ASPR weird API
MrMiniMe
July 5th, 2002, 00:22
hi all ...
yes, it's again ASPR, and now...
Change Folder Icons v 4.6
http://www.nesoft.org
OEP : 46E3A4
Image Size : E3000
well, after dumping comes the fixing..
I used ImpREC and after doing the API emu
it fixed all but one!!!
ptr : 11813B4
well, I checked what it is in the packed file and got this:
PUSH EBP
MOV EBP,ESP
MOV EAX,[01186CF4] <-- if you do "d eax" you get the path of the prog, probably a GetCommandLineA
MOV EAX,[EBP+08] <-- if you do "d eax" it returns : TPF0.TForm1.Form ??? what is it ??
POP EBP
RET 0004
after the "ret" it takes the value of eax and uses it..
what is the API that returns : TPF0.TForm1.Form ???
it looks like a Resource thing.. so I tried manually changing it to:
LockResource <--- no good, still CRASH
FreeResource <-- no good, still CRASH
LoadResource <-- no good, still CRASH but in a weird way...
well, I don't know what else to do, so I came to you guys..
hope to get an answer soon.. thanks all...
nikolatesla20
July 5th, 2002, 04:44
Maybe try LoadString
Another hint you can do is to see where the call comes from, so you can see how many arguments get passed. This can help lead you to the correct API call as well.
So to "walk the stack", once you are in this ASPR function, then do "dd esp" and try to find an appropriate address on the stack that might be where the call came from (some people might use the WS to see the stack window, but I prefer to look at ESP manually)
Then you can "U" the address to see where the call came from. Right above the call you will see the arguments that get pushed.
LoadString takes 4 arguments, in case it might be that one.
-nt20
SpeKKeL
July 5th, 2002, 10:36
HaJo,
well, your wanted API is LockResource... Why it's still crashing I don't know ??
I found another possible reason why the prog could crash:
( well, it did for me )
somewhere in the dumped prog there is a call [4b31b8]
which first calls GetModuleHandleA, after that there is a push dword GetVersion, and after that (pffff) GetCommandLineA is loaded in eax... ImpREC's plugin tracer (emul 1.2) will trace GetVersion for you....!
Try debugging by comparing (tracing) the original and your rebuilt exe.
Greetz,
Spekk
MrMiniMe
July 5th, 2002, 11:52
hi SpeKKeL
well, if I change it to LockResource, when you run the prog it sends a msgbox : Access violation at address 0040284C in module 'dupd.exe' read of address C0000A04
and then another, and if you do an event the prog will continue doing so ..
SpeKKeL
July 5th, 2002, 11:55
Just like I said in my earlier post>>> Check the call !!!!!!!!!
Make that GetVersion a GetCommandLineA OR skip the whole call and you'll see NO PROBLEM !
SpeKK
MrMiniMe
July 5th, 2002, 13:26
the message box was at 40284c and I traced up to see the start of the loop that checks ... and at 40283c it starts; I just put a RET there and that's all..
_Servil_
July 11th, 2002, 22:24
hi SpeKKeL,
Could I know how did you figure the 1st 'API' is just LockResource?
PUSH EBP
MOV EBP,ESP
MOV EAX,[XXXXXXXX]
MOV EAX,[EBP+08]
POP EBP
RET 0004
It probably is, but it's located in an unnamed module and calls no API at all; I've found this sub in another .aspr program later ...
SpeKKeL
July 12th, 2002, 08:24
First of all,
In this prog ImpREC's aspr emul.dll plugin can't discover which API it is. Also a GetVersion is somewhere traced but must be a GetCommandLineA !
I have been busy making a new aspr-plugin which traces all okay.. but it isn't ready for publishing.
The LockResource: well, lots of threads have dealt with this (just like FreeResource). I always put a ret 02f, which does nothing more than a ret 004, so this must also work.
H'mm, who exactly discovered it was a FreeResource and LockResource I don't
know, but it's obvious (spelled correctly ??) that it must originally be these APIs; just look at the alphabetic list.
greetz,
spekk
nikolatesla20
July 12th, 2002, 13:43
The reason, my fellow RCE'rs, is that LockResource and FreeResource do absolutely nothing.
If you "U LockResource" in SI on Windows 98 you will get a function that does nothing (except for simply moving the argument you passed in into your return value).
mov eax,[esp+04]
ret 0004 ; HMMM that was kinda pointless...
Similarly, if you "U FreeResource" the assembly is:
xor eax,eax
ret 0004 ; EVEN more pointless.....
So these routines do nothing, and no doubt Alexey knew about that, so he added functions himself that do nothing.
According to MSDN, you don't need to call FreeResource anyway; the OS cleans up after you without it.
These two functions are only there for 16-bit compatibility. I have no idea why people still use them.
-nt20
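The two posts above (nikolatesla20's hint to count arguments from the call site, and his point that the real LockResource/FreeResource bodies are an identity stub and a return-zero stub) both come down to matching a stub by what it computes rather than by a name. The following is an added example, not code from the thread, ImpREC or ASProtect: a small interpreter for just the x86 instructions the posted stubs use, which reports how many stack bytes RET pops (the stdcall argument size) and what EAX holds on return, then looks up kernel32 candidates with the same behaviour. The byte strings are hand-assembled for this example (not dumped from dupd.exe) and the candidate table is an assumption based on the thread's own reasoning.

```python
"""Classify tiny "API emulation" stubs by what they compute, not by an import name.

Added example for this thread (not code from the thread, ImpREC or ASProtect).
It interprets only the x86 instructions the posted stubs use and reports how
many stack bytes RET pops (the stdcall argument size) and what EAX holds on
return: an argument, a constant, or a global load.  The byte strings below are
hand-assembled for this example and the candidate table is an assumption.
"""
import struct

# Constructed samples (assembled by hand for this example, not dumped from dupd.exe).
ASPR_STUB = bytes.fromhex("55 8BEC A1F46C1801 8B4508 5D C20400")
#   push ebp / mov ebp,esp / mov eax,[01186CF4] / mov eax,[ebp+8] / pop ebp / ret 4
WIN9X_LOCKRESOURCE = bytes.fromhex("8B442404 C20400")   # mov eax,[esp+4] / ret 4
WIN9X_FREERESOURCE = bytes.fromhex("33C0 C20400")       # xor eax,eax / ret 4
GLOBAL_GETTER = bytes.fromhex("A1F46C1801 C3")          # mov eax,[01186CF4] / ret

# Assumed mapping from observed behaviour (EAX on return, argument count) to candidates.
CANDIDATES = {
    ("arg1", 1): ["LockResource"],                      # returns its one argument unchanged
    (0, 1): ["FreeResource"],                           # returns 0, pops one DWORD
    ("global", 0): ["GetCommandLineA", "GetVersion"],   # no args, returns a stored value
}


def _stack_slot(offset):
    """Name a stack slot by its offset from ESP at stub entry (stdcall: arg1 at +4)."""
    if offset == 0:
        return "retaddr"
    if offset > 0 and offset % 4 == 0:
        return f"arg{offset // 4}"
    return f"stack{offset:+d}"


def interpret_stub(code):
    """Symbolically execute a stub; return (eax_on_return, bytes_popped_by_ret)."""
    eax = "uninit"
    esp_off = 0      # bytes pushed below the entry ESP so far
    ebp_off = None   # value of esp_off when 'mov ebp,esp' ran
    i = 0
    while i < len(code):
        b = code[i]
        if b == 0x55:                                     # push ebp
            esp_off += 4; i += 1
        elif b == 0x5D:                                   # pop ebp
            esp_off -= 4; i += 1
        elif code[i:i + 2] == b"\x8B\xEC":                # mov ebp,esp
            ebp_off = esp_off; i += 2
        elif b == 0xA1:                                   # mov eax,[imm32]
            addr, = struct.unpack_from("<I", code, i + 1)
            eax = f"global@{addr:08X}"; i += 5
        elif code[i:i + 2] == b"\x8B\x45":                # mov eax,[ebp+disp8]
            if ebp_off is None:
                raise ValueError("EBP used before 'mov ebp,esp'")
            disp, = struct.unpack_from("<b", code, i + 2)
            eax = _stack_slot(disp - ebp_off); i += 3
        elif code[i:i + 3] == b"\x8B\x44\x24":            # mov eax,[esp+disp8]
            disp, = struct.unpack_from("<b", code, i + 3)
            eax = _stack_slot(disp - esp_off); i += 4
        elif code[i:i + 2] in (b"\x33\xC0", b"\x31\xC0"):  # xor eax,eax
            eax = 0; i += 2
        elif b == 0xC2:                                   # ret imm16
            pops, = struct.unpack_from("<H", code, i + 1)
            return eax, pops
        elif b == 0xC3:                                   # ret
            return eax, 0
        else:
            raise ValueError(f"unsupported opcode {b:02X} at +{i}")
    raise ValueError("stub has no RET")


def classify(code):
    """Summarise a stub and list API candidates with matching behaviour."""
    eax, pops = interpret_stub(code)
    nargs = pops // 4
    kind = "global" if isinstance(eax, str) and eax.startswith("global@") else eax
    return {"eax": eax, "nargs": nargs, "candidates": CANDIDATES.get((kind, nargs), [])}


if __name__ == "__main__":
    for name, code in [("ASPR stub", ASPR_STUB), ("Win9x LockResource", WIN9X_LOCKRESOURCE),
                       ("Win9x FreeResource", WIN9X_FREERESOURCE), ("global getter", GLOBAL_GETTER)]:
        print(f"{name:20s} -> {classify(code)}")
```

Run on the constructed ASPR stub this reports EAX = arg1 with one DWORD argument: the load from [01186CF4] is overwritten by the load from [ebp+8], so the stub is an identity function just like the Win9x LockResource body, which is the conclusion the thread reached. The table deliberately cannot separate GetCommandLineA from GetVersion on shape alone; that needs a look at what the global holds (a string that is the program path points to the command line), which is exactly the kind of tracer mix-up SpeKKeL describes.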
Snatch
July 17th, 2002, 08:21
DANGEROUS..... You are making dangerous Windows assumptions: that if Windows doesn't change it won't work, and that every version of the DLL has the same LockResource and FreeResource code. If Microsoft decided to change this..... it will cripple your app. So they are not obsolete. They are the correct way of doing things. Though at this point they do seem useless, eheh.
Snatch