Hi guys, great forum!

my status : not quite a newbie yet
my problem : asprotect
the exe : hide folders 2.2.1.171 (www.fspro.net)
--------------------------------------------------



The unpacking and IAT rebuilding of the 2.0 version of this program posed no problem and the unpacked program works without a flaw.

2.2 is different.

Here's what I did:
- I found the oep and dumped at 004749c4
- realigned the sections with procdump
- reconstructed the IAT with ImpRec 1.4.2+
- changed the ep with procdump
- at 00474A22 I nopped out the call to the "internal error" message box
- and at 004037E6 I changed the je to jne (which caused another error message)

Now this is what happens:
If the original exe is loaded into memory my unpacked exe apparently works, but if the original
exe is not loaded my exe crashes with the following message :
"Access violation at address 00000009. Write of address 7074613d"
W32Dasm tells me that this coded address is not in a loaded module.

I'm totally lost. I'm hoping for a kind soul willing to shed some light and help me find my way home.

Hajo:

I've downloaded and unpacked HideFoldersXP version. Runs like a charm. However, I believe you have the Windows 9x version --- which I don't have at the moment. I'll try it later today and let you know the results.

Signed,
-- FoxThree

Hellooooo FoxThree

thanks for your reply.
Yes I have version 2.2 which is the windows 98 version.
I appreciate your help and will be waiting for any suggestion that will get me out of the woods.

Hello:

Unpacked the above version of HideFolders and analyzed. At raw offset 7869B there is a indirect call to ASPR code @ C4E870. Naturally, by pass this call. Now, if you run it you'll get some Page Fault in BFF7XXXX address which belongs to IsBadStringW . So, Trace... soon enough we see at 0x403784 a routine which checks some SEH addresses to see if EAX == ECX?. With ASPR EAX always equals ECX. So, JNZ never is executed. But without ASPR, EAX != ECX. But alas, ECX value is never used. So, patch JNZ at raw offset 3791 What really matters is that the value at EAX should be correct some 6FXXXX, I think.

So, no more page faults and all is well Hope this helps.

I didn't find any Access Violation at adress 0000009 errors? May be 'coz different version.

Signed,
-- FoxThree

thank you foxthree,
i'll get to work on it in the next few days
(I'll have to understand SEH's first).

Hello all! and hello FoxThree,

first off thank you for the credits although undeserved.
I just knew this was a tough one, and I assure you it has grown
on me, I just can't shake it off. Alas I'm way over my head in
this and I would hope that you could be a little more unassuming.
I've tried, as per Splaj, to dump after Call Eax followed by the
suggestion by hobgoblin to copy and paste the sections, but no luck!
I need a little hand.
thanks guys!