[Title]: Unpacking an ASProtect-packed DLL file (in English)
[Source]: Internet

Contact Me : dheeraj_xp@yahoo.com

Advanced PDF to HTML converter 1.4

Type : PDF to HTML Converter
Protection : Main dll file packed with ASProtect
Tech : Dumping and Fix IAT

Crack :

Here the DLL file "pdf2html.dll" is packed with ASProtect, so we have to unpack it.
In SoftICE (SICE), set BPX GETSTARTUPINFOA and run the program. When we break inside the DLL module, look a few lines up and we can see:

015F:10046F82 55 PUSH EBP -->> REAL EP
015F:10046F83 8BEC MOV EBP,ESP
015F:10046F85 6AFF PUSH FF
015F:10046F87 6838470510 PUSH 10054738
015F:10046F8C 68FC4F0410 PUSH 10044FFC
015F:10046F91 64A100000000 MOV EAX,FS:[00000000]
015F:10046F97 50 PUSH EAX
015F:10046F98 64892500000000 MOV FS:[00000000],ESP
015F:10046F9F 51 PUSH ECX
015F:10046FA0 51 PUSH ECX
015F:10046FA1 53 PUSH EBX

Dumping can be done even after the GETSTARTUPINFOA API call.
Dump it using the JMP EIP trick, then correct the EB FE bytes using WinHex. Use PEditor and
make EP = 46F82

Now look at the GETSTARTUPINFOA API call. It will look like this:
10047031 CALL [10053070] ----> ASPROTECT TRICK
So the IAT of this DLL is somewhere around here.
Use the WinHex RAM Editor and open the memory of this DLL file.
Go to this address and we can see a bunch of addresses, which
run from:

10053000 ---> 10053133 = 134

So run ImpRec, pick this DLL and enter these values:
RVA = 53000
SIZE = 134
Now click "GetImports" ... we can see two thunks are invalid.
Now click "AutoTrace" ... and we get all APIs validated.
Now fix the dump. The DLL file is now totally unpacked and will run.
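
The range-to-ImpRec arithmetic and the invalid-thunk check described above, as an added example that is not part of the original tutorial: it converts the VA range into the RVA and size values and labels each IAT slot by the module that owns its target. The image base 0x10000000 is inferred from the EP values in the text; the module ranges and slot values are constructed sample data.

```python
import struct

IMAGE_BASE = 0x10000000  # assumption: VA 10046F82 maps to EP 46F82 in the text

def iat_rva_and_size(first_va, last_va, image_base=IMAGE_BASE):
    """Turn an inclusive VA range into the (RVA, size) pair ImpRec asks for."""
    if not image_base <= first_va <= last_va:
        raise ValueError("range must lie above the image base and be ordered")
    return first_va - image_base, last_va - first_va + 1

def classify_thunks(iat_bytes, iat_va, modules):
    """Label each 32-bit IAT slot with the module that owns its target.

    modules: list of (name, base, size). Returns (slot_va, target, label)
    tuples; label is a module name, "separator" for a zero slot, or
    "unresolved" when the pointer lands outside every loaded module
    (the kind of redirected import a tool reports as an invalid thunk).
    """
    usable = len(iat_bytes) - len(iat_bytes) % 4  # ignore a trailing partial slot
    rows = []
    for off in range(0, usable, 4):
        (target,) = struct.unpack_from("<I", iat_bytes, off)
        if target == 0:
            label = "separator"
        else:
            label = next((name for name, base, size in modules
                          if base <= target < base + size), "unresolved")
        rows.append((iat_va + off, target, label))
    return rows

# Constructed sample: module ranges and slot values are illustrative only.
SAMPLE_MODULES = [("KERNEL32.dll", 0x77E60000, 0xE6000),
                  ("USER32.dll", 0x77D40000, 0x90000)]
SAMPLE_IAT = struct.pack("<5I", 0x77E7A000, 0x00C21234, 0x77E80010,
                         0, 0x77D45000)

if __name__ == "__main__":
    rva, size = iat_rva_and_size(0x10053000, 0x10053133)
    print(f"RVA = {rva:X}  SIZE = {size:X}")
    for slot, target, label in classify_thunks(SAMPLE_IAT, 0x10053000,
                                               SAMPLE_MODULES):
        print(f"{slot:08X} -> {target:08X}  {label}")
```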

Note: It is seen that while converting PDF to HTML the program sometimes crashes ... it is a program bug, not our fault. You can verify it with the unpacked DLL file. After unpacking this main DLL file, you can torture it in whatever way you like ....hee..

Method 1:
Open the unpacked DLL file in WinHex. We can see the nag string:
CREATED WITH UNREGISTERED VERSION .... just change this to ...
[HTML COMMENT] this will inhibit the nag string ...
