#46
|
|||
|
|||
To Svensk
in error one above, there is a call right above it, step into, and change the value of the address being move to eax, to point to an address where your name is at. Last edited by britedream; 03-25-2004 at 20:13. |
#47
|
|||
|
|||
I see what you mean britedream.
Still some problem though. I've compared the "code" section of mine and your dumped exe and even though there are no differences, yours is registered and mine is not. Do you have custom code executed in any of the other sections. |
#48
|
|||
|
|||
you saw the address at 444600 ,where my name is,just go to the address moved to eax in dump and change the value to 444600.
you should change the value of the address moved, not the address its self. Last edited by JMI; 03-26-2004 at 02:57. |
#49
|
|||
|
|||
Hehe, sorry for being so thick. All is well and it runs registered now.
Thanks a bunch m8 |
#50
|
|||
|
|||
To lownoise,
When I changed the code to xor EAX , EAX DVDIdle Pro came up with the splash screen. Is this something that is commen with AsProtect? I recall Stripper creating a working exe out of dvdIdle Pro. I thought this whole process was to create an unpacked version of the original program. yes? I will look thru this executing exe and see if I can discover the algorithm for the serial #. |
#51
|
|||
|
|||
After doing some tracing....
Since I am interested in creating a serial#.... the code to check for a valid serial # is missing. That's why the XOR EAX,EAX works because the serial# check is missing (from the program). It's not being left in "unpacked" program (which is probably why there aren't many keygens for AsProtect Programs IE: PowerStrip and DVDIdle Pro/Region Free). I BP on all (and every) RegQueryKey and it never loads hKey with "KEY" which is where the code is stored in the Registry. When you go thru the enter serial # dialog box.... it's a dummy... no check is done. It just saves it to the registry and tells you to restart. When you restart the program.... it bypasses the missing code due to the XOR EAX,EAX. How do I get that code into the pack as well? Is it impossible with AsProtect? -Malt.... Me Thinks I have to do this in memory... and not from an unpacked file. Last edited by Maltese; 03-26-2004 at 11:42. |
#52
|
||||
|
||||
hm... do you think you can keygen RSA1024? Asprotect checks the serial on startup, then it sets global variables which get the program registered. a way to dump the program registered is to use asload, break on EP of asprotected program, then let Asload do his job you can dump registered
Asload has a system to bypass the RSA-Algorythm & load it registered nearly like the loader of TMG for AnyDVD. |
#53
|
|||
|
|||
Well,
I am attempting to trace the code to reverse it. Things I know so far: After pressing F9 once. Press SHIFT + F9 22 (BEFORE it's placed on the stack) times and the stack holds the key brought in from the registry. It's stored here in memory: STACK 12EA90: 9910D4 (address). Address varies by size of key Try this: Create a new String Value of "KEY" in: KEY_CURRENT_USER\Software\DVDIdle Pro Right click modify and place something obvious... MARKUSMARKUSMARKUS in it Press F9 once, then SHIFT + F9 (22 times to see it already loaded in stack) Look at 12EA90 This is as far as discovery as I've made... Since I'm new to olly (not reverse engineering techniques) I am attempting to bp when my fake key is loaded and backtrace. If you are interested in this with me I will share everything I find. -Malt I could use some help too along the way if you have time. P.S. MaRKuS... I'm not trying to crack the encryption. That would be if I had an encoded string... and tried to figure out what it originally said before it was encrypted without the formula. The formula/algorithm for AsProtect/DVDIdle is in the code as it checks it's validity. One just has to reverse the steps. So technically I'm not trying to perfrom an amazing feat... Getting to that code is my focus now. Last edited by Maltese; 03-30-2004 at 09:36. |
#54
|
|||
|
|||
To britedream: I see one of your stolen bytes tuts is about PWSEX.
Did you work on removing the trial limits as well, or did you just unpack it? I'm working it this myself, that's why I'm asking. I have successfully removed the splash, unregged nags and the "graying" of some passwords. Still working on the "10 accounts at a time stuff". Last edited by SvensK; 03-26-2004 at 07:23. |
#55
|
|||
|
|||
To svensk:
that was done due to request from a member to find the stolen, I didn't look anyfurther. To maltese: I admire your work, I will do somthing to help you. please, check your pm. |
#56
|
|||
|
|||
Quote:
the dump file once unpacked. does asload read back this region to dump, we can read any region from asprotect to be included in dump.but there is onther way to register, that is to write a dll, then have small patch in the original to load the dll and trick asprotect to allow you to patch it. I have seen this done. but I believe reading the right region back to dump is much easier to do. Last edited by britedream; 03-26-2004 at 11:09. |
#57
|
|||
|
|||
maltese, when you say "that is why xoring eax.... works", which instruction are you refering to.
|
#58
|
|||
|
|||
BriteDream,
I was referring to address location (provided by lownoise): Original code: $4043AA: 8B00 MOV EAX, DWORD PTR DS:[EAX] $4043AC: 85C0 TEST EAX,EAX Change to: $4043AA: 33C0 XOR EAX,EAX This patch allowed my dump to work after fixing with Imprec. Moving along, if you press SHIFT + F9 26 times and then search the stack, the key you entered (dummy key in registry) is missing! From this, and by checking the RegQueryKey breakpoints, I determined that the serial# is loaded in the AsProtect code which is not in the final unpacked code. Also it seems on my system that the KEY from the registry is stored at location $990F3C and is pushed onto the stack. Another tale tell sign is that it removes all spaces from the serial#. Big No No. When we see a loop to remove spaces it helps let us know we are getting closer. As a test... Put MALTESE MALTESE MALTESE as the key. When it's pushed onto the stack the spaces are missing. And now for my stupid question: Don't Laugh... I noticed AsProtect employs a technique making calls to odd address's which messes with Olly. I can right click and then say follow... but is there a better way to adjust the memory locations so that the code looks the same as it is as when it executes? I will share as I go for those that might want to join in. -Malt Last edited by Maltese; 03-30-2004 at 09:37. |
#59
|
|||
|
|||
After we run the trace and patch the stolen bytes and reset OEP...
When we go to dump the file, is there a way to also store the memory contents of 960000 thru 990000 so that they are reloaded in the same location when the "unpacked" program starts up? Back in the day we could save the memory and dump it to a binary file...then you could reload it back into the same memory location from the file at any time you wanted. Is there a way to do this now? -Malt |
#60
|
|||
|
|||
exactly , yes, in dumped file itself we can patch to read back all the region you want , just choose the region you want,save as binary, then read it back, of course you have to allocate the space for each region using virtualAllloc.
Last edited by britedream; 03-26-2004 at 14:24. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
ASProtect SKE unpacking | TempoMat | General Discussion | 10 | 08-24-2016 17:48 |
need help unpacking ASProtect | Fade | General Discussion | 8 | 05-25-2011 22:12 |
Unpacking asprotect | britedream | General Discussion | 7 | 09-01-2004 01:46 |