Web  : http://kickme.to/mxbnet
PHP Expert Editor ver 2.5
Type : PHP Editor

Crack :

Dumping :

In SICE ..

  :BPX GETVOLUMEINFORMATIONA

Run the program. When we break, remove the BPX and use ...

  :/tracex 400000 eip-8      [For this you must have ICEDump loaded]

We can see that we break inside the program module :

  015F:005AE1B8 55            PUSH EBP              <<-- This is not OEP
  015F:005AE1B9 8BEC          MOV EBP,ESP
  015F:005AE1BB 8B4508        MOV EAX,[EBP+08]
  015F:005AE1BE A390335B00    MOV [005B3390],EAX
  015F:005AE1C3 5D            POP EBP
  015F:005AE1C4 C20400        RET 0004              <<-- Use F8 and return to ASProtect

Then give the tracex command again .. till we break in ...

  015F:005AE827 00558B        ADD [EBP-75],DL
  015F:005AE828 55            PUSH EBP              <<-- Here OEP - Dump It
  015F:005AE829 8BEC          MOV EBP,ESP
  015F:005AE82B 83C4F4        ADD ESP,-0C
  015F:005AE82E B8F0E15A00    MOV EAX,005AE1F0
  015F:005AE833 E81894E5FF    CALL 00407C50
  015F:005AE838 A1203A5B00    MOV EAX,[005B3A20]
  015F:005AE83D 8B00          MOV EAX,[EAX]
  015F:005AE83F E8E094EAFF    CALL 00457D24
  015F:005AE844 A1203A5B00    MOV EAX,[005B3A20]
  015F:005AE849 8B00          MOV EAX,[EAX]
  015F:005AE84B BA80E85A00    MOV EDX,005AE880
  015F:005AE850 E8D390EAFF    CALL 00457928
  015F:005AE855 FF1590335B00  CALL [005B3390]
  015F:005AE85B A1203A5B00    MOV EAX,[005B3A20]
  015F:005AE860 8B00          MOV EAX,[EAX]
  015F:005AE862 E83D90EAFF    CALL 004578A4
  015F:005AE867 A1203A5B00    MOV EAX,[005B3A20]
  015F:005AE86C 8B00          MOV EAX,[EAX]
  015F:005AE86E E84995EAFF    CALL 00457DBC
  015F:005AE873 E8E454E5FF    CALL 00403D5C

Dump it using the EBFE trick :

  :d eip
  :e      [Now change 55 8B --> EB FE]
  :x      [Come out of SICE -- dump the full image using LordPE -- go back to SICE]
  :e      [Now change EB FE --> 55 8B]
  :x      [Get out of SICE]

Now use WinHex, edit the dumped file and change "EB FE" --> "55 8B" at Offset = 1AE828.

IAT Fix :

Use ImpRec, select "phpxedit.exe", OEP = 1AE828, then "IAT Auto Search" --> "Get Imports" --> "Show Invalid" --> "Auto Trace". We can see the IAT is read successfully ... Now fix the dumped file.

Fixing Dumped File :

Now try to run the dumped file: we get a page fault ? What the heck ? It is an ASProtect trick ....

  015F:005AE833 E81894E5FF    CALL 00407C50
  015F:005AE838 A1203A5B00    MOV EAX,[005B3A20]
  015F:005AE83D 8B00          MOV EAX,[EAX]
  015F:005AE83F E8E094EAFF    CALL 00457D24
  015F:005AE844 A1203A5B00    MOV EAX,[005B3A20]
  015F:005AE849 8B00          MOV EAX,[EAX]
  015F:005AE84B BA80E85A00    MOV EDX,005AE880
  015F:005AE850 E8D390EAFF    CALL 00457928
  015F:005AE855 FF1590335B00  CALL [005B3390]       <<-- Page Fault

Now [005B3390] = 0130C784, which is ASProtect code that decides whether the 30 day trial is over or not ... code which our unpacked file doesn't have. If we compare it with the real unpacked file we can see ..

  015F:0130C784 833DA835310100  CMP DWORD PTR [013135A8],00
  015F:0130C78B 7406            JZ 0130C793
  015F:0130C78D FF15A8353101    CALL [013135A8]     <<--- Note this
  015F:0130C793 C3              RET

Now if [013135A8] == 005ADE34 -- 30 DAY TRIAL
Now if [013135A8] == 005AE07C -- 30 DAY EXPIRED -- KICK ASS

Patch :

So in the unpacked file :

  015F:005AE855 FF1590335B00  CALL [005B3390]       <<-- Call 005ADE34 instead of 0130C784

Offset : 1B3390 ---> 84 C7 30 01 -- To --> 34 DE 5A 00

Now our unpacked file runs successfully.. Now use PEditor and set all section flags of the dumped file to "E0000020". Now use Win32DASM, figure out the flag jumps to the unregistered version and disable them ..

Usage Count :

The 30 day count is stored in the Windows registry key ..

  REGEDIT4

  [HKEY_CLASSES_ROOT\CLSID\{98C422C0-2854-B4F7-11AA-54F45C643F1F}]
  @="hLtATzJBDy9z7ez/"

If you don't want to do the unpacking stuff, just delete this key when your 30 day period is over and you get your 30 day trial back..