Quote:
Originally Posted by ZeNiX
In some cases, you need a valid registration key to decrypt protected code blocks.
|
After reaching the OEP and analysing the code, I could see no sign of encrypted code sections.
At least it can be confirmed with the code flow of older versions except the calls to the VM or SKE SDK.
Also all typical strings references can be seen clearly
The only problem is the calls to the VM which the script is able to identify correctly by stops at the location it checks for the error 111.
Quote:
|
Another some cases, you need to repair the calls to ASProtect's API if the program uses SKE's SDK functions.
|
These are what I am trying to repair.
Example at the OEP of an MS VC++8 application
Code:
0040791F . E8 8D020000 CALL abcd.00407BB1 ; the OEP
00407924 .^ E9 80FEFFFF JMP abcd.004077A9
00407929 /$ 55 PUSH EBP
0040792A |. 8BEC MOV EBP,ESP
0040792C |. A1 04304200 MOV EAX,DWORD PTR DS:[0x423004]
00407931 |. 83E0 1F AND EAX,0x1F
00407934 |. 6A 20 PUSH 0x20
00407936 |. 59 POP ECX ; 009D19A6
00407937 |. 2BC8 SUB ECX,EAX ; abcd.0040791F
00407939 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+0x8] ; abcd.00449833
0040793C |. D3C8 ROR EAX,CL
0040793E |. 3305 04304200 XOR EAX,DWORD PTR DS:[0x423004]
00407944 |. 5D POP EBP ; 009D19A6
00407945 \. C3 RETN
If you enter the call at the OEP you will see
Code:
00407BB1 $ 55 PUSH EBP
00407BB2 . 8BEC MOV EBP,ESP
00407BB4 . 83EC 14 SUB ESP,0x14
00407BB7 . 8365 F4 00 AND DWORD PTR SS:[EBP-0xC],0x0
00407BBB . 8365 F8 00 AND DWORD PTR SS:[EBP-0x8],0x0
00407BBF . A1 04304200 MOV EAX,DWORD PTR DS:[0x423004]
00407BC4 . 56 PUSH ESI
00407BC5 . 57 PUSH EDI
00407BC6 . BF 4EE640BB MOV EDI,0xBB40E64E
00407BCB . BE 0000FFFF MOV ESI,0xFFFF0000
00407BD0 . 3BC7 CMP EAX,EDI
00407BD2 . 74 0D JE SHORT abcd.00407BE1
00407BD4 . 85C6 TEST ESI,EAX ; abcd.0040791F
00407BD6 . 74 09 JE SHORT abcd.00407BE1
00407BD8 . F7D0 NOT EAX ; abcd.0040791F
00407BDA . A3 00304200 MOV DWORD PTR DS:[0x423000],EAX ; abcd.0040791F
00407BDF . EB 66 JMP SHORT abcd.00407C47
00407BE1 > 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-0xC]
00407BE4 . 50 PUSH EAX ; abcd.0040791F
00407BE5 . E8 16846F01 CALL 01B00000 ; Call to ASPR VM/SKE SDK
00407BEA . 9B WAIT
00407BEB . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-0x8]
00407BEE . 3345 F4 XOR EAX,DWORD PTR SS:[EBP-0xC]
00407BF1 . 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX ; abcd.0040791F
00407BF4 . E8 07846F01 CALL 01B00000 ; Call to ASPR VM/SKE SDK
00407BF9 . 4E DEC ESI
00407BFA . 3145 FC XOR DWORD PTR SS:[EBP-0x4],EAX ; abcd.0040791F
00407BFD . E8 FE836F01 CALL 01B00000 ; Call to ASPR VM/SKE SDK
00407C02 . DA31 FIDIV DWORD PTR DS:[ECX]
00407C04 . 45 INC EBP
00407C05 . FC CLD
00407C06 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-0x14]
00407C09 . 50 PUSH EAX ; abcd.0040791F
00407C0A . E8 F1836F01 CALL 01B00000 ; Call to ASPR VM/SKE SDK
The
CALL 01B00000 is called 60 times in this application
Quote:
Originally Posted by user1
And unpacked was registered.
|
The programs runs with small restrictions unregistered. It also does not used the ASProtect registration but its own pretty simple CRC32 routine.