View Full Version : another asprotect newbie
prejker
August 6th, 2002, 15:54
the program can be downloaded here:
h**p://www.vknoware.com
I have done everything like in splaj's tuts but I can't get to the OEP.

The last RET addr in the API cluster is 1211219. I've found the popad and jmp eax instructions at addr 12262e9.
I did a bpr 12262e9 12262e9+1 (+3 also) r if eip == 12262e9
and SI doesn't pop up.
 
PEiD says it is ASPR 1.2 [new strain]
and in the API cluster there is no code like the one below:
[...]
0187:00F1C802 E8DD7BFFFF CALL KERNEL32!GetCurrentProcessId
0187:00F1C807 A3E035F200 MOV [00F235E0],EAX
0187:00F1C80C E8C37BFFFF CALL KERNEL32!GetCommandLineA
0187:00F1C811 A37836F200 MOV [00F23678],EAX
0187:00F1C816 C3 RET
Instead there is some SMC and it jumps to those APIs with jmp.
Can someone give me some tips on unpacking it?
prejker
August 6th, 2002, 15:59
Here is a screendump... maybe I'm in the wrong place.

prejker
August 6th, 2002, 17:18
Ehhh, sorry, my mistake... this proggie is named Advanced Log Analyzer v1.2.
nikolatesla20
August 6th, 2002, 17:52
Hello,
This program appears to be written in Delphi 5; DeDe (Delphi disassembler) can get the OEP for you.
For me it says it's 0051A8A4. In SI this appears correct.
If you have Windows 98, use SuperBPM to protect your bpm's, and do a bpm X on that address and run again, lock it up (a eip <enter>, jmp eip <enter><enter again>)

and then get out of SI and dump the puppy with ProcDump. Don't forget to change back the bytes you just modified in the dumped file before continuing.
In Win2K or XP you can use Revirgin's tracer to get to the OEP and then dump it. You won't need to lock it up if you do it that way.
-nt20
prejker
August 6th, 2002, 21:40
Ok, tnx for the tips.. I've dumped the exe with LordPE but now I can't fix the IAT.
 
in RV:
oep: 00401000
rva: 001201A4
length: 000007EC
20 001201F4 00B10EE8 0000 ?????? to_Resolve
When I do "u b10ee8" I see only INVALID in SI.
I have attached my resolved.txt file.
Does anybody know what to do?
Tnx
foxthree
August 7th, 2002, 13:20
There is nothing new in this AsPR. Just look for Kayakers' fantastic writeup on BPFTP Server (I think or G6 FTP Server) ...
Signed,
-- FoxThree
hobferret
August 13th, 2002, 13:00
Come on prejker - it's only 5am here and I'm awake enough to see what you're doing wrong!!
Get into the proggie, do a dd 5201f4 and you will see 01210ee8 - just u 01210ee8 and open "sus ojos", you will see what you need there!
I'm going back to sleep; you try to wake up and you will get your answer.

magistral
August 21st, 2002, 14:04
I was able to resolve *ALL* APIs combining RV/ImpREC, both vers 1.3.
My problem is that the exe doesn't run (it just exits clean, not a Windows error). The OEP for me is 519a30.
I guess it's some ASPR trick, because the app looks for some value and checks for 0.
Look:
015F:00519A30  55                  PUSH      EBP
015F:00519A31  8BEC                MOV       EBP,ESP
015F:00519A33  83C4F4              ADD       ESP,-0C
015F:00519A36  53                  PUSH      EBX
015F:00519A37  56                  PUSH      ESI
015F:00519A38  8945FC              MOV       [EBP-04],EAX
015F:00519A3B  8B45FC              MOV       EAX,[EBP-04]
015F:00519A3E  80B89C07000000      CMP       BYTE PTR [EAX+0000079C],00
015F:00519A45  0F85DB010000        JNZ       00519C26
The last JNZ exits the app.
If I force the JNZ not to jump, the app hangs at exactly this mov eax:
015F:004F9917  8B4304              MOV       EAX,[EBX+04]
Any tips? Thanks and greets.
Stone()
August 21st, 2002, 17:43
Working OEP is 0051A8A4. Change it with LordPE; if it still doesn't run, then you've got some imports wrong.
I gave it a quick look and could make it work; also the crack is easy: 90 90 twice at the right address and you're all set up.
magistral
August 21st, 2002, 23:16
Yes, I'm having problems finding the right OEP.
I cannot find the signature 61,ff,e0 with SoftICE (s 30:0 l ffffffff 61,ff,e0).
The ASPR version I'm dealing with is ASPR 1.2 [New Strain] (that's what PEiD 0.8 says).
So, I tried to find the OEP with foxthree's OEPfinder. I set a bpx on GetVersion, the second time SICE pops up I do a "jmp eip" and then I run OEPfinder, and I find the signature 61,ff,e0 (every run gives a different address). Then I set a bpm <address> and of course I use SuperBPM, but I cannot break on it.
So, I tried the OEP resolver from PEiD 0.8, and it gave me 519a30, but SICE doesn't pop up when I bpm it.
magistral
August 21st, 2002, 23:20
Btw, those OEPs won't run either.
Can you post the rebuilt IAT you made?
Thanks.
hobgoblin
August 22nd, 2002, 14:12
Hi magistral,
This may seem like a funny question, but did you try a breakpoint like this: bpmb <address> x
This works for me every time, given that I have SuperBPM running. I was on WinME when I unpacked it, and I found the OEP to be 51A8A4.
IT address=5201A1
IT size=7EC
I unpacked it yesterday, and it runs like a dream after resolving the redirected import APIs. I found 10 unresolved APIs, and they are (after resolving them):
20   Getprocaddress
21   Getmodulehandlea
25   Getcommandlinea
62   Getmodulehandlea
90   Lockresource
105 Getversion
112 Getprocaddress
113 Getmodulehandlea
126 GetcurrentprocessId
128 Freeresource
Hope this helps,
hobgoblin
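The "to_Resolve" lines prejker quotes from ReVirgin (20 001201F4 00B10EE8 ... to_Resolve) and hobgoblin's list of unresolved entries both come from the same check an import rebuilder does: walk the dumped IAT dword by dword and flag every thunk that does not point into a loaded module. The script below is an added example, not code from the thread or from ReVirgin/ImpREC; it assumes an image base of 0x00400000 (consistent with the thread's VA 0x5201F4 = base + RVA 0x1201F4) and uses a constructed module and export map with illustrative addresses.

```python
"""Classify the thunks of a dumped import address table (IAT) the way an
import rebuilder does: a value inside a known module's export list is resolved,
a value outside every module (e.g. inside memory the protector allocated and
redirected the import through) is listed as to_Resolve.  Added example; the
module map and addresses are constructed, not taken from a real process."""
import struct
from dataclasses import dataclass, field

IMAGE_BASE = 0x00400000   # assumed image base (thread: VA 0x5201F4 == base + RVA 0x1201F4)
IAT_RVA = 0x001201A4      # IAT RVA quoted from ReVirgin in the thread


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    exports: dict = field(default_factory=dict)   # VA -> export name (constructed)

    def contains(self, va: int) -> bool:
        return self.base <= va < self.base + self.size


# Constructed module map with illustrative addresses; not a real Win9x/2K layout.
MODULES = [
    Module("KERNEL32", 0x77E60000, 0x000E6000, {
        0x77E7A5FD: "GetProcAddress",
        0x77E7AD86: "GetModuleHandleA",
        0x77E7B2A4: "GetCommandLineA",
    }),
    Module("USER32", 0x77D40000, 0x0008D000, {
        0x77D4E8F2: "MessageBoxA",
    }),
]


def build_iat(thunks) -> bytes:
    """Pack 32-bit thunk values into the little-endian layout of a dumped IAT."""
    return b"".join(struct.pack("<I", v) for v in thunks)


def scan_iat(iat_bytes: bytes, iat_rva: int = IAT_RVA, modules=MODULES):
    """Return one (index, rva, value, status, name) tuple per IAT slot.

    status is 'resolved'   when the value is a known export of a module,
              'in_module'  when it is inside a module but not a known export,
              'to_Resolve' when it points outside every module (redirected),
              'null'       for a zero terminator between import descriptors."""
    entries = []
    for idx in range(len(iat_bytes) // 4):
        value = struct.unpack_from("<I", iat_bytes, idx * 4)[0]
        rva = iat_rva + idx * 4
        if value == 0:
            entries.append((idx, rva, value, "null", None))
            continue
        owner = next((m for m in modules if m.contains(value)), None)
        if owner is None:
            entries.append((idx, rva, value, "to_Resolve", None))
        elif value in owner.exports:
            entries.append((idx, rva, value, "resolved", f"{owner.name}!{owner.exports[value]}"))
        else:
            entries.append((idx, rva, value, "in_module", owner.name))
    return entries


def unresolved(entries):
    """The subset a rebuilder would still need the user to trace by hand."""
    return [e for e in entries if e[3] == "to_Resolve"]


def format_entry(entry) -> str:
    """Render a slot roughly like the ReVirgin line quoted in the thread."""
    idx, rva, value, status, name = entry
    return f"{idx:<3} {rva:08X} {value:08X} {name or '??????':<26} {status}"


if __name__ == "__main__":
    # Constructed IAT: two valid KERNEL32 thunks, two redirected pointers into
    # protector memory (values borrowed from the thread), a null terminator,
    # and one USER32 thunk.
    sample = build_iat([0x77E7A5FD, 0x00B10EE8, 0x77E7AD86, 0x01210EE8, 0, 0x77D4E8F2])
    for e in scan_iat(sample):
        print(format_entry(e))
    print(f"{len(unresolved(scan_iat(sample)))} entries still to resolve")
```

Run it as-is to see the classification of the constructed table; in practice you would feed it the IAT bytes copied from the dump (at IAT_RVA for the quoted length) and a module list taken from the live process, and then trace each to_Resolve value in the debugger to the API it really lands on, exactly as the thread describes.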
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.