RV tracer seems not to work on...


spiderman
October 16th, 2002, 16:42
The latest version of RV seems not to work on G-Lock Easymail Professional 4.1.



- target's URL: DELETED
- one dialog pops up when tracing, saying: sorry but your 30-day trial has expired.....
- my Win version, build number: Win2k 5.00.2195 + SP3

Can anybody, esp. Tsehp, look into it?

Thanks,

foxthree
October 16th, 2002, 21:31
Spiderman:

Don't get me wrong, but why do you need RV's tracer? If I remember right, Easymail is ASPRed (I may be wrong, it's a long time since I saw this target). Maybe the latest ASPR strain, maybe Alexey improved his decryptor...

RV is a great tool, but don't rely too much on RV's tracer, or you won't learn anything. Tracers in general are only for beginning exploration into the code woods. Like +SplAj and others say, the real stuff is what is inside your head. Use it...

and hey... don't forget the board's search

Signed,
-- FoxThree

BruceLee
October 17th, 2002, 08:49
LogfileTail
Download file size: 756 K
=========================

Packed with ASProtect v1.23 A.S

----------------- 1. FINDING OEP AND DUMPING ------------------

01894AB3 55 PUSH EBP
01894AB4 8BEC MOV EBP,ESP
01894AB6 83C4E8 ADD ESP,-18
01894AB9 53 PUSH EBX
01894ABA 56 PUSH ESI
01894ABB 57 PUSH EDI
01894ABC 33C0 XOR EAX,EAX
01894ABE 8945EC MOV [EBP-14],EAX
01894AC1 8945E8 MOV [EBP-18],EAX
01894AC4 B894904800 MOV EAX,00489094
01894AC9 6862944800 PUSH 00489462
01894ACE C3 RET

558bec83c4e853565733c08945ec8945e8b894904800 ; bytes to add before 00489094
OEP = 0489094-16 = 48907E

-------------------- 2. GETTING IAT --------------------------

call 01xxxxxx
call 01xxxxxx ; I type here d *edi
mov edx, [edi]
mov [edx], eax
jmp 01xxxxxx

edi = 48e17c
d 48e17c and scroll down
? 492000 - 48e17c
3e84

OK, I filled that memory range with 00h.

Start ImpREC
Put in ImpREC oep = 89462
IATAutosearch, getImports

show invalid -> trace level 1 <<<<<<<< FAILED!!!
I tried with the ASPR v1.2 plugin, but it FAILED again!!!!

Later I tried with SplAj's ASPr v1.3 plugin, but it FAILED too!

It's a lot of SM code.

Attached is my tree.txt with the unresolved functions.

Can anybody help me?

Bruce Lee

evaluator
October 17th, 2002, 09:45
Seems you've met the newest ASPR.
We had a discussion about it.
Use the search function.

BruceLee
October 17th, 2002, 09:58
I saw the thread about the new ASProtect, but it doesn't help! This is a different or newer version.

Bruce Lee

evaluator
October 17th, 2002, 11:10
When "any" protector does redirection of the IAT,
it first resolves the real import address, then makes the redirection.

So when some tool can't resolve an import for you, you should open
the debugger & try to find where the true import-name resolving happens.
Then you will know the real import name.

This is a very general hint. So work on it, upgrade your skills.
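The check that ImpREC's "show invalid" performs, and that evaluator's hint is about, is simple to state: an IAT slot whose value lies inside a known DLL is a real import; a slot pointing anywhere else (here into the protector's 01xxxxxx code) has been redirected and must be traced back to the real API. The script below is an added example and is not code from this thread or from ImpREC. It reuses the IAT start (48E17C) and end (492000) given in BruceLee's post; the module ranges and the IAT slot contents are constructed for illustration, since the real ones come from the debugger's module list and the dump.

```python
"""Classify the 32-bit slots of a dumped IAT as resolved or redirected.

Added example, not code from the thread or from ImpREC. A slot whose value
falls inside a loaded module is a real import; a slot pointing elsewhere
(e.g. into the protector's 01xxxxxx region) has been redirected and still
needs manual tracing. Module list and slot values below are constructed.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Hypothetical module list as a debugger would show it (addresses made up).
MODULES = (
    Module("kernel32.dll", 0x77E80000, 0x000B4000),
    Module("user32.dll",   0x77E10000, 0x00065000),
    Module("advapi32.dll", 0x7C2D0000, 0x00062000),
)

IAT_VA = 0x0048E17C    # start of the IAT as given in the thread (edi)
IAT_END = 0x00492000   # end of the IAT area as given in the thread


def iat_size(start: int = IAT_VA, end: int = IAT_END) -> int:
    """Byte length of the IAT region (the '? 492000 - 48e17c' step)."""
    return end - start


def owning_module(addr: int, modules=MODULES):
    """Return the module whose address range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def classify_iat(iat_bytes: bytes, iat_va: int = IAT_VA, modules=MODULES):
    """Return (slot_va, value, status) for every 4-byte slot in iat_bytes.

    status is one of:
      'end'        zero slot terminating one DLL's thunk group
      'resolved'   value lies inside a known module
      'redirected' value lies outside every module (protector stub / junk)
    """
    out = []
    for off in range(0, len(iat_bytes) - len(iat_bytes) % 4, 4):
        value = struct.unpack_from("<I", iat_bytes, off)[0]
        if value == 0:
            status = "end"
        elif owning_module(value, modules) is not None:
            status = "resolved"
        else:
            status = "redirected"
        out.append((iat_va + off, value, status))
    return out


def unresolved(entries):
    """Slots that still need manual tracing (ImpREC's 'invalid' list)."""
    return [e for e in entries if e[2] == "redirected"]


# Constructed sample dump: two kernel32 thunks, one slot redirected into the
# protector's code at 0x0189xxxx (the region seen in the thread), a group
# terminator, then one user32 thunk and another redirected slot.
SAMPLE_IAT = struct.pack(
    "<7I",
    0x77E8AB12,  # inside kernel32 -> resolved
    0x77E9F000,  # inside kernel32 -> resolved
    0x01894C40,  # protector stub  -> redirected
    0x00000000,  # end of kernel32 group
    0x77E2F50C,  # inside user32   -> resolved
    0x01895010,  # protector stub  -> redirected
    0x00000000,  # end of user32 group
)


if __name__ == "__main__":
    entries = classify_iat(SAMPLE_IAT)
    for va, value, status in entries:
        mod = owning_module(value)
        print(f"{va:08X}  {value:08X}  {status:10s}  {mod.name if mod else ''}")
    print(f"IAT size: {iat_size():#x} bytes, "
          f"{len(unresolved(entries))} slots still unresolved")
```

In practice the module table is read from the debugger and `iat_bytes` is the region dumped from `edi` onward; the slots the script reports as redirected are the ones to break on and follow until the protector's stub reaches the real API.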

BruceLee
October 17th, 2002, 11:20
I opened the debugger and found the functions, but too many functions are unresolved, and before any API call there is a lot of code. Manually resolving the unresolved API calls is Sisyphus's job.

Try it!

Bruce Lee

+SplAj
October 17th, 2002, 21:04
spiderman
========

big clue for you
__________________________________
'sorry but your 30-day trial has expired.....'
__________________________________

Tsehp made RV sharewarez?
errr NO!!!!..... G-Lock doesn't want you to play anymore


BruceLee
=======

AT LAST ....... a NEW fuckin' ASPR target to compare. THANK U

I made a mistake in my pre-ASPR plugin 'cos I only had 1 target.
See the attached zip containing the new 1.23 pre-plugin.

The LogFileTail is now v0.9.1, IAT 8E17C (724). Use my plugin first, then save the tree, load the tree and use 'Trace Level 1 (Disas)' on the unresolved APIs, then cut the lame thunk to get the DLLs, and finally patch in the GetWotWeWant API (GetCommandLineA, etc. etc.)

CYA

i'm back into hibernation mode........