Aspack trouble
Soldat
August 26th, 2002, 12:22
Hello!!
I have trouble with the following program:
AD Picture Viewer Version 2.4.1
http://www.abroaddesign.com/picview/picview.zip
I tried to unpack this stuff
(OS: Win 98).
I think I found the OEP.
It was 4DF6A8 (found the pattern 61,FF,E0 with Soft Ice),
something like
push ebp
mov ebp ,esp
.....
.....
Rebuilt the IAT with Revirgin, found 4 unresolved APIs;
after resolving them manually they were
GetProcAddress
GetModuleHandleA
GetCurrentProcess
GetVersion
all in KERNEL32.dll
I did the generation of the IAT with DUMPED.exe,
put the new OEP with PE-Editor by Yoda (after dumpfixer).
Tried to run it, but there was a crash.
Then I tried to compare the pattern of the original program and dumped.exe;
the difference was at address
4069DC ret
After it the original program returns into the 4xxxxx area,
and DUMPED.EXE
returns into 7xxxxx, where after the following instruction
cmp (I've forgotten what) it jumps to KERNEL and the
message
"This program performed an illegal operation and will be closed"
appears.
I believe this is one of the protection checks, but I don't know which,
because I don't have too much experience.
Thanks for help
Soldat
SilSaLaMaTa
August 26th, 2002, 13:19
Hi Soldat
I found the OEP at 4DFB98 (Version 2.5 build 231).
After rebuilding the IT, the OEP was like this:
push ebp
mov ebp,esp
.
.
.
call 000451D74
Call [4E5B70]
.
.
.
I got an error while executing this line. I ran the original
file and in SoftICE I traced up to that line.
Then d 4E5B70. 4E5B70 -> xxxxx -> ... -> 4DF470.
So I changed "Call [4E5B70]" to "Call 4DF470",
and the prog runs normally.

serkul
August 26th, 2002, 13:59
Quote:
and the Prog runs normally
as long as you can be sure that [4E5B70] contains 4DF470 in any case (on any system)
hobgoblin
August 26th, 2002, 14:11
Hi there,
Maybe you got some of the imports wrong or messed up. I used Revirgin and it came up with these unresolved imports:
21 000E61E4 011CE494 0000 ?????? to_Resolve
22 000E61E8 011CE8E4 0000 ?????? to_Resolve
26 000E61F8 011CE944 0000 ?????? ??????
63 000E629C 011CE8E4 0000 ?????? to_Resolve
92 000E6318 011CE954 0000 ?????? ??????
107 000E6354 011CE900 0000 ?????? ??????
112 000E6368 011CE494 0000 ?????? to_Resolve
114 000E6370 011CE8E4 0000 ?????? to_Resolve
125 000E639C 011CE938 0000 ?????? ??????
127 000E63A4 011CE964 0000 ?????? ??????
After tracing in Softice I found them to be:
21 GetProcAddress
22 GetModuleHandleA
26 GetCommandLineA
63 GetModuleHandleA
92 LockResource
107 GetVersion
112 GetProcAddress
114 GetModuleHandleA
125 GetCurrentProcessId
127 FreeResource
When I traced in SoftICE it looked like the import at 92 is GetCurrentProcess. This is wrong. The call here has a ret 0004 instruction at the end. This indicates that this is a "dummy" call. When I checked the resolved list in Revirgin, it looked more "natural" to change it to LockResource.
At 127 the import seems to be GetVersion. But the same goes here, only that it looks more natural to change it to FreeResource.
That's it. After changing the code as described by SilSaLaMaTa, it runs perfectly. To top it: it is also registered. :-)
Try to enter a code via the About screen, you'll see what I mean. And the 30-day period is now "hardcoded" into the program, so it never expires.
The only thing left to be removed is the trial text.
Hope this helps,
hobgoblin
Soldat
August 27th, 2002, 09:39
Yes, I've made it, but I have a question for you,
Hobgoblin or SilSaLaMaTa.
Yes, the crash was because of the IAT, because I didn't do it well.
Now, would you explain to me how you found that
26 000E61F8 011CE944 0000 ?????? ??????
was
GetCommandLineA
then
107 000E6354 011CE900 0000 ?????? ??????
GetVersion
and
125 000E639C 011CE938 0000 ?????? ??????
125 GetCurrentProcessId
because when I traced them with the tracer in Revirgin they appeared
to be
GetModuleHandleA
GetModuleHandleA
GetVersion
Then I checked their addresses
(011CE944, 011CE900, 011CE938) with Soft-Ice
and found the same as with Revirgin (by the way, I use v1.3 of Revirgin).
When I did as you did, Hobgoblin, and renamed them in the same way,
everything was good (also I changed the call according to
SilSaLaMaTa).
At least the protection (I mean the window that appears before
starting the program, about key entering) hasn't vanished.
I didn't check the time limitation because there are still several days of demo left.
And also, if you want, Hobgoblin, explain to me again about those
fake APIs: where did you see them to be
LockResource
FreeResource?
My Revirgin didn't rename anything; maybe something is wrong
with me.
Thank you both
hobgoblin
August 27th, 2002, 20:05
Hi there,
Nice to see that you resolved some of your problems.
Instead of me repeating and rewriting a lot of stuff, you can easily get all the answers you need if you search this board for the information revealed to all of us by +Splaj, Kayaker and a couple of others devoted to reversing the Asprotect protection.
I can't possibly imagine I have something new to add to what they have shared on this board.
Just search using the names I just gave you, and you will find a lot of stuff, maybe somewhat fragmented and spread out over several posts. But I can assure you: by digesting that information you will get a very detailed understanding of Asprotect.
good luck,
hobgoblin