Azpr's new check time algo !


Nigma
October 18th, 2002, 22:04
Hello all ,

As you may know, proggies protected with the asprotect version don't close Filemon & Regmon anymore. It seems that Alexey doesn't have anything to hide in the registry; I tried to get more trial time with no success.
Does someone know how to crack the new aspr time check?

Paul333
October 19th, 2002, 00:21
I don't know if it's the same for all apps, but the one I've got is packed with the new strain of asprotect 1.2, and when my trial period runs out I just double click a reg file I made for it and it runs... so obviously it does check certain keys for flags, but what those keys are I'm not too sure at the mo, as the reg file I use has 16 keys/values in it. How did I make it? It wasn't straightforward. I installed the app using easyclean but somehow it didn't catch all the keys that were changed, but thankfully I already had a copy of a registry I had saved using an app called Testrun months ago, so I reinstalled that registry and the asprotected app ran again like new. In order to track what keys were changed I saved a copy of that old Testrun registry in Advanced Registry Tracer, then ran the asprotected app again and did a compare... so as I say I'm not exactly sure what keys were changed by asprotect, but I'll check it out.

paul333

foxthree
October 19th, 2002, 16:23
Nigma:

It is pretty straightforward. I tested it with LogFileTail (latest-latest-ASPR strain ). *Hint* Look for ASprotect in the regmon trail and you can't miss it.

Signed,
-- FoxThree

Paul333
October 19th, 2002, 20:17
foxthree.. nope, it's not as simple as that. Just deleting or renewing the value in HKEY_USERS\.DEFAULT\Software\ASProtect\Data doesn't work.

paul333

wbe
October 19th, 2002, 21:26
Try this:

Delete the related binary value under HKEY_CURRENT_USER\SOFTWARE\ASProtect\Data

then use Microsoft's Regclean.exe. Run the app.



P.S. I didn't actually try this because I usually finish aspr off first. Somebody once told me about this trick.

Good luck

Nigma
October 19th, 2002, 22:02
Found Something !!


Well, I found that if I delete the reg under ASPROTECT which foxthree talked about, aspr reads a lot of registry keys and builds a new value. After a little tracing I saw that aspr is using the RegEnumKeyExA API to read almost all CLSIDs. I think it is to fool REGMON (to make it hard to read all the keys and see something interesting), but I am sure it uses it to build the new value that I mentioned, because when I deleted some CLSID keys the proggie starts a new trial time!

wbe
October 19th, 2002, 22:18
Tried on a couple of aspr'ed proggies now.

In fact, there is always one specific CLSID key (for each app, of course), not some. A quick search on regmon log reveals the repetitive patterns.

Take a closer look.


foxthree
October 20th, 2002, 15:29
The CLSID AFAIK was an old ASsPR trick. I still vividly remember the time I deleted the HKCR\CLSID to get the trial back. That was way back (I think CoolMouse from ShellToys or something like that). Anyways, I think the new strains did away with CLSIDs but who the heck knows phully... there are too many ASsPR strains. Hey, maybe AV vendors should name ASsPR strains for our sakes

Signed,
-- FoxThree

wbe
October 20th, 2002, 18:51
Hiya, foxthree

KAV now identifies aspr. Versions 1 to early 1.1 are mostly not identified. Then it identifies as "PE_Patch". From early 1.2 to date it is "PE_Patch+ASProtect". I have a couple of progies which always use the latest version. So I can closely follow what's new with aspr now. KAV also gives some indications on the version upgrades. It takes longer (and longer) for it to identify latest aspr versions regardless of size of the executable.

Anyway, I compared five September babies (latest being Sep., 22) and here is what I got:

If "HKEY_CURRENT_USER\SOFTWARE\ASProtect\Data\XXXXXXXXXXXXXXXX" (the value of which holds the date of installation) is missing, Aspr always checks the key below, amidst a thousand junk ones, to make sure no trial reset attempt is made. I guess the key holds the unique product identifier data:

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{XXXXXXXX-XXXX-11D6-8481-000054534544}\TypeLib]

So, deleting both gives you a virtual clean install each time. At least, this was the case for my PC. I couldn't check it on another PC.

Hope this serves as a useful hint for "those who could not unpack in 30 days", as +SplAj once quoted (and, what a courteous wording of him) in a reply to the thread I started about "latest aspr tricks".


Have you got stg. interesting about the new strains, foxthree?

wbe

Peacemaker
October 21st, 2002, 08:29
Last weekend I did a loader on Advanced Office 2000 Password Recovery, so you can register the program much easier:

1. Go to the registration screen of the program
2. Enter any serial
3. Set a bpx messageboxexa
4. When it breaks, press F12 until you are in program code and take the next call
5. Go inside by pressing F8
6. Overwrite the first bytes by doing an "a" (without the ") and pressing ENTER, then writing 1 in al by doing a "mov al,1" (without the ") and ENTER, and then setting a return by typing "ret" (without the ") and ENTER
7. Remember the virtual addresses where you did that and do a loader for this program

You need to do an aspr loader; normal loaders won't work because aspr protected programs have loader protections. You can get some ASPr loader asm source from the WKT! site...

ciao, Peacemaker

foxthree
October 21st, 2002, 10:27
Peacemaker:

I don't think *any* serial would work. How did you manage to decrypt the code encrypted fragments in aopr?

Signed,
-- FoxThree

Peacemaker
October 21st, 2002, 11:45
I haven't managed to get a valid serial yet, and I think this won't happen some day. I created a loader which registered Advanced Office 2000 Password Recovery 1.20. And if you want me to, I could send you the asm source of the loader.
I use Win98SE with SoftIce 4.05 and Icedump loaded to crack this app. It's easy doing a loader, but it's also possible to unpack and de-blacklist a blacklisted serial and register with the serial you de-blacklisted. But this would take spending much more time, so doing a loader is the easiest and the fastest way to do it...

greetz, peace

foxthree
October 21st, 2002, 13:32
Hmmm... if I remember right, Elcomsoft guys encrypt critical code sections that can be decrypted only with the correct serial. The same was the case with aopr 1.2 which I last unpaxed and regged. Unless they've changed the scheme, if you just force decryption with some random serial, the code will be junk and surely the app will crash. Did you try accessing the disabled portions of the application after regging? I'm sure you'll see what I mean.

Hint, search for posts by the great +SplAj, SV and of course my friend Crusader [Where art thou, Crus...?]

Signed,
-- FoxThree

Peacemaker
October 21st, 2002, 14:19
@fox: you mean the 5 char limit at the wordlist search? I now can search for more than 5 char passwords...

Is that what you meant? I think so, or?

I've seen a rls from a group whose name I now can't remember, but that I'll post here if I'd time to dupe. The group released the pro version of the program WITH keygen... thought of it being a joke but need to know if this file really exists...

foxthree
October 21st, 2002, 15:17
AFAIK, there have been no keygens for elcomsoft apps (at least publicly) and there have been only serialz leaks. Again, I ask, how did "any" serial work?

Signed,
-- FoxThree

evaluator
October 21st, 2002, 17:06
Hello, Peacemaker!

I did as you wrote,
e.g. overwrote the first bytes with your full text:

"a" (without the " + press ENTER

NOT WORX!

What is wrong!?

~:0

+SplAj
October 22nd, 2002, 12:06
Peacemaker

I do not believe that it is possible (in the short run of a million years or so) that a specific aspr target can be keyed.

What I know can be done, as i've done it myself, is this :-

1) Find a blacklisted key for your target
2) Use it and trick target (aspr code !) that key is ok
3) Target 'decrypts' ALL encrypted trial sections (e.g. open 'VBA' in AO2000pro)
4) Dump and rebuild exe
5) Correct the header with .code, .data, .bss, .rsrc etc etc to get back to original exe
6) Re-RUN ASPR on your unpacked target as a new project with a NEW set of keys ...... and you have a keygen !

I have done this with last AO2000pro v1.20
ASPR simply re-encrypts the marked sections and U own the target.

Now......I am waiting for latest AOXPpro 'blacky' to appear
and NO I don't release keygens......but I may do a tut on this scheme....or

Peacemaker
October 23rd, 2002, 08:35
I sure believe that the target only fully decrypts if a valid serial is entered, but as I see it the program is fully registered and the crippled functions work as well. If you want me to I'll send you the loader.

I would be interested in the scheme described last, of using a blacklisted serial, unpacking it and then re-protecting it with asprotect, so making your own keygen.

I'll be waiting for the tut

Peacemaker
October 23rd, 2002, 08:36
@+splaj: I read a lot of your posts, and I did a long search for your tutorials on the net, but I haven't had any success in it. Would it be possible to send me some tutorials of yours, or is there still a site where I can find them?

thankfully, peace

+SplAj
October 23rd, 2002, 14:48
hi peacemaker

sadly (or gladly) www.discompress.com is no more; all my old ramblings are hyperdust.

I keep thinking about making tuts in the standard format of Fravia html.....but as i'm usually sipping whiskey+coke by the poolside each day and with the mp3 music from my iPaq adding to the haze such ideas soon get blown away .......

Honestly, tuts are a bad bad bad idea, unless they discuss the theory and make the user THINK..... too many times JNZ 456789 is not in the latest target app....and confusion and frustration abound.

So do this :-

Find AO2000pro version 1.20......
Unpack it, make the jumps to get 'business licence'

All should be ok ......except if you press VBA ....hmmmm shit.

Now SEARCH the www for a 'blacky' (that's not asian pron) and enter it into the registry 'key'. You will notice it is Elcomsoft's own proprietary licence scheme, much more 'insecure' than Alexey's, but it is still used by ASPR to decrypt just the same.

Now trace through the code again in the original ASPR protected version, make it 'business licence' again with WinHex or SI poke, whatever; now it is fully registered AND decrypted, VBA is zuper gut and NOW dump and rebuild this baby.

Compare the 2 dumped.exe files with HexWorks...... all sections are decrypted and you own AO2000pro.

Now some fun, PLAY with that licence.... how many characters have to be valid.....hmmm bruce force maybe possible this side of a million years ....maybe I like RCE......maybe I play Bruce Lee with OTHER Elcomsoft targets......... eeeeeeeyaah

_Servil_
October 23rd, 2002, 18:21
Hello,

This might be a little OT, but as I see Elcom discussed here: their sn check func is what I wanted to ask about here recently. This is a simple, no-call/loop/jump, but pretty long (a couple hundred ops) sub taking something like a 'magic tale' ;-) with the sn, producing another serial. The goal is to get the input -- the serial, knowing the result and the second arg -- after hours of work the formula could be constructed, but it's too complex to isolate the input serial, for me, and BF is pointless since the serial has over 20 characters. Did someone inverse these funcs? Just curious.

JMI
October 23rd, 2002, 19:58
Peacemaker:

If you do a search "here" with "+Splaj tuts" you will find some of his masterpieces from his discompress site. A number of them are also in the unpacking section of Krobar's site.

wbe:

I'm working on trying to "reactivate" an aspr 1.2 file which has expired through problems with attempting to learn sice on win2k. I am going through the regmon printout and find no key

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{XXXXXXXX-XXXX-11D6-8481-000054534544}\TypeLib]

like you suggested as being checked by the program if the asprotect\data file is deleted. Are you using Win98, and do you know if the file is different on Win2k?

I noticed that the exe file from setup creates a key in HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData.

It also seems to make some interesting use of
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed

and a strange one called

HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACVQY:%pfvqy2%\OvgFuncr FZF Zrffratre

which might be interesting, and a value is set there, but I haven't had time to check it out yet.

Still having major problems with Sice on Win2k. Haven't figured out why "EXP=\%SystemRoot%\System32\advapi32.dll" doesn't seem to work to load advapi32.dll from my winice.dat file when the rest of the entries work fine, but I can load it with the loader. Can't much play with the registry without its APIs. What I need is more time to play and less time to work on this friggen computer.

Regards.

wbe
October 23rd, 2002, 23:29
Hi JMI,

I'm using W98 and I never had a chance to try it on W2K. The closest PC to my laptop is 1k miles away on this deserted land.

All I can suggest is to look for some similar repetitive patterns in regmon log as exemplified in:

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{XXXXXXXX-XXXX-11D6-8481-000054534544}\TypeLib]

and "RegEnum" may be a good keyword to start searching in the log.

Another interesting point is that, after deleting Data under Asprotect, Microsoft's Regclean always catches these orphan \TypeLib entries along with some other keys found in the log. No other reg manipulation tool I have could do this. I couldn't figure this out yet. Anyway, it serves as an automated trace remover for aspr.


I haven't had any occasion to check the other keys you've talked about. My W98 works in perfect harmony with sice in all respects. I cannot afford upgrading after reading all the posts about the troubles other pals are having.

Wish you good luck

wbe

JMI
October 24th, 2002, 00:13
Hi wbe:

You should get a pony to ride to the closest internet cafe.
Win98 seemed easier for Sice, but it was always crashing. Not a good thing when you need to get work out the door and it's on the computer and it won't work. Win2k is much more stable.

Thanks for this info. I'm still looking through the regmon printout. Just for your info, the word to review in the regmon printout is "EnumerateKey" rather than "RegEnum." When you spend hours editing the printout to remove the "checkkey" and "openkey" and "querykey" and then "closekey" you are finally left with just entries of "createkey" and "enumeratekey." This particular program makes a pass through "all" the "uninstall" files to bloat its printout, or is it looking for something?? Interestingly, it doesn't seem to check the keys for numega or softice. Now that's strange.

I downloaded an ebook titled Nt and Win95 Registry and I am very curious to find out what the heck some of the entries are. There is always something more to read and always a great deal more to learn.

Stay safe out there.

Regards.

+SplAj
October 24th, 2002, 07:43
_servil_

I know what you mean, all those 'advanced we-crack-U-pay' tools appear to have unbreakable serials.

You can trace that long algo and find an expected 16byte result....but the bastard soft uses the serial not the calculated result to decrypt with

However, if you try my method discussed above you'll be surprised at how weak their use of aspr really is.

1) They maybe use something like AO2KP-BLAH-BLAH-BLAH
2) and the real weakness is the shortness of the 'decryptor' part, the rest being BLAH

Have a play and you'll see


Now Elcom will switch to Alexeys inbuilt key ?

Peacemaker
October 24th, 2002, 08:28
@+SplAj: I'm sure your instructions are right and well working, but I haven't had much experience in unpacking btw inline patching asprotect yet.

At the moment I'm gonna fuck up myself with the shitty version 4.6.2 of Vbox on Adobe GoLive 6.0 ENG. I know there's still a thread open on this board discussing that problem, but no one found a good clearing of the problem till today.
Sure there are some good crackers who did, but that's not me. I dumped, fixed sections and OEP, did the imports, but one or two imports must have failed, even if ImpRec said it was right and all are fixed...

So back to AO2000PR...
Are there some good Tutorials out playing with the version of asprotect the program is protected with? who wrote it? where to find?

Thanks for your time your greatness

wbe
October 25th, 2002, 11:06
Hi JMI,

I am awfully sorry for the incorrect search word.

I can't stay online for long nowadays (having problems with my sat link and relays), and aspr is my only toy to play while I'm off duty. So, my head was full of some set of APIs while I was typing.

What's the size and intended OS version of your target? If it's 1-2M big and works with W98, I'd like to have a look at it. Post the URL or PM it. It may be a chance to discuss some aspr behaviors on different platforms. Hopefully, if I can manage to arrive here again before you finish it off.

Regards,

wbe

JMI
October 25th, 2002, 18:34
wbe:

While I was working my way through the 24,000+ lines of my RegMon file in attempts to identify the second key that aspr places on my Win2K machines for my target, I took your advice and installed and used my copy of RegClean and, lo and behold, it worked to remove the added "TypeLib" file that the program added and allows a "clean" install with a renewed time limit. This particular target allowed only 13 "executions," so even if the program was "executed" to the start-up screen, and not actually "run," this counted as one of the "executions." I was having so many problems with Sice that I quickly used up my limit. My first problem with the use of RegClean was that there were many "orphan" entries on the first run that were "cleaned" (even though I had used a commercial registry cleaner shortly before) and none of them were in the format you identified.

So my next effort to "identify" the offending entry was to re-install the program, again use its uninstall exe, open RegEdit and erase the Asprotect\Data key and run RegClean again. This time I got only one "new" removed entry, and again I was able to make a "new" clean install with a "new" time limit. So this technique works on Win2K as well as your report of its success on Win98.

After doing this several times, it became clear that, at least on Win2K, aspr was creating the "second" key "at random." The form for the key numbering format was always different, although the critical key had two constant repeating factors: It was always "TypeLib", like you stated, and always added near the end of the CLSID structure.

Having now identified an "easy" method of restarting the "timelimit", I began to study my RegMon file to attempt to gain a better understanding of what the program was doing, both to create this key and hide it from our prying eyes. What I found is rather interesting and a good lesson in efforts by the protectors to hide their work.

I have not yet finished my analysis, but the first thing I did was to remove all the entries which were not explorer and/or target related entries from the RegMon printout. (A piece of advice here for those who haven't spent a lot of time with RegMon: TURN OFF ALL OTHER PROGRAMS RUNNING IN THE BACKGROUND BEFORE ATTEMPTING TO TRACE AN INSTALL, otherwise there can be a whole lot of "extra" crap to remove, or ignore, in the printout.)

We know that to make a key for use by the program, there has to be a call to QUERYKEY, and/or ENUMERATEKEY, then perhaps OPENKEY, and, if the key doesn't exist, CREATEKEY. But this is only the start. Having "Created" the key, the system next checks its "Key" entries and has to "Create" them and check their "Default" status and "create them" by SETVALUE. Then it has to "Create" a "TypeLib" and SETVALUE on a "Default" setting and then call OPENKEY again and SETVALUE once again with the aspr data. Now we have the "Key" that aspr uses to check against the Asprotect\Data Key.

So how do we find this "Key" if we don't simply use RegClean to remove it for us? It's relatively simple when we now know what to look for. With the caution that I've only analyzed this one target for this issue, I note that the creation of the "timelimit" key occurs in the RegMon printout almost directly above the creation of the Asprotect Key and Asprotect\Data key and is simple to spot with a fairly "clean" RegMon printout. So it appears that this issue is resolved (for now) but there is more interesting material to be learned from analysis of this printout.

First, to make it difficult for us to use Sice or some other debugger to find the creation of this Key, the program appears to run through almost the entire CLSID list probably MORE THAN ONCE, calling OPENKEY, QUERYKEY, and ENUMERATEKEY so often that anyone attempting to trace with these api's in the debugger would have a very very long process of tracing to get down to the end.

Since, at least on Win2K, there is no set pattern on the form of the "Key" that is created, it would be difficult to filter the breakpoint on those entries. However, it should be possible to construct a breakpoint which only checks (in the proper API format) calls to CREATEKEY and SETVALUE and break only on the important calls here. There is also the current limitation that the "Key" is of "TypeLib" as a possible additional filtering limitation. I haven't had time to try this yet, but it should work. Certainly RegEnumKeyExA would make one go blind and angry with all the hits to useless calls checking the list of the CLSIDs.

But, wait boys and girls, there's more. This program also creates Key entries for its "Version" and SETVALUE on a "version" number. It also creates a "control" for the program to use. However, the really clever thing that this version does is that it creates these "Keys" IN EXISTING KEYS FOR OTHER PROGRAMS.

Part of what it is doing with all its calls to ENUMERATEKEY is to check the CLSIDs for existing entries of "TypeLib." When it had reached near the end of the list (so far all my Keys have been in CLSIDs which begin with an alphabet letter, after checking most, if not all, the others more than once) it somehow finds an existing key which DOES NOT HAVE A "TYPELIB" and grafts aspr's key into the existing key by calling CREATEKEY and SETVALUE. I don't know enough yet to know how this is possible (always more to learn) but it is clearly what is happening here.

Not only was it able to graft this "TypeLib" Key on to an existing Key for something else, it was also able to graft the "version" and "control" entries onto a DIFFERENT key on some of the installs. I am still checking to determine whether it does this if the Key it chooses for the graft of the "TypeLib" already had a "version" and/or "control" entry, but it makes sense that this might be the case, because on at least one of the installs, it created all three keys grafted onto the same existing Key.

The only good news is that all of this happened (on this program at least) immediately above the creation of the Asprotect and Asprotect/Data Keys and was clearly visible in the RegMon printout, even if it would have been a very long long long way into a trace in Sice without proper filtering of the registry calls.

Now that I've figured out how this "timelimit" issue works, I can go back to my original task of figuring out how to make Sice work for me on Win2K and manually unpack this puppy to help someone who asked for "easy English" assistance on this particular target.

One last thing visible in the printout is that aspr is making some form of a hash out of machine specific information. The person I am trying to help sent me a copy of his Asprotect\Data file which, naturally, didn't work on my machine. On his machine he was able to "reinstall" his Asprotect\Data file with 6 executions left and keep resetting it that way. I didn't try this on my machine yet, because at first I didn't save the original install Data file before crashing my computer many times with Sice. It would be something else to check. On the start-up screen of this program it clearly identifies a hash of this "hardware identification" which did not change with the various installs. In the printout from RegMon one can see some of the reads of information which appears to have been used to create this information.

Enough for now. Time to get back to real world work.

Regards.
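A registry-monitor log triage script, added here as an example (it is not JMI's procedure turned into code, nor any tool from this thread): it drops the Open/Query/Enumerate/Close noise, keeps only one process's successful CreateKey/SetValue events, flags TypeLib subkeys written under CLSID entries, and lists the writes that sit immediately before the ASProtect\Data key, which is the spot JMI describes. The tab-separated column layout and all sample lines are constructed assumptions, not a real RegMon capture.

```python
"""Triage a RegMon-style log for registry keys a program writes outside its own hive.

Added example, not a tool from this thread. Assumes a tab-separated export with the
columns  #, Time, Process, Request, Path, Result, Other  (an assumption: adjust COLUMNS
if your export differs). Every sample line below is constructed, not a real capture.
"""
import re

COLUMNS = ("seq", "time", "process", "request", "path", "result", "other")
WRITE_REQUESTS = {"CreateKey", "SetValue"}
NOISE_REQUESTS = {"OpenKey", "QueryKey", "EnumerateKey", "QueryValue", "CloseKey"}

# A TypeLib subkey (or a value inside one) under a CLSID entry.
CLSID_TYPELIB = re.compile(
    r"^HKLM\\Software\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})\\TypeLib(?:\\|$)", re.I)

# Constructed sample of the pattern JMI describes: enumerate/open noise over CLSID,
# a TypeLib subkey grafted onto an unrelated CLSID, then the program's own
# ASProtect\Data key. GUIDs, PIDs, handles and the value name are made up.
CLSID_A = r"HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}"
CLSID_B = r"HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}"
SAMPLE_ROWS = [
    ("1", "12:00:01.001", "target.exe:1040", "OpenKey", r"HKLM\Software\Classes\CLSID", "SUCCESS", "Key: 0xE1A0"),
    ("2", "12:00:01.002", "target.exe:1040", "EnumerateKey", r"HKLM\Software\Classes\CLSID", "SUCCESS", "0: {00000000-0000-0000-0000-000000000001}"),
    ("3", "12:00:01.003", "target.exe:1040", "OpenKey", CLSID_A, "SUCCESS", "Key: 0xE1A4"),
    ("4", "12:00:01.004", "target.exe:1040", "QueryKey", CLSID_A + r"\TypeLib", "SUCCESS", "Subkeys = 0"),
    ("5", "12:00:01.005", "target.exe:1040", "CloseKey", CLSID_A, "SUCCESS", ""),
    ("6", "12:00:01.006", "target.exe:1040", "EnumerateKey", r"HKLM\Software\Classes\CLSID", "SUCCESS", "1: {00000000-0000-0000-0000-000000000002}"),
    ("7", "12:00:01.007", "target.exe:1040", "OpenKey", CLSID_B, "SUCCESS", "Key: 0xE1B0"),
    ("8", "12:00:01.008", "target.exe:1040", "OpenKey", CLSID_B + r"\TypeLib", "NOTFOUND", ""),
    ("9", "12:00:01.009", "target.exe:1040", "CreateKey", CLSID_B + r"\TypeLib", "SUCCESS", "Key: 0xE1B4"),
    ("10", "12:00:01.010", "target.exe:1040", "SetValue", CLSID_B + r"\TypeLib\(Default)", "SUCCESS", "constructed blob"),
    ("11", "12:00:01.011", "target.exe:1040", "CreateKey", r"HKCU\Software\ASProtect", "SUCCESS", "Key: 0xE1C0"),
    ("12", "12:00:01.012", "target.exe:1040", "CreateKey", r"HKCU\Software\ASProtect\Data", "SUCCESS", "Key: 0xE1C4"),
    ("13", "12:00:01.013", "target.exe:1040", "SetValue", r"HKCU\Software\ASProtect\Data\0123456789ABCDEF", "SUCCESS", "constructed blob"),
    ("14", "12:00:01.014", "explorer.exe:820", "SetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal", "SUCCESS", "C:\\Docs"),
]
SAMPLE_TEXT = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_line(line):
    """Split one log line into a record; returns None for lines that do not fit the layout."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 6:  # the Other column may be missing, the rest are required
        return None
    parts += [""] * (len(COLUMNS) - len(parts))
    return dict(zip(COLUMNS, parts[:len(COLUMNS)]))


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def successful_writes(records, process_prefix):
    """Keep only successful CreateKey/SetValue events of the process of interest."""
    return [r for r in records
            if r["process"].lower().startswith(process_prefix.lower())
            and r["request"] in WRITE_REQUESTS and r["result"] == "SUCCESS"]


def grafted_typelib_keys(writes):
    """CLSIDs under which the process created a TypeLib subkey or set a value inside one."""
    found = {}
    for r in writes:
        m = CLSID_TYPELIB.match(r["path"])
        if m:
            found.setdefault(m.group(1).upper(), []).append(r["request"])
    return found


def writes_before(writes, marker, n):
    """The last n writes before the first write whose path contains marker (case-insensitive)."""
    for i, r in enumerate(writes):
        if marker.lower() in r["path"].lower():
            return [(w["request"], w["path"]) for w in writes[max(0, i - n):i]]
    return []


def summarize(text, process_prefix, marker=r"ASProtect\Data"):
    records = parse_log(text)
    writes = successful_writes(records, process_prefix)
    return {
        "total": len(records),
        "noise": sum(1 for r in records if r["request"] in NOISE_REQUESTS),
        "writes": [(r["request"], r["path"]) for r in writes],
        "typelib": grafted_typelib_keys(writes),
        "before_marker": writes_before(writes, marker, 3),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_TEXT, "target.exe")
    print(f"{s['total']} events, {s['noise']} of them open/query/enumerate/close noise")
    for clsid, reqs in s["typelib"].items():
        print("TypeLib written under an unrelated CLSID:", clsid, reqs)
    for req, path in s["before_marker"]:
        print("just before ASProtect\\Data:", req, path)
```

On a real export the noise count dwarfs the write count by orders of magnitude, which is the point: filter on the handful of successful writes first, then look at what sits right above the protector's own key.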

wbe
October 25th, 2002, 21:47
Good work JMI, a very informative and scrutinizing essay of yours. A rather unexplored area of aspr "codewoods" has now been cleared.

This, imho, serves as an unofficial announcement about a Service Release in the upcoming days

Regards,

wbe

Paul333
October 27th, 2002, 01:05
Nice one JMI....

Its thorough in depth replies like this that i learn lots from ...THANKS!!

paul333

nikolatesla20
October 27th, 2002, 04:48
That's what the software lab is for.

I load up a clean win9x machine, run RegCompare.

Load up the software.

Run RegCompare.

Print out the differences. Find encrypted values. Date checks defeated. Piece of cake. Works every time.

This is my standard operating procedure on date limits, besides using RegMon. Regmon gets too involved tho, because it's live and it gets ALL registry activity if you don't set filters.. It's better to use the Reg Compare deadlist, so you only look at DIFFERENCES.

Bow to the power of Registry Compare.


-nt20

Peacemaker
December 4th, 2002, 12:09
@foxthree: It is possible to keygen an elcom software...
as I said I now GOT this keygen I talked about. I can't tell you who did it atm, because I'm at work. But when I go home I can send you the keygen if you want me to. In the nfo it's written that the program itself was protected with MD5 algo. So it's possible to keygen. And one guy did.

crUsAdEr
December 4th, 2002, 13:41
Hi Peacemaker..

That would be interesting... i am sure our resident Cipher Knight will be interested in this if it is a REAL keygen... though Elcomsoft uses MD5 encryption, most of the password recovery stuff has a small security leak built-in .. so it is possible to fully reg them... but a real keygen would be very interesting to study...

Are you sure the guy who released it doesn't do as SplAj has said? Does the keygen work with the version downloaded from the Elcom site? And how many different keys does it generate?

regards,
crUsAdEr

Peacemaker
December 4th, 2002, 13:51
hi crusader:
I haven't tried many of the keys but it seemed to work.
But it also may be possible that the guy did like +splaj had said -> unprotecting -> de-blacklisting -> regging -> reprotecting.
So I'll upload the keygen anywhere when I'm home and up. :-)

ReaL|sTy
December 4th, 2002, 20:30
You asked how the new ASPR time limit algo works... easier than before. Maybe you know that previous ASPR versions read the last time accessed from some registry key made in:

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\.....

with different values depending on your Win OS "product ID". If you make the value common in any Win OS (win9x, Win Me, XP, 2k, NT) then the key for XX program will work for any of them. The idea is to make it generic, so if you make a loader for the registry which deletes the key or value then the program will never expire.

For previous ASPR versions the key is made by reading these registry values:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"LicensingInfo"=" "
"ProductId"=" "
"ServicePackNumber"=" "
"SubVersionNumber"=" "

The first key it reads is SubVersionNumber; if the key is not present it will read ServicePackNumber or maybe the other, which I don't remember. Then depending on the value, it makes (example):

[HKEY_CLASSES_ROOT\CLSID\{AA77D79D-D672-783D-D199-B1DA75B391CD}]

[HKEY_CLASSES_ROOT\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}]


If you make the values "ServicePackNumber"=" " <<---- "SubVersionNumber"=" " similar for each Win OS, the CLSID key/value will be the same.

Of course for each aspr packed app the CLSID key will be different even if your Windows ID is the same.

Some people thought the key is made because the aspr protected app reads some other information like the HD key. That's wrong.

Now it is easier than before. An aspr time limited app works by adding the registry key:
HKEY_CURRENT_USER\SOFTWARE\ASProtect\Data, you all know that.

First it reads the String Value "Key"=""; if not present then it goes to check the time limit. This is in case the program is protected with the encryption registration method aspr uses.

If you check with reg monitor you note that it doesn't read other time limit related keys, but actually it does; the fact is that it has two checks.

it does the first check on: HKEY_CURRENT_USER\SOFTWARE\ASProtect\Data

It writes there, the first time that you run the program, some hex values (encrypted values).

If you set your clock forward you'll note that the program is still expired or becomes expired.

If you put the normal/actual date back, the program is still good and working only if you delete the key ........ASProtect\Data again, because after expiration it modifies the hex values to tell the program the next time you try to run it that it was expired; it will read the key and will continue expired.

Have you tried to delete that key, open reg monitor and run the program again to see what happens then?

This is what it does: randomly read many keys on:
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\...

This happens if the first check: HKEY_CURRENT_USER\SOFTWARE\ASProtect\Data is not present; then it goes/jumps to the second time limit check

which is in: [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\

It is hard to find because it reads too fast and reads many keys there that are not for the program. If you're an advanced Win user you can delete the complete key CLSID, also delete ASProtect\Data, run the program again and you'll see how beautifully the program takes some delay, then makes ASProtect\Data again and a key (example) in: [HKEY_CLASSES_ROOT\CLSID\{AA77D79D-D672-783D-D199-B1DA75B391CD}] with the actual date.

This could be generic for each Win OS on different aspr packed programs: if you take the current date hex values in HKEY_CURRENT_USER\SOFTWARE\ASProtect\Data, the same key of CLSID, and you could use some time faker or something, your app won't expire and you can use it on any Win OS. If you took the same registry keys/values and made some kind of time limit loader that gives the date when the keys were working, all is done!

I decided to give this information because sometimes it is easier than you think and no one ever spoke about this (I think). Hope this helps many of you. My native language is not English; if someone did not exactly understand something you can PM me if desired.

About deleting the complete CLSID key.. be careful because your Win could crash. Only do it as I said if you're experienced and you know how to fix/recover registry backups. I told this so everyone could see how this new aspr time limit check works, in case you can't find the right CLSID key. Note that it also generates the CLSID keys randomly: if you delete it and you delete ...ASProtect\Data it will generate another CLSID key, different each time you delete it.

I hope I'm not breaking any rules on here with this information. Please, if something is wrong forgive me, and moderators please edit or delete this reply.

JMI
December 4th, 2002, 21:27
ReaL|sTy:

I would be extremely careful about suggesting that anyone delete their entire CLSID strings because you will most likely get results you didn't anticipate and this is COMPLETELY UNNECESSARY. If you have read my previous posts in this thread you will note that aspr places the CLSID key "at random" by reading through the keys to find one without a "TypeLib" subkey near the end of the list (at least this is what it does in Win2K). It then adds information and a "TypeLib" key to some other program's CLSID key. In other words it does NOT create a new CLSID key, it just modifies one that is already there but doesn't have a "TypeLib" subkey attached to it.

However you DO NOT NEED TO FIND THIS KEY ITSELF. If you delete the asprotect key and then run Microsoft's RegClean, it will find and remove this added "TypeLib" subkey every time. I tried it more than 50 times and each time the "TypeLib" subkey was in a different CLSID which had not had its own "TypeLib" subkey already, and running RegClean found and removed it easily. These two steps reset the timelimit without dangerous modifications of the registry, such as deleting ALL the CLSID keys. Give it a try. I haven't tried it with other OS systems yet.

Regards.

ReaL|sTy
December 4th, 2002, 21:48
Sure JMI, this is just another matter of finding the CLSID key, which isn't hard at all, but this is for knowledge only.. anyone can try it; sure it is dangerous, as I said, for experienced users only. You can export it (for safety) and import it as soon as you see how your aspr packed app works and made the key. I did it like that just for testing purposes in Win98 SE.

Nigma
December 4th, 2002, 21:56
If you want to defeat this time procedure do the following:

first delete the key asprotect in HKCU\software
then:

bpx RegEnumKeyExA if *esp<02000000 do "r esi 1"

press F5 until the proggie runs.

good luck !

ReaL|sTy
December 7th, 2002, 04:38
btw anyone knows how the time limit clock checks works on armadilled protected ones?

banshee
May 3rd, 2003, 13:10
Searched for some info about Elcomsoft product protection. Idle curiosity made me bring up this old long thread.
Peacemaker & crUsAdEr:
What about keygen - is it real keygen and it works? (actually doubt)

_Servil_
May 3rd, 2003, 16:54
It's just what +Splaj has written,
(I have tried Splaj's trick on some elcomsoft some time ago but aspr required an additional HWID or name (don't remember exactly yet) to generate the keys; since I know elcomsoft doesn't require either I got quite fooled...
There is only a keygen right for AO2kPR made by fallen, which is however not a keygen in its real sense; you will have to bruteforce the hardcoded db and have luck enough to guess the initial seed'n'algo used to generate the series... )

banshee
May 4th, 2003, 14:09
Unpacked the last version of Elcomsoft's AIMPR. +Spl/\j thanks for tips. For me the easiest way was to rip&paste three pieces of code from the original aspred file (of course I had a blacklisted serial). Don't understand what those keygens are needed for, now I have a fully working app without any limitation. Anybody knows how often they change the key which parts of code are encrypted with? Seems that not too often...