Exetools > General > General Discussion
#1  04-24-2004, 00:13
ferrari
Aspack 2.11c- Inline Problem

The Target: http://www.runtime.org/gdbnt.zip

The Problem:
Another piece of Runtime software protected by ASPack 2.11c (same as Captain Nemo). I had no problem inline patching Captain Nemo, but I'm unable to inline patch this GetDataBack.
To crack the program:
Code:
004F8763   . /74 08         JE SHORT gdbnt1.004F876D

 Change To

004F8763     /EB 23         JMP SHORT gdbnt1.004F8788
While manual unpacking I found these signature bytes:
Code:
006353B6   /75 08           JNZ SHORT gdbnt.006353C0
006353B8   |B8 01000000     MOV EAX,1
006353BD   |C2 0C00         RETN 0C
006353C0   \68 B06C5700     PUSH gdbnt.00576CB0
Now, for inline patching, when I go to 006353B6 I see this:

Code:
006353B6    DCA1 11A8A9A9   FSUB QWORD PTR DS:[ECX+A9A9A811]
006353BC    A9 6BA5A9C1     TEST EAX,C1A9A56B
006353C1    A9 A9A9A96A     TEST EAX,6AA9A9A9
006353C6    222C85 E3EDA924 AND CH,BYTE PTR DS:[EAX*4+24A9EDE3]
So I cannot see that JNZ to make it jump to my injected code. How do I do the patching now? Please help.

Regards,
#2  04-24-2004, 03:09
MaRKuS-DJM (Cracker + Unpacker)
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Seems it has some mystery... maybe it's modified in some way? This is not standard ASPack...

EDIT:
The complete file is XOR'ed in some way.
All is done here:
Code:
00635518   80B7 5DC99F45 A9   XOR BYTE PTR DS:[EDI+459FC95D],0A9
Maybe you can place your inline patch somewhere after this.

Last edited by MaRKuS-DJM; 04-24-2004 at 03:14.
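An added worked example (my code, not anything posted in the thread): it takes the bytes ferrari listed at 006353B6 in post #1, derives the XOR key from the known-plaintext ASPack tail (JNZ / MOV EAX,1 / RETN 0C / PUSH) that the same addresses showed while unpacking, checks that the key equals the 0A9 immediate in the XOR instruction MaRKuS-DJM quoted, and decodes the remaining bytes. The byte strings are transcribed from the two listings above, so the file itself is not needed; the assumption that one key byte covers this whole range, the index arithmetic and the helper names are mine.

```python
"""
Added example (not from the thread): recover the single-byte XOR key that the
stub at 00635518 applies, and use it to decode the bytes seen at 006353B6 into
the ASPack tail that appeared during manual unpacking.

Constructed input: every byte string below is transcribed from the OllyDbg
listings quoted in the thread.
"""

BASE = 0x006353B6

# Bytes as the debugger showed them at 006353B6 before the stub's XOR loop ran
# (post #1, "for inline patching ... I see this").
ENCRYPTED_AT_006353B6 = bytes.fromhex(
    "DC A1 11 A8 A9 A9 "        # FSUB QWORD PTR DS:[ECX+A9A9A811]
    "A9 6B A5 A9 C1 "           # TEST EAX,C1A9A56B
    "A9 A9 A9 A9 6A "           # TEST EAX,6AA9A9A9
    "22 2C 85 E3 ED A9 24"      # AND CH,BYTE PTR DS:[EAX*4+24A9EDE3]
)

# The same addresses as they looked during manual unpacking (post #1).
# The PUSH operand is deliberately NOT included: that listing was taken at
# run time, and whether the operand is the same on disk is what we want to
# learn from the decode.
KNOWN_PLAINTEXT = {
    0x006353B6: bytes.fromhex("75 08"),           # JNZ SHORT 006353C0
    0x006353B8: bytes.fromhex("B8 01 00 00 00"),  # MOV EAX,1
    0x006353BD: bytes.fromhex("C2 0C 00"),        # RETN 0C
    0x006353C0: bytes.fromhex("68"),              # PUSH imm32 (opcode only)
}

# Immediate of the instruction quoted in post #2:
# 00635518  XOR BYTE PTR DS:[EDI+459FC95D],0A9
KEY_FROM_STUB = 0xA9


def recover_xor_key(cipher: bytes, base: int, known: dict) -> int:
    """Derive a single-byte XOR key from known plaintext.

    Every known byte must give the same key; if the candidates disagree the
    region is not a plain single-byte XOR (or the plaintext guess is wrong),
    and we refuse rather than return a misleading key.
    """
    candidates = set()
    for addr, plain in known.items():
        for i, p in enumerate(plain):
            candidates.add(cipher[addr - base + i] ^ p)
    if len(candidates) != 1:
        raise ValueError(
            "not a single-byte XOR: candidate keys "
            + ", ".join(f"{k:#04x}" for k in sorted(candidates))
        )
    return candidates.pop()


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR with one key byte; the loop is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def decode_tail(cipher=ENCRYPTED_AT_006353B6, base=BASE, known=KNOWN_PLAINTEXT):
    """Return (key, decoded bytes, PUSH operand as stored on disk)."""
    key = recover_xor_key(cipher, base, known)
    plain = xor_decode(cipher, key)
    push_opcode_off = 0x006353C0 - base             # index of the 68 opcode
    operand = int.from_bytes(plain[push_opcode_off + 1:push_opcode_off + 5], "little")
    return key, plain, operand


if __name__ == "__main__":
    key, plain, operand = decode_tail()
    print(f"recovered key      : {key:#04x} (stub immediate is {KEY_FROM_STUB:#04x})")
    print(f"decoded @006353B6  : {plain.hex(' ')}")
    print(f"PUSH operand on disk: {operand:#010x}")
```

Running it gives key 0xA9 and the decode `75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 ...`: the JNZ, MOV EAX,1 and RETN 0C come back exactly as in the unpacking listing, but the PUSH is `PUSH 0` followed by RETN on disk. The 00576CB0 operand in ferrari's listing is therefore written by the stub at run time, so injected code cannot simply read the OEP out of the file. Two practical consequences: a patch placed after the XOR loop (MaRKuS-DJM's suggestion) sees plaintext and needs no special handling; a patch placed inside the XOR'ed range would have to be stored pre-XORed with 0xA9 (for instance `EB 0A` stored as `42 A3`) so the loop decodes it, and that only works if the loop really covers that address with this one key and nothing checksums the stub afterwards, which the thread does not establish.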
#3  04-25-2004, 10:26
britedream (Friend)
Join Date: Jun 2002
Posts: 436
Hi Ferrari

I am running Windows XP; I patched the two locations you indicated without any problem.

What do you mean by inline patching them? Do you mean at run time? I didn't try this one.

Last edited by britedream; 04-25-2004 at 10:31.
#4  04-26-2004, 18:48
hobgoblin (Friend)
Join Date: Jan 2002
Posts: 124
Hi ferrari

As said earlier, some of the starting ASPack code is decrypted at 00635518. After the decryption is done, the program does not make the jump at 00635590. The following jump at 00635599 is hardcoded from the beginning. I'm sure you can find that useful for some innovative use of code injection?

regards,
hobgoblin
#5  04-26-2004, 20:32
ferrari
Oh, I completely forgot about this thread. For the past few days I've been facing problems connecting to exetools with my actual IP. Anyway, I'll try out your suggestions, guys. But can you explain one thing, guys? Before cracking Runtime's GetDataBack I cracked Runtime's Captain Nemo, which is packed with the same ASPack 2.11c. Here is my crack:

http://grinders.withernsea.com/patches/captain_nemo3.31_crk.rar

And I didn't face this problem while inline patching Captain Nemo. Why?

Thanks Markus, Brite, hob

Regards,
ferrari
#6  04-26-2004, 22:28
hobgoblin (Friend)
Join Date: Jan 2002
Posts: 124
Hi ferrari

I just took a brief look at Captain Nemo (hmm, seems like a nice little proggie), and from what I saw both programs have some encryption going on at the beginning. The difference is that when it comes to Nemo, the encryption doesn't cover the jumping code to the unpacked code. I don't really know what this is, but it may very well be some modified kind of ASPack. Maybe the programs are packed with ASPack, and then later on the opening code is encrypted in some way. Don't really know whether this is caused by ASPack itself or some 3rd party program. The encryption method used is very simple though. I have every now and then seen programs modified after being packed, but usually they don't cause too much trouble. I'll have to take a deeper look at this to come up with some more info...

regards,
hobgoblin
All times are GMT +8.