only demo version?

May 5th, 2001, 10:54
Target: AED Tools

The program is packed and protected by
ASProtect (? maybe that's why one section name is .aspr).
The program was unpacked and the IT was rebuilt
(thanks go to revirgin).
OEip=4633e6, IAT begins at RVA 66000

Now it seems to me that the program is only a demo version which can't be registered. The test at address 41c569
always gives the same result because the local variable (ebp-10h) is set to a constant value regardless of any check
(reg./not reg.) => the dialog with the unregistered
message is always displayed. The original unpacked version looks in the Windows registry for an item named Key. Is it
possible that the unpacker code can unpack 2 different versions (reg./not reg.) of the program?

subroutine of unpacked program:

0041C4F0 push ebp
0041C4F1 mov ebp, esp
0041C4F3 push 0FFFFFFFFh
0041C4F5 push offset aXig ; "+xdG"
0041C4FA mov eax, large fs:0
0041C500 push eax
0041C501 mov large fs:0, esp
0041C508 sub esp, 88h
0041C50E push ebx
0041C50F push esi
0041C510 push edi
0041C511 mov [ebp-88h], ecx
0041C517 mov dword ptr [ebp-10h], 6 (!)
0041C51E mov eax, [ebp-88h]
0041C524 cmp dword ptr [eax+800h], 1
0041C52B jnz short loc_41C542
0041C52D mov ecx, [ebp-88h]
0041C533 mov dword ptr [ecx+804h], 1
0041C53D jmp loc_41C85D
0041C542 ; ---------------------------------------------------------------------------
0041C542 loc_41C542: ; CODE XREF: seg000:0041C52Bj
0041C542 mov edx, [ebp-88h]
0041C548 cmp dword ptr [edx+800h], 1
0041C54F jnz short loc_41C556
0041C551 jmp loc_41C85D
0041C556 ; ---------------------------------------------------------------------------
0041C556 loc_41C556: ; CODE XREF: seg000:0041C54Fj
0041C556 jmp loc_41C569
0041C556 ; ---------------------------------------------------------------------------
0041C55B db 4Ch ; L
0041C55C db 5Dh ; ]
0041C55D db 12h ;
0041C55E db 1Ch ;
0041C55F db 51h ; Q
0041C560 db 0C0h ; +
0041C561 db 0C8h ; +
0041C562 db 32h ; 2
0041C563 db 3Dh ; =
0041C564 db 0A7h ;
0041C565 db 0A2h ;
0041C566 db 0EAh ; O
0041C567 db 4Ah ; J
0041C568 db 0A5h ;
0041C569 ; ---------------------------------------------------------------------------
0041C569 loc_41C569: ; CODE XREF: seg000:0041C556j
0041C569 cmp dword ptr [ebp-10h], 6
0041C56D jnz short WithoutDialog
0041C56F push 0
0041C571 lea ecx, [ebp-74h]
0041C574 call sub_417EA0
0041C579 mov dword ptr [ebp-4], 0
0041C580 lea ecx, [ebp-74h]
0041C583 call j_MFC42_2514
0041C588 mov dword ptr [ebp-4], 0FFFFFFFFh
0041C58F lea ecx, [ebp-74h]
0041C592 call sub_40B0F0
0041C597 WithoutDialog: ; CODE XREF: seg000:0041C56Dj

Thanks for ANY help, vlada

May 5th, 2001, 13:04
It looks like part of the code is encrypted. It cannot be deciphered without a correct key. The capability to partially encrypt code that is unavailable in the non-registered version, and to decipher it "on the fly" if there is a key, is one of the main merits of ASProtect.
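
The mechanism the reply above describes, sketched from the protection designer's side as an added example (not part of the thread and not ASProtect's code): a region is shipped encrypted and only opens when a licence key authenticates it. The SHA-256 keystream with an HMAC tag is a toy stand-in for the real cipher, all names, the sample key and the sample bytes are constructed, and the state value 6 is borrowed from the listing; what the protected bytes actually do is not known from the page.

```python
import hashlib
import hmac

SAMPLE_KEY = "CONSTRUCTED-KEY-0001"         # constructed licence key
SAMPLE_CODE = b"constructed feature bytes"  # stands in for the protected region

def _derive(license_key: str) -> bytes:
    return hashlib.sha256(license_key.encode()).digest()

def _keystream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: toy stand-in for a real cipher (assumption).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal_region(code: bytes, license_key: str) -> bytes:
    """Vendor side: encrypt the region and append a 32-byte integrity tag."""
    key = _derive(license_key)
    ct = bytes(a ^ b for a, b in zip(code, _keystream(key, len(code))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def open_region(sealed: bytes, license_key):
    """Runtime side: return the plaintext only if the key authenticates it."""
    if not license_key:
        return None  # no key present: the region stays opaque data
    key = _derive(license_key)
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: refuse rather than run garbage
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def startup_state(sealed: bytes, license_key) -> str:
    state = 6  # default set before any check, as at [ebp-10h] in the listing
    if open_region(sealed, license_key) is not None:
        state = 0  # assumption: only the opened region changes the default
    return "unregistered dialog" if state == 6 else "no dialog"

if __name__ == "__main__":
    sealed = seal_region(SAMPLE_CODE, SAMPLE_KEY)
    print(startup_state(sealed, None))        # key absent
    print(startup_state(sealed, SAMPLE_KEY))  # key present
```

In this model the shipped file never contains the plaintext region, which is why a dump taken without a key still shows opaque bytes where the feature would be.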