unpacked proggie


hobferret
November 17th, 2002, 17:28
Anybody out there know anything about SpeedCommander 8? It does not appear to be packed, but it must be somehow. Finding the EIP is easy; Revirgin and ImpREC both work but fail to find 4 APIs. 3 of them are easy but the 4th is a mystery. Tracing through the proggie, it does not call any API but crashes if you jump over it or do a RET on the call. Version 7 was packed with VBOX and was simple, but GOD only knows what this one is!

Any suggestions???

esther
November 17th, 2002, 17:31
Hi,
Did you try PEiD?

hobferret
November 17th, 2002, 18:28
Hi esther

No, I didn't try PEiD because looking at the file there is no MZP or .adata section; however, I just tried it and behold, it tells me it's Alexey again - Aspr 1.2. Still does not help though.

Thanks for your reply. Will have to keep digging!!

Rgds hob

Manko
November 17th, 2002, 20:55
Hows abouts a lill snippet from thata there api?

/Manko

hobferret
November 18th, 2002, 21:38
Hi Manko

The prog calls a S/R indirectly and goes through KERNEL32!FindResourceA - KERNEL32!LoadResource - KERNEL32!LockResource, then calls USER32!DialogBoxIndirectParamA.

In the dumped version the three KERNEL calls are missing! It just calls the USER one and obviously crashes!!

See if you can work that out because I'm scratching my head.

Iwarez
November 18th, 2002, 22:04
I leeched version 9 and that's Aspr 1.3. I ripped it off in about 5 min after I could debug it better. When you try to register via the menu it offers, you can generate a valid serial for your name. Very, very easy....

Manko
November 18th, 2002, 22:19
The reason why I'm the only one answering is that you already have the info you need...

We have established it's Aspr, and when I see what you have written (I would still have preferred some code listing), it seems to me (still a newbie, with only 5-6 Aspr under my belt) that you have not been successful in searching the forum, or you would have known what this is...

It's just an ordinary emulated api. Obviously NOT the one you have now put in, since you say yourself it calls some other apis before the one you have tried...

Do your homework! Search again! (...or if you give up, PM me instead...)

This thread is dead.

Good Luck!

/Manko

Yo, Iwarez! That's not particularly helpful nor very nice...
You trying to make him feel small, or do you need a clueless newbie to feel big?!
Yeah, I'm just bitching, but I loathe comments like that.
But maybe you had other motives? Sorry about bitchin', but it felt right... :P

Iwarez
November 18th, 2002, 22:37
Well, sorry about that, but this target is really very easy. But now for a more helpful answer (newest version 9):

- The OEP can easily be found when you bp at GetStartupInfoA.
- You miss bytes at the OEP, which you can find when you are able to break at the first bytes that are executed in the main program memory. Just copy and paste those to where they belong and dump the program.
- The IAT I restored with ImpREC and a plugin for Aspr 1.3 I found here.
- After ImpREC rebuilt the PE I corrected the OEP, and the nag was gone and the program runs.

Optional:
- Debug the dumped app and get a valid serial number. After you get it you can use the program as it was (with ASProtect).

Better Manko?
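The last two steps Iwarez lists (paste the stolen bytes back into the dump, then correct the OEP in the header) are what ImpREC's "fix OEP" does and what a hex editor does by hand. The script below is an editor's added example, not code from the thread or from any tool mentioned in it: it builds a small constructed PE32 image standing in for a raw dump (made-up entry point, ImageBase and stolen bytes; nothing here is SpeedCommander's), maps the debugger's virtual addresses to file offsets through the section table, writes the stolen bytes back, and repoints AddressOfEntryPoint at the real OEP. Offsets are the public PE32 layout; PE32+ is deliberately rejected.

```python
import struct

# PE32 layout facts (public format, not from the thread).
DOS_E_LFANEW = 0x3C
FILE_HEADER_SIZE = 20
OPT_MAGIC_PE32 = 0x10B
OPT_ENTRY_POINT = 16       # AddressOfEntryPoint inside the optional header
OPT_IMAGE_BASE = 28        # ImageBase inside the optional header
SECTION_HEADER_SIZE = 40


def _headers(pe: bytes):
    """Locate the NT headers: (optional_header_off, number_of_sections, section_table_off)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, DOS_E_LFANEW)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, fh + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, fh + 16)[0]
    opt = fh + FILE_HEADER_SIZE
    if struct.unpack_from("<H", pe, opt)[0] != OPT_MAGIC_PE32:
        raise ValueError("only PE32 is handled here")
    return opt, n_sections, opt + size_of_opt


def read_entry_point(pe: bytes):
    """Return (AddressOfEntryPoint RVA, ImageBase) as stored in the header."""
    opt, _, _ = _headers(pe)
    rva = struct.unpack_from("<I", pe, opt + OPT_ENTRY_POINT)[0]
    base = struct.unpack_from("<I", pe, opt + OPT_IMAGE_BASE)[0]
    return rva, base


def set_entry_point_va(pe: bytes, oep_va: int) -> bytes:
    """Repoint the header at the OEP found in the debugger (given as a VA)."""
    opt, _, _ = _headers(pe)
    _, base = read_entry_point(pe)
    rva = oep_va - base
    if not 0 <= rva <= 0xFFFFFFFF:
        raise ValueError("OEP lies outside the image")
    out = bytearray(pe)
    struct.pack_into("<I", out, opt + OPT_ENTRY_POINT, rva)
    return bytes(out)


def rva_to_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a file offset via the section table; a dump's raw and
    virtual layouts are not guaranteed to coincide, so never just subtract."""
    _, n, sect = _headers(pe)
    for i in range(n):
        off = sect + i * SECTION_HEADER_SIZE
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            if delta >= rawsize:
                raise ValueError("RVA has no file backing")
            return rawptr + delta
    raise ValueError("RVA not inside any section")


def write_bytes_at_va(pe: bytes, va: int, data: bytes) -> bytes:
    """Paste bytes copied from the debugger (the stolen OEP bytes) back into the dump."""
    _, base = read_entry_point(pe)
    off = rva_to_offset(pe, va - base)
    if off + len(data) > len(pe):
        raise ValueError("write runs past end of file")
    out = bytearray(pe)
    out[off:off + len(data)] = data
    return bytes(out)


def build_sample_dump() -> bytes:
    """Constructed minimal PE32 with one section.  It stands in for a raw dump whose
    header still points at the protector's entry (RVA 0x1180, made up) and whose
    first bytes at the real OEP (RVA 0x1000) are zero because they were stolen."""
    image_base = 0x400000
    buf = bytearray(0x400)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, DOS_E_LFANEW, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader 0xE0, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x84 + FILE_HEADER_SIZE
    struct.pack_into("<H", buf, opt, OPT_MAGIC_PE32)
    struct.pack_into("<I", buf, opt + OPT_ENTRY_POINT, 0x1180)
    struct.pack_into("<I", buf, opt + OPT_IMAGE_BASE, image_base)
    sect = opt + 0xE0
    buf[sect:sect + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", buf, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", buf, sect + 36, 0x60000020)  # CODE|EXECUTE|READ
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    fixed = set_entry_point_va(dump, 0x401000)                     # OEP as seen in the debugger
    fixed = write_bytes_at_va(fixed, 0x401000, bytes.fromhex("558BEC"))  # constructed stolen bytes
    print("entry RVA before/after: %#x -> %#x" % (read_entry_point(dump)[0], read_entry_point(fixed)[0]))
```

The stolen-byte values and addresses are placeholders; in practice you copy them from the debugger at the moment the loader first executes code in the main module, exactly as Iwarez describes, and only then rebuild the IAT.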

Iwarez
November 18th, 2002, 22:43
Some BPs for the optional part:

BP at 467ff0 in target
BP at 64130c2b in mxcmn40

have fun.

hobferret
November 20th, 2002, 22:18
Hi again Manko
Sorry about the delay in getting back; been down the Rio Grande camping!
Below is the code listing the proggie calls - all from ONE indirection; that's what I mean by the three KERNEL calls being missing in the dumped prog. I can't find anything on these forums that resembles this, so please tell me where you found it!!
BTW I didn't know version 9 had been released - I will get hold of that and see if it's anything similar.

017F:00ECC898 55 PUSH EBP
017F:00ECC899 8BEC MOV EBP,ESP
017F:00ECC89B 53 PUSH EBX
017F:00ECC89C 8B5D08 MOV EBX,[EBP+08]
017F:00ECC89F 8B4518 MOV EAX,[EBP+18]
017F:00ECC8A2 50 PUSH EAX
017F:00ECC8A3 8B4514 MOV EAX,[EBP+14]
017F:00ECC8A6 50 PUSH EAX
017F:00ECC8A7 8B4510 MOV EAX,[EBP+10]
017F:00ECC8AA 50 PUSH EAX
017F:00ECC8AB 6A05 PUSH BYTE+05
017F:00ECC8AD 8B450C MOV EAX,[EBP+0C]
017F:00ECC8B0 50 PUSH EAX
017F:00ECC8B1 53 PUSH EBX
017F:00ECC8B2 E8157BFFFF CALL KERNEL32!FindResourceA
017F:00ECC8B7 50 PUSH EAX
017F:00ECC8B8 53 PUSH EBX
017F:00ECC8B9 E87E7BFFFF CALL KERNEL32!LoadResource
017F:00ECC8BE 50 PUSH EAX
017F:00ECC8BF E8807BFFFF CALL KERNEL32!LockResource
017F:00ECC8C4 50 PUSH EAX
017F:00ECC8C5 53 PUSH EBX
017F:00ECC8C6 E8917BFFFF CALL USER32!DialogBoxIndirectParamA
017F:00ECC8CB 5B POP EBX
017F:00ECC8CC 5D POP EBP
017F:00ECC8CD C21400 RET14

Regs
/hob

norby
November 21st, 2002, 00:05
Hi!

The function you are looking for is probably DialogBoxParamA.
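Added by the editor, not part of the thread: a small symbolic walk over the listing hob posted above, to show on paper what Manko and norby are getting at. It decodes each E8 rel32 CALL target, tracks the stack as the stub pushes its caller's stdcall arguments, and reconstructs the single call the stub is equivalent to. Two things fall out. First, all four CALL targets land at 0x00EC4xxx, a few hundred bytes below the stub itself, rather than directly in KERNEL32/USER32, which fits the observation that the three kernel calls are absent from the dump. Second, the stub takes five stdcall arguments (RET 14h), looks up resource arg1 of type 5 (RT_DIALOG) in module arg0, locks it and hands it to DialogBoxIndirectParamA with arg2..arg4, which is exactly the argument shape of DialogBoxParamA(hInstance, lpTemplateName, hWndParent, lpDialogFunc, dwInitParam). The listing is copied from the post; the argument-count table is from the documented Win32 prototypes; the mini-interpreter only understands the handful of instruction forms the listing uses.

```python
import re

# hob's listing, copied from the post above (the 017F: prefix is SoftICE's selector).
LISTING = """
017F:00ECC898 55 PUSH EBP
017F:00ECC899 8BEC MOV EBP,ESP
017F:00ECC89B 53 PUSH EBX
017F:00ECC89C 8B5D08 MOV EBX,[EBP+08]
017F:00ECC89F 8B4518 MOV EAX,[EBP+18]
017F:00ECC8A2 50 PUSH EAX
017F:00ECC8A3 8B4514 MOV EAX,[EBP+14]
017F:00ECC8A6 50 PUSH EAX
017F:00ECC8A7 8B4510 MOV EAX,[EBP+10]
017F:00ECC8AA 50 PUSH EAX
017F:00ECC8AB 6A05 PUSH BYTE+05
017F:00ECC8AD 8B450C MOV EAX,[EBP+0C]
017F:00ECC8B0 50 PUSH EAX
017F:00ECC8B1 53 PUSH EBX
017F:00ECC8B2 E8157BFFFF CALL KERNEL32!FindResourceA
017F:00ECC8B7 50 PUSH EAX
017F:00ECC8B8 53 PUSH EBX
017F:00ECC8B9 E87E7BFFFF CALL KERNEL32!LoadResource
017F:00ECC8BE 50 PUSH EAX
017F:00ECC8BF E8807BFFFF CALL KERNEL32!LockResource
017F:00ECC8C4 50 PUSH EAX
017F:00ECC8C5 53 PUSH EBX
017F:00ECC8C6 E8917BFFFF CALL USER32!DialogBoxIndirectParamA
017F:00ECC8CB 5B POP EBX
017F:00ECC8CC 5D POP EBP
017F:00ECC8CD C21400 RET14
"""

LINE_RE = re.compile(r"^[0-9A-F]{4}:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\S+)\s*(.*)$")

# Argument counts from the documented Win32 stdcall prototypes.
STDCALL_ARGS = {"FindResourceA": 3, "LoadResource": 2, "LockResource": 1,
                "DialogBoxIndirectParamA": 5}


def call_target(addr, opcode_hex):
    """E8 rel32: target = address of the next instruction + sign-extended rel32."""
    if not (opcode_hex.startswith("E8") and len(opcode_hex) == 10):
        raise ValueError("not a near relative CALL")
    rel = int.from_bytes(bytes.fromhex(opcode_hex[2:]), "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def emulate(listing):
    """Symbolic walk of the stub.  The caller's stdcall arguments are named arg0..
    by their [EBP+disp] slot (arg0 at [EBP+08]).  Returns (calls, ret_bytes):
    calls is [(target, expression)], ret_bytes the RET immediate."""
    regs, stack, calls, ret_bytes = {}, [], [], None
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, opc, op, rest = int(m[1], 16), m[2], m[3], m[4]
        if op == "PUSH":
            stack.append(int(rest[5:], 16) if rest.startswith("BYTE+") else regs.get(rest, rest))
        elif op == "POP":
            stack.pop()
        elif op == "MOV":
            dst, src = rest.split(",")
            slot = re.fullmatch(r"\[EBP\+([0-9A-F]+)\]", src)
            regs[dst] = f"arg{(int(slot[1], 16) - 8) // 4}" if slot else regs.get(src, src)
        elif op == "CALL":
            name = rest.split("!")[1]
            args = [stack.pop() for _ in range(STDCALL_ARGS[name])]  # top of stack = first arg
            expr = f"{name}({', '.join(map(str, args))})"
            calls.append((call_target(addr, opc), expr))
            regs["EAX"] = expr  # stdcall return value
        elif op.startswith("RET"):
            ret_bytes = int(op[3:], 16)
    if stack:
        raise RuntimeError("stack not balanced: " + repr(stack))
    return calls, ret_bytes


def looks_like_dialogboxparam(calls, ret_bytes):
    """True when the stub's net effect has the DialogBoxParamA shape: five stdcall
    args (RET 14h), an RT_DIALOG (5) resource named by arg1 in module arg0, locked
    and passed to DialogBoxIndirectParamA along with arg2..arg4."""
    expected = ("DialogBoxIndirectParamA(arg0, LockResource(LoadResource(arg0, "
                "FindResourceA(arg0, arg1, 5))), arg2, arg3, arg4)")
    return ret_bytes == 0x14 and calls[-1][1] == expected


if __name__ == "__main__":
    calls, ret_bytes = emulate(LISTING)
    for target, expr in calls:
        print(f"-> {target:08X}  {expr}")
    print("RET pops", ret_bytes // 4, "args; DialogBoxParamA shape:",
          looks_like_dialogboxparam(calls, ret_bytes))
```

The practical check this supports: when an IAT rebuilder leaves one entry unresolved, trace the stub and reduce it the same way; if the reduced form matches a documented API's prototype, that is the import to write back, even though no call into the system DLL is visible at that address.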

hobferret
November 21st, 2002, 23:06
Hi Norby

Already tried that one - any more ideas anyone??

esther
November 22nd, 2002, 02:46
Nope

hobferret
November 22nd, 2002, 23:27
Hi everyone

Well, I finally got it working, and the latest version (11/15/2002) too, but now I have another problem. The "cracked" versions are all in German; I don't get the lingo - all the data strings are in German too.

Anyone know how to get it back to English? There must be some Germans reading this - if you are, give me a tip.

Thanks to all who replied

hob

hobgoblin
November 23rd, 2002, 08:47
Nice to see that you made it.
But I'm curious: What api function did you find to be the correct one?

hobgoblin

hobferret
November 23rd, 2002, 22:40
Hi hobgoblin

I didn't find the answer to the bogus call; I found a piece of code:
XXXXXXXX MOV EAX,[ESI+xxxx]
XXXXXXXX TEST EAX,EAX
XXXXXXXX JNZ XXXXXXXX
So I changed the ESI+xxxx so it loaded 01 into the register and then jumped. So it must have been something to do with flags being set; I haven't looked at it again to clarify because it's working NOW. But after getting past that hurdle I got another crash; ImpREC said it was FreeResource but it really was GlobalUnlock.

However, as I said, it's all German and I don't understand that lingo; Spanish yes, but not German. There must be something in there that sets the lingo, but when you look at it in WDASM it's all GERMAN!!

I would also like to know how that guy found the serial because it ain't easy in the version I got!
Regards
hobferret