Visual Zip Password Recovery v5.4
Type : Zip password recovery
Protection : ASProtect
Tech : Loader + later I was able to unpack this baby
Crack :
Unpacking was not 100% OK with this guy ...
So I made a loader. This program only calculates about 80% - 90% ... after
that it shows a nag screen. While calculating, just break into SICE and we can
see the loop .. just trace and we can locate where the flag is set and
the nag screen is called ...
015F:004C3FD5  648920        MOV FS:[EAX],ESP
015F:004C3FD8  A1D8F14C00    MOV EAX,[004CF1D8]
015F:004C3FDD  803800        CMP BYTE PTR [EAX],00       <-- CHECK
015F:004C3FE0  0F85C1000000  JNZ 004C40A7
.....................................................
015F:004C405F  8B10          MOV EDX,[EAX]
015F:004C4061  FF92D8000000  CALL [EDX+000000D8]         ---> CALL NAG
015F:004C4067  83F802        CMP EAX,02
015F:004C406A  750E          JNZ 004C407A
To crack: make [004CF1D8] = [004D5F74] = 01!
Flag Set : [To Find Root]
BPMB 004D5F74 W -->
015F:004CA9C5  E85210F5FF    CALL 0041BA1C
015F:004CA9CA  A1D8F14C00    MOV EAX,[004CF1D8]
015F:004CA9CF  C60000        MOV BYTE PTR [EAX],00       <--- Here
Loader : Make a loader which will do this .....
015F:004CA9CF  C60001        MOV BYTE PTR [EAX],01
Update : [Unpacking the Program]
The IAT fixed by ImpRec 1.3 gave stack problems ... but when I used ImpRec 1.42
it worked.
Let us unpack this baby ...
BPX SHOWWINDOW
015F:00408048  FF25C8955200  JMP [005295C8]
--->
015F:00F50FF0  689820F5BF    PUSH USER32!ShowWindow
015F:00F50FF5  C3            RET
So the IAT entry is at 005295C8.
Use WinHex -- RAM Editor -- Open Process Memory -- go to 005295C8.
IAT starts at 00529190 and ends at 0052992F: 0052992F - 00529190 = 79F, + 1 = 7A0
Use ImpRec 1.4.2 [ImpRec 1.3 didn't work well]
RVA = 129190
Size = 7A0
Select "GetImports" --> "ShowInvalid" --> "Auto Trace"
This way all APIs get validated.
Load IceDump [Great Tool!] and in SICE ... put
BPX GetVolumeInformationA
Now run VZPR 5.4 .. soon we will break into ASProtect code ..
Now remove the BPX and use the .... tracex command ..
/tracex 400000 eip-8
We can see we break in the ASProtect module ... type this command till
we break in the main program module ... [After you are in the main program
module never give this command, it will give you a page fault!]
We will break here ...
015F:00491D30  55            PUSH EBP                    <--- Not OEP -- No, Don't Dump Here
015F:00491D31  8BEC          MOV EBP,ESP
015F:00491D33  B8785F4D00    MOV EAX,004D5F78
015F:00491D38  8B5508        MOV EDX,[EBP+08]
015F:00491D3B  E8CC2BF7FF    CALL 0040490C
015F:00491D40  5D            POP EBP
015F:00491D41  C20400        RET 0004                    --> Return to ASProtect
Now use "F10" and return to ASProtect code...
Now use the tracex command ... we can see code like this; just follow the above
steps ... and wait till you reach here ... [Long wait]
015F:004CC8A8  55            PUSH EBP                    <-- Real OEP --- Dump It --- JMP EIP TRICK
015F:004CC8A9  8BEC          MOV EBP,ESP
015F:004CC8AB  83C4F4        ADD ESP,-0C
015F:004CC8AE  53            PUSH EBX
015F:004CC8AF  B870C54C00    MOV EAX,004CC570
015F:004CC8B4  E853ACF3FF    CALL 0040750C
015F:004CC8B9  8B1DBCF14C00  MOV EBX,[004CF1BC]
015F:004CC8BF  8B03          MOV EAX,[EBX]
015F:004CC8C1  E8320CF9FF    CALL 0045D4F8
015F:004CC8C6  8B0DACF34C00  MOV ECX,[004CF3AC]
015F:004CC8CC  8B03          MOV EAX,[EBX]
015F:004CC8CE  8B15D42F4C00  MOV EDX,[004C2FD4]
015F:004CC8D4  E83F0CF9FF    CALL 0045D518
015F:004CC8D9  8B0DE0F04C00  MOV ECX,[004CF0E0]
Now 4CC8A8 is our real OEP ... Dump it with the JMP EIP trick [EB FE].
Use WinHex and correct EB FE --> 55 8B .. Now use PEdit and make EP = CC8A8.
Now load the tree file and fix the dump using ImpRec 1.42 [OEP = CC8A8].
Luckily ImpRec 1.42 has done the job ... it is totally unpacked.
Patch :
015F:004CA9CF  C60001        MOV BYTE PTR [EAX],01       OFFSET = CA9CF