kill process


kalisto
September 3rd, 2002, 09:58
Hi all, I unpacked an ASProtected target, patched two bytes to remove the registration, and the proggy runs, but the problem I encountered is that I cannot exit the proggy.
Of course I can kill the process with LordPE but it is not the best solution. The proggy is 7D Shifter ver 1.0
hxxp://www.7dgames.com. It is a cute little game. Any suggestions?

DakienDX
September 3rd, 2002, 10:18
Hello kalisto !

Maybe you would like to share a bit more information.

Why can't you exit the program?
Is the "X" grayed out?
Is the menu entry for "exit" disabled?
Can you exit the ASProtected copy?
Can you exit the unASProtected but unpatched program?
Does the program import ExitProcess or similar?
Are you sure you rebuilt all imports correctly?
Did you still have the same problem after rebooting?

kalisto
September 4th, 2002, 08:50
More explanation.
The patched unpacked proggy has a dialog box with four buttons: help, paste (for pasting the reg. key), register and exit.
All buttons are active (not grayed). When I press the exit button nothing happens. You can play the game but the dialog box disappeared.
Of course a menu exists with two pop-ups. The first has an exit option (not grayed). Pressing that exit button the proggy disappears but the proggy is still running. I know that because the proggy is still in the LordPE display.
The ExitProcess API exists and if you force the proggy to the ExitProcess API (assembling a jmp ExitProcess) the proggy exits.
The ASProtected proggy is OK. I probably rebuilt the imports OK with ImpREC with the ASProtect plugin enabled, but I must NOP one call to one location, otherwise the proggy crashes; that patch is irrelevant, though, and I can exit normally. Rebooting changes nothing.
The interesting thing is I unpacked the proggy on Win 2000 only with OllyDbg, ImpREC and PEiD for finding the OEP.
Finally, the unpatched proggy exits OK but I cannot play.

DakienDX
September 4th, 2002, 09:16
Hello kalisto !

"PEID for finding OEP" ?

You mean you ran the program, dumped it when the first dialog box popped up and used the OEP resolved by PEiD?

My guess would be that the program has already set some internal variables and you dumped them too. So the program doesn't set the variables when running again (since they're already set). This could mean some variables contain wrong values or pointers.

But if you traced the program with OllyDbg to its OEP, suspended it there and dumped it then, there should be no problem with this.

If a "Paste" button is present, it's possible that the program uses the ASProtect built-in registration functions (so nobody needs to enter the long registration string manually). So it could be using values passed by ASProtect to the exported functions. If the ASProtect layer is removed, the exported functions are not called any more and the values are unset.

I don't know more possibilities at the moment.

kalisto
September 5th, 2002, 09:29
Yes Dakien DX, I traced the program to the OEP provided by PEiD (great tool) but also checked with Foxy's OEP finder and it's the same. Of course I suspend the proggy with the famous loop - jmp eip - and then dump with LordPE.
Maybe you should look at program yourself.

DakienDX
September 5th, 2002, 20:24
Hello kalisto !

I've no problems on my PC. I can press all buttons. I needed two patches to get rid of all registration code which nobody needs.

The program uses the ASProtect built-in registration functions. Read in the ASProtect documentation to see how they work.

Normally the program shouldn't be able to run if it is unpacked but unpatched. Try to find the error there and patch it away as well as the next error and the program will run.

kalisto
September 6th, 2002, 10:22
Hi Dakien DX
I patched (NOPed) the call at 401702 because it jumps to an ASProtect address which doesn't exist.
FF15 94424400 CALL NEAR DWORD PTR DS:[444294]
and address 00427E9F 74 09 JE SHORT dumped_.00427EAA (74 with 75).
The second patch is necessary because if it is not patched I can't play. It just completely exits. If I change 74/75 I can play, but when I press exit the proggy disappears from the screen but still runs in memory.
My question is: did you remove the dialog box titled "Notice about UNREGISTERED ..."?
How do you start the game? I press the exit button or the register button ---- msgbox --- OK.
Did you patch the address as I did or something else?
What OS do you run? I unpacked on Win 2000.
Thanks!

NervGaz
September 6th, 2002, 10:38
Quote: Originally posted by kalisto
If I change 74/75 I can play, but when I press exit the proggy disappears from the screen but still runs in memory.

Sounds like it issues an EndDialog() (or something similar) but doesn't RET from the WndProc, so it never gets to ExitProcess()... Just a thought though, I might be completely wrong...

DakienDX
September 6th, 2002, 11:05
Hello kalisto !

Yes, I patched the same address at 00401702. But you must not NOP out the call, you must redirect it to the procedure it was supposed to call (trace into the call while the ASProtect layer is still present and see which procedure it calls).

After that the program thinks it's registered and tries to load the name it's registered to. But this also fails if the ASProtect layer is not present. So you can set the value it tries to load to "0" and see the unregistered message only in the about box (and it runs without any limitations), or you can change the value and set your own registered owner text somewhere.

kalisto
September 7th, 2002, 07:10
After all, I did it. Thanks Dakien DX. I patched 401702 into jmp 401708, then 40170F into jne 401781 and finally 00401789 into jne 00401816 and it works fine. Thanks again.

DakienDX
September 7th, 2002, 08:28
Hello kalisto !

Not the way I thought of, but if it works it is OK.

If you don't remove the ASProtect layer and trace into the call at 00401702, you'll find some ASProtect code which calls a procedure in the main program. Remember this address and patch the unpacked file to call that address instead of NOPing out or jumping over the call.

Then the program tries to read the name it's registered to and tries to get its length. Since the address points to ASProtected code, it is not valid and will fail. Set the address to "0" so the program skips this part and just shows "Unregistered Version", or redirect this address to some address in the program's memory and put your name there. Then it shows "Registered to: " and your name.

kalisto
September 11th, 2002, 07:16
Yes, you are right. Thanks!