BriteDream,
I was referring to address location (provided by lownoise):
Original code:
$4043AA: 8B00 MOV EAX, DWORD PTR DS:[EAX]
$4043AC: 85C0 TEST EAX,EAX
Change to:
$4043AA: 33C0 XOR EAX,EAX
This patch allowed my dump to work after fixing it with ImpREC.
Moving along, if you press SHIFT + F9 26 times and then search the stack, the key you entered (dummy key in registry) is missing!
From this, and by checking the RegQueryKey breakpoints, I determined that the serial# is loaded in the AsProtect code which is not in the final unpacked code.
Also it seems on my system that the KEY from the registry is stored at location $990F3C and is pushed onto the stack.
Another telltale sign is that it removes all spaces from the serial#. Big No No. When we see a loop to remove spaces, it helps let us know we are getting closer. As a test... Put MALTESE MALTESE MALTESE as the key. When it's pushed onto the stack, the spaces are missing.
And now for my stupid question: Don't Laugh...
I noticed AsProtect employs a technique of making calls to odd addresses, which messes with Olly. I can right click and then say follow... but is there a better way to adjust the memory locations so that the code looks the same as it does when it executes?
I will share as I go for those that might want to join in.
-Malt
Last edited by Maltese; 03-30-2004 at 09:37.