Exetools  

#1  10-28-2004, 15:15
nimda2k3
Is it possible to unpack software packed with ASProtect 1.23 RC4 Registered?

I have found a program packed with "ASProtect 1.23 RC4 Registered -> Alexey Solodovnikov [Overlay]". I tried to unpack it, but failed. I can find the stolen bytes and the OEP, and fix the IAT; after doing this I ran it, and it crashes! Someone who has experience in unpacking ASPR 1.23 RC4 Registered, please give me some advice.

The target :hxxp://www.kmint21.com/serial-port-monitor/
#2  10-28-2004, 15:52
hosiminh
Oh man, JMI will be pleased when he sees your post.

I suggest you use "Search: Key Word(s): ASProtect". With this one I got 194 results.

You can also go to h**p://tothesky.us/tut.htm and look for the "MUP ASProtect 1.xx" tutorials.

If you still cannot unpack it, use "Aspr stripper_v211rc2" from h**p://syd.nightmail.ru/stripper or "ASPR Dumper".

After all, if you have successfully unpacked your target, found the stolen bytes, and fixed the OEP and the IAT, maybe it has some anti-unpacking/dumping tricks (CRC/hash check etc.) added by the author of the program. Use a debugger to find out what is hiding inside.
#3  10-28-2004, 17:19
nimda2k3
Problem solved

to hosiminh:

Kind man, I've seen almost all the ASProtect tuts here; I can't find one that tells us how to fix the ASPR trick. Maybe I should post one, although not a very good one.

Here is the dump, with the trick fixed.

Thanks again for your advice.
Attached Files
File Type: rar dumped_.rar (873.4 KB, 16 views)

Last edited by nimda2k3; 10-28-2004 at 17:21.
#4  10-28-2004, 18:03
peleon
so, ain't you gonna tell us about that "new" trick?
#5  10-28-2004, 21:06
nimda2k3
to peleon:
Poor tut is here.
Attached Files
File Type: txt mini tut.txt (4.2 KB, 75 views)

Last edited by nimda2k3; 10-28-2004 at 21:18.
#6  10-28-2004, 21:12
nimda2k3
BTW: Another program is packed with "ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov". I have spent 5 days on fixing the tricks, but still without success. Could anyone help me?

Here are the packed target and the unpacked target with the stolen bytes, IAT and OEP fixed, but not the tricks.
Attached Files
File Type: rar Target & dump_fixStolenOEPIAT.rar (1.36 MB, 89 views)
#7  10-29-2004, 23:07
Crk
I found this today.
BTW, I was checking it and I got it fully loaded, but there are many checks and tricks, because it crashes sometimes when opening the settings dialog and when it is loaded... I believe this is because of an active hidden CRC check that stops decrypting some parts of the code after it finds that it was unpacked. I removed all ASPR tricks, but I guess that's not a matter of ASPR any longer... all the ASPR tricks and checks you can find from 005B3C70... maybe there are some others...

real OEP is: 001B4378 ( 005B4378 )

Stolen bytes: 558BEC535657B8183d5B00
#8  10-30-2004, 08:39
nimda2k3
To Crk: I think you are right!
BTW: Have you seen it?
Quote:
Another program is packed with "ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov". I have spent 5 days on fixing the tricks, but still without success.
I can fix some tricks; now the "file corrupted!" problem is solved and it can fully load. There is a Register dialog first, but none of the command buttons work normally except the "Enter code" one. So I think this must be a trick the author made. How to fix the trick so that all the buttons work normally is difficult, I believe. I'll try my best to solve it. I'd be glad if anyone would like to talk about it with me.
#9  10-30-2004, 17:33
britedream
Hi nimda2k3!,
I just looked at your dump to see if you cleared the usual ASProtect anti-dump checks; there are some you didn't clear, such as the check of your entry point to see if it is still the protector's entry point. If not, the target is unpacked and it will give you a problem:

0047DFF3 8B35 18C75500 MOV ESI,DWORD PTR DS:[55C718]
0047DFF9 8B46 3C MOV EAX,DWORD PTR DS:[ESI+3C]
0047DFFC 8B4430 28 MOV EAX,DWORD PTR DS:[EAX+ESI+28]
0047E000 66:3D 0010 CMP AX,1000
0047E004 74 04 JE SHORT dumped_f.0047E00A

Here you can see it is loading the entry point from the target's PE header and comparing it with the protector's entry point [RVA].

Follow the return and you will also see that the next call is not corrected, and so on.

britedream

Last edited by britedream; 10-30-2004 at 21:08.
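The listing above walks the loaded image's headers: ESI is the image base (loaded from [55C718]), [ESI+3C] is IMAGE_DOS_HEADER.e_lfanew, and [EAX+ESI+28] is IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint (offset 0x10 into the optional header, which starts 0x18 bytes after the PE signature). The value is then compared as a 16-bit quantity (CMP AX,1000). The following Python is an added example, not code from the thread or from ASProtect: it builds a constructed minimal PE32 header in memory, reads AddressOfEntryPoint by the same offsets, and emulates the check both as written (low 16 bits only) and as a full 32-bit comparison, to show what an analyst looking at a dump should expect from such a tamper self-check and why the 16-bit form is imprecise. The expected RVA 0x1000 is the immediate from the listing; all other entry RVAs below are constructed.

```python
import struct


def build_min_pe(entry_rva: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: a minimal PE32 header in memory, not a real program.

    Only the fields the check reads are populated: the MZ signature,
    e_lfanew at 0x3C, the PE signature, and AddressOfEntryPoint at
    e_lfanew + 0x28 (offset 0x10 of the optional header).
    """
    # DOS header/stub up to e_lfanew, then PE sig (4) + COFF header (20) + PE32 optional header (224)
    image = bytearray(e_lfanew + 0x18 + 0xE0)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)              # IMAGE_DOS_HEADER.e_lfanew
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"                   # IMAGE_NT_HEADERS.Signature
    struct.pack_into("<H", image, e_lfanew + 4, 0x014C)        # FileHeader.Machine = i386
    struct.pack_into("<H", image, e_lfanew + 0x14, 0xE0)       # FileHeader.SizeOfOptionalHeader
    struct.pack_into("<H", image, e_lfanew + 0x18, 0x10B)      # OptionalHeader.Magic = PE32
    struct.pack_into("<I", image, e_lfanew + 0x28, entry_rva)  # OptionalHeader.AddressOfEntryPoint
    return bytes(image)


def entry_point_rva(image: bytes) -> int:
    """Read AddressOfEntryPoint by the same two dereferences as the listing:
    MOV EAX,[ESI+3C] (e_lfanew) then MOV EAX,[EAX+ESI+28] (AddressOfEntryPoint)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<I", image, e_lfanew + 0x28)[0]


def protector_entry_check(image: bytes, expected_rva: int = 0x1000) -> bool:
    """Emulates CMP AX,1000 from the listing: only the low 16 bits are compared."""
    return (entry_point_rva(image) & 0xFFFF) == (expected_rva & 0xFFFF)


def strict_entry_check(image: bytes, expected_rva: int = 0x1000) -> bool:
    """Full 32-bit comparison, which is what a self-check should actually do."""
    return entry_point_rva(image) == expected_rva


if __name__ == "__main__":
    samples = [
        ("still_packed", build_min_pe(0x00001000)),  # entry still at the protector's RVA
        ("unpacked",     build_min_pe(0x0002F1A0)),  # constructed OEP RVA after dumping
        ("collision",    build_min_pe(0x00011000)),  # low word is also 0x1000: fools the 16-bit check
    ]
    for name, img in samples:
        print(f"{name:12s} AEP=0x{entry_point_rva(img):08X} "
              f"16-bit check={protector_entry_check(img)} "
              f"32-bit check={strict_entry_check(img)}")
```

The "collision" sample is the point of the exercise: because the listing compares AX rather than EAX, any entry RVA whose low word is 0x1000 passes the self-check, so an analyst cannot treat a passing check as proof that the header is untouched, and anyone implementing such a check should compare the full DWORD.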
#10  10-31-2004, 05:43
Crk
I know someone who has unpacked it and has a fully working exe of this... but there are many sections of code encrypted; without the key you can't unlock some functions... Does anyone have a key, for private purposes, to unlock the encrypted parts??
#11  10-31-2004, 15:37
britedream
Hi crk!

Here is the code snippet where the target checks the registration flag; if you set this flag, it should eliminate the nag and activate the disabled options.

0047DFB8 833D 907F5500 0>CMP DWORD PTR DS:[557F90],0
0047DFBF 74 09 JE SHORT target.0047DFCA
0047DFC1 833D 8C7F5500 0>CMP DWORD PTR DS:[557F8C],0
0047DFC8 74 13 JE SHORT target.0047DFDD
0047DFCA 33C9 XOR ECX,ECX
0047DFCC B2 01 MOV DL,1
0047DFCE A1 44874000 MOV EAX,DWORD PTR DS:[408744]
0047DFD3 E8 80FEF8FF CALL target.0040DE58
0047DFD8 E8 8F61F8FF CALL target.0040416C
0047DFDD C3 RETN

The first comparison is for the reg. flag; follow the value to the dump and set the first byte to 1.
Regards.

Last edited by britedream; 10-31-2004 at 15:44.
#12  11-01-2004, 16:51
nimda2k3
Hi britedream,
You are right! I found myself really lacking this knowledge.
Quote:
I just looked at your dump to see if you cleared the usual ASProtect anti-dump checks; there are some you didn't clear, such as the check of your entry point to see if it is still the protector's entry point.
So, how can I improve myself? Could you give me some advice?

Regards
nimda2k3

Last edited by nimda2k3; 11-01-2004 at 17:05.
#13  11-05-2004, 03:10
Michel (Location: France)
To Crk :
Quote:
...without key can't unlock some functions....
Removing all ASPR tricks seems to be a great art...
For all those (like me) who aren't such great artists, it's easier to merge the required ASPR sections into the dump. Then it will never crash (but of course it works only on the machine where the dump was done, and with the DLL versions used).

If you really want to use the prog, don't forget AsLoad, which works fine with all ASPR 1.23 RC4 I have tried...