Hi guys I had chance to play further with the latest T&R 1.9
protected with ASprotect 1.2 (evolution) version...
After unpacking and fixing up the dumped exe I tried to patch the opening 'nag screen' not to show ... and I came across the SAME hash/encryted code loop as I described in my 'Bloatware Commview 2.5' message a while ago... that crashes the exe if any bytes are changed. So this routine was not made up by Tamo but our dear friend Alexey !
So how to bypass it. Rather easy actually... just read my notes below and that should get you on your way :-
TagRename v1.9 (DL 26th April 2001)
===================================
OEiP @ 0x551370 / IAT @ 0x1571CC length 0x844
Create new section .SplAj @ 0x249000 length 0x3100
and use Revirgin to restore the API calls and create a new IT 249000
an paste it in your dumped exe.
Set the OEiP and IT addresses with PEditor 1.7 and fix it up to be Win2K compliant (rebuilder)
It does not run :-(
Problem at 0x5513B3 Call [556CBC] - was a high call that did this in Windows ME :-
0187:012DC7C8 833DA835410000 CMP DWORD PTR [004135A8],00
0187:012DC7CF 7406 JZ 012DC7D7
0187:012DC7D1 FF15A8354100 CALL [004135A8]
0187:012DC7D7 C3 RET
Now we have got rid of ASprotect this call no longer exists so the exe CRASHES !
But 'Call [004135A8]' is actually equivalent to 'Call 00550AAC'

.....
so change the 4 bytes at offset VA 556CBC to AC0A5500
(thats raw offset 156CBC for Hex editor)
Fixed :-)
Now it runs.
Next is the 'encryted' checksum problem. If you patch any bytes in the unpacked exe
then you get an 'initialisation error' cos you f*cked the checksum. This is stored
in VA 0x556CAC (raw 156CAC) and the expected value is 879FCC2641A64A6893E91A5A5C8777ED. This is just before the above 0x556CBC bytes !
The code that puts this value there is at 0x550A19, check it out at the REPZ MOVSD !
So just PUT the expected bytes in the dumped exe with a hex editor and change the code that 'pokes' the wrong hash to point to 556CCC

so it is always correct ! Change 1 byte at VA 0x550A22 :- AC to CC (raw 150A22) . Now you can patch what you want
Note: this 'checksum' error is also generated with a 'BPX' in SI as part of the calculation !!! .... so a BPX 550A21 would generate an error before. Now it won't
SplAj