ASProtect SKE unpacking

[TempoMat]

Quote:

Originally Posted by ZeNiX

In some cases, you need a valid registration key to decrypt protected code blocks.

After reaching the OEP and analysing the code, I could see no sign of encrypted code sections.
At least it can be confirmed with the code flow of older versions except the calls to the VM or SKE SDK.
Also all typical strings references can be seen clearly
The only problem is the calls to the VM which the script is able to identify correctly by stops at the location it checks for the error 111.

Quote:

Another some cases, you need to repair the calls to ASProtect's API if the program uses SKE's SDK functions.

These are what I am trying to repair.

Example at the OEP of an MS VC++8 application

Code:

0040791F    .  E8 8D020000        CALL abcd.00407BB1            	; the OEP
00407924    .^ E9 80FEFFFF        JMP abcd.004077A9
00407929   /$  55                 PUSH EBP
0040792A   |.  8BEC               MOV EBP,ESP
0040792C   |.  A1 04304200        MOV EAX,DWORD PTR DS:[0x423004]
00407931   |.  83E0 1F            AND EAX,0x1F
00407934   |.  6A 20              PUSH 0x20
00407936   |.  59                 POP ECX                       	; 009D19A6
00407937   |.  2BC8               SUB ECX,EAX                   	; abcd.0040791F
00407939   |.  8B45 08            MOV EAX,DWORD PTR SS:[EBP+0x8]	; abcd.00449833
0040793C   |.  D3C8               ROR EAX,CL
0040793E   |.  3305 04304200      XOR EAX,DWORD PTR DS:[0x423004]
00407944   |.  5D                 POP EBP                       	; 009D19A6
00407945   \.  C3                 RETN

If you enter the call at the OEP you will see

Code:

00407BB1    $  55                 PUSH EBP
00407BB2    .  8BEC               MOV EBP,ESP
00407BB4    .  83EC 14            SUB ESP,0x14
00407BB7    .  8365 F4 00         AND DWORD PTR SS:[EBP-0xC],0x0
00407BBB    .  8365 F8 00         AND DWORD PTR SS:[EBP-0x8],0x0
00407BBF    .  A1 04304200        MOV EAX,DWORD PTR DS:[0x423004]
00407BC4    .  56                 PUSH ESI
00407BC5    .  57                 PUSH EDI
00407BC6    .  BF 4EE640BB        MOV EDI,0xBB40E64E
00407BCB    .  BE 0000FFFF        MOV ESI,0xFFFF0000
00407BD0    .  3BC7               CMP EAX,EDI
00407BD2    .  74 0D              JE SHORT abcd.00407BE1
00407BD4    .  85C6               TEST ESI,EAX                  	; abcd.0040791F
00407BD6    .  74 09              JE SHORT abcd.00407BE1
00407BD8    .  F7D0               NOT EAX                       	; abcd.0040791F
00407BDA    .  A3 00304200        MOV DWORD PTR DS:[0x423000],EAX                   ;  abcd.0040791F
00407BDF    .  EB 66              JMP SHORT abcd.00407C47
00407BE1    >  8D45 F4            LEA EAX,DWORD PTR SS:[EBP-0xC]
00407BE4    .  50                 PUSH EAX                      	; abcd.0040791F
00407BE5    .  E8 16846F01        CALL 01B00000                 	; Call to ASPR VM/SKE SDK
00407BEA    .  9B                 WAIT
00407BEB    .  8B45 F8            MOV EAX,DWORD PTR SS:[EBP-0x8]
00407BEE    .  3345 F4            XOR EAX,DWORD PTR SS:[EBP-0xC]
00407BF1    .  8945 FC            MOV DWORD PTR SS:[EBP-0x4],EAX	; abcd.0040791F
00407BF4    .  E8 07846F01        CALL 01B00000                 	; Call to ASPR VM/SKE SDK
00407BF9    .  4E                 DEC ESI
00407BFA    .  3145 FC            XOR DWORD PTR SS:[EBP-0x4],EAX	; abcd.0040791F
00407BFD    .  E8 FE836F01        CALL 01B00000                 	; Call to ASPR VM/SKE SDK
00407C02    .  DA31               FIDIV DWORD PTR DS:[ECX]
00407C04    .  45                 INC EBP
00407C05    .  FC                 CLD
00407C06    .  8D45 EC            LEA EAX,DWORD PTR SS:[EBP-0x14]
00407C09    .  50                 PUSH EAX                      	; abcd.0040791F
00407C0A    .  E8 F1836F01        CALL 01B00000                 	; Call to ASPR VM/SKE SDK

The CALL 01B00000 is called 60 times in this application

Quote:

Originally Posted by user1

And unpacked was registered.

The programs runs with small restrictions unregistered. It also does not used the ASProtect registration but its own pretty simple CRC32 routine.