#1
BTW, is there only one SEH handler function that it uses, or many?
If there is only one, you could just NOP out the portion that clears the hardware breakpoints in the CONTEXT struct.
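The trick post #1 refers to, as an added example rather than code from the thread or from ASProtect: a Windows exception handler receives the faulting thread's CONTEXT, and whatever it writes into the Dr0-Dr3/Dr7 fields is what the kernel restores when the handler returns, so zeroing them silently disarms the debugger's hardware breakpoints. The block below is portable C with no windows.h; `struct dbg_ctx` is a hand-written subset of CONTEXT (only the debug registers), `protector_handler` is a stand-in for the clearing behaviour (with a flag for the "NOP it out" case), and `hwbp_were_cleared` is the check a debugger can run after each SEH round trip. The two addresses armed in the demo are the ones quoted later in the thread.

```c
/* Added example, not from the thread: model of what "clearing the hardware
 * breakpoints in the CONTEXT struct" does, and a check that detects it. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct dbg_ctx {        /* assumption: only the debug-register part of CONTEXT */
    uint32_t dr[4];     /* Dr0..Dr3: linear address of each hardware breakpoint */
    uint32_t dr6;       /* Dr6: status, which slot fired */
    uint32_t dr7;       /* Dr7: control, enable bits plus type/len per slot */
};

enum hwbp_type { HWBP_EXEC = 0, HWBP_WRITE = 1, HWBP_RW = 3 };   /* DR7 RWn field */
enum hwbp_len  { HWBP_LEN1 = 0, HWBP_LEN2 = 1, HWBP_LEN8 = 2, HWBP_LEN4 = 3 }; /* DR7 LENn field */

/* Arm slot n (0..3) as a local breakpoint: Ln enable at bit 2n, RWn at bits
 * 16+4n, LENn at bits 18+4n. Execute breakpoints must use length 1. */
static bool set_hwbp(struct dbg_ctx *c, unsigned n, uint32_t addr,
                     enum hwbp_type type, enum hwbp_len len)
{
    if (n > 3) return false;
    if (type == HWBP_EXEC && len != HWBP_LEN1) return false;
    c->dr[n] = addr;
    c->dr7 &= ~((uint32_t)0xF << (16 + 4 * n));               /* clear old type/len */
    c->dr7 |= ((uint32_t)type << (16 + 4 * n)) | ((uint32_t)len << (18 + 4 * n));
    c->dr7 |= (uint32_t)1 << (2 * n);                          /* Ln: local enable */
    return true;
}

/* A slot counts as armed if either its local (Ln) or global (Gn) bit is set. */
static bool hwbp_enabled(const struct dbg_ctx *c, unsigned n)
{
    return n < 4 && (c->dr7 & ((uint32_t)3 << (2 * n))) != 0;
}

static unsigned hwbp_count(const struct dbg_ctx *c)
{
    unsigned k = 0;
    for (unsigned n = 0; n < 4; n++) k += hwbp_enabled(c, n);
    return k;
}

/* Stand-in for the handler behaviour post #1 describes: zero the debug
 * registers in the CONTEXT that will be restored on return from the
 * exception, so the debugger's hardware breakpoints vanish. The flag models
 * the suggested patch (the clearing code NOPed out). */
static void protector_handler(struct dbg_ctx *ctx, bool clear_patched_out)
{
    if (clear_patched_out) return;
    memset(ctx->dr, 0, sizeof ctx->dr);
    ctx->dr6 = 0;
    ctx->dr7 = 0;
}

/* Debugger-side check after an SEH round trip: did any slot we armed come back
 * disabled or pointing somewhere else? */
static bool hwbp_were_cleared(const struct dbg_ctx *before, const struct dbg_ctx *after)
{
    for (unsigned n = 0; n < 4; n++)
        if (hwbp_enabled(before, n) &&
            (!hwbp_enabled(after, n) || after->dr[n] != before->dr[n]))
            return true;
    return false;
}

/* One simulated exception round trip; true if the breakpoints survived. */
static bool hwbp_survive_roundtrip(bool clear_patched_out)
{
    struct dbg_ctx before = {0}, after;
    set_hwbp(&before, 0, 0x00974350u, HWBP_EXEC, HWBP_LEN1);   /* addresses quoted in post #3 */
    set_hwbp(&before, 1, 0x0096962Du, HWBP_EXEC, HWBP_LEN1);
    after = before;
    protector_handler(&after, clear_patched_out);
    return !hwbp_were_cleared(&before, &after);
}

int main(void)
{
    struct dbg_ctx c = {0};
    set_hwbp(&c, 0, 0x00974350u, HWBP_EXEC, HWBP_LEN1);
    printf("armed slots before handler: %u, Dr7=0x%08x\n", hwbp_count(&c), c.dr7);
    printf("unpatched handler: breakpoints survive = %d\n", hwbp_survive_roundtrip(false));
    printf("patched handler:   breakpoints survive = %d\n", hwbp_survive_roundtrip(true));
    return 0;
}
```

Snapshotting Dr0-Dr7 before stepping over the faulting instruction and comparing afterwards is also how you tell, without reading the handler, whether it is the debug registers it tampers with or something else entirely (the thread goes on to find that the handler is hit many times).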
#2
I "believe" that because AsProtect decrypts, runs, clears the stack, clears memory, decrypts over the cleared memory, *repeat*, that just NOPing the SEH handler function won't work.
There are 27 memory access violations, all occurring in different places in memory. That would be too easy, to just NOP one call for the SEH handler. I just can't imagine Alexey allowing something like that. I will try my trace in a few hours when I finish work and report back. -Malt
#3
Well, I've finally done it!

I have successfully traced the AsProtect code to the point where it loads the Serial# from the Registry without any SEH errors. I have confirmed that it makes 4 copies of the key (for a total of 5). It will try to strip out any spaces from the key. Valid keys have no spaces.

DVDIdle Pro uses the following string for a look-up (which I believe is to re-create the name of the registered person; working on this now, not sure just yet on this one):

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= $()[]{},::-_\*

I am taking VERY good notes at the moment to see how the code is tracing through the key. I'm tired at the moment. I'll continue tomorrow.

For those that wish to participate: my research was correct in my last message.

1. You must trace into the code from the beginning with MOV DWORD PTR FS:[EAX],ESP in the SET CONDITION box.
2. When Olly breaks you must NOP the following XOR [EAX],EAX, then continue with CTRL+F11 until you NOP the XOR [EAX],EAX at address location $974350.
3. Once you've NOP'd $974350, single-step past it, then BP on address $974652 and single-step till after the CALL $965264.
4. Now BP on $96962D. You will now be at the RegOpenKeyExA call.
5. Just F8 till you get to the RegQueryKeyExA. And voilà...

Hope this helps. Now the fun part begins... Not bad for a Newbie, huh?

-Malt

P.S. You can use the same technique for PowerStrip too, guys... the addresses are different, but use the same technique. Race you to the finish MaRKuS.... LOL (I would lose that one).

Last edited by Maltese; 03-31-2004 at 04:20.
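The first two things post #3 says the protected code does with the registry string, written out as an added example (not the poster's recovered routine and not DVDIdle Pro's code): strip every space from the key, then resolve each remaining character through the look-up table quoted above. Mapping each character to its position in that table is an assumption about what "look-up" means here; the thread does not say what the indices are then used for. The trailing `\*` on the page is taken as a literal `*`.

```c
/* Added example, not from the thread: key normalization against the
 * look-up table quoted in post #3. Index mapping is an assumption. */
#include <stdio.h>
#include <string.h>

/* The look-up string from post #3 (79 characters). Note it contains a space
 * itself, which can never be hit once spaces have been stripped. */
static const char KEY_TABLE[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
    " $()[]{},::-_*";

/* Remove every space in place, as the post says the code does. Returns the new length. */
static size_t strip_spaces(char *s)
{
    size_t w = 0;
    for (size_t r = 0; s[r] != '\0'; r++)
        if (s[r] != ' ') s[w++] = s[r];
    s[w] = '\0';
    return w;
}

/* Position of c in KEY_TABLE (first occurrence; ':' appears twice), or -1 if
 * c is not a table character. */
static int table_index(char c)
{
    const char *p = c ? strchr(KEY_TABLE, c) : NULL;
    return p ? (int)(p - KEY_TABLE) : -1;
}

/* Normalize a key and translate it to table indices. Returns the number of
 * indices written, or -1 if the key is too long for the buffer, does not fit
 * in out[], or contains a character outside the table (key rejected). */
static int key_to_indices(const char *key, int *out, size_t cap)
{
    char buf[256];
    if (strlen(key) >= sizeof buf) return -1;
    strcpy(buf, key);
    size_t n = strip_spaces(buf);
    if (n > cap) return -1;
    for (size_t i = 0; i < n; i++) {
        int idx = table_index(buf[i]);
        if (idx < 0) return -1;
        out[i] = idx;
    }
    return (int)n;
}

/* Inverse mapping, useful on the keygen side: indices back to table characters. */
static int indices_to_key(const int *idx, size_t n, char *out, size_t cap)
{
    if (n + 1 > cap) return -1;
    for (size_t i = 0; i < n; i++) {
        if (idx[i] < 0 || (size_t)idx[i] >= sizeof KEY_TABLE - 1) return -1;
        out[i] = KEY_TABLE[idx[i]];
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* constructed sample keys, not real DVDIdle Pro serials */
    const char *samples[] = { "ABCD 1234 wxyz", "AB#CD", "Ab=+/" };
    int idx[64];
    char back[64];
    for (size_t s = 0; s < 3; s++) {
        int n = key_to_indices(samples[s], idx, 64);
        printf("\"%s\" -> ", samples[s]);
        if (n < 0) { printf("rejected\n"); continue; }
        for (int i = 0; i < n; i++) printf("%d ", idx[i]);
        indices_to_key(idx, (size_t)n, back, sizeof back);
        printf("(round trip: %s)\n", back);
    }
    return 0;
}
```

The rejection path matters more than the happy path here: a real loader that stripped spaces and then indexed blindly would read past the table for any character outside it, which is exactly the kind of input a keygen author has to be able to rule out before trusting the decoded name.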
#4
LOL.. I hope you are enjoying yourself, Maltese
...'cos I hate to spoil your fun, but when you are done you will realise that there is an easier way to do what you want... but then again you LEARN a lot MORE the hard way ...perhaps a search for aspr tools around will be good; the woodmann forum is the place to find them... like you can get the AntiIsDebuggerPresent plugin for Olly, bypass the SEH setting in Olly (you have realised now what breakpoint to set) ...One more thing that will help you a lot if you haven't done so: dump the aspr.dll (manually, or search for a tool), disassemble it with IDA and your life will be much simpler ...Enjoy, crUs
#5
crusader,
I have the Hide Debugger plugin for Olly. Not sure it's the same one you mentioned. If there is a different one, please point me in the right direction. Yes, I am having fun LOL. Since I am new to IBM cracking I need to sift and sink through the code to become more familiar with the latest x86 tricks. If you have any suggestions please PM me or share them here. My focus now is learning the algorithm to create a valid key. The problem with AsProtected programs is that once you break one... you can break them all. -Malt
#6
Quote:
#7
Regarding the name...
Once the name is extracted from the key, it has no other significance... there are no more checks on the size or the value. Basically, this is important for the keygen, to assist in creating a serial# from a name... but other than that, it's not where the check for validity is, or where it's generated entirely. -Malt KEEP ON DIGGIN'