is 3.0 but newest version is 3.01.
h**p://***.crystaloffice.com/clbplus.zip
Enjoy

I tried 3.01 and it is pretty ordinary. Unpacked and seems to run fine. However, there is a small point to be noted. If you use RV/ImpRec default size for IAT, you'll get only Kernel32.dll exports. This is a "strain" of ASPR that puts lots of 00 into the IAT fooling reconstructors. Try a length of multiple of 1000.

If you just put Kernel32.dll exports, that may lead to the error you've seen.

Look into the IAT using SoftICE and you'll see what I mean .

Signed,
-- FoxThree

Some years ago I coded a simple utility to get error code description. It's actually clone of Jeffry app but 12 times shorter in size.
You can type error code inside the dlg, or run it with error code as command line argument.
App is one instance app, if you run new instance it passes command line arg (if any) to previous instance and unload itself.
Nothing special, just a little tool for quick error codes description look up.

Hi foxtree, I notice that default options in RV is short and I enlarge it. This i my resolved imports. Check it and compare with your. Maybe there is a difference.
Thanks Svin for utility.

Your imports are wrong. Your IAT seems to have been fooled by the standard ASPR tricks.

Looking at your addresses, you've resolved either on Win2K/WinMe. Try RV's ASPR Plugin. That would help you. Otherwise, go into SoftICE and bpmb 001E043C etc.. and you'll see what I mean.

Signed,
-- FoxThree

Hi foxthree, I realy don't know what is wrong. This is unresolved imports after RV run.
38 001E0430 0142E964 0000 ?????? (my solution is getversion)
41 001E043C 0142E944 0000 ?????? getmodulehandlea
43 001E0444 0142E938 0000 ?????? getversion
62 001E0490 0142E8E4 0000 ?????? getmodulehandlea
65 001E049C 0142E494 0000 ?????? getprocaddress
78 001E04D0 0142E900 0000 ?????? getmodulehandlea
106 001E0540 0142E954 0000 ?????? getcurrentprocess
So this is what I think is good.
example: u 142E964
DS:005E0430=0142E964

018F:0142E964 55 PUSH EBP
018F:0142E965 8BEC MOV EBP,ESP
018F:0142E967 E86467FFFF CALL KERNEL32 GetVersion
018F:0142E96C 5D POP EBP
018F:0142E96D C20400 RET 0004
I did other unresolved same way ,generate .bin file and paste at the end of last section, and then error 31...
Can you upload your IAT for compare with my IAT. Please explain me what is wrong.
BTW is OEP = 401000 ??

I think the last one is FreeResource

Hey crUsAdEr how you figure out the last one is FreeResource. This one ?
106 001E0540 0142E954 0000 ??????

Well the funny nice trick Revirigin does for you is alphabetize the imports. Almost all a program's imports will be in alphabetical order, it isn't very often that they are not, in a real program. A protected program will have some that are out of order of course just to throw you.

Anyway, you can guess it is FreeResource in two ways:

1. It's in the right spot for the alphabetic order

2. The routine does nothing. This is exactly what FreeResource now does in Win32. Nothing. It doesn't even need to be called. Notice that RET 0004? This removes the unused GetVersion return value from the stack.

Also, after you have unpacked enough apps, you will become familiar with the functions that are commonly not resolved. Try using a program you have already unpacked and compare their IAT tables to see if you can fill in the blanks.

Also, you have quite a few GetModuleHandleA resolves, which is very fishy. I think you are being tricked. You might want to walk through each of them in SI just to be sure where they REALLY go ! I ran into major problems with a certain app once when I used SI under Win98 and then tried running the program in Win2K, a LOT of the Unicode functions did not get resolved properly. I had to walk through about 10 of them manually to make sure of what they were.

Remember the best tool to use is your brain and some creativity !

-nt20

Hi all, with help of nikolatesla20 (API alphabetical order) I fill this:
38 001E0430 0142E964 0000 ?????? FreeResource
41 001E043C 0142E944 0000 ?????? getcommandlinea
43 001E0444 0142E938 0000 ?????? getcurrentprocess
62 001E0490 0142E8E4 0000 ?????? getmodulehandlea
65 001E049C 0142E494 0000 ?????? getprocaddress
78 001E04D0 0142E900 0000 ?????? getversion
106 001E0540 0142E954 0000 ?????? I dont know what is here
Now I dont receive error 31 but program still cannot run. What is wrong now?

try LockResource for the last one???

You should read SplAj's commview and Awave tutorial.. also, try to see wat the emulated API is doing... see what is passed to eax as the results...

Also, disassemble the system dll and look at those API code... will help greatly to understand why they are so...

And it is not GetCurrentProcess but GetCurrentProcessID

Signed,
-- FoxThree

Hi all, I fill everything what you guys said but damn clipplus won't work. This is really frustrating so please upload working resolved.txt or I will kill computer or better watch football. Maybe it is easy.