aspr license routine


Nigma
October 3rd, 2002, 23:10
Hi everyone ,

I traced some asprotect routines, and I know that many appz
protected by it are registered by a license which is checked by
rsa-1024. My question is:

At the end of the check routine, isn't it just a matter of a flag/indicator which is triggered if the license is OK??

If yes, has someone seen something like that??

Well, I came to that speculation by thinking of the app which is
protected: the app does not check our license before
it shows the nag, it just checks some flag/indicator. I know that
because the rsa-1024 routine is in the aspr code and it is not
called by the app.

DakienDX
October 4th, 2002, 10:48
Hello Nigma !

You might want to look at the ASProtect documentation. Then you would understand how it protects an application.

It has callback functions which the protected program can use to interact with ASProtect, even after the application is loaded and running.

You will also find out that ASProtect uses "signatures" and encrypts parts of the code segment. These parts will be skipped if no license key is present, but if you tell ASProtect that a right key was found (inversing a flag/jump), ASProtect will decrypt the encrypted parts of the code segment with the license you've provided. Since your license will be invalid (else you wouldn't want to do this), the code will be decrypted wrong and simply crash on execution.

So whether the license is OK is not a question of a flag, and the application can call the RSA procedure itself (over the callbacks).

DakienDX
October 6th, 2002, 02:29
Hello Nigma !

No, the callback functions don't exist any more when the program is unpacked.

You have to manually clear the values passed to the program by ASProtect (address of registered name, days left, ...), since these values are already set at the OEP and contain some memory address which is not present in the unpacked file. This will finally lead to some memory access error.

How the program reacts to the missing callbacks is different. Some crash since they try to use the callbacks without checking if the address they're calling is 00000000h, some will work without the callbacks since they check if ASProtect passed them a callback address or if the address is still 00000000h.

Then there are two callbacks, one is executed if trial version, the other is executed if registered version. It depends on the program if it's "normally" registered and sets itself to trial if the callback is executed or if it's vice versa.

But this isn't the main problem. This is just a basic cracking issue.
The parts of the code segment which are encrypted with the help of the signatures will still be encrypted if you unpack the file, so without a valid license there will always be code missing (for example the save function). You can only get a complete dump if you have a valid license. (And then you probably wouldn't try to unpack it.)

DakienDX
October 13th, 2002, 21:36
Hello _Servil_ !

I have never tried myself to bruteforce the missing bytes, but it should be impossible. As far as I know it uses Twofish to encrypt the data. I don't know how many bits long the password is, but probably 64 or 128 bit.
With 64 bits it would take many years and with 128 bits it would be nearly impossible.

As I already wrote, the encrypted code is decrypted only with a valid license. If the key is invalid the program will just jump over the code (or crash if you told ASProtect that the key you entered was correct, but it was really not).

If you've heard about ASProtect documentation, why don't you download ASProtect and read it instead of asking if it is possible to download it.
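The design point DakienDX makes across these replies (a protector that merely sets a flag can be bypassed by flipping the flag, while one that encrypts code sections under a key derived from the license leaves nothing useful to flip) can be shown with a small model. The following is an added illustration written for this thread, not ASProtect's code and not anything posted by the participants. It assumes a hash-based key derivation and an HMAC-SHA256 counter keystream as a stand-in for the Twofish encryption mentioned above, and it does not model the RSA-1024 license signature check that precedes key derivation in the real product. The license string and the "code section" are constructed sample values.

```python
import hashlib
import hmac

# Constructed stand-in for an encrypted code section (e.g. the save function):
# the protector only has to store its sealed form in the binary.
PROTECTED_PAYLOAD = b"save_document(): write the buffer to disk"
TAG_LEN = 16


def derive_key(license_blob: bytes) -> bytes:
    """Key derived from the license text (assumption: SHA-256, not the real KDF)."""
    return hashlib.sha256(b"demo-protector-kdf|" + license_blob).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; demo substitute for Twofish."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal_section(plain: bytes, license_blob: bytes) -> bytes:
    """Encrypt a code section under the license key and append an integrity tag."""
    key = derive_key(license_blob)
    tag = hmac.new(key, plain, hashlib.sha256).digest()[:TAG_LEN]
    return _xor(plain, keystream(key, len(plain))) + tag


def decrypt_section(sealed: bytes, license_blob: bytes):
    """Return (decrypted_bytes, tag_ok). With a wrong license the bytes are garbage."""
    key = derive_key(license_blob)
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    plain = _xor(body, keystream(key, len(body)))
    expected = hmac.new(key, plain, hashlib.sha256).digest()[:TAG_LEN]
    return plain, hmac.compare_digest(expected, tag)


def flag_gated_program(license_ok: bool) -> str:
    """Design 1: the feature code is fully present; a boolean decides whether it runs.
    Nothing about the code depends on the key, so the flag is the whole check."""
    return "save ran" if license_ok else "nag"


def key_gated_program(sealed: bytes, license_blob: bytes, force_valid: bool = False) -> str:
    """Design 2 (the behaviour DakienDX describes): the section exists only in
    encrypted form. Without a valid key the protector skips it and shows the nag;
    if the program is told the key is valid anyway, it runs wrongly decrypted bytes."""
    plain, tag_ok = decrypt_section(sealed, license_blob)
    if not tag_ok and not force_valid:
        return "nag"  # section skipped, feature simply missing
    # "Execute" the section: only the genuine bytes behave as intended.
    return "save ran" if plain == PROTECTED_PAYLOAD else "crash"


# Constructed sample license; any other string derives a different key.
GOOD_LICENSE = b"NAME=demo-user;SERIAL=constructed-0001"
WRONG_LICENSE = b"NAME=demo-user;SERIAL=0000"
SEALED_SECTION = seal_section(PROTECTED_PAYLOAD, GOOD_LICENSE)

if __name__ == "__main__":
    print("flag design, flag patched:", flag_gated_program(True))
    print("key design, good license: ", key_gated_program(SEALED_SECTION, GOOD_LICENSE))
    print("key design, wrong license:", key_gated_program(SEALED_SECTION, WRONG_LICENSE))
    print("key design, flag patched: ", key_gated_program(SEALED_SECTION, WRONG_LICENSE, force_valid=True))
```

The integrity tag is what turns "crash on garbage" into a controlled skip: a protector that can tell it decrypted nonsense can fall back to the trial path instead of executing it. Brute-forcing the missing bytes means brute-forcing the key (here 256 bits; the thread estimates 64 or 128 for the real product), which is why a dump taken without a valid license stays incomplete.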