
ASPR G-Lock Software


LaBBa
June 30th, 2002, 09:05
Hi all,
The target I am trying to unpack is:

mirror1.glocksoft.com/aatools.zip
AA Tools 5.12

OEP: 6c5cdb
Image Size: 3e6000

Well, I have unpacked it and rebuilt it with ImpREC, and what I got was a working file!! But when I try to run the prog I first get a msgbox (I guess they used some GetLastError shit) saying there is an access violation at address 404EDF, so I set a BPX there and I saw a loop of
cmp CL, [EDX]
jz
...
..
The loop starts at: 404ed8

When it gets to edx = 1ccb120 the prog crashes (msgbox) and after that the prog continues.. but that is not all: if the About menu is chosen there is also a crash (msgbox)...
:/ .. I tried patching the loop; that didn't help..

So please, can anyone help with how to fix that...
Thanks...
BTW: sorry that I didn't use RevirGin.. I'm used to ImpREC...

foxthree
June 30th, 2002, 18:41
LaBBa:

I'm not too sure, but I think that mem area contains the Hardware ID calculation/decryption routines/data. That is why it happens both at startup and on clicking About. Now that you've removed ASPR, the code is not present and hence the above message. ASPR uses SetUnhandledExceptionFilter (and not GetLastError()!!!).

Okay, patching the loop is the wrong way to go. If you set a BPMB on 1A93861 RW and 1ABABC4 RW you'll see how many times it breaks. To me, I think it all has to do with the CALL at 409823.

See if this helps.

Signed,
-- FoxThree

PS:
I have a small question of my own though:

This, I believe, is the loop code:

<CODE>
    017F:00404EDA  85D2        TEST EDX,EDX
    017F:00404EDC  7421        JZ   00404EFF
    017F:00404EDE  52          PUSH EDX
==> 017F:00404EDF  3A0A        CMP  CL,[EDX]
    017F:00404EE1  7417        JZ   00404EFA
    017F:00404EE3  3A4A01      CMP  CL,[EDX+01]
    017F:00404EE6  7411        JZ   00404EF9
    017F:00404EE8  3A4A02      CMP  CL,[EDX+02]
    017F:00404EEB  740B        JZ   00404EF8
    017F:00404EED  3A4A03      CMP  CL,[EDX+03]
    017F:00404EF0  7405        JZ   00404EF7
    017F:00404EF2  83C204      ADD  EDX,04
    017F:00404EF5  EBE8        JMP  00404EDF        (JUMP)
    017F:00404EF7  42          INC  EDX
    017F:00404EF8  42          INC  EDX
    017F:00404EF9  42          INC  EDX
    017F:00404EFA  89D1        MOV  ECX,EDX
    017F:00404EFC  5A          POP  EDX
    017F:00404EFD  29D1        SUB  ECX,EDX
    017F:00404EFF  E9D4FEFFFF  JMP  00404DD8
    017F:00404F04  C3          RET
</CODE>

At PUSH EDX, EDX has values like:

"Microsoft wsock32.dll, ver2.2, 32bit of Apr 22 1999, at 20:29:32", the logon username, the machine name, the prog version 5.12, and the prog version and build no. 5.12.0.950. What does the above loop do with these values? It seems to construct strings like
"Moto21e22 A29 29.raTNCIWeo" (which is every 4th char in the first string). Hmm, where does all this go? To calculate the Hardware ID?
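The loop in the listing above, rendered in C as an added example (this is not code from the original post or from AA Tools). Read instruction by instruction, it is an unrolled character search: EDX is the string pointer, CL the byte being looked for, and ECX comes back as the offset of the first byte equal to CL. The function name scan_offset and the -1 return for a NULL pointer are assumptions made here; the asm just skips the loop and leaves ECX untouched in that case. The sample string is the first value foxthree reported seeing in EDX.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* C rendering of 00404EDA..00404EFF (added example, names are assumed). */
long scan_offset(const unsigned char *p, unsigned char c)
{
    const unsigned char *start = p;

    if (p == NULL)                                    /* TEST EDX,EDX / JZ 00404EFF */
        return -1;                                    /* assumption: asm leaves ECX untouched */

    /* PUSH EDX keeps the start pointer. Four bytes are compared per
     * iteration and the loop stops at the first one equal to CL. There is
     * no terminator or length check: with c == 0 this is strlen(); with any
     * other c it keeps reading until it finds c or touches unmapped memory.
     * A pointer into a region that only existed while ASProtect was loaded
     * therefore faults here, which is the access violation at 404EDF. */
    for (;;) {
        if (p[0] == c) return (long)(p     - start);  /* CMP CL,[EDX]    / JZ 00404EFA */
        if (p[1] == c) return (long)(p + 1 - start);  /* CMP CL,[EDX+01] / JZ 00404EF9 */
        if (p[2] == c) return (long)(p + 2 - start);  /* CMP CL,[EDX+02] / JZ 00404EF8 */
        if (p[3] == c) return (long)(p + 3 - start);  /* CMP CL,[EDX+03] / JZ 00404EF7 */
        p += 4;                                       /* ADD EDX,04 / JMP 00404EDF */
    }
    /* MOV ECX,EDX / POP EDX / SUB ECX,EDX: ECX = match - start. */
}

/* Reference implementation with a bound, to check the unrolled loop against.
 * Returns -1 if c is not within the first n bytes (the asm has no such bound). */
long memchr_offset(const unsigned char *p, unsigned char c, size_t n)
{
    const unsigned char *hit = memchr(p, c, n);
    return hit ? (long)(hit - p) : -1;
}

/* Constructed sample input: the first string foxthree saw in EDX. */
static const char sample[] =
    "Microsoft wsock32.dll, ver2.2, 32bit of Apr 22 1999, at 20:29:32";

const char *sample_string(void) { return sample; }

/* Offset of the first ',' in the sample (the "wsock32.dll," separator). */
long sample_comma_offset(void)
{
    return scan_offset((const unsigned char *)sample, ',');
}

/* With c == 0 the loop degenerates to strlen(). */
long sample_strlen_via_loop(void)
{
    return scan_offset((const unsigned char *)sample, 0);
}

int main(void)
{
    long asm_way = sample_comma_offset();
    long ref_way = memchr_offset((const unsigned char *)sample, ',', sizeof sample);

    printf("offset of ',' : loop=%ld memchr=%ld\n", asm_way, ref_way);
    printf("length via loop: %ld (strlen=%zu)\n",
           sample_strlen_via_loop(), strlen(sample));
    return asm_way == ref_way ? 0 : 1;
}
```

The point for the unpacking problem is in the loop body: nothing bounds the read, so the fault is not a bug in the loop but a consequence of EDX pointing at a buffer (1ccb120) that the stripped ASProtect layer used to own. Patching the compare does not help because the string the caller wants is simply not there any more.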

Solomon
July 1st, 2002, 02:19
I once successfully unpacked AATools (maybe not the latest build). This prog just gets the registration user name and hardware ID from ASPR with the ASPR API. If the name is empty, you get an unregistered version; otherwise it's a registered one. So, just as foxthree said, if you unpack ASPR it will crash when it tries to get the necessary strings from ASPR. Just patch this and hard-code your name into the unpacked EXE, and you will get a fake registered version. I think some functions can be enabled only when you have a real key; please check the context menu "copy to clipboard" in its proxy analyzer.

There is a working release xxxxxxxxx. I believe they unpacked this baby with a real key. Correct me if I'm wrong.

Lord_Soth
July 2nd, 2002, 14:22
Hey sol,

Wanna elaborate ? :-)

I haven't played with ASPR, what's this about an API ?

And how are the different keys "different", in your opinion?

LS

MrMiniMe
July 3rd, 2002, 10:36
Well, I haven't seen an ASPR HW ID before.. Nice!!

But I didn't see any answer about how to fix it...

Does anyone know how to fix that kind of thing??

phop007
July 5th, 2002, 17:10
I also successfully unpacked aatools 5.0 (old build) but not the latest version. Fortunately I found the unpacked+cracked version on the net (xxxx) and it is fully working. Never bothered with it again.