
Stolen Bytes in ASProtect 1.23 RC4 (Magic Workstation)


Dromidas
October 22nd, 2005, 03:09
Hi everyone, this is my first time to the forums. I have a problem I need help solving and I can't seem to work through it even with the tutorials available.

I've been trying to unpack Magic Workstation (MTG program that has a bunch of annoying non-registered features) and it's protected with ASProtect 1.23 RC4.
http://img463.imageshack.us/img463/5564/peid0pz.jpg
I've been able to locate the fake OEP and what I believe to be the actual OEP. I was also able to locate what I believe to be the stolen bytes, but I can't quite figure out which ones are the ones I need to copy.

OEP: http://img456.imageshack.us/img456/548/oep5is.jpg
Stolen Bytes: http://img456.imageshack.us/img456/7716/trace7gz.jpg

There are 8 "00" above there, then the C4948A00, then 4 more "00", but if you look at the trace there isn't really a defined list of bytes that I could copy up to the OEP. Also I'm not sure what to make of the C4948A00 in the 00 bytes either.
Everything above 8AA4D4 is DD commands for many lines.

I'd appreciate any help I can get. I've been working with this for quite a while now and I've been stuck here all night. I'm pretty inexperienced with OllyDbg and reversing yet, so perhaps I'm just missing something.
Thanks.

Ricardo Narvaja
October 22nd, 2005, 04:02
The stolen bytes are previous to the jmp to the fake OEP. Where's the jmp to the OEP in this image?

Ricardo

mcnorth
October 22nd, 2005, 04:40
I think your stolen bytes are,

PUSH EBP
MOV EBP,ESP
MOV ECX,8

Unfortunately I can't confirm it because ImpREC keeps hanging every time I try to rebuild the IAT. Since it's 1:30 in the morning I have to quit.

The way I came up with the bytes is I think it's Borland Delphi 4/5 and ECX is 8 at the fake EP. The way I intended to confirm them is to assemble the new bytes, change the EP, save, restart and step through till the fake EP and compare the stack and registers.

At any rate I hope it gives you something to try.

Dromidas
October 22nd, 2005, 16:52
Quote:
The stolen bytes are previous to the jmp to the fake OEP. Where's the jmp to the OEP in this image?


There isn't a jump to it anywhere that I can find, which is part of why I'm finding this so confusing.

Another thing which confused me a bit was that all the ECX == 8 is for is to push 16 0's onto the stack...
I'm going to try the stolen bytes mcnorth suggested and see if that works. I had been under the impression that the stolen byte count will always match the number of "00".
Thanks a lot for the posts, I'll update after I try some things then.

Ricardo Narvaja
October 23rd, 2005, 05:10
Well, the jump can be a push and ret or other variants, but you need to reach the OEP in the tracing. Where is this line in the image?

Ricardo

Lord_Looser
October 23rd, 2005, 09:19
Googling "stripper 2.11.02" could help.

mcnorth
October 23rd, 2005, 12:24
I think you are right in that the stolen bytes do fill the space of the 00's.

008AA4E0 55 PUSH EBP ; byte 1
008AA4E1 8BEC MOV EBP,ESP ; bytes 2 & 3
008AA4E3 B9 08000000 MOV ECX,8 ; bytes 4 thru 8

The next problem is that Magic Workstation wants to read memory that isn't there, for which I don't have an answer. If you work out a solution to that, would you share it with me?
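The fix-up mcnorth describes (assemble the recovered bytes into the zeroed gap, change the EP, save) can be scripted against the dump rather than done by hand in Olly. The script below is an added example, not code from this thread or from any unpacking tool: it maps the real OEP to a file offset through the dump's section table, refuses to write unless the target bytes really are the zeroed gap, writes the 8 bytes and points AddressOfEntryPoint at them. Assumptions: a PE32 dump with an intact section table (the IAT is a separate job for ImpREC), a Delphi-default image base of 0x400000 so that 008AA4E0 is RVA 4AA4E0, and a skeletal one-section PE built in memory as a constructed fixture in place of the real dump.

```python
import struct

# The 8 stolen bytes identified in the thread (Delphi prologue). They fill the
# zeroed gap at 008AA4E0-008AA4E7, directly before the fake OEP at 008AA4E8.
STOLEN_BYTES = bytes([
    0x55,                          # PUSH EBP
    0x8B, 0xEC,                    # MOV EBP,ESP
    0xB9, 0x08, 0x00, 0x00, 0x00,  # MOV ECX,8
])


def parse_pe(data):
    """Return optional-header offset, ImageBase, AddressOfEntryPoint and the
    section table (name, VirtualAddress, VirtualSize, PointerToRawData,
    SizeOfRawData) of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return {"opt": opt, "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)


def restore_stolen_bytes(data, real_oep_va, stolen):
    """Write `stolen` at the real OEP and move AddressOfEntryPoint there.

    Only a run of zero bytes is overwritten: a wrong OEP or a wrong byte
    count raises instead of silently clobbering real code in the dump."""
    pe = parse_pe(data)
    oep_rva = real_oep_va - pe["image_base"]
    if oep_rva < 0:
        raise ValueError("OEP lies below the image base")
    off = rva_to_offset(pe["sections"], oep_rva)
    gap = data[off:off + len(stolen)]
    if len(gap) != len(stolen) or any(gap):
        raise ValueError("bytes at %#x are not a zeroed gap: %s"
                         % (real_oep_va, gap.hex()))
    out = bytearray(data)
    out[off:off + len(stolen)] = stolen
    struct.pack_into("<I", out, pe["opt"] + 16, oep_rva)  # AddressOfEntryPoint
    return bytes(out)


def build_minimal_pe(image_base, sec_va, sec_size, entry_rva, code_at_entry=b""):
    """Constructed fixture: a skeletal one-section PE32, not a real program."""
    e_lfanew, raw_ptr, opt_size = 0x40, 0x200, 224
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)   # ImageBase
    sec = struct.pack("<8sIIII", b".text", sec_size, sec_va, sec_size, raw_ptr) + b"\0" * 16
    hdrs = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    body = bytearray(sec_size)
    body[entry_rva - sec_va:entry_rva - sec_va + len(code_at_entry)] = code_at_entry
    return hdrs + b"\0" * (raw_ptr - len(hdrs)) + bytes(body)


if __name__ == "__main__":
    # Fixture stands in for the dump: EP still on the fake OEP (RVA 4AA4E8),
    # with a constructed PUSH 0 / PUSH 0 placed there, and zeros before it.
    dump = build_minimal_pe(0x400000, 0x4AA000, 0x1000, 0x4AA4E8, b"\x6A\x00\x6A\x00")
    fixed = restore_stolen_bytes(dump, 0x008AA4E0, STOLEN_BYTES)
    info = parse_pe(fixed)
    off = rva_to_offset(info["sections"], info["entry_rva"])
    print("entry RVA %#x, bytes at OEP: %s" % (info["entry_rva"], fixed[off:off + 12].hex()))
```

On a real dump, call restore_stolen_bytes(open(path, "rb").read(), 0x008AA4E0, STOLEN_BYTES) and write the result to a new file; if it raises because the gap is not zero, the OEP or the byte count is wrong and nothing has been touched.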

mcnorth
October 23rd, 2005, 15:17
About that question, "where's the entry to the OEP in the image?"

Start at the bottom of the run trace window and work your way up. Those numbers in the left-hand column of the run trace window are steps backward from the (fake) OEP. To illustrate this, get to your fake OEP just like you did before. Open your run trace window, scroll to the bottom and position it so you can see your code window, stack, registers and run trace window all at the same time. Now make sure your code window is active (click the title bar if it's not) and hit the minus key once (either one will do). See the RETN in your code window? See the RETN in the run trace window one step back. Hit the minus key again and same thing: POP ECX in the code window and POP ECX 2 steps back in run trace. You can continue to use the minus key to trace back to see what the condition of the registers and stack is (or was) when the instruction was executed.

This is all new to me, but I think when looking for stolen bytes in run trace you need to start from the bottom and scroll up for this reason: a PUSH EBP 5000 steps back has to be totally irrelevant if PUSH EBP occurs later on. I think the most recently occurring PUSH EBP should be your clue to start looking for more stolen bytes.

With that said, and for what it's worth, I don't think all compilers start with PUSH EBP. For example MS Visual C++ 4 starts with

MOV EAX,DWORD PTR FS:[????]

and Borland C++ starts similarly with

MOV EAX,DWORD PTR DS:[????]

Or at least that's what PEiD says (which could be wrong as well).

The answer to "where's the jump" is: at the bottom of the window (not shown). It has to be. You broke on the (fake) OEP, so the instruction that sent you there is the last instruction in run trace, which is RETN with 8AA4E8 (the entry point) at the top of the stack.

Dromidas
October 26th, 2005, 02:23
That stripper program actually worked, I wish I knew how it did that.
Been trying to crack the program now, haven't really had much luck yet, but we'll see.
Thanks ^_^

mcnorth
October 28th, 2005, 02:42
That's great. Doesn't hurt to know how to manually unpack though. Hosinimh figured out the solution for the dump trying to write to non-existent memory.

Cheers

cpprules
November 4th, 2005, 18:08
If you succeed in cracking this program please post your crack, I really need this program.
mail me at : cpprules@excite.com

cpprules
November 4th, 2005, 18:11
Please!!!!!!!!!!!!!

cpprules
November 5th, 2005, 03:25
Please!!!!!!!!!!!, no one else has cracked this program.

cpprules
November 11th, 2005, 17:21
Please!!!!!!!!!!!!