|
my dump is from the Oep
|
I did name it as the same as the original program "zup", it works registered
|
finally, it doesn't matter if it is registered or not... for me it's only the unpacking-practice. but i wondered about the rename thing :)
|
in earlier version of asprotect I noticed that it create a text file in the program folder for each dump you run, if you delete this file ,or rename the dump, it will run unregistered, I didn't see these files here, but
it may be created some where else. |
found the code. it's in the dump...
00594614 8BD0 MOV EDX,EAX 00594616 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00594619 8B80 A80A0000 MOV EAX,DWORD PTR DS:[EAX+AA8] 0059461F 8B08 MOV ECX,DWORD PTR DS:[EAX] 00594621 FF51 5C CALL DWORD PTR DS:[ECX+5C] 00594624 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00594627 8B80 000B0000 MOV EAX,DWORD PTR DS:[EAX+B00] 0059462D 33D2 XOR EDX,EDX 0059462F E8 2864FEFF CALL zupa.0057AA5C 00594634 A1 D0AC5B00 MOV EAX,DWORD PTR DS:[5BACD0] <<< checks the dword in 5BACD0 = RVA 5BACD2 00594639 E8 CA64E7FF CALL zupa.0040AB08 0059463E 85C0 TEST EAX,EAX 00594640 76 10 JBE SHORT zupa.00594652 <<< jump UNREGISTERED 00594642 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00594645 8B80 5C090000 MOV EAX,DWORD PTR DS:[EAX+95C] 0059464B 33D2 XOR EDX,EDX 0059464D E8 CE23EBFF CALL zupa.00446A20 00594652 33C0 XOR EAX,EAX the dword 5BACD0 begins in my dump with B8, in your dump with B7. the solution is to nop the JBE @RVA 00594640 :) @59A5C3 is another JBE, this must also be nopped. |
new target: CloneCD 4.3.1.9
i came to the following: stolen bytes: none OEP: 40154C but there's still a read/write error if clone-cd analyses a CD. i think it's a problem with IAT, but all invalid pointers are fixed IAT: |
your "zup" isn't fully registered, if you
want to make it registered do the following: 1- at address 5be7dc=3d ( this will make us as if we were registered) 2-nop 52a2f6 (will prevent it from change our status in step 1) 52a356 (this will make it think we have a valid lic ) you will no longer have the registration entry. and will be fully registered. |
hm... makes it so much difference?
how did you find that value? only tracing? powerstrip is the harder target... |
Z-Up v4.3.1
MaRKuS-DJM,
Would you be kind to attach tree.txt for Z-Up Maker last version. I'm working on it but I have error . ( wrong OEP ? ). Regards, Zlatko |
it's on page one the second post (by britedream)
|
1 Attachment(s)
britedream or Marcus ,
Would you, please, check what is incorrect with this tree.txt . How to decide should will be ADD ESP, -010 or SUB ESP, -0C ? Regards, Zlatko |
Quote:
at the begging 0014A0EC kernel32.dll 018D GetTimeFormatW at the end 0014B67C crypt32.dll 0085 CryptExportPKCS8 your iat list dont have em |
@zlatko the esp-value in the dump must match to the esp-value in the original-file @OEP
|
1 Attachment(s)
Markus,
If you have time would you try to work with me on new target ? Pgm. is dumped and IAT is resolved but there is some call ( unresolved ) outside of dump. It is not point to any dll call, just simple compare and jump. It is possible that I didn't resolve Iat correctly. Tree is attached ! Regards, Zlatko |
it seems there are many pointers which aren't fixed... have you checked britedream's IAT?
|
| All times are GMT +8. The time now is 17:27. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX