Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   where's the error in this asprotect-target? (https://forum.exetools.com/showthread.php?t=3126)

MaRKuS-DJM 12-29-2003 04:54

where's the error in this asprotect-target?
 
The program I tried to unpack is Z-Up Maker 4.3.0.

This is my info.
Stolen bytes:
push ebp
mov ebp,esp
add esp,-10
mov eax, 5B64BC

and my IAT is attached.

But it doesn't work.
I don't know where the error is... I think it's all correct?!?!?!?!?!

britedream 12-29-2003 12:33

1 Attachment(s)
Hi Markus,
The stolen bytes and IAT are not correct; your program is working on the following info:
005B6CCC > $ 55 PUSH EBP
005B6CCD . 8BEC MOV EBP,ESP
005B6CCF . 83EC 0C SUB ESP,0C
005B6CD2 . 53 PUSH EBX
005B6CD3 . B8 BC645B00 MOV EAX,dd_.005B64BC

Here is the IAT:

britedream 12-29-2003 13:02

Thanks Markus, you always come up with unique programs.

MaRKuS-DJM 12-29-2003 21:10

Oh yes, I forgot the push ebx :)
But how did you get the sub esp,0c?
I thought it was -10?
Maybe I'm confused *lol*

MaRKuS-DJM 12-29-2003 21:23

britedream, I've tried your info... but it still comes up with the same error :(

My dump is correct, I think.

britedream 12-29-2003 22:02

Hi,
the program is working on the info I gave you. Also check your IAT against mine.

MaRKuS-DJM 12-29-2003 22:17

I understood why it is sub esp,0c :) It was my fault. I PM'ed you.

britedream 12-29-2003 22:57

to Markus,
please check your pm

MaRKuS-DJM 12-30-2003 04:24

PowerStrip 3.47 Build 425
 
Britedream, I want to ask you if this info is correct for PowerStrip (the program worked for me):

OEP: 555DE7
Stolen Bytes:
push ebp
mov ebp,esp
sub esp,0c
push ebx
mov eax,4032A0


NOP the calls (call eax):
522BC1
52487D

IAT:

MaRKuS-DJM 12-30-2003 04:48

I think for PowerStrip this is enough:

push ebp
mov ebp,esp
sub esp,10

britedream 12-30-2003 15:14

Well done Markus, your IAT is correct, and your stolen bytes are correct if not for the extra command you put: mov eax,xxxxxx. Now your OEP should shift a little bit down,
after eliminating the extra command, to 555dec.

Regards.

MaRKuS-DJM 12-30-2003 18:48

Your dump works perfectly for Z-Up Maker. I saw you have a newer version, so I downloaded this one... I've dumped it again and it doesn't work. So I made a differences report.

In my dump there are many extra bytes where in your dump there are only 00. I've looked at the offsets, and these "extra bytes" are error messages like "runtime error" or something else. But where do they come from???

MaRKuS-DJM 12-30-2003 18:59

Hey, I got it to work!!!!

Where did you dump, britedream? I always dumped here:

005B6CD8 E8 6B0DE5FF CALL dumped_.00407A48
005B6CDD 8B1D CCB05B00 MOV EBX,DWORD PTR DS:[5BB0CC] ; dumped_.005BC7D8
005B6CE3 8B03 MOV EAX,DWORD PTR DS:[EBX]
005B6CE5 E8 12E0E9FF CALL dumped_.00454CFC
005B6CEA 8B03 MOV EAX,DWORD PTR DS:[EBX]
005B6CEC BA 086E5B00 MOV EDX,dumped_.005B6E08 ; ASCII "Z-Up Maker"
005B6CF1 E8 0ADCE9FF CALL dumped_.00454900
005B6CF6 8B0D 60AE5B00 MOV ECX,DWORD PTR DS:[5BAE60] ; dumped_.005BEC84
005B6CFC 8B03 MOV EAX,DWORD PTR DS:[EBX]
005B6CFE 8B15 54D85800 MOV EDX,DWORD PTR DS:[58D854] ; dumped_.0058D8A0
005B6D04 E8 0BE0E9FF CALL dumped_.00454D14

The dump hasn't worked!!!
Now I've dumped here:

00407948 -FF25 20035C00 JMP DWORD PTR DS:[5C0320]
0040794E 8BC0 MOV EAX,EAX
00407950 -FF25 1C035C00 JMP DWORD PTR DS:[5C031C]
00407956 8BC0 MOV EAX,EAX
00407958 -FF25 18035C00 JMP DWORD PTR DS:[5C0318]
0040795E 8BC0 MOV EAX,EAX


and it works!!!

There are still some differences: your program runs registered, mine unregistered. Have you cracked it?

britedream 12-30-2003 19:37

No, I didn't crack it. I just removed the
ASProtect, and it is protected by it.

MaRKuS-DJM 12-30-2003 19:42

I noticed a very strange thing... if my dump has the name "dumped_.exe" it is unregistered. If I rename it to "aaaaaaaaaaaaaaaaaaaaaaaaaaaa.exe" it's suddenly registered!? Why is that?

britedream, it's the same with your dump... it works registered as "dd_.exe" and unregistered as "dda_.exe".

britedream 12-30-2003 19:44

My dump is from the OEP.

britedream 12-30-2003 19:50

I named it the same as the original program, "zup", and it works registered.

MaRKuS-DJM 12-30-2003 20:02

Finally, it doesn't matter if it is registered or not... for me it's only the unpacking practice. But I wondered about the rename thing :)

britedream 12-30-2003 20:06

In an earlier version of ASProtect I noticed that it creates a text file in the program folder for each dump you run; if you delete this file, or rename the dump, it will run unregistered. I didn't see these files here, but
they may be created somewhere else.

MaRKuS-DJM 12-30-2003 21:04

Found the code. It's in the dump...

00594614 8BD0 MOV EDX,EAX
00594616 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00594619 8B80 A80A0000 MOV EAX,DWORD PTR DS:[EAX+AA8]
0059461F 8B08 MOV ECX,DWORD PTR DS:[EAX]
00594621 FF51 5C CALL DWORD PTR DS:[ECX+5C]
00594624 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00594627 8B80 000B0000 MOV EAX,DWORD PTR DS:[EAX+B00]
0059462D 33D2 XOR EDX,EDX
0059462F E8 2864FEFF CALL zupa.0057AA5C
00594634 A1 D0AC5B00 MOV EAX,DWORD PTR DS:[5BACD0] <<< checks the dword in 5BACD0 = RVA 5BACD2
00594639 E8 CA64E7FF CALL zupa.0040AB08
0059463E 85C0 TEST EAX,EAX
00594640 76 10 JBE SHORT zupa.00594652 <<< jump UNREGISTERED
00594642 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00594645 8B80 5C090000 MOV EAX,DWORD PTR DS:[EAX+95C]
0059464B 33D2 XOR EDX,EDX
0059464D E8 CE23EBFF CALL zupa.00446A20
00594652 33C0 XOR EAX,EAX


The dword at 5BACD0 begins in my dump with B8, in your dump with B7.
The solution is to NOP the JBE @RVA 00594640 :)


@59A5C3 there is another JBE; this must also be NOPped.

MaRKuS-DJM 12-30-2003 22:18

New target: CloneCD 4.3.1.9

I came to the following:
Stolen bytes: none
OEP: 40154C

But there's still a read/write error if CloneCD analyses a CD. I think it's a problem with the IAT, but all invalid pointers are fixed.
IAT:

britedream 12-30-2003 23:34

Your "zup" isn't fully registered. If you
want to make it registered, do the following:
1- at address 5be7dc = 3d (this will make it as if we were registered)

2- NOP

52a2f6 (will prevent it from changing our status from step 1)

52a356 (this will make it think we have a valid lic)

You will no longer have the registration
entry, and it will be fully registered.

MaRKuS-DJM 12-31-2003 01:48

Hm... does it make so much difference?
How did you find that value? Only by tracing?
PowerStrip is the harder target...

zlatko 12-31-2003 03:17

Z-Up v4.3.1
 
MaRKuS-DJM,

Would you be kind enough to attach tree.txt for the last version of Z-Up Maker? I'm working on it but I have an error (wrong OEP?).
Regards,

Zlatko

MaRKuS-DJM 12-31-2003 03:21

It's on page one, the second post (by britedream).

zlatko 12-31-2003 08:14

1 Attachment(s)
britedream or Marcus ,

Would you please check what is incorrect with this tree.txt?
How do I decide whether it should be ADD ESP, -010 or SUB ESP, -0C?

Regards,

Zlatko

mtw 12-31-2003 13:05

Quote:

Originally posted by MaRKuS-DJM
New target: CloneCD 4.3.1.9

But there's still a read/write error if CloneCD analyses a CD. I think it's a problem with the IAT, but all invalid pointers are fixed.
IAT:

It might be these IAT values:

at the beginning
0014A0EC kernel32.dll 018D GetTimeFormatW

at the end
0014B67C crypt32.dll 0085 CryptExportPKCS8

Your IAT list doesn't have them.
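
A defender-side check for the kind of listing gap mtw points out, written for this thread as an added example (it is not code from any poster, from ImpRec or from any other tool). It parses listing lines in the four-field layout quoted above (slot RVA, DLL, ordinal, API name; the layout is assumed from those two lines, and header lines such as "Target:" are skipped), diffs a rebuilt import listing against a reference listing by DLL and API name, and, for a listing with no reference, flags holes inside one DLL's block of slots as candidates for unresolved pointers. The sample listings are constructed; only the GetTimeFormatW and CryptExportPKCS8 lines come from the thread, and every ordinal value is made up.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Line layout assumed from the four-field entries quoted in the thread:
#   <IAT slot RVA, 8 hex digits> <dll> <ordinal, 4 hex digits> <API name>
# Anything else (Target:/OEP:/FThunk: header lines, blank lines) is skipped.
IMPORT_LINE = re.compile(
    r"^\s*(?P<rva>[0-9A-Fa-f]{8})\s+(?P<dll>\S+\.dll)\s+"
    r"(?P<ordinal>[0-9A-Fa-f]{4})\s+(?P<name>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True, order=True)
class Import:
    rva: int       # RVA of the IAT slot (ordering key)
    dll: str       # lower-cased module name
    ordinal: int
    name: str


def parse_imports(listing: str) -> List[Import]:
    """Parse an ImpRec-style listing into Import entries, sorted by slot RVA."""
    entries = []
    for line in listing.splitlines():
        m = IMPORT_LINE.match(line)
        if m is None:
            continue  # header, comment or blank line
        entries.append(Import(int(m["rva"], 16), m["dll"].lower(),
                              int(m["ordinal"], 16), m["name"]))
    return sorted(entries)


def diff_imports(reference, candidate) -> Tuple[List[Import], List[Import]]:
    """Compare two listings by (dll, API name).
    Returns (missing_from_candidate, extra_in_candidate), each sorted by RVA."""
    ref = {(e.dll, e.name): e for e in reference}
    cand = {(e.dll, e.name): e for e in candidate}
    missing = sorted(ref[k] for k in ref.keys() - cand.keys())
    extra = sorted(cand[k] for k in cand.keys() - ref.keys())
    return missing, extra


def iat_gaps(entries, slot_size=4) -> List[Tuple[int, int, int]]:
    """Heuristic for a listing without a reference: the IAT slots of one DLL
    are contiguous pointers, so a hole between two consecutive entries of the
    same DLL is a slot the rebuild left unresolved. The one-slot hole at a DLL
    boundary is the thunk terminator and is not reported.
    Returns (rva_before_gap, rva_after_gap, number_of_missing_slots)."""
    gaps = []
    ordered = sorted(entries)
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev.dll != nxt.dll:
            continue
        missing_slots = (nxt.rva - prev.rva) // slot_size - 1
        if missing_slots > 0:
            gaps.append((prev.rva, nxt.rva, missing_slots))
    return gaps


# Constructed sample listings. The GetTimeFormatW and CryptExportPKCS8 lines
# are the two entries quoted in the thread; every other line, and every
# ordinal value, is made up for this example.
REFERENCE_TREE = """\
Target: reference_dump.exe
0014A0EC kernel32.dll 018D GetTimeFormatW
0014A0F0 kernel32.dll 0160 GetModuleHandleA
0014A0F4 kernel32.dll 00B9 ExitProcess
0014A0F8 kernel32.dll 0142 GetLastError
0014A100 user32.dll 01C2 MessageBoxA
0014B67C crypt32.dll 0085 CryptExportPKCS8
"""

CANDIDATE_TREE = """\
Target: my_dump.exe
0014A0F0 kernel32.dll 0160 GetModuleHandleA
0014A0F8 kernel32.dll 0142 GetLastError
0014A100 user32.dll 01C2 MessageBoxA
"""


def check_candidate():
    """Run both checks on the constructed listings and return the findings."""
    reference = parse_imports(REFERENCE_TREE)
    candidate = parse_imports(CANDIDATE_TREE)
    missing, extra = diff_imports(reference, candidate)
    return missing, extra, iat_gaps(candidate)


if __name__ == "__main__":
    missing, extra, gaps = check_candidate()
    for e in missing:
        print(f"missing  {e.rva:08X} {e.dll} {e.name}")
    for e in extra:
        print(f"extra    {e.rva:08X} {e.dll} {e.name}")
    for before, after, n in gaps:
        print(f"gap      {before:08X}..{after:08X}: {n} unresolved slot(s)")
```

On the constructed input the diff reports the first and last entries as missing, exactly the pattern mtw describes, plus ExitProcess; the gap heuristic independently flags the hole between GetModuleHandleA and GetLastError even though the candidate listing is otherwise self-consistent. The gap check is only a hint: a rebuild that drops a whole DLL block, or the last slot before a terminator, leaves no intra-DLL hole, which is why comparing against a known-good listing is the stronger check when one exists.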

MaRKuS-DJM 12-31-2003 19:07

@zlatko: the ESP value in the dump must match the ESP value in the original file @OEP.

zlatko 12-31-2003 23:31

1 Attachment(s)
Markus,

If you have time, would you try to work with me on a
new target? The program is dumped and the IAT is resolved, but there is some call (unresolved) outside of the dump. It does not
point to any DLL call, just a simple compare and jump. It is possible that I didn't resolve the IAT correctly. The tree is attached!

Regards,
Zlatko

MaRKuS-DJM 01-01-2004 00:58

It seems there are many pointers which aren't fixed... have you checked britedream's IAT?

MaRKuS-DJM 01-01-2004 01:45

mtw, how did you fix these two entries?

zlatko 01-01-2004 01:48

Markus,

This is a completely NEW target. Please read the string
"Target:" in the MSDG.txt file.
The problem with zup is resolved!

Z

MaRKuS-DJM 01-01-2004 02:01

Oh, I see... this is a program like ASPack which works with dword calls... it seems harder to fix... but your IAT should be correct. I came to the same.

MaRKuS-DJM 01-01-2004 02:14

OK, zlatko, I came to the following with your program.

Your IAT is correct. Now the parts to edit:

0056901C 55 PUSH EBP
0056901D 8BEC MOV EBP,ESP
0056901F 83C4 F0 ADD ESP,-10
00569022 B8 848B5600 MOV EAX,MsDataGe.00568B84
00569027 E8 00DFE9FF CALL MsDataGe.00406F2C
0056902C A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569031 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569033 E8 C0B2EFFF CALL MsDataGe.004642F8
00569038 FF15 E8C15600 CALL DWORD PTR DS:[56C1E8]
0056903E A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569043 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569045 E8 46B3EFFF CALL MsDataGe.00464390
0056904A E8 05B6E9FF CALL MsDataGe.00404654

Edit to:

0056901C > $ 55 PUSH EBP
0056901D . 8BEC MOV EBP,ESP
0056901F . 83C4 F0 ADD ESP,-10
00569022 . B8 848B5600 MOV EAX,dumped_.00568B84
00569027 . E8 00DFE9FF CALL dumped_.00406F2C
0056902C . A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569031 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569033 . E8 C0B2EFFF CALL dumped_.004642F8
00569038 . E8 8FFAFFFF CALL dumped_.00568ACC
0056903D . 90 NOP

0056903E . A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569043 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569045 . E8 46B3EFFF CALL dumped_.00464390
0056904A . E8 05B6E9FF CALL dumped_.00404654

and this:

00568AD4 68 378B5600 PUSH MsDataGe.00568B37
00568AD9 64:FF30 PUSH DWORD PTR FS:[EAX]
00568ADC 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568ADF A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AE4 50 PUSH EAX
00568AE5 E8 B6FFFFFF CALL MsDataGe.00568AA0
00568AEA 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00568AED A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AF2 E8 7D13EAFF CALL MsDataGe.00409E74
00568AF7 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00568AFA A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568AFF E8 94BCE9FF CALL MsDataGe.00404798
00568B04 A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568B09 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568B0B E8 FCBEE9FF CALL MsDataGe.00404A0C
00568B10 85C0 TEST EAX,EAX
00568B12 7E 08 JLE SHORT MsDataGe.00568B1C
00568B14 A1 44C35600 MOV EAX,DWORD PTR DS:[56C344]
00568B19 C600 01 MOV BYTE PTR DS:[EAX],1
00568B1C E8 4BFFFFFF CALL MsDataGe.00568A6C
00568B21 33C0 XOR EAX,EAX

to:

00568AD4 |. 68 378B5600 PUSH dumped_.00568B37
00568AD9 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00568ADC |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568ADF 90 NOP
00568AE0 90 NOP
00568AE1 90 NOP
00568AE2 90 NOP
00568AE3 90 NOP

00568AE4 |. 50 PUSH EAX ; /Arg1 => 00C23405
00568AE5 |. E8 B6FFFFFF CALL dumped_.00568AA0 ; \dumped_.00568AA0
00568AEA |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00568AED |. A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AF2 |. E8 7D13EAFF CALL dumped_.00409E74
00568AF7 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00568AFA |. A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568AFF |. E8 94BCE9FF CALL dumped_.00404798
00568B04 |. A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568B09 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568B0B |. E8 FCBEE9FF CALL dumped_.00404A0C
00568B10 |. 85C0 TEST EAX,EAX
00568B12 |. 7E 08 JLE SHORT dumped_.00568B1C
00568B14 |. A1 44C35600 MOV EAX,DWORD PTR DS:[56C344]
00568B19 |. C600 01 MOV BYTE PTR DS:[EAX],1
00568B1C |> E8 4BFFFFFF CALL dumped_.00568A6C
00568B21 |. 33C0 XOR EAX,EAX

MaRKuS-DJM 01-01-2004 02:18

I think the rest isn't very hard.
The registration flag is

56E24C
or 16E24C (for a hex editor); change it to 1 and all is OK.

MaRKuS-DJM 01-01-2004 02:49

These calls and the mov aren't necessary for the program to work. It's only advanced ASProtect protection and is meant to cost crackers time.

zlatko 01-01-2004 03:26

Thanks Markus,

I did the same thing as you in the first part, but the second part I missed (at 00568ADC)!

Regards ,

Z

PS. Would you PM me your email address, or if you wish I can PM you mine.
It's much easier to work through e-mail than on the board.

MaRKuS-DJM 01-01-2004 03:38

I PM'ed you.

zlatko 01-01-2004 04:09

I'm STUPID!

All changes I've made with Hiew (instead of with HexEd), and you know what happens! -> Access v...

Z

PS. Thanks for address

MaRKuS-DJM 01-01-2004 04:23

I only use WinHex and Hiew, don't know about HexEd :)

