asprotect phase two!


vbdisease
May 13th, 2002, 20:54
hi all,

this may not be a typical "how to find the oep" thread.
i've got some questions beyond the first hurdle.

i really got through the whole process and now i'm really
happy because my first unpacked app does SOMETHING!
(not what i expected, but its alive...somehow :/ )

i used fox's great oep-finder, superbpm, si and imprec to hunt down all the imports and fix my dump.

but now, as +splaj mentioned in his cv-tut, NOTHING happened at all when i start the dumped.exe. i searched for a filecheck or a crc but with no luck.

i never went that far. i'm really excited. hehe. even DeDe shows fine content and w32dasm (after setting the right section characteristics) disassembled everything well.

but the damn little proggie refuses to pop up

so, my question: is there someone who could have a look with me at this "phase 2" ??? what did i overlook??

this is NOT a crackreq...i didn't want to post too much info from "phase one"...but if there's someone who asks for it (pm?) i will be glad to discuss it with him. if the "missing thing" is not "asprotect related", then plz tell me.

thank you all....

regards
vbdisease

h**p://w*w.howcares.i.unpacked.it

crUsAdEr
May 13th, 2002, 21:02
Hi Vbdisease,

nice work on Asp... well there are various reasons why the damn proggie won't run, i have never looked at this particular target but my suggestion is get down to tracing it... i mean the dumped exe... use a ring 3 debugger like w32dasm or Olly debugger or something, trace to see where it exits... and then see the conditional jumps before that... and of course use IDA to disassemble it, and Dede :>>...

it depends on where you dump the program, if you dump before dippings, the Get Date Trial Asp API is not initialised and hence the variable value in your dump will most likely be -1, for both length of trial and days left, hence the dumped exe exits itself.. but then that is just another guess... get tracing and you'll find it.. of course, compare the code flow with the packed program itself....

Hope this helps somehow, good luck!
crUsAdEr

vbdisease
May 13th, 2002, 21:47
hi crusader,

man, after reading your post (and another beer)...i tried it again.

what can i tell...am i too dumb to see what's obvious?? it was right in front of my "drunken" eyes..hehe...

right after the oep there is this "backstep" to aspr:

...
015F:005818FE FF157C425800 CALL [0058427C]
....

from "original" app i got this:
...
015F:0128E8CC CMP DWORD PTR [0129666C],00
015F:0128E8D3 JZ 0128E8DB
015F:0128E8D5 CALL [0129666C]
015F:0128E8DB RET
....

guess what i found at 0129666C?

-> DS:0129666C=00580CBC

hehe...it's so simple...all i have to do is change the CALL [0058427C] in dumped.exe to CALL 580CBC....

UNPACKED!!! *JUMP* *jump* *CHEERS*

ok..there may be some further "backsteps"..but they can't kill my happiness right now!

hehe..now my last question:

is beer good for cracking? ) some may overlook the obvious!

i'll stay tuned....up to the next aspr!!!!!!! )

regards
vb
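As an added worked example (not code from the thread or from any of the posters), here is the patch vbdisease describes in the last post, done by hand on the dump instead of in a hex editor: the 6-byte indirect `CALL [0058427C]` (FF 15 + pointer) that ASProtect resolves at runtime is rewritten as a 5-byte direct `CALL 00580CBC` (E8 + rel32) plus a NOP so the instruction stream stays aligned. The VAs are the ones quoted in the thread; the one-section layout and the zero-filled buffer standing in for the dumped .text section are constructed assumptions, since the real dump's PE section table is what decides the VA-to-file-offset mapping. The same routine also handles a `JMP [mem]` (FF 25) backstep, turning it into `JMP rel32` (E9), which goes a little beyond the single CALL in the post.

```python
"""Rewrite an ASProtect 'backstep' (indirect CALL/JMP through a pointer the
protector fills at runtime) as a direct CALL/JMP to the address the stub was
seen to reach while tracing.  Example for this thread, not the poster's code."""
import struct

# Values quoted in the thread.
CALL_VA   = 0x005818FE   # "015F:005818FE FF157C425800 CALL [0058427C]"
PTR_VA    = 0x0058427C   # pointer slot the ASProtect stub resolves at runtime
TARGET_VA = 0x00580CBC   # "DS:0129666C=00580CBC": where control really ends up

# Assumption (constructed): one section as (virtual address, raw offset, raw size).
# A real dump's section table is authoritative; read it from the PE header.
SECTIONS = [(0x00581000, 0x400, 0x1000)]

# FF 15 disp32 = CALL [mem] -> E8 rel32 ; FF 25 disp32 = JMP [mem] -> E9 rel32
INDIRECT_TO_DIRECT = {0x15: 0xE8, 0x25: 0xE9}


def va_to_offset(va, sections):
    """Map a virtual address to a raw file offset through the section table."""
    for sec_va, raw_ptr, raw_size in sections:
        if sec_va <= va < sec_va + raw_size:
            return va - sec_va + raw_ptr
    raise ValueError("VA %#x is not backed by any section" % va)


def rel32(insn_va, target_va, insn_len=5):
    """Little-endian rel32 for a 5-byte E8/E9: target minus the address of the
    instruction that follows (insn_va + 5); negative for a backward call."""
    disp = target_va - (insn_va + insn_len)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target %#x not reachable with rel32" % target_va)
    return struct.pack("<i", disp)


def patch_indirect(buf, sections, insn_va, expected_ptr_va, target_va):
    """Rewrite the 6-byte indirect CALL/JMP at insn_va as direct + NOP.

    Refuses to patch unless the bytes really are FF 15 / FF 25 and the
    pointer operand is the slot that was traced, so a wrong VA or a shifted
    dump fails loudly instead of being silently corrupted.
    Returns (old_bytes, new_bytes)."""
    off = va_to_offset(insn_va, sections)
    old = bytes(buf[off:off + 6])
    if old[0] != 0xFF or old[1] not in INDIRECT_TO_DIRECT:
        raise ValueError("no indirect CALL/JMP at %#x: %s" % (insn_va, old.hex()))
    (ptr_va,) = struct.unpack_from("<I", old, 2)
    if ptr_va != expected_ptr_va:
        raise ValueError("operand [%#x] differs from traced slot [%#x]"
                         % (ptr_va, expected_ptr_va))
    new = bytes([INDIRECT_TO_DIRECT[old[1]]]) + rel32(insn_va, target_va) + b"\x90"
    buf[off:off + 6] = new
    return old, new


def make_sample(modrm_byte=0x15):
    """Constructed stand-in for the dumped .text section: zero-filled, with the
    thread's CALL [0058427C] (or a JMP [mem] variant) at its file offset."""
    buf = bytearray(0x1400)
    off = va_to_offset(CALL_VA, SECTIONS)
    buf[off:off + 6] = bytes([0xFF, modrm_byte]) + struct.pack("<I", PTR_VA)
    return buf


if __name__ == "__main__":
    sample = make_sample()
    old, new = patch_indirect(sample, SECTIONS, CALL_VA, PTR_VA, TARGET_VA)
    print("%08X: %s -> %s" % (CALL_VA, old.hex().upper(), new.hex().upper()))
```

The pointer check matters in practice: a dump taken at the wrong moment, or a section table that was edited after dumping, can put a different instruction at the expected offset, and the refusal is what tells you the mapping is off rather than the patch being wrong. Any further backsteps found while tracing are handled the same way, one traced target per pointer slot.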