
ASProtect 1.2 'Revirginated'


hOrn_dOg
February 14th, 2001, 03:36
ASProtect 1.2 (11/02/01) Revirginated (on Win2K)
================================================

IAT at RVA 0x66118, length 0x5C4; OEiP at 0x458F7C (LoL, ~3 hours to
find manually!)

Dumped.exe is 632kb

One 'problem' API at '00066260 00C1C424 0000 ?????? to_Resolve'; just
replace it with KERNEL32 GetProcAddress (use SI to get the memory
address).

Make a new section at 0x9E000, 0x2000 long, named .SplAj.
Paste IAT.bin to 0x66118 and IT.bin to 0x9E000. Fix up yer header
(OEiP & IT addresses) with PEeditor 1.7.

Does it run? ..... Slight problem with a call to 'C7C6D8', but this is
just a high call with a 'C3 RET', so change the D8C670 at offsets
0x64FAC and 0x64FB0 (reverse byte order!) to C84F46 and put a value
of 'C3' at offset 0x64FC8.

Finished

BTW, the ASProtect is AUTO registered now. Just try to protect
Notepad.exe and then run it... NO NAG!!!!

hOrn_dOg (aka +SplAj)
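The header fix-up described in the post above, as an added example that is not part of the original post or of any tool named in it. It writes the three header changes the post makes by hand in PEeditor (new section entry, AddressOfEntryPoint, import DataDirectory) with nothing but struct. The post's numbers are used as given (OEP 0x458F7C, IAT at 0x66118, new section .SplAj at 0x9E000, 0x2000 long); everything else is assumed: a PE32 dump whose raw offsets equal its RVAs (which is how a full process dump is normally written, and why 0x9E000 is both the end of the 632 KB file and the new section's RVA), an image base of 0x400000, and placeholder bytes standing in for IAT.bin and IT.bin. The sample dump is constructed inline.

```python
import struct

# Values taken from the post; the layout assumptions are in the lead-in.
OEP_VA = 0x458F7C
IAT_RVA = 0x66118
NEW_SECTION = b".SplAj"
NEW_SECTION_VSIZE = 0x2000
IMAGE_BASE = 0x400000            # assumed default base for a Win32 EXE
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x1000              # dump written with raw offsets == RVAs


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def read_u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def read_u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def pe_header_offsets(data):
    """Return (pe, opt, sect, nsec): offsets of 'PE\\0\\0', the optional header and
    the section table, plus NumberOfSections. PE32 only (what a Win2K dump is)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = read_u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = read_u16(data, pe + 6)
    opt = pe + 24
    if read_u16(data, opt) != 0x10B:
        raise ValueError("only PE32 handled")
    sect = opt + read_u16(data, pe + 20)          # SizeOfOptionalHeader
    return pe, opt, sect, nsec


def set_entry_point(data, oep_va):
    """AddressOfEntryPoint is an RVA: subtract ImageBase from the VA SoftICE showed."""
    _, opt, _, _ = pe_header_offsets(data)
    struct.pack_into("<I", data, opt + 16, oep_va - read_u32(data, opt + 28))


def set_import_directory(data, rva, size):
    """DataDirectory[1] (IMAGE_DIRECTORY_ENTRY_IMPORT) = (VirtualAddress, Size)."""
    _, opt, _, _ = pe_header_offsets(data)
    struct.pack_into("<II", data, opt + 96 + 8, rva, size)


def add_section(data, name, payload, vsize=None, characteristics=0xC0000040):
    """Append a section (initialized data, read/write) after the last one; return its RVA.
    Raw data goes at the end of the file, which in a dump is also the end of the image."""
    pe, opt, sect, nsec = pe_header_offsets(data)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    entry = sect + 40 * nsec
    first_raw = min(read_u32(data, sect + 40 * i + 20) for i in range(nsec))
    if entry + 40 > first_raw:                    # no slack left in the header area
        raise ValueError("no room in the header area for another section header")
    vsize = max(vsize or 0, len(payload))
    rva = max(align_up(read_u32(data, sect + 40 * i + 12) + read_u32(data, sect + 40 * i + 8),
                       sect_align) for i in range(nsec))
    raw_off = align_up(len(data), file_align)
    data.extend(b"\0" * (raw_off - len(data)))
    raw_size = align_up(len(payload), file_align)
    data.extend(payload + b"\0" * (raw_size - len(payload)))
    struct.pack_into("<8sIIIIIIHHI", data, entry, name.ljust(8, b"\0"), vsize, rva,
                     raw_size, raw_off, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", data, pe + 6, nsec + 1)                              # NumberOfSections
    struct.pack_into("<I", data, opt + 56, rva + align_up(vsize, sect_align))   # SizeOfImage
    return rva


def rebuild(dump, iat_bin, it_bin, oep_va=OEP_VA, iat_rva=IAT_RVA):
    """The post's recipe: paste IAT.bin over the IAT, put IT.bin in a new section,
    then point the header at the new OEP and import table."""
    data = bytearray(dump)
    data[iat_rva:iat_rva + len(iat_bin)] = iat_bin      # raw offset == RVA in the dump
    it_rva = add_section(data, NEW_SECTION, it_bin, vsize=NEW_SECTION_VSIZE)
    set_entry_point(data, oep_va)
    set_import_directory(data, it_rva, len(it_bin))
    return data


def build_sample_dump(size=0x9E000):
    """Constructed stand-in for Dumped.exe: a PE32 with one section covering 0x1000..size."""
    d = bytearray(size)
    d[:2] = b"MZ"
    struct.pack_into("<I", d, 0x3C, 0x80)
    pe = 0x80
    d[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", d, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", d, opt, 0x10B)
    struct.pack_into("<I", d, opt + 28, IMAGE_BASE)
    struct.pack_into("<II", d, opt + 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", d, opt + 56, size, 0x1000)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", d, opt + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<8sIIIIIIHHI", d, opt + 0xE0, b".text", size - 0x1000, 0x1000,
                     size - 0x1000, 0x1000, 0, 0, 0, 0, 0x60000020)
    return d


if __name__ == "__main__":
    out = rebuild(build_sample_dump(), b"\xAA" * 0x5C4, b"\xBB" * 0x400)
    print(hex(len(out)), read_u16(out, 0x86), hex(read_u32(out, 0xA8)))
```

The section characteristics 0xC0000040 (initialized data, readable, writable) are my choice for the pasted import table; PEeditor's defaults may differ, and the loader only needs the IAT itself (at 0x66118 here, inside an existing section) to be writable.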

SV
February 14th, 2001, 03:43
Hi

Have rebuilt it too... but it's not registered.
Nag screen is shown at random!
Try to execute it many times. (Hi Alex)

SV

hOrn_dOg
February 14th, 2001, 04:05
Hi SV

You're right... about 20 runs, then the NAG!

As R!sc always says... "you have more work to do",
but not today, I have to treat the wife :*

hOrny

tsehp
February 14th, 2001, 08:21
I'm disappointed by the new version:
only a small modification in the redirected IATs, just a push->ret instead of a call.

No more encrypted IATs on my ASProtected 1.2 Notepad.

Alexey, send us the source, we'll fight for you

regards,

+Tsehp

Kayaker
February 14th, 2001, 17:54
You devils 3, is nothing sacred? Heh, heh. 8)

Kayaker
February 15th, 2001, 00:50
Hi All,

I've been walking around the dungeons of Asprotect looking for where the shareware nag is written into a file. Just emerged for more supplies.

As usual the protection peeled like a banana under Revirgin. The shareware nag is in this little snippet (from Notepad) between the Import decryption routine and the OEP jump. BTW, I found a slightly different OEP for the packer on Win98SE.

:0068FB7C EB02 JMP 0068FB80
:0068FB7E FF2569152830 JMP [30281569]
:0068FB84 690005840808 IMUL EAX,[EAX],08088405
:0068FB8A 42 INC EDX
:0068FB8B 891528306900 MOV [00693028],EDX
:0068FB91 F7E2 MUL EDX
:0068FB93 89D0 MOV EAX,EDX
:0068FB95 48 DEC EAX
:0068FB96 09C0 OR EAX,EAX
:0068FB98 7510 JNZ 0068FBAA
:0068FB9A EB02 JMP 0068FB9E

Force the JNZ 0068FBAA and there's no nag. Interesting little routine that gives the delayed nag, not sure exactly how it works though. The value of [EAX] in IMUL EAX,[EAX],08088405 seems to be the determining semi-random factor, but doesn't seem to be stored outside of memory. I thought there might be a simple copying of these bytes to the file during packing, but it doesn't seem so. They exist as hex in the unpacked packer, but don't seem to be used directly.

So I broke on the btnProtectClick event in the unpacked packer and started tracing right up to where the packed image is written to file. Didn't find much 'cept lotsa Delphi bloat.

Well, back into it. If I haven't returned in 24 hrs, send help.

PS: no worries Alexey, I don't think anyone on this end is planning to distribute copies of ASProtect. Think of it as beta testing.

Regards,
Kayaker
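A model of the nag routine in the snippet above, as an added example; it is not code from the post or from ASProtect. The reading is mine: the immediate 0x08088405 (134775813) followed by INC and a store is the Delphi RandSeed update (RandSeed := RandSeed * 134775813 + 1), and MUL EDX / MOV EAX,EDX is the high dword of new_seed * n, i.e. Delphi's Random(n), with the range n sitting in EAX and the seed in EDX (the listing's register names look partly garbled). DEC EAX / OR EAX,EAX / JNZ then fires the nag only when Random(n) == 1. The range 20 is assumed from hOrn_dOg's "about 20 runs"; it is not visible in the snippet. The per-launch initial seeds are assumed to come from time-based seeding, which would explain why the nag appears at random across runs.

```python
MULT = 0x08088405        # immediate from the IMUL: Delphi's RandSeed multiplier (my identification)
MASK = 0xFFFFFFFF
NAG_RANGE = 20           # assumed: not in the snippet, taken from "about 20 runs then the NAG"


def next_seed(seed):
    """IMUL ..., 08088405 ; INC EDX ; MOV [00693028],EDX  ->  seed*0x08088405 + 1 mod 2^32."""
    return (seed * MULT + 1) & MASK


def random_below(seed, n):
    """Delphi Random(n): MUL EDX ; MOV EAX,EDX keeps the high dword of new_seed * n.
    Returns (new_seed, value in 0..n-1)."""
    seed = next_seed(seed)
    return seed, ((seed * n) >> 32) & MASK


def nag_fires(seed, n=NAG_RANGE, patched=False):
    """DEC EAX ; OR EAX,EAX ; JNZ skip: the nag path is taken only when Random(n) == 1.
    patched=True models forcing the JNZ as the post does, which skips the nag for every value."""
    seed, r = random_below(seed, n)
    return seed, (r == 1) and not patched


def nag_window(n):
    """New-seed values that give Random(n) == 1: floor(seed*n / 2^32) == 1,
    i.e. seed in [ceil(2^32/n), ceil(2^33/n))."""
    return -(-(1 << 32) // n), -(-(2 << 32) // n)


def count_nags(initial_seeds, n=NAG_RANGE, patched=False):
    """One draw per launch, each launch starting from its own initial seed
    (assumed time-derived, hence 'random' from run to run)."""
    return sum(nag_fires(s, n, patched)[1] for s in initial_seeds)


if __name__ == "__main__":
    # Constructed sample: 20000 launches with consecutive initial seeds.
    runs = range(20000)
    print("unpatched nags:", count_nags(runs), "of", len(runs))
    print("patched nags:  ", count_nags(runs, patched=True))
    print("seed window for Random(%d) == 1: %#x..%#x" % (NAG_RANGE, *nag_window(NAG_RANGE)))
```

With the range at 20 the routine fires about one launch in twenty, which matches what hOrn_dOg and SV saw; the window printed last is the set of post-update seeds that hit it, so a breakpoint at the store to [00693028] with a compare on that range would catch the nagging runs deterministically.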

hOrn_dOg
February 15th, 2001, 09:05
Hi, and today's OEiP is...... 458FD8!

Everyday a new one Alexey ?

Ya knows we just play with your nice ASProtect, as we do with all the commercial boys, and sure, I have no product bigger than 5k to protect, so phear not that I release a 'patch' exe protected with ASP.

Thanks for the challenges; as you know, we would have nothing to reverse without you ;D

+SplAj