need help to resolve iat please


backeyes
November 6th, 2002, 23:14
hello,

(First, sorry, it's an asprotect problem one more time...)
My problem isn't with a particular target but with particular asprotect versions, I think, but it's certainly better to deal with that on a specific target, so here it is:
Crystal Button v1.45: can be downloaded at crystalbutton.com (US version)

I dumped it with icedump without problem; it dips only one time into code at 4085A0, found the OEP etc etc...
We can see that the IAT begins at address 497000 and is 72C in size.

And here is the thing I didn't understand:
There are 6 unresolved APIs, for me:

123 000971F8 0132139C 0000 ?????? ??????
133 00097220 0132133C 0000 ?????? to_Resolve
141 00097240 01320EE8 0000 ?????? to_Resolve
157 00097280 013213B4 0000 ?????? ??????
161 00097290 01321358 0000 ?????? ??????
199 00097328 01321388 0000 ?????? ??????

For the second and third APIs I did a "u 0132133C" and "u 01320EE8" and found they are GetModuleHandleA and GetProcAddress, but the others only put a value in eax (and I can't find something like a "mov [eax], api" as in some asprotect versions).
So my question is: how can we know which API it can be, knowing the return value only? With a bit of experience I think it's easy, but when we begin with that...
And is there a useful API documentation somewhere? Can't find that.

Thanks, and continue with this great and helpful board; I already learnt a lot of things and am very happy to be here.

regards

JMI
November 7th, 2002, 00:02
backeyes:

Time for you to exercise your button pressing skills and do a search of this board for threads on asprotect. One of the best things you could do is use the search button and put "asprotect" in the left side and "+Splaj" on the right side. Then open each thread, go to the bottom of the file, click on "show printable version", then click on the top right button, which says "Show all (number) posts from this thread on one page", and copy them ALL, one at a time, to your HD and read them carefully.

THEN repeat this process using "aspr" and "+Splaj" and, again, copy all the threads you don't already have to your HD.

THEN repeat BOTH of these steps AGAIN using first "asprotect" and then "aspr" on the left and "evaluator" on the right.

THEN, just for good measure, REPEAT AGAIN, just using first "asprotect" and then "aspr" on the left.

After you have copied ALL these threads to your HD and READ them ALL, you will have the answer to your question, and the answer to MOST questions about past versions of asprotect available to review.

The problem is that your question has been asked several times already. That's why you are asked to use the "search" button BEFORE asking a question.

The more specific answer to your question is that asprotect, in this version builds an array of addresses where it has "emulated" the "return value" of the API. What the hell is the "return value" of the API you ask?? This also is explained in the prior threads.

Here's a good clue. Check out this thread and you should understand, it's titled "asprotect question" posted by vbdisease on 01-30-2002. You should find it with the "search" I suggested. It is at:

http://www.woodmann.net/forum/showthread.php?threadid=2603

Evaluator also gave us a good list on the re-directed APIs of asprotect in a thread titled "For newbiez-ASsPROT-unpacker help." You can do your own search for that one.

It is NECESSARY if you want to understand and attack asprotect that you READ and REVIEW these prior threads, then your questions can be about things that haven't been discussed before.

Regards.

Zilot
November 10th, 2002, 17:37
Hi backeyes !!

Your APIs are:

GetCommandLineA--------->146139c
GetModuleHandleA--------->146133c
GetProcAddress------------>1460ee8
LockResource-------------->1460ee8
GetVersion----------------->1461358
GetCurrentProcess--------->1461388

I'm working on the Win 2k OS, so maybe these addresses are different for you.

Yes, there is one dip; its address is 14638cb, just bypass it (bypass the jz instruction by forcing the jump). The EOP is 43C0F0.

After IAT rebuilding everything is fine, but there is still protection that adds a TRIAL message after saving, independent of the file packing; the time limitation is broken, but this is still here.

Good Luck !!!


Soldat
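An added example, not code from the thread or from any of its posters, that puts JMI's explanation and Zilot's list into practice: it parses the six unresolved entries backeyes quoted and maps the constant each stub leaves in eax to the API whose return value it emulates. The image base, the Windows 2000 GetVersion value and the observed eax values are assumptions constructed for the example.

```python
import re

IMAGE_BASE = 0x400000   # assumed image base of the dumped target

# The six unresolved entries exactly as listed in the first post
IAT_DUMP = """\
123 000971F8 0132139C 0000 ?????? ??????
133 00097220 0132133C 0000 ?????? to_Resolve
141 00097240 01320EE8 0000 ?????? to_Resolve
157 00097280 013213B4 0000 ?????? ??????
161 00097290 01321358 0000 ?????? ??????
199 00097328 01321388 0000 ?????? ??????
"""
LINE_RE = re.compile(r"^(\d+)\s+([0-9A-F]{8})\s+([0-9A-F]{8})\s+\w+\s+\S+\s+(\S+)$", re.I)

def parse_iat_dump(text):
    """Parse 'index offset stub ordinal module name' rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            idx, off, stub, name = m.groups()
            rows.append({"index": int(idx), "offset": int(off, 16),
                         "stub": int(stub, 16), "name": name})
    return rows

def guess_api(eax, image_base=IMAGE_BASE):
    """Map the constant a stub leaves in eax to the API whose return it emulates."""
    eax &= 0xFFFFFFFF
    if eax == 0xFFFFFFFF:
        return "GetCurrentProcess"        # pseudo-handle (HANDLE)-1
    if eax == image_base:
        return "GetModuleHandleA(NULL)"   # the exe's module handle is its base
    if eax & 0x80000000:
        return "GetVersion (Win9x-style)" # high bit set only on Win9x values
    major, minor, build = eax & 0xFF, (eax >> 8) & 0xFF, eax >> 16
    if 3 <= major <= 6 and minor < 10 and build:
        return "GetVersion"               # NT layout: build number in high word
    return None   # not a constant-return API: disassemble the stub instead

def resolve(rows, observed):
    """observed: {stub address: eax after stepping it}; returns index -> guess."""
    return {r["index"]: (guess_api(observed[r["stub"]])
                         if r["stub"] in observed else None) for r in rows}

# Constructed observations: the value eax held after stepping each stub
OBSERVED = {0x01321388: 0xFFFFFFFF,   # entry 199
            0x01321358: 0x08930005,   # entry 161, assumed Win2k build 2195
            0x0132133C: 0x00400000}   # entry 133, constructed for illustration
```

Entries whose stub is real code rather than a constant (GetProcAddress in the thread) come back as None, which is the cue to disassemble the stub as backeyes did.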

backeyes
November 11th, 2002, 03:53
Yep, thanks to jmi (seems I missed a post), I finally found my problem and unpacked it.

Now there's a save limit, nags, a time limit, but my problem isn't there...
I saw that, when exporting a created button, the result is very bad: only bad and dark pixels.
Everything works fine but this, so I dunno how to deal with this problem. I can't see where the problem is...

Any help would be appreciated
regards