The packed file is identified by PEID 0.8 as:
[ASProtect 1.2x / ASProtect 1.3 -> Alexey Solodovnikov]

I unpacked it with ImpREC and runs fine on my machine. But it just doesn't run on anyone else's system.

I dug in several tutorials for days and fixed the redirected-API shit. But in one tutorial by NchantA mentions that ASPR also bypasses the IAT by jumping directly to APIs' addresses. I am supposed to find out the IAT and fill it in in impREC, which can be done by pressing F8 until I see a jmp table.

well.. I pressed F8 for liked 2 hours and didn't see any thing like that.

Can anyone please give me a hint on this?

You should check out Revirgin. I haven't had much luck with Imprec. RV is much easier to use, understand, and have used it to rebuild numerous ASPR and vbox apps with no problems, W2k and everything.

You probably want to use RV to rebuild the import table and LordPE to dump the executable.

If ya rebuilded your exe under xp/2k that is the problem try to
rebuild under 98 with renormalize importz option and this will work on all win.

ImpRec ownz

hey thanks you all.

I got it solved as peti suggested. Plus I also need to check [Create New IAT] in the Options of impREC. Unpacked exe generated under XP just doesn't run on 98.

well.. guess it's all MS needs to blame. ;p

Must revitalize this matter:

I unpacked an Asprotected app written in Borland C
the OEP therefore is 401000 usual EB 10 as entry point.

Unpacked under XP and dumped with LordPE. Imports resolved after having increased IAT size, fixed all Imports. App runs fine.

Boot with W2K does not run. Boot with ME, crashes.

Ok, save import table and make 3 dumps for each OS, then fix it.
Runs only on the OS I dumped it. It depends clearly of the dump as I can take a dump made on ME and fix it on XP. It will only run on ME.

Dump was made as usual, found OEP 401000, locked app and dumped it. Someone can illuminate me with some hints? I'm really puzzled.

MAINLY you have truble because of NOT-renormalized Imports.

OK?

So if you will check each import-name when it decrypted,
you will find difference with resolved.

So if you NEED MULTI-OS runable dump, you should be sure about
each Import-name. (be proffy unpakcer

Sorry, I double checked all Import names and I'm sure that they're correct. I also used both RV & Imprec to fix the dumps.

However when I've a running fixed app on my OS, then when I put it on another machine with the same OS it crashes.

This however could be fixed by nopping a call which seemed to me an asp call. So maybe I've to find some other calls to fix for make it run on all OS's.

mm..
Now last step can be: you tell me what app, url etc.

Go to the following and get notepro or/and clipplus


www.crystaloffice.com

I'm really goin' insane on this question.

I've unpacked and fixed dozens and dozens of Asprotected apps, but this is the fist time I've seen something like this happening.

I think, you miss at address 64D0A8 direct aspr-module check in memory.

Debug it. (notepro)

I know about this call and noped it


0041430B . A1 A8D06400 MOV EAX,DWORD PTR DS:[64D0A8]
00414310 . E8 17CC1E00 CALL dump_OEP.00600F2C


but then the dumped file runs on another system, but only with the same 0S, it still does not run on W2K or ME.

Debugged it, but didn't find any other asp call.

Simulate it

Resolved. Was a relocation problem. Now it runs everywhere.

Thanks for your help in any case.