Just another idiot


miltantof
June 13th, 2002, 22:34
Hi guys, great forum!

my status : not quite a newbie yet
my problem : asprotect
the exe : hide folders 2.2.1.171 (www.fspro.net)
--------------------------------------------------



The unpacking and IAT rebuilding of the 2.0 version of this program posed no problem and the unpacked program works without a flaw.

2.2 is different.

Here's what I did:
- I found the OEP and dumped at 004749c4
- realigned the sections with procdump
- reconstructed the IAT with ImpRec 1.4.2+
- changed the ep with procdump
- at 00474A22 I nopped out the call to the "internal error" message box
- and at 004037E6 I changed the je to jne (which caused another error message)

Now this is what happens:
If the original exe is loaded into memory my unpacked exe apparently works, but if the original exe is not loaded my exe crashes with the following message:
"Access violation at address 00000009. Write of address 7074613d"
W32Dasm tells me that this coded address is not in a loaded module.

I'm totally lost. I'm hoping for a kind soul willing to shed some light and help me find my way home.
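A small crash-triage helper, added here as an illustration and not part of the thread or of anyone's post: it parses the access-violation text quoted above, checks the faulting EIP and the target address against a constructed module map (the module names, bases and sizes are hypothetical, not values from the thread), and flags when the target address decodes to printable ASCII. For the message above, 0x7074613d read as little-endian bytes is "=atp", the kind of clue that the pointer being written through was overwritten with string data rather than holding a real address, and an EIP of 00000009 says control flow went through a null or garbage pointer before the write ever happened.

```python
import re
import string

# Constructed sample: the crash text quoted in the post above.
CRASH_MESSAGE = "Access violation at address 00000009. Write of address 7074613d"

# Constructed module map (hypothetical names, bases and sizes for illustration
# only; on a real system take these from the debugger's module list).
MODULES = {
    "target.exe": (0x00400000, 0x00100000),
    "kernel32.dll": (0xBFF70000, 0x00060000),
}

AV_RE = re.compile(
    r"Access violation at address ([0-9A-Fa-f]{8})\. "
    r"(Read|Write) of address ([0-9A-Fa-f]{8})"
)


def parse_access_violation(msg):
    """Extract EIP, access kind and target address from the message text."""
    m = AV_RE.search(msg)
    if not m:
        raise ValueError("not a recognised access-violation message")
    return {
        "eip": int(m.group(1), 16),
        "op": m.group(2).lower(),
        "target": int(m.group(3), 16),
    }


def module_for(addr, modules=MODULES):
    """Name of the module whose [base, base+size) range contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def as_ascii(value):
    """Return the 4 little-endian bytes of value as text if all printable, else None."""
    raw = value.to_bytes(4, "little")
    text = raw.decode("ascii", errors="replace")
    ok = all(c in string.printable and c not in "\t\n\r\x0b\x0c" for c in text)
    return text if ok else None


def triage(msg, modules=MODULES):
    """Parse the message and return (parsed fields, list of findings)."""
    info = parse_access_violation(msg)
    findings = []
    if info["eip"] < 0x10000:
        # Executing near page zero: a call/jmp went through a null or corrupted pointer.
        findings.append("eip-near-null")
    if module_for(info["eip"], modules) is None:
        findings.append("eip-outside-modules")
    if module_for(info["target"], modules) is None:
        findings.append("target-outside-modules")
    text = as_ascii(info["target"])
    if text:
        # A "pointer" made of printable bytes usually means it was overwritten with string data.
        findings.append("target-looks-like-text:" + text)
    return info, findings


if __name__ == "__main__":
    parsed, notes = triage(CRASH_MESSAGE)
    print("EIP %08x, %s of %08x" % (parsed["eip"], parsed["op"], parsed["target"]))
    for note in notes:
        print(" -", note)
```

The module map is the piece to replace with real data: feed it the loaded-module list from the debugger session where the crash occurred, and the "outside-modules" findings become meaningful rather than a consequence of the placeholder ranges.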

foxthree
June 14th, 2002, 06:59
Hajo:

I've downloaded and unpacked HideFoldersXP version. Runs like a charm. However, I believe you have the Windows 9x version --- which I don't have at the moment. I'll try it later today and let you know the results.

Signed,
-- FoxThree

miltantof
June 15th, 2002, 22:50
Hellooooo FoxThree

thanks for your reply.
Yes, I have version 2.2, which is the Windows 98 version.
I appreciate your help and will be waiting for any suggestion that will get me out of the woods.

foxthree
June 16th, 2002, 20:21
Hello:

Unpacked the above version of HideFolders and analyzed. At raw offset 7869B there is an indirect call to ASPR code @ C4E870. Naturally, bypass this call. Now, if you run it you'll get some Page Fault in BFF7XXXX address which belongs to IsBadStringW. So, Trace... soon enough we see at 0x403784 a routine which checks some SEH addresses to see if EAX == ECX. With ASPR EAX always equals ECX. So, JNZ is never executed. But without ASPR, EAX != ECX. But alas, ECX value is never used. So, patch JNZ at raw offset 3791. What really matters is that the value at EAX should be correct, some 6FXXXX, I think.

So, no more page faults and all is well. Hope this helps.

I didn't find any Access Violation at address 0000009 errors? Maybe 'coz different version.

Signed,
-- FoxThree

miltantof
June 17th, 2002, 01:42
Thank you foxthree,
I'll get to work on it in the next few days
(I'll have to understand SEH's first).

miltantof
June 19th, 2002, 21:35
Hello all! and hello FoxThree,

First off, thank you for the credits, although undeserved. I just knew this was a tough one, and I assure you it has grown on me, I just can't shake it off. Alas, I'm way over my head in this and I would hope that you could be a little more unassuming. I've tried, as per Splaj, to dump after Call Eax followed by the suggestion by hobgoblin to copy and paste the sections, but no luck! I need a little hand.
thanks guys!