Ecomsoft products Asprotected


LOUZEW
September 8th, 2002, 16:28
Hi, all guys on this board.

Up to now I've reversed a lot of progs, but I'm a newbie in unpacking. I've learned a lot from this board and especially from the threads and tutorials by +slaj about ASProtect.

I'm now working on Elcomsoft products; I started with AOXPPR_P.EXE (Advanced Office XP Password Recovery Pro), you can find it

OK, found the OEP, used ReVirgin, but some imports still remain unresolved. I've read some more, but I can't find them for sure.

Can anybody help me with this example? You can find attached a RESOLVED.TXT file generated by RV.

Thanks

louzew@libertysurf.fr

esther
September 8th, 2002, 16:40
Hi LOUZEW,

There are lots of threads regarding this topic. Search the forum.
No IAT attachments are to be uploaded. Cut and paste the part which is not resolved.

Regards

LOUZEW
September 8th, 2002, 16:52
OK ester,
Sorry for this attachment, I'll post the unresolved ones only now!

OK, I know there are a lot of threads about that on this board, and I've learned more and more from them, but I still have problems resolving these ones, if somebody can help!

Thanks

foxthree
September 8th, 2002, 17:27
Hey:

I just resolved AOXPPRPro version successfully under Win9x. If you're talking about the unresolved one in USER32.dll thunk, refer to my post on ADPRPRPro and the reply by Crusader... In fact there are only a few APIs in USER32.dll that do a RET 0014

Signed,
-- FoxThree

PS: BTW, the above is my assumption only. You've not given any sufficient info as to which APIs you haven't been able to resolve yet.

LOUZEW
September 8th, 2002, 20:59
Hi, Foxthree
Thanks a lot for responding, I've read many of your posts!
I've also taken a look at your post on ADPRPRPro and the reply by Crusader.
OK, but I'm a newbie in unpacking and I still have problems locating unresolved functions.

I'll post here as an attachment UNRESOLVED.TXT from AOXPPRPro; maybe you can take a look, and if you have resolved it successfully, maybe you can explain how you found these unresolved functions.

LOUZEW
September 9th, 2002, 17:59
Hi, foxthree
I don't know why, but somebody deleted the attachment from my last post; it was only the unresolved list from AOXPPRPro!
Maybe the guy who deleted it can explain (I'm referring to esther's reply).

OK, Foxthree, the unresolved calls are the following:

25 001F34F0 BFF8E0CD 0133 KERNEL32.dll FreeLibrary
26 001F34F4 013213C4 0000 ?????? ??????
27 001F34F8 BFF8E150 0138 KERNEL32.dll GetACP

30 001F3504 BFF779D5 0158 KERNEL32.dll GetCurrentDirectoryA
31 001F3508 01321388 0000 ?????? ??????
32 001F350C BFF92F1B 01DC KERNEL32.dll GetVersion

52 001F355C BFF776F7 018B KERNEL32.dll GetModuleFileNameA
53 001F3560 0132133C 0000 ?????? to_Resolve
54 001F3564 BFF9100F 0196 KERNEL32.dll GetOEMCP

56 001F356C C0193CDC 019F KERNEL32.dll GetPrivateProfileStringA
57 001F3570 01320EE8 0000 ?????? to_Resolve
58 001F3574 BFF8CAE1 01A6 KERNEL32.dll GetProcessHeap

99 001F3618 BFF9C654 023C KERNEL32.dll LockFile
100 001F361C 013213B4 0000 ?????? ??????
101 001F3620 BFF820A9 0249 KERNEL32.dll MapViewOfFile

I hope you can tell me how to find them! (I have to learn some more...)

Thanks

JMI
September 9th, 2002, 18:44
LOUZEW:

Perhaps you didn't read the warning which is now part of the header of all of the Forums, except "Off Topic" which states, in capital letters:

"DO NOT UPLOAD ANY TARGET SPECIFIC CODE."

Perhaps you didn't understand when esther (look I spelled it correctly this time) told you to "cut and paste" rather than "attach" sections of code. Although it wasn't stated, we can assume that it is intended to prevent someone else from taking an attachment and pasting its information into their own file and get a potentially working program. Again assuming, we can conclude that is another attempt to prevent the wolves constantly nipping at the heels of this Board from claiming that the Board is facilitating the distribution of cr*cked software.

It shouldn't be that difficult to cut and paste a small section of the code as you appear to have done in your last post, and this is not "directly" insertable into someone else's efforts, even though it can be re-typed into their output.

Just as an aside, have you considered using Softice to look at the addresses in the "unresolved"? It is generally unlikely that you will find something from a different API in the middle of references to KERNEL32.dll, but you could go to the first address at 013213C4 and see what you find right at that address and above and below this address. Here is a cut and paste from our resident unpaxing God, +Spl/\j, from the thread RIGHT BELOW YOURS, in which he wrote:

[QUOTE]

To manually trace a redirected API, just look at the unresolved entry and then, while holding the target in an EB FE loop, Ctrl-D into SI and U the call, e.g. from the above example:
027 001A029C 00E8C94C 0000 ?????? ??????

in SI type U E8C94C and examine the code.

It will look something like:

0167:0132138E 8BC0 MOV EAX,EAX
0167:01321390 E8DB3DFFFF CALL KERNEL32!GetVersion <- FAKE call
0167:01321395 A1F06C3201 MOV EAX,[01326CF0] <- restore GetCommandLineA
0167:0132139A C3 RET

So if you had MANUALLY logged that memory block where ASPR saves the GetWhatWeWant API result, then you will know that [1326CF0] holds the result of the GetCommandLineA API.
[end quote]

Give this a try.

Regards.

foxthree
September 9th, 2002, 19:55
Hello there:

However hard I try, I can't answer better than +SplAj and JMI. Seek and ye shall find... Follow +SplAj's post as posted by JMI and you'll never miss...

Signed,
-- FoxThree

LOUZEW
September 9th, 2002, 20:06
OK guys (JMI & Foxthree)
First of all (about the attachment), I was thinking that this text file was only a piece of text and not a section of code; I've noted your advice!

I'll try now what you said, JMI, and let you know.

Thanks again for your responses, guys!

esther
September 10th, 2002, 11:35
Hi FoxThree,JMI,
Thanks for directing newbies to search the board. How ironic when the answer is right under your nose and you didn't bother to look at it.

Best Regards

+SplAj
September 10th, 2002, 12:46
LOUZEW


The public release of the ASPR 1.2x plugin that fits ImpREC/RV worked for a long time.

This is a Delphi 'bloatware' DLL, but a packed version. Currently it does NOT resolve the latest Alexey trick to shake off API tracers:

001F3500 kernel32.dll 01DC GetVersion <-WRONG should be GetCommandLineA

If you unassemble that redirector call in SI you'll see wtf gives.

BTW wtf is '+slaj'??????? Are you taking the piss?

LOUZEW
September 14th, 2002, 20:55
Hi, all
Many thanks for your responses and your help. I've read many posts and tutorials these last two days and found some interesting things. I've read the evaluator post that describes the API calls and their offsets from the beginning of the ASPR module. My UNRESOLVED calls were exactly at these offsets. Well, I have now dumped and fixed AOXPPRPro.exe, but I still have a problem: the app crashes. Lots of work again, I'll read more!

Only a question: HOW do you know these API calls? Because following your tuts, I never saw them; maybe I'm doing something wrong. Here is what I do:

BPX GetVersion, F5 and trace back to the ASPR code with F12; after that I never see the following:

xxxxxxxx : PUSH 00
xxxxxxxx : CALL KERNEL32!GetModuleHandleA
xxxxxxxx : MOV [yyyyyyyy],EAX
xxxxxxxx : CALL KERNEL32!GetVersion
xxxxxxxx : MOV [yyyyyyyy],EAX
xxxxxxxx : PUSH 017B35AC
xxxxxxxx : CALL KERNEL32!GetVersionExA
xxxxxxxx : CALL KERNEL32!GetCurrentProcess
xxxxxxxx : MOV [yyyyyyyy],EAX
xxxxxxxx : CALL KERNEL32!GetCurrentProcessId
xxxxxxxx : MOV [yyyyyyyy],EAX
xxxxxxxx : CALL KERNEL32!GetCommandLineA
xxxxxxxx : MOV [yyyyyyyy],EAX
xxxxxxxx : RET

I've found this sequence only in an older ASProtected app (ASPR 1.2).

To Foxthree: since you've fixed it, maybe you can PM me a little tut on the complete unpack/fix method, with AOXPPRPro for example.

I really want to know more about ASProtect (I don't care about the protected app, but I have this one and have already worked on it).

In advance, thanks to all of you, my friends!!!

evaluator
September 15th, 2002, 07:19
>>that I never see the following

Because that code piece is from older ASPR versions.

Now it is different code. Debug the ASPR code & find it.
Don't be lazy.
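The two listings in this thread describe one mechanism: at startup ASPR calls a handful of kernel32 APIs once and saves each return value in a private slot (the CALL / MOV [yyyyyyyy],EAX sequence LOUZEW posted), and the IAT entry for such an API then points at a stub that makes a decoy call to a different API and returns the saved value (the MOV EAX,[01326CF0] stub JMI quoted from +SplAj). A tracer that labels the entry by the last CALL it sees names the decoy (GetVersion) instead of the real import (GetCommandLineA). The script below is an added example, not code from the thread or from ReVirgin/ImpREC: it does mechanically what +SplAj describes doing by hand in SoftICE, logging the save routine to learn which slot holds which API's result and then reading the stub's MOV to map the slot back to the real API. The x86 image, the IAT, the slot addresses and the kernel32 export map are constructed for the example; the export addresses marked "assumed" do not come from the thread.

```python
import struct

# Constructed kernel32 export map (VA -> name).  The first three addresses are
# the ones that appear in the RV dump quoted in the thread; the others are
# assumed for this example.
EXPORTS = {
    0xBFF92F1B: "GetVersion",
    0xBFF8E0CD: "FreeLibrary",
    0xBFF776F7: "GetModuleFileNameA",
    0xBFF82000: "GetModuleHandleA",     # assumed
    0xBFF82010: "GetVersionExA",        # assumed
    0xBFF82020: "GetCurrentProcess",    # assumed
    0xBFF82030: "GetCurrentProcessId",  # assumed
    0xBFF82040: "GetCommandLineA",      # assumed
}
EXPORT_VA = {name: va for va, name in EXPORTS.items()}


def decode(image, base, va):
    """Yield (va, mnemonic, operand) for the few opcodes these ASPR routines
    use and stop after RET.  Enough for the stubs, not a general decoder."""
    while True:
        off = va - base
        op = image[off]
        imm32 = None
        if op in (0xE8, 0xA3, 0xA1, 0x68):
            imm32 = struct.unpack_from("<I", image, off + 1)[0]
        if op == 0xE8:                           # CALL rel32, relative to next insn
            yield va, "call", (va + 5 + imm32) & 0xFFFFFFFF
            va += 5
        elif op == 0xA3:                         # MOV [imm32],EAX  (save result)
            yield va, "store", imm32
            va += 5
        elif op == 0xA1:                         # MOV EAX,[imm32]  (restore result)
            yield va, "load", imm32
            va += 5
        elif op == 0x68:                         # PUSH imm32
            yield va, "push", imm32
            va += 5
        elif op == 0x6A:                         # PUSH imm8
            yield va, "push", image[off + 1]
            va += 2
        elif image[off:off + 2] == b"\x8B\xC0":  # MOV EAX,EAX filler
            yield va, "nop", None
            va += 2
        elif op == 0xC3:                         # RET
            yield va, "ret", None
            return
        else:
            raise ValueError("unhandled opcode %02X at %08X" % (op, va))


def log_saved_results(image, base, start):
    """Walk the 'CALL api ; MOV [slot],EAX' routine and return {slot: api}.
    A CALL whose result is not stored (GetVersionExA below) gets no slot."""
    slots, last_api = {}, None
    for _, mn, arg in decode(image, base, start):
        if mn == "call":
            last_api = EXPORTS.get(arg)
        elif mn == "store" and last_api:
            slots[arg] = last_api
            last_api = None
    return slots


def resolve_stub(image, base, stub_va, slots):
    """Name the API a redirector stub really stands for.  A MOV EAX,[slot]
    from a logged slot wins over any CALL in the stub: that CALL is a decoy
    whose return value is overwritten before RET."""
    called, loaded = None, None
    for _, mn, arg in decode(image, base, stub_va):
        if mn == "call":
            called = EXPORTS.get(arg, called)
        elif mn == "load" and arg in slots:
            loaded = slots[arg]
    if loaded:
        return loaded, "restored from slot (decoy call to %s)" % called
    return called, "direct call"


def resolve_iat(image, base, iat, slots):
    """iat: {iat_entry_va: value ASPR wrote there}.  Values inside kernel32
    are taken as-is; anything else is treated as a redirector stub."""
    out = {}
    for entry, target in iat.items():
        if target in EXPORTS:
            out[entry] = (EXPORTS[target], "points straight at API")
        else:
            out[entry] = resolve_stub(image, base, target, slots)
    return out


def build_sample():
    """Constructed ASPR-like code: the startup routine that caches API results
    (layout follows LOUZEW's listing) and one redirector stub at 0132138E
    (layout follows the SoftICE listing JMI quoted)."""
    base, buf = 0x01320000, bytearray()
    va = lambda: base + len(buf)

    def call(name):
        rel = (EXPORT_VA[name] - (va() + 5)) & 0xFFFFFFFF
        buf.extend(b"\xE8" + struct.pack("<I", rel))

    def store(slot):
        buf.extend(b"\xA3" + struct.pack("<I", slot))

    save_va = va()
    buf.extend(b"\x6A\x00"); call("GetModuleHandleA"); store(0x01326CE0)
    call("GetVersion"); store(0x01326CE4)
    buf.extend(b"\x68" + struct.pack("<I", 0x017B35AC)); call("GetVersionExA")
    call("GetCurrentProcess"); store(0x01326CE8)
    call("GetCurrentProcessId"); store(0x01326CEC)
    call("GetCommandLineA"); store(0x01326CF0)
    buf.append(0xC3)
    buf.extend(b"\xCC" * (0x0132138E - va()))       # pad up to the stub
    stub_va = va()
    buf.extend(b"\x8B\xC0"); call("GetVersion")      # decoy, result discarded
    buf.extend(b"\xA1" + struct.pack("<I", 0x01326CF0)); buf.append(0xC3)
    return bytes(buf), base, save_va, stub_va


def demo():
    image, base, save_va, stub_va = build_sample()
    slots = log_saved_results(image, base, save_va)
    # constructed IAT: the FreeLibrary entry and the "unresolved" entry from the dump
    iat = {0x001F34F0: 0xBFF8E0CD, 0x001F3508: stub_va}
    return slots, resolve_iat(image, base, iat, slots)


if __name__ == "__main__":
    slots, resolved = demo()
    for slot, api in sorted(slots.items()):
        print("[%08X] holds result of %s" % (slot, api))
    for entry, (api, how) in sorted(resolved.items()):
        print("IAT %08X -> %s (%s)" % (entry, api, how))
```

Against a real dump the two inputs are the bytes of the ASPR loader region and the addresses of the stubs the tracer left unresolved; the `\xCC` padding and the fixed export addresses only stand in for those here. The check worth keeping in mind is the one the thread makes: if a stub ends in MOV EAX,[slot] / RET, the CALL before it tells you nothing, and the name comes from whichever API's result was stored at that slot during startup.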