Hard to unpack :(


BruceLee
October 20th, 2002, 18:14
ArtIcons Pro 3.24
=================

ASProtect v1.2? A.S. .data

OEP: 128500

Invalid functions:
Kernel32!GetProcAddress
Kernel32!GetModuleHandleA
Kernel32!GetCommandLineA
Kernel32!GetModuleHandleA
Kernel32!LockResource
Kernel32!GetVersion
Kernel32!GetProcAddress
Kernel32!GetModuleHandleA
Kernel32!GetCurrentProcessId
Kernel32!GetCurrentProcess
Kernel32!FreeResource

But if I dump at the OEP, the program crashes: read of address 01xxxxxx!

Before the program comes to the OEP, it dips into the code 7 times,
then it goes to the OEP. I manipulate the first four dips. At the
first four calls I see that the program, via eax, pushes a value to
an address, [00xxxxxx]. I jump over this instruction.
In the fifth call I do a similar thing. The call is longer.
In the sixth call I can manipulate the program to always have executions left.

Last call is untouched.

Program starts normal but then goes crazy (((((

Can anybody unpack this proggie to work normal after unpacking?
I did a search in previous threads but found nothing that can help me.

Please give me a hand,
Bruce Lee

DakienDX
October 20th, 2002, 18:30
Hello BruceLee !

I don't need to unpack the program, it sounds to me like something which has been discussed already before and which is really easy to fix.

ASProtect can pass the registered username to the application. (as NULL-terminated string) So the program can load the string and use the value. (for example to display it in the "About" box)

The string is always present, even if it is empty. Then the value passed to the program by ASProtect is a pointer to a single 00h byte.

The memory the address points to is in the ASProtect address space, and if you remove ASProtect, this address space does not exist any more and you get a read error. Setting this address to 0 helps most of the time. (The program thinks ASProtect didn't pass it anything.)

BruceLee
October 21st, 2002, 08:38
Hello DakienDX !

I don't think so, because the About box says:

Registered to:
TRIAL VERSION
DAY 5 of 30

DakienDX
October 21st, 2002, 09:54
Hello BruceLee !

Have you tested what I suggested or not?

Could you post the piece of code where the read error occurs?

Can you tell what happens if this piece of code is executed while the ASProtect layer is still around the application?

BruceLee
October 21st, 2002, 13:20
Hmmm I quit!

After unpacking the program just goes crazy and pops up two dialogs at the same time, the menu bar is flashing, and a dialog for shutting down Windows pops up. No error messages! Strange!

zombieys
October 22nd, 2002, 04:48
bpx findfirstfilea

BruceLee
October 22nd, 2002, 10:08
bpx findfirstfile and then?

+SplAj
October 22nd, 2002, 11:35
Hajo

GDI......he he

This target was discussed by the RV Beta bashers a long time back in the good old days ........ /sigh

I remember that Eval the terrible stuck his numero uno mojo thing far up the backside of this unpacked ArtIconsPro.exe and the strange GDI API problem......

Eval, Eval, wherefore art thou, Eval..............

zombieys
October 22nd, 2002, 11:55
can i post the crack download?

+SplAj
October 22nd, 2002, 12:19
Zombyies

_____________________________
can i post the crack download?
_____________________________

err...NO....

How does this relate to 'bpx findfirstfilea' ???
Let's do this the proper way in here

....PLEASE !!!........

foxthree
October 22nd, 2002, 19:03
I just unpacked under Win2K and the app does not do whatever you said, BruceLee. Rather, it gives a series of access violations each time it touches ASPR code (since it is no longer present). BTW, talk about paranoid, this author checks for ASPR on every mouse click you make. If you really need this software, prepare to crack:

Unpax: ~2 mins
Patching *crazy-number-of-aspr-checks* : ????

Signed,
-- FoxThree

zombieys
October 23rd, 2002, 05:27
sorry
my english is poor
so i can't say more

artpro2.24 can check the file size
you need bpx findfirstfilea

open and close artpro2.24, you must do it

Solomon
October 23rd, 2002, 05:58
Yes, many Delphi apps use the class TSearchRec to get file size info etc.

TSearchRec is a simple wrapper of FindFirstFile/FindNextFile/FindClose.

BruceLee
October 23rd, 2002, 09:43
Thx all for helping me!
Now it works perfectly

Yes, bpx FindFirstFileA!

Look at address 4E8903 CALL 00461ADC. This call always returns 0009D000 in eax.
Change this in your dumped file! Address 00461adc is called from 9 locations.


Bruce Lee

backeyes
October 23rd, 2002, 20:55
0009D000h = 643072 = our target exe size
There's a check against 1000000, so if the exe file is less than 1 MB the exe will run perfectly
So you're right: we change it to return from the call with 0009D000 in eax, or change all 1000000 checks to 2000000 for example, as our unpacked exe is about 1.7 MB

Anyways, i have a small question...
"Look at address 4E8903 CALL 00461ADC"

I can't see how from bpx FindFirstFileA you landed at 4E8903 (I agree it's the interesting call but am unable to land there on my own)
Could you help me please?
thanx

regards

BruceLee
October 23rd, 2002, 21:21
00408F7E 50 PUSH EAX
00408F7F E840DCFFFF CALL 00406BC4 ; FindFirstFileA
00408F84 8BF0 MOV ESI,EAX ; landing here
00408F86 897314 MOV [EBX+14],ESI
...
00408FB0 C3 RET ; ok, return

00461B32 85C0 TEST EAX,EAX ; return here
00461B34 7508 JNZ 00461B3E
00461B36 8B9DACFEFFFF MOV EBX,[EBP-0154]
00461B3C EB03 JMP 00461B41
...
00461B70 E85B2BFAFF CALL 004046D0
00461B75 C3 RET
00461B76 E9711CFAFF JMP 004037EC
00461B7B EBDC JMP 00461B59
00461B7D 8BC3 MOV EAX,EBX
00461B7F 5B POP EBX
00461B80 8BE5 MOV ESP,EBP
00461B82 5D POP EBP
00461B83 C3 RET ; return

004E8903 E8D491F7FF CALL 00461ADC ; interesting part
004E8908 8BD8 MOV EBX,EAX ; return here
004E890A 81FB40420F00 CMP EBX,000F4240 ; in eax = ebx = 1B6000
004E8910 7E2B JLE 004E893D ; no jump

Look at this code in the original articons.exe. Bpx on CreateWindowExA, and then bpx on 4E8903. The subroutine at address 461ADC always returns 0009D000 and then at 4E8910 it jumps!

Open the dumped file in W32Dasm. Go to address 461ADC. This address is called from 9 locations:

49ace9
4ae555
4e8832
4e88ad
4e8903
4e891f
4f9107
4f9186
505cf8

Patch these locations in the dumped file. Example:

Address 4e8903 -> | e8 | d4 | 91 | f7 | ff | ; call 461adc (original bytes)
------------------|----|----|----|----|----| ; replace with
Offset e8903 -> | b8 | 00 | d0 | 09 | 00 | ; mov eax, 9d000 (patched bytes)

Same on the other 8 locations. Run the dumped file. It works!!!!! ))))))))

Bruce Lee
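To make the arithmetic in the two posts above checkable, here is an added Python example (mine, not BruceLee's or any tool from the thread). It decodes the E8 rel32 call at 4E8903 to confirm it really lands on 461ADC, reproduces the CMP EBX,1000000 / JLE decision for the packed size 9D000 and the unpacked size 1B6000, encodes the 5-byte MOV EAX,9D000 replacement, and applies it to a constructed, zero-filled stand-in image rather than the real dump. The VA-to-file-offset mapping (offset = VA - 400000) is an assumption that matches the single pair the thread gives (4e8903 -> e8903); it does not hold for every PE.

```python
import struct

# Values taken from the thread: the call at VA 0x4E8903, its five bytes,
# the limit from CMP EBX,000F4240 and the size the helper at 461ADC returns.
CALL_VA = 0x4E8903
ORIG_CALL = bytes.fromhex("e8d491f7ff")   # CALL 00461ADC
HELPER_VA = 0x461ADC
SIZE_LIMIT = 1000000                      # 0x000F4240
PROTECTED_SIZE = 0x9D000                  # 643072, the packed exe's size

# The nine call sites listed in the thread (virtual addresses).
CALL_SITES = [0x49ACE9, 0x4AE555, 0x4E8832, 0x4E88AD, 0x4E8903,
              0x4E891F, 0x4F9107, 0x4F9186, 0x505CF8]


def call_target(va, insn):
    """Decode a 5-byte E8 near call: target = address of next insn + signed rel32."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    rel = struct.unpack("<i", insn[1:5])[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def encode_call(va, target):
    """Inverse of call_target: E8 rel32 for a call placed at va that reaches target."""
    rel = (target - (va + 5)) & 0xFFFFFFFF
    return b"\xe8" + struct.pack("<I", rel)


def mov_eax_imm32(value):
    """B8 + little-endian imm32: MOV EAX, value. Five bytes, same length as the call."""
    return b"\xb8" + struct.pack("<I", value & 0xFFFFFFFF)


def size_check_passes(size):
    """Mirror CMP EBX,1000000 / JLE 4E893D: the jump (the 'ok' path) is taken
    only when the signed size is <= the limit."""
    signed = struct.unpack("<i", struct.pack("<I", size & 0xFFFFFFFF))[0]
    return signed <= SIZE_LIMIT


def va_to_offset(va, image_base=0x400000):
    """File offset for a VA. Assumption: raw offset == RVA, which matches the
    thread's pair (VA 4E8903 -> offset E8903) for this dump; not true of every PE."""
    return va - image_base


def build_sample_image(sites, target, size=0x110000, image_base=0x400000):
    """Constructed stand-in for the dumped exe: zero-filled, with a genuine
    E8 call to target planted at each site. Not the real file's contents."""
    buf = bytearray(size)
    for va in sites:
        off = va_to_offset(va, image_base)
        buf[off:off + 5] = encode_call(va, target)
    return bytes(buf)


def patch_call_sites(image, sites, target, value, image_base=0x400000):
    """Return a copy of image where each CALL target is replaced by MOV EAX,value.
    Every site is verified to hold exactly that call before it is touched, so a
    wrong offset or an already-patched file raises instead of corrupting code."""
    buf = bytearray(image)
    for va in sites:
        off = va_to_offset(va, image_base)
        insn = bytes(buf[off:off + 5])
        if insn != encode_call(va, target):
            raise ValueError(f"unexpected bytes at {va:08X}: {insn.hex()}")
        buf[off:off + 5] = mov_eax_imm32(value)
    return bytes(buf)


if __name__ == "__main__":
    print(f"call at {CALL_VA:08X} -> {call_target(CALL_VA, ORIG_CALL):08X}")
    print(f"{PROTECTED_SIZE:#x} = {PROTECTED_SIZE}, check passes: {size_check_passes(PROTECTED_SIZE)}")
    print(f"unpacked 0x1B6000, check passes: {size_check_passes(0x1B6000)}")
    img = build_sample_image(CALL_SITES, HELPER_VA)
    patched = patch_call_sites(img, CALL_SITES, HELPER_VA, PROTECTED_SIZE)
    print(patched[0xE8903:0xE8908].hex())   # b800d00900
```

The size check is fragile by construction: it compares a number that the protector itself determines, so once the protector is gone the "ok" branch is the only thing that has to be restored, and the same decode/encode arithmetic lets you confirm each of the nine sites before writing a single byte.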

backeyes
October 23rd, 2002, 21:49
Wow, what a fast and great reply

It's only 2 rets in fact, I dunno how I could have missed that, but I understand now

thanx again
regards