T=9000: ; HOW MANY ATTEMPTS BEFORE QUITTING
F=cv.exe: ; PROCESS TO PATCH CommView 2.3 build 67
O=callcv2.exe: ; LOADER TO CREATE
P=11DBF94/53,56,57,8B,FA,8B,F0,B2,01,B8,F8,44,1D,01,E8,41,69,FF,FF,8B/81,FA,8D,04,07,00,75,06,B8,B2,1D,71,09,C3,B8,F1,F6,C3,77,C3: ; bypass 2 MD4derived checks
P=4ECDD7/80,38,00,75/C6,00,01,EB:; no more demo(below this one, code to set various versions Professional,MultiOS etc not tested)
P=4AC58F/83,38/EB,07: ;NOT REALLY NEEDED
P=4AC5C4/8B,00/90,90: ;NOT REALLY NEEDED BUT SEE About Box after
P=48E15B/DF,E0,9E/66,33,C0: ;this is to bypass another check for expired
P=4664BA/74,08/EB,08: ;bypass NTICE and SICE check from cv.exe
P=4EB7FD/C6,00,00/C6,00,01: bypass "unlicence"

$

this is a method for memory patching ASProtect with the csir.cjb.net Risc loader

first MD4 derived checksum is 09711DB2
second MD4 derived checksum is 77C3F6F1
find MD4hash by bpx MapViewOfFile immediately after found MD4hash routine


this is quick hack:
more interesting is to set these variables:

4F6D0C dword pointer to regusername
4F6D10 dword pointer to 1 or 2 string ascii set Professional or MultiOS
4F6D14 dword pointer regusername+8AEh
4F6D18 dword UPGRADETIME
4F6D1C byte 1 licenced/0-eval
4F6D1D byte 0 good/ 1 expired
4F6D1E byte 0 idem
4F6D1F byte 0=Personal / 1 Personal or Prof or MultiOS
last value is used in combination with byte @4F6D1C

immediately after verifylicencecwl @0048DA28
other useful resources:
-------------
push pointer buffer to store unencrypted string
push key for decrypt
push pointer encrypted string
:0048D9C0 decryptstring procedure
----------------


if expired in registry RLS\ExtFilter2 == 1
there are other two checks randomized ( one in win.ini ADAPTER and one in LOGS):
checkexpired procedure @0048E0ED
randomize procedure @00402CE0