where's the error in this asprotect-target?

[MaRKuS-DJM]

the program i tried to unpack is Z-Up Maker 4.3.0

these are my infos
stolen bytes:
push ebp
mov ebp,esp
add esp,-10
mov eax, 5B64BC

and my iat is attached

but it doesn't work.
i don't know where's the error... i think it's all correct?!?!?!?!?!

[britedream]

Hi Markus,
the stolen bytes and Iat are not correct, your program is working on the following info.:
005B6CCC > $ 55 PUSH EBP
005B6CCD . 8BEC MOV EBP,ESP
005B6CCF . 83EC 0C SUB ESP,0C
005B6CD2 . 53 PUSH EBX
005B6CD3 . B8 BC645B00 MOV EAX,dd_.005B64BC

here is the iat:

[britedream]

Thanks Markus, You always come up with
unique programs.

[MaRKuS-DJM]

oh yes, i forgot the push ebx
but how did you get the sub esp,0c?
i thought it was -10?
maybe i'm confused *lol*

[MaRKuS-DJM]

britedream, i've tried your infos... but it still cames up with the same error

my dump is correct, i think

[britedream]

Hi,
the program is working on the info I gave you. also check your iat against mine

[MaRKuS-DJM]

i understood why sub esp,0c was my fault. i pm'ed you

[britedream]

to Markus,
please check your pm

[MaRKuS-DJM]

Britedream, i want to ask you if these infos are correct for powerstrip (the program worked for me):

OEP: 555DE7
Stolen Bytes:
push ebp
mov ebp,esp
sub esp,0c
push ebx
mov eax,4032A0


nop the calls (call eax):
522BC1
52487D

IAT:

[MaRKuS-DJM]

i think, for powerstrip this is enough:

push ebp
mov ebp,esp
sub esp,10

[britedream]

Well done Markus,your iat is correct, and your stolen bytes are correct if not for the extra command you put: mov eax,xxxxxx, now your oep should shift little bit down,
After eliminating the extra command, to 555dec.

Regards.

[MaRKuS-DJM]

your dump works perfect for Z-Up Maker. I saw you have newer version, so i downloaded this one... i've dumped it again and it doesn't work. so i made a differences report.

in my dump are many extra bytes where in your dump are only 00. i've looked at the offsets, and these "extra bytes" are error messages like "runtime error" or anything else. but where do they came from???

[MaRKuS-DJM]

hey, i got it work!!!!

where did you dump, britedream? i dumped always here:

005B6CD8 E8 6B0DE5FF CALL dumped_.00407A48
005B6CDD 8B1D CCB05B00 MOV EBX,DWORD PTR DS:[5BB0CC] ; dumped_.005BC7D8
005B6CE3 8B03 MOV EAX,DWORD PTR DS:[EBX]
005B6CE5 E8 12E0E9FF CALL dumped_.00454CFC
005B6CEA 8B03 MOV EAX,DWORD PTR DS:[EBX]
005B6CEC BA 086E5B00 MOV EDX,dumped_.005B6E08 ; ASCII "Z-Up Maker"
005B6CF1 E8 0ADCE9FF CALL dumped_.00454900
005B6CF6 8B0D 60AE5B00 MOV ECX,DWORD PTR DS:[5BAE60] ; dumped_.005BEC84
005B6CFC 8B03 MOV EAX,DWORD PTR DS:[EBX]
005B6CFE 8B15 54D85800 MOV EDX,DWORD PTR DS:[58D854] ; dumped_.0058D8A0
005B6D04 E8 0BE0E9FF CALL dumped_.00454D14

the dump hasn't worked!!!
now i've dumped here:

00407948 -FF25 20035C00 JMP DWORD PTR DS:[5C0320]
0040794E 8BC0 MOV EAX,EAX
00407950 -FF25 1C035C00 JMP DWORD PTR DS:[5C031C]
00407956 8BC0 MOV EAX,EAX
00407958 -FF25 18035C00 JMP DWORD PTR DS:[5C0318]
0040795E 8BC0 MOV EAX,EAX


and it works!!!

there are still some differences, your program runs registered, mine unregistered. have you cracked it?

[britedream]

no I didn't crack it . I just removed the
asprotect. and it is protect by it.

[MaRKuS-DJM]

i noticed a very strange thing... if my dump has the name "dumped_.exe" it is unregistered. if i rename it to "aaaaaaaaaaaaaaaaaaaaaaaaaaaa.exe" it's suddenly registered!? why that?

britedream, it's the same with your dump... it works registered as "dd_.exe" and unregistered as "dda_.exe"