Zip Password Recovery 3.53 Build 19
Type : Zip password recovery program
Protection : ASProtect
Tech : Dumping + IAT Fix + Address Fixup
Crack : At last I was able to unpack this shit ... enjoy ...
Dumping + OEP

Load IceDump [great tool!] and in SICE put:
BPX GetVolumeInformationA
Now run AZPR 3.53; soon we will break in the ASProtect code.
Now remove the BPX and use the tracex command:
/tracex 400000 eip-8
(this traces until EIP lands in the range 400000 to eip-8, i.e. inside the main program's image). We can see we break in the ASProtect module. Keep giving this command until we break in the main program module. [After you are in the main program module, never give this command again: it will give you a page fault!]
We will break here:
015F:00401000 6A0A PUSH 0A --->> OEP <<-- Here
015F:00401002 E847850200 CALL 0042954E
015F:00401007 50 PUSH EAX
015F:00401008 6A00 PUSH 00
015F:0040100A E845850200 CALL 00429554
015F:0040100F 6A00 PUSH 00
015F:00401011 50 PUSH EAX
015F:00401012 E8EA360100 CALL 00414701
015F:00401017 50 PUSH EAX
015F:00401018 E82B850200 CALL 00429548
015F:0040101D 87DB XCHG EBX,EBX
Now 401000 is our real OEP. Dump it with the JMP EIP trick [EB FE]: patch the two bytes at the OEP to EB FE (a jump to itself) so the process spins there while you dump it. Then use WinHex on the dump and correct EB FE --> 6A 0A. Now use PEditor and make EP = 1000.
IAT Fixup
BPX SETWINDOWTEXTA ---->>
015F:004238A3 2EFF152CA64200 CALL CS:[0042A62C]
015F:004238AA A1BCE74A00 MOV EAX,[004AE7BC]
So the IAT entries are at 0042A62C. Use the WinHex RAM editor, look at this address and find the bunch of addresses around it:
IAT --> 0042A430 to 0042A793
RVA = 2A430
Size = 0042A793 - 0042A430 + 1 = 364 (hex)
Use ImpRec 1.3 [ImpRec 1.4 gave page faults while tracing?]. Click "Show Invalid" --> "Auto Trace".
Invalid ptr:
rva : 0002A528
mod:user32.dll DestroyWindow
rva : 0002A52C mod:kernel32.dll FindResourceA ???? **ERROR**
rva : 0002A530 mod:user32.dll DispatchMessageA
Right-click on 0002A52C and select "Invalidate Functions". Hold down the SHIFT key and select "Trace Level1". Now a message box pops up with the encountered APIs. Look out for the user32 module; it will be:
rva : 0002A52C mod:user32.dll DialogBoxIndirectParamA
[Note: in the end we will see that we were wrong at this point. Anyway, to fix the IAT we must fill this API, so go on.]
Release SHIFT and click OK in the message box. Thus the API will be filled. Now a few more APIs are invalid: these are APIs emulated by our sucker ASProtect.
Now select "Save Tree" in ImpRec 1.3 and save it. Now use ImpRec 1.42 with the ASProtect emu plugin: select the AZPR process, select "Load Tree" and load the tree file we saved. Now click "Show Invalid" --->> "ASProtect Emu".
We can see that now all APIs get validated. Now save this tree and fix the dumped file. Now run the fixed file; it will run.
Page Faults

It is seen that if we click "About Box" or "Registration" a page fault occurs?? What the heck??
Page fault code [About Box]:
015F:00413BFA 6A00 PUSH 00
015F:00413BFC 68DD0E4200 PUSH 00420EDD
015F:00413C01 56 PUSH ESI
015F:00413C02 6896050000 PUSH 00000596
015F:00413C07 FF3538E44A00 PUSH DWORD PTR [004AE438]
015F:00413C0D 2EFF152CA54200 CALL CS:[USER32!DialogBoxIndirectParamA]
015F:00413C14 E9C9FEFFFF JMP 00413AE2
Page Fault At --->> 00413D0D CALL [0042A52C] --> CS:0042A52C=BFF51251
In the real packed file:
015F:00413BFC 68DD0E4200 PUSH 00420EDD
015F:00413C01 56 PUSH ESI
015F:00413C02 6896050000 PUSH 00000596
015F:00413C07 FF3538E44A00 PUSH DWORD PTR [004AE438]
015F:00413C0D 2EFF152CA54200 CALL CS:[0042A52C] --> CALL ASProtect
015F:00413C14 E9C9FEFFFF JMP 00413AE2
Inside ASProtect:
015F:006EC97C 55 PUSH EBP
015F:006EC97D 8BEC MOV EBP,ESP
015F:006EC97F 53 PUSH EBX
015F:006EC980 8B5D08 MOV EBX,[EBP+08]
015F:006EC983 8B4518 MOV EAX,[EBP+18]
015F:006EC986 50 PUSH EAX
015F:006EC987 8B4514 MOV EAX,[EBP+14]
015F:006EC98A 50 PUSH EAX
015F:006EC98B 8B4510 MOV EAX,[EBP+10]
015F:006EC98E 50 PUSH EAX
015F:006EC98F 6A05 PUSH 05
015F:006EC991 8B450C MOV EAX,[EBP+0C]
015F:006EC994 50 PUSH EAX
015F:006EC995 53 PUSH EBX
015F:006EC996 E8717AFFFF CALL KERNEL32!FindResourceA
015F:006EC99B 50 PUSH EAX
015F:006EC99C 53 PUSH EBX
015F:006EC99D E8DA7AFFFF CALL KERNEL32!LoadResource
015F:006EC9A2 50 PUSH EAX
015F:006EC9A3 E8DC7AFFFF CALL KERNEL32!LockResource
015F:006EC9A8 50 PUSH EAX
015F:006EC9A9 53 PUSH EBX
015F:006EC9AA E8ED7AFFFF CALL USER32!DialogBoxIndirectParamA
015F:006EC9AF 5B POP EBX
015F:006EC9B0 5D POP EBP
015F:006EC9B1 C21400 RET 0014
It seems that loading the resource is part of ASProtect. So this is the main problem with our dump: it is directly calling the API DialogBoxIndirectParamA with the caller's arguments, while the original call went through ASProtect's stub, which first fetches the dialog template with FindResourceA (PUSH 05 = RT_DIALOG), LoadResource and LockResource and only then calls DialogBoxIndirectParamA.
Solution: assemble this at file offset 1057 [free space inside the unpacked exe file], VA = 00401057:
015F:00401057 55 PUSH EBP
015F:00401058 8BEC MOV EBP,ESP
015F:0040105A 53 PUSH EBX
015F:0040105B 8B5D08 MOV EBX,[EBP+08]
015F:0040105E 8B4518 MOV EAX,[EBP+18]
015F:00401061 50 PUSH EAX
015F:00401062 8B4514 MOV EAX,[EBP+14]
015F:00401065 50 PUSH EAX
015F:00401066 8B4510 MOV EAX,[EBP+10]
015F:00401069 50 PUSH EAX
015F:0040106A 6A05 PUSH 05
015F:0040106C 8B450C MOV EAX,[EBP+0C]
015F:0040106F 50 PUSH EAX
015F:00401070 53 PUSH EBX
015F:00401071 E89FF9B7BF CALL KERNEL32!FindResourceA
015F:00401076 50 PUSH EAX
015F:00401077 53 PUSH EBX
015F:00401078 E890FAB7BF CALL KERNEL32!LoadResource
015F:0040107D 50 PUSH EAX
015F:0040107E E8A61DB9BF CALL KERNEL32!LockResource
015F:00401083 50 PUSH EAX
015F:00401084 53 PUSH EBX
015F:00401085 E8C701B5BF CALL USER32!DialogBoxIndirectParamA
015F:0040108A 5B POP EBX
015F:0040108B 5D POP EBP
015F:0040108C C21400 RET 0014
Our fixup routine, so that our routine will be called at CALL CS:[0042A52C]:
015F:0040108F C7052CA5420057104000 MOV DWORD PTR [0042A52C],00401057
015F:00401099 E962FFFFFF JMP 00401000 ---> JMP to real OEP
Make 0040108F our new EP: use PEditor and make EP = 108F.
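As an added check (not part of the original tutorial), this Python script parses SoftICE-style listing lines like the ones above, verifies that each instruction's address plus its encoded length reaches the next line (so hand-assembled bytes and addresses are consistent), and resolves E8/E9 rel32 branches to their absolute targets. The sample lines are copied from this page's listings; the line format assumed is "SEL:ADDRESS HEXBYTES MNEMONIC".

```python
import re

# Constructed sample input: lines copied from this page's SoftICE listings.
OEP_LISTING = """\
015F:00401000 6A0A PUSH 0A
015F:00401002 E847850200 CALL 0042954E
015F:00401007 50 PUSH EAX
015F:00401008 6A00 PUSH 00
015F:0040100A E845850200 CALL 00429554
"""
FIXUP_LISTING = """\
015F:00401085 E8C701B5BF CALL USER32!DialogBoxIndirectParamA
015F:0040108A 5B POP EBX
015F:0040108B 5D POP EBP
015F:0040108C C21400 RET 0014
015F:0040108F C7052CA5420057104000 MOV DWORD PTR [0042A52C],00401057
015F:00401099 E962FFFFFF JMP 00401000
"""

# SEL:ADDRESS  HEXBYTES  MNEMONIC ...  (the selector is ignored)
LINE_RE = re.compile(r"^[0-9A-Fa-f]{4}:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")

def parse_listing(text):
    """Return a list of (address, encoded_bytes, mnemonic_text) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return insns

def is_contiguous(insns):
    """True if every address + encoded length equals the next line's address."""
    return all(addr + len(code) == insns[i + 1][0]
               for i, (addr, code, _) in enumerate(insns[:-1]))

def rel32_target(addr, code):
    """Resolve CALL rel32 (E8) / JMP rel32 (E9) to its absolute 32-bit target."""
    if len(code) != 5 or code[0] not in (0xE8, 0xE9):
        return None
    disp = int.from_bytes(code[1:], "little", signed=True)
    return (addr + 5 + disp) & 0xFFFFFFFF

def branch_targets(insns):
    """List (address, target) for every rel32 CALL/JMP in the listing."""
    pairs = ((addr, rel32_target(addr, code)) for addr, code, _ in insns)
    return [(addr, tgt) for addr, tgt in pairs if tgt is not None]

if __name__ == "__main__":
    for a, t in branch_targets(parse_listing(FIXUP_LISTING)): print(f"{a:08X} -> {t:08X}")
```

Resolving the CALL at 00401085 gives BFF51251, the same value the page quotes for CS:0042A52C, which shows that these direct calls are bound to the absolute system-DLL addresses of the machine the dump was taken on.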
Patching Dumped File To Get Registered Version

In the Registration box enter some s/n and in SICE put BPX GetWindowTextA. Now click "OK" and when we break in the program module, trace:
015F:004172A5 E80FFFFFFF CALL 004171B9 ---> Reg Dlg Box
015F:004172AA 83F801 CMP EAX,01
015F:004172AD 7568 JNZ 00417317
015F:004172AF 8D8500FFFFFF LEA EAX,[EBP-0100]
015F:004172B5 E845FBFFFF CALL 00416DFF --->> Main Reg Chk
015F:004172BA 85C0 TEST EAX,EAX -->> Make EAX = 01
015F:004172BC 7437 JZ 004172F5
015F:004172BE 8D8500FFFFFF LEA EAX,[EBP-0100]
015F:004172C4 E8CAFCFFFF CALL 00416F93
015F:004172C9 6A40 PUSH 40
015F:004172CB A1BCE74A00 MOV EAX,[004AE7BC]
015F:004172D0 FFB0A0050000 PUSH DWORD PTR [EAX+000005A0]
015F:004172D6 FFB0A8050000 PUSH DWORD PTR [EAX+000005A8]
015F:004172DC 2EFF157CA54200 CALL CS:[USER32!GetFocus]
015F:004172E3 50 PUSH EAX
015F:004172E4 2EFF15D4A54200 CALL CS:[USER32!MessageBoxA]
BPX GetWindowTextA, then BPMB 6AEFA8 R [this is where our S/N is found]. We reach:
015F:00416E08 89C6 MOV ESI,EAX
015F:00416E0A E8F1160100 CALL 00428500
015F:00416E0F 89C1 MOV ECX,EAX
015F:00416E11 83F806 CMP EAX,06
015F:00416E14 7D07 JGE 00416E1D
015F:00416E16 31C0 XOR EAX,EAX
015F:00416E18 E9F8000000 JMP 00416F15
015F:00416E1D BF02000000 MOV EDI,00000002
015F:00416E22 99 CDQ
015F:00416E23 F7FF IDIV EDI
................................................
015F:00416E48 8D5594 LEA EDX,[EBP-6C]
015F:00416E4B 8D45F0 LEA EAX,[EBP-10]
015F:00416E4E E86D140000 CALL 004182C0
015F:00416E53 BB10000000 MOV EBX,00000010
015F:00416E58 BAC0DF4200 MOV EDX,0042DFC0
015F:00416E5D 8D45F0 LEA EAX,[EBP-10]
015F:00416E60 E8BB180100 CALL 00428720
015F:00416E65 85C0 TEST EAX,EAX
015F:00416E67 75AD JNZ 00416E16 --- BAD BOY -- Fill with NOP
.....................................................
015F:00416E86 E835140000 CALL 004182C0
015F:00416E8B 8D45F0 LEA EAX,[EBP-10]
015F:00416E8E E81BFFFFFF CALL 00416DAE
015F:00416E93 85C0 TEST EAX,EAX
015F:00416E95 0F847A000000 JZ 00416F15 --- BAD BOY -- Fill with NOP
015F:00416E9B 833DA0184B0000 CMP DWORD PTR [004B18A0],00
015F:00416EA2 756C JNZ 00416F10 --- GOOD BOY --- Make JNZ --> JMP = EB 6C
.....................................................
015F:00416EF2 68E8C24200 PUSH 0042C2E8
015F:00416EF7 2EFF157CA54200 CALL CS:[USER32!GetFocus]
015F:00416EFE 50 PUSH EAX
015F:00416EFF 2EFF15D4A54200 CALL CS:[USER32!MessageBoxA]
015F:00416F06 C705A0184B0001000000 MOV DWORD PTR [004B18A0],00000001
015F:00416F10 B801000000 MOV EAX,00000001 -- Flag Set
==> 015F:00416F15 C9 LEAVE
015F:00416F16 5F POP EDI
015F:00416F17 5E POP ESI
015F:00416F18 5A POP EDX
015F:00416F19 59 POP ECX
015F:00416F1A 5B POP EBX
015F:00416F1B C3 RET
So patch it as shown above.

Min Max Length Error Fix up

Patching gave some Min/Max password length error: the stupid program shows an infinite MessageBox with the text "It can't be ???". This error can be rectified by removing some code.
015F:0041E330 2EFF1514A64200 CALL CS:[USER32!SetDlgItemInt]
015F:0041E337 833D5C4F4C0000 CMP DWORD PTR [004C4F5C],00
015F:0041E33E 7509 JNZ 0041E349
015F:0041E340 833D684F4C0000 CMP DWORD PTR [004C4F68],00
015F:0041E347 7442 JZ 0041E38B
015F:0041E349 8B0D084F4C00 MOV ECX,[004C4F08]
015F:0041E34F A160464C00 MOV EAX,[004C4660]
015F:0041E354 99 CDQ *** ----------------------- !!
015F:0041E355 F7F9 IDIV ECX
015F:0041E357 891560464C00 MOV [004C4660],EDX
015F:0041E35D A164464C00 MOV EAX,[004C4664]
015F:0041E362 99 CDQ
015F:0041E363 F7F9 IDIV ECX
015F:0041E365 891564464C00 MOV [004C4664],EDX *** --- !!
015F:0041E36B 8D457E LEA EAX,[EBP+7E] ----> zip file name
015F:0041E36E E803E1FFFF CALL 0041C476 --> zip pass find algorithm
Unwanted code from 0041E354 to 0041E36B: fill it with NOP. This code is only used in trial mode and gives the error in registered mode. Now it is working fine without any error. Now you can enter any registration key and register the program, for example enter key = 5555555555. Mail me if you need this baby :)
dheeraj_xp@yahoo.com
http://kickme.to/mxbnet