
APDFPR Pro V2.1


hobferret
November 30th, 2002, 21:47
Hi all

Got APDFPR Pro V2.1 with the new ASProtect, but I have a problem; this might interest you, hobgoblin. EIP is at 0041B02A, where it jumps to 0041B640; you need this space for patches!! At 0041E50A there is a redirected call which includes GetModuleHandleA, some pushes and pops, then a return. At 0041B85C there is another redirected call which includes GetModuleHandleA and again some pushes and pops and a return, but different from the one above.
If you use ImpRec or ReVirgin and allocate GMHA, the prog crashes, so I used the "spare" section to patch, i.e. at 0041B640 CALL 0041B029, insert the code, then the call to GMHA and some more code; the same at 0041B85C CALL 0041B034, etc. This works fine, but somewhere there is yet another redirected call, or at least I think so, because just a bit further in you get the stack corrupted.
I spent a few hours last night searching but can't see the wood for the trees. Can anybody offer any help?

BTW, for some reason /tracex won't work with this version either!!

_Servil_
December 1st, 2002, 10:08
Don't know if you're talking about the same thing I think, but push [ebx]/pop [ebx] calls are sometimes used to detect the protection layer's presence. Under 'normal' conditions a dynamic library doesn't allow its code to be rewritten.

Simply skip the call.

BTW, it just brought me to an idea: would it be possible to write a signature for IDA to recognize and name the As*protect library calls embedded in the resolved app? ;p (sorry for OT)

bart
December 1st, 2002, 12:09
I saw it also in Image Dupeless (inside the exe's body). I would like to see the new Aspr help file to find out what's new.

hobgoblin
December 1st, 2002, 18:06
Well, I got some different results than you did, bart. First of all, tracex worked nicely for me. I suspended the program in a loop at 41B640 (which I used as OEP), then dumped it and used ReVirgin to find the IAT table and to rebuild it. I found 8 unresolved APIs, which I traced manually. After rebuilding the program the usual way using LordPE, it ran as it is supposed to. Well, almost. It didn't crash, but I can't get the about box or register box to open. And when I disassemble it using W32Dasm, I only get a few strings. (But that may be due to W32Dasm. Haven't tried IDA on this one yet.)

hobgoblin

hobferret
December 1st, 2002, 18:24
Hobgoblin, hmm, strange...

Are you saying that you attach the tshep section using LordPE rather than letting ReVirgin do it itself?

If so, what difference does it make?

Maybe you could PM me your IAT to see what, if any, the differences are. You have these long winter nights in Norway, so just maybe you could, or even post it here, or is that not allowed anymore?

Anyway thanks for replying I thought you may be interested in this one!

Iwarez
December 1st, 2002, 20:09
hobgoblin, I dumped the program and fixed the imports, and there was no problem getting to the about/registration screen. Maybe one of your imports is wrong?

nikolatesla20
December 1st, 2002, 21:17
I would not rely on ReVirgin's autopatcher; it is not reliable, sorry to say. Just add a new section to the dump with LordPE, go to ReVirgin, enter the RVA of the new section and press "Generate!", then patch in the imports yourself with a hex editor, and then go back to LordPE to point the import directory to your new section. Also don't forget to correct the ImageSize after doing this manually.

-nt20

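The manual rebuild nt20 describes (new section via LordPE, ReVirgin "Generate!", hex-edit the imports in, repoint the import directory, fix the image size) is mechanical enough to script. The block below is an added example written for this page, not code from the thread or from LordPE/ReVirgin: it appends a section to a PE32 file, writes an import directory into it whose FirstThunk entries still point at the dump's own IAT slots (which is what ReVirgin's generated table does, since the code calls through those slots), sets DataDirectory[1] and SizeOfImage, and then walks the result back out the way the loader will. Assumptions: PE32 only (no PE32+), file/section alignment hard-coded to 0x200/0x1000, the section name `.idata2` is arbitrary, and the "dump" is a constructed stand-in with a single `.text` section and one IAT slot at RVA 0x1080; the API names in `SAMPLE_IMPORTS` are just the ones mentioned in the thread.

```python
"""Add a section to a PE32 dump, write a rebuilt import directory into it, point
DataDirectory[1] at it and fix SizeOfImage: the manual LordPE / ReVirgin "Generate!"
/ hex-editor step from the post above.  Added example; the sample dump is constructed."""
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000          # assumed; read them from a real target
SECT_HDR = struct.Struct("<8sIIIIIIHHI")        # IMAGE_SECTION_HEADER
IMPORT_DESC = struct.Struct("<IIIII")           # IMAGE_IMPORT_DESCRIPTOR
IMPORT_DIR = 96 + 8 * 1                         # DataDirectory[1] within the optional header

def align(v, a): return (v + a - 1) // a * a
def nt_offset(pe): return struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
def opt_offset(pe): return nt_offset(pe) + 4 + 20                         # past "PE\0\0" + file header
def import_directory(pe): return struct.unpack_from("<II", pe, opt_offset(pe) + IMPORT_DIR)
def image_size(pe): return struct.unpack_from("<I", pe, opt_offset(pe) + 56)[0]

def sections(pe):   # [(Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...), ...]
    nt = nt_offset(pe)
    base = opt_offset(pe) + struct.unpack_from("<H", pe, nt + 20)[0]      # + SizeOfOptionalHeader
    return [SECT_HDR.unpack_from(pe, base + i * SECT_HDR.size)
            for i in range(struct.unpack_from("<H", pe, nt + 6)[0])]      # NumberOfSections

def rva_to_off(pe, rva):
    for s in sections(pe):
        if s[2] <= rva < s[2] + max(s[1], s[3]):
            return rva - s[2] + s[4]
    raise ValueError("RVA %#x is not mapped by any section" % rva)

def next_section_rva(pe):
    last = sections(pe)[-1]
    return align(last[2] + max(last[1], last[3]), SECT_ALIGN)

def add_section(pe, name, data, chars=0xC0000040):   # INITIALIZED_DATA | MEM_READ | MEM_WRITE
    pe, nt, opt, secs = bytearray(pe), nt_offset(pe), opt_offset(pe), sections(pe)
    hdr_off = opt + struct.unpack_from("<H", pe, nt + 20)[0] + len(secs) * SECT_HDR.size
    if hdr_off + SECT_HDR.size > struct.unpack_from("<I", pe, opt + 60)[0]:   # SizeOfHeaders
        raise ValueError("no room in the header for another section entry")
    rva, raw, raw_size = next_section_rva(pe), align(len(pe), FILE_ALIGN), align(len(data), FILE_ALIGN)
    pe += b"\0" * (raw - len(pe)) + data + b"\0" * (raw_size - len(data))
    SECT_HDR.pack_into(pe, hdr_off, name, len(data), rva, raw_size, raw, 0, 0, 0, 0, chars)
    struct.pack_into("<H", pe, nt + 6, len(secs) + 1)                         # NumberOfSections
    struct.pack_into("<I", pe, opt + 56, align(rva + len(data), SECT_ALIGN))  # SizeOfImage
    return bytes(pe), rva

def build_import_table(base_rva, imports):
    """imports = [(dll, first_thunk_rva, [func, ...]), ...].  FirstThunk keeps pointing at
    the dump's own IAT slots (the code calls through them), as ReVirgin writes it; only the
    descriptors, lookup tables (INT) and names go into the new section."""
    descs, tables, names = bytearray(), bytearray(), bytearray()
    int_base = base_rva + IMPORT_DESC.size * (len(imports) + 1)
    names_base = int_base + sum(4 * (len(f) + 1) for _, _, f in imports)
    def add_name(s):
        rva = names_base + len(names)
        names.extend(s + b"\0" * (2 - len(s) % 2))     # NUL + pad to WORD so hints stay aligned
        return rva
    for dll, iat_rva, funcs in imports:
        int_rva = int_base + len(tables)
        for f in funcs:
            tables += struct.pack("<I", add_name(b"\0\0" + f))     # hint 0, then the name
        tables += bytes(4)                                          # end of this DLL's INT
        descs += IMPORT_DESC.pack(int_rva, 0, 0, add_name(dll), iat_rva)
    return bytes(descs + bytes(IMPORT_DESC.size) + tables + names)  # null descriptor terminates

def rebuild_imports(pe, imports, name=b".idata2"):
    pe, rva = add_section(pe, name, build_import_table(next_section_rva(pe), imports))
    pe = bytearray(pe)
    struct.pack_into("<II", pe, opt_offset(pe) + IMPORT_DIR, rva, IMPORT_DESC.size * (len(imports) + 1))
    return bytes(pe)

def list_imports(pe):                           # walk the directory back out, as the loader would
    def cstr(rva):
        off = rva_to_off(pe, rva)
        return pe[off:pe.index(b"\0", off)]
    out, off = [], rva_to_off(pe, import_directory(pe)[0])
    while True:
        int_rva, _, _, name_rva, iat_rva = IMPORT_DESC.unpack_from(pe, off)
        if name_rva == 0:
            break
        funcs, o = [], rva_to_off(pe, int_rva)
        while struct.unpack_from("<I", pe, o)[0]:
            funcs.append(cstr(struct.unpack_from("<I", pe, o)[0] + 2))   # skip the hint WORD
            o += 4
        out.append((cstr(name_rva), iat_rva, funcs))
        off += IMPORT_DESC.size
    return out

def build_sample_pe():   # constructed dump: .text only, `call [0x401080]` through an IAT slot, no import dir
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                    # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", hdr, 0x58,
                     0x10B, 0, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, SECT_ALIGN, FILE_ALIGN,
                     4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    SECT_HDR.pack_into(hdr, 0x138, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    text = bytearray(0x200)
    text[:6] = b"\xff\x15\x80\x10\x40\x00"
    return bytes(hdr + text)

SAMPLE_IMPORTS = [(b"kernel32.dll", 0x1080, [b"GetModuleHandleA", b"GetCommandLineA"])]   # constructed

if __name__ == "__main__":
    print(list_imports(rebuild_imports(build_sample_pe(), SAMPLE_IMPORTS)))
```

The header-room check in `add_section` is the step people trip over: a new section entry has to fit between the last existing header and SizeOfHeaders, otherwise it overwrites the first section's raw data. On a real dump, read FileAlignment and SectionAlignment out of the optional header instead of using the constants, and keep the IAT itself where the dump has it; only the lookup tables and names need to live in the new section.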
hobgoblin
December 1st, 2002, 23:12
Hi iwarez,
Did you use ReVirgin or ImpRec? And could you please mail me your idata section? I'm just interested to compare it with mine.

hobferret: I'd like to compare Iwarez's idata section with mine first, then I'll get back to you, okay?

hobgoblin

Manko
December 2nd, 2002, 00:36
Mine worked on first try too. ;P (Hi, hobgoblin!)

/Manko

hobgoblin
December 2nd, 2002, 09:20
Hi manko,
Sorry for not being able to get back to you as promised.
Sometimes things get tangled up IRL, and I don't get around to doing everything I want to...
Seems to me that you get along fine in the wonderful world of reversing...

hobgoblin

Iwarez
December 2nd, 2002, 10:11
Hobgoblin, I'm not at home right now. When I get back I'll send it.

Iwarez
December 2nd, 2002, 21:04
Is it possible to make this software a full version? I managed to make it think it's registered, but it will only work for passwords up to 4 chars in length. Tried to find the code that does the generating but failed. Anyone had more luck?

_Servil_
December 2nd, 2002, 21:29
Find the thread on ASProtect licensing, the essay from SplAj.

Iwarez
December 2nd, 2002, 22:30
Thanks, servil, for your post, but I already know of code encryption. What I was trying to say was that if the program can run from 1 to 4 it can also run from 1 to 10 or whatever. Actually, when I perform a sequence of actions the program is fooled into running a bruteforce with a greater length...

Zilot
December 3rd, 2002, 09:19
Hobferret !

This is not the new Aspr, it is a very old one, with

8113e0 -----------> DialogBoxParamA (User32) (RVA 4b5a8)

This is wrongly resolved by the autotracer in ImpRec and is FindResourceA; rename it to DialogBoxParamA.

And in ImpRec there is another incorrectly resolved API with plug-ins, and instead of

81139c ------------> GetVersion you should put GetCommandLineA

RVA 4b724. OEP is 41b643.

Hobgoblin !

About window works , PM if you are still interested in IAT


Regards Soldat

hobferret
December 4th, 2002, 13:45
Soldat

Do not agree with your EIP; not all progs start with PUSH EBP etc.

Anyway, I got mine going last night with all the features enabled, still with EIP @ 41B024.

Nearly sunrise, so I'm going.

Hobgoblin, will PM you details!!

BTW, all the data strings must be in the DLLs, because there's nothing in W32Dasm.

Thanks to all who got involved

hobferret
December 4th, 2002, 21:18
Hi again all out there

Just spent 10 min at lunch and got it registered; quite easy really!!

BTW, before, when I was going on about DLLs, forget it, there are none.

Regards to all out there

HOBGOBLIN, don't forget your PM