#1
03-26-2004, 11:59
britedream
Maltese, when you say "that is why xoring eax.... works", which instruction are you referring to?
#2
03-26-2004, 12:28
Maltese
BriteDream,

I was referring to address location (provided by lownoise):

Original code:

$4043AA: 8B00 MOV EAX, DWORD PTR DS:[EAX]
$4043AC: 85C0 TEST EAX,EAX

Change to:

$4043AA: 33C0 XOR EAX,EAX

This patch allowed my dump to work after fixing with Imprec.

Moving along, if you press SHIFT + F9 26 times and then search the stack, the key you entered (dummy key in registry) is missing!

From this, and by checking the RegQueryKey breakpoints, I determined that the serial# is loaded in the AsProtect code which is not in the final unpacked code.

Also it seems on my system that the KEY from the registry is stored at location $990F3C and is pushed onto the stack.

Another telltale sign is that it removes all spaces from the serial#. Big No No. When we see a loop to remove spaces it helps let us know we are getting closer. As a test... put MALTESE MALTESE MALTESE as the key. When it's pushed onto the stack the spaces are missing.

And now for my stupid question: Don't Laugh...

I noticed AsProtect employs a technique of making calls to odd addresses which messes with Olly. I can right click and then say follow... but is there a better way to adjust the memory locations so that the code looks the same as it does when it executes?

I will share as I go for those that might want to join in.

-Malt

#3
03-26-2004, 13:35
Maltese
After we run the trace and patch the stolen bytes and reset OEP...

When we go to dump the file, is there a way to also store the memory contents of 960000 thru 990000 so that they are reloaded in the same location when the "unpacked" program starts up?

Back in the day we could save the memory and dump it to a binary file...then you could reload it back into the same memory location from the file at any time you wanted. Is there a way to do this now?

-Malt
#4
03-26-2004, 14:21
britedream
Exactly, yes. In the dumped file itself we can patch it to read back all the regions you want: just choose the region you want, save it as binary, then read it back. Of course you have to allocate the space for each region using VirtualAlloc.

#5
03-26-2004, 14:36
britedream
The error you refer to by xoring mov eax,...., is due to a reference to region 970000 "imagebase", 973861 "VA", which is not there any more. If you aren't registered then eax==0; this is why it is running ok in your case. If it were to return another value for unregistered, then I would think it would affect the target.

#6
03-27-2004, 04:37
Kyrios
decrypt 2 fragments

There are 2 encrypted fragments in the dumped file. If they weren't decrypted, yes, it can't be a FULLY working version.
Is there any way to decrypt without having to register? If there was a blacky serial, what can we do with it?


TIA,
kyrios
#7
03-27-2004, 05:10
MaRKuS-DJM
Quote:
Originally Posted by Kyrios
Is there any way to decrypt without having to register? If there was a blacky serial, what can we do with it?

Maybe you can use asload and let it run registered. You can debug it, set a BP on CreateProcess and then debug the program while asload does its register job, and then dump the program fully registered & decrypted.
All times are GMT +8.