h**p://www.reget.com/redir/redir.asp?lang=default&product=dx&link=betanew

There are 3 redirected calls that I can't understand in this target.
Here is what I do:
1. make a full dump at OEP (4CEDE0)
2. rebuild the IT (IAT start RVA = F1000, IAT length = 6A0)
3. fix the dumped exe.
But when I run it, I get access violations at the following 3 places. Here it is:


I don't know what's the purpose of the above calls. Any one has the idea? I can be sure that rebuilt IT is correct.

I have tried the following way to fix the above problems, but still fails.
1. dump the whole ASPR code(RVA:6F0000-----70B000) at OEP.
2. add a new section to the rebuilt exe to hold ASPR code, and rebuild EXE header.
But it still crashes after I press the "Evaluate" button in the NAG.

Hi solomon,

I am not very sure... but the 3 calls look exactly like the usual D-D in AsProtect... if you skip those dips before dumping, usually AsProtect API is not set up and hence wont be called... i dont know what they do exactly..

Normally, i skipped the dips and targets run fine, that 's what i did with buld 114... did not lok at this new target.. shall try if i am free tonite..

You are still playing with reget :>...?

yeah, ReGet is my favorite download manager
I want to examine its new online-activation protection.
Thx for your guidance.

Howdy Solomon :>,

Time to move this thread to Mike's forum :>... if you have read the thread about Advanced Archive Password Recovery... then you will find this familiar :>...

Yep... essentially this 2 calls decrypt section of the code... using a similiar algorithm to what i have found out in ARCHPR 2.0... MD5 HAsh with TEA :>... this time there is no need to find the key though cos the key is alreayd present :>....

The code section at 4060E3 is encrypted with the length E8 bytes.. these 2 calls decrypt it.. i am not sure what else do these 2 calls do.. if u skip these dip while unapcking it.. the code will not be decrypted and thus ur program will crash... (only after 30 second i think :>...

Regarding why you program wont even run when u click evaluate.. that is because the 2 calls you listed are performed.. hence 2 patches to bypass these calls and you program will run fine....

I have it up and running... however, it cant seem to connect to anywhere :<<... i suspect it is the size check etc but have not looked into it yet...

If you are interested in what those calls do, read the thread by me, Dakien and Mike... if you just wanna unpack... i suggest skip those d-d when dumping, then run the original program again, dump the decrypted code section i mentioned above and paste them in your dump... (i suggest this because i dont know if these 2 calls also set up other AsProtect flags so it's safer to skip them)... but it's up to you...

I am still looking at this target... but that is some pointers so we both can work together...

Hope this helps,

I knew that it was prolly decrypting some of the code too, so I tested it like so:

1. put a bpx on 00479169
2. when it got there, I locked it up.
3. Save Dump01.exe

4. leave bpx on 00479169
5. restore old locked up instructions...
6. F10 throught the asprotect call
7. lock up on the ret
8. Save Dump02.exe

9. Compare them in Hex Editor (Hex Workshop).

Strangely, the only differences it found were where I had modified the code ! grr. I thought it would show up where the decryption took place, so then of course I could do what you suggest above, know what area had changed, and dump that particular part out of the working asprotected app, and paste it into the dumped app so it was decrypted, and then skip the calls.

Why the heck didn't the hex editor show up any more differences...grrrrrr What the hell???

Also, it only ran thru the first asprotect call - you didn't want to land on the other two code sections as far as I could tell - they both will put up an error msgbox (Error 900 and Error 901)

Maybe I've been staring at SI too much the last few weeks working to get better.



-nt20

Hi Nikolatesla,

The first call is used to decrypt a table at AsProtect memory which contains the info abt sections of code to be decrypted....

The second call will decrypt that code section :>...

If you trace into the first call and look at eax, edx being pushed on stack of each call... you will see what i mean ... hope this help... if not u can refer to the thread in Crypto forum...

cheers,

OK I wasn't sure that it went into that second call, so I put a bpr on the range, and sure enough it did end up there (duh). SO I did the double dump trick from there, and sure enough just like you said binh81, got the decrypted section.

In Hex Workshop the decrypted data starts at 004060E4 and is length EC. Here is that data off my Win98 machine NOte it's a binary file, don't be opening it up in notepad unless you can read Japanese ! Open it in your hex editor...

Oh and also that asprotect call sets a flag at 0051CA58 to 1 so you might want to do that in the dump too, in case other things check it......

One of these days I'll get better at this..ho hum..

-nt20

Ok I got it unpacked and it worx just fine for me, tested the downloading , seems to function just fine

Dumped it at the OEP, pasted in the decrypted data, fixed and added the new imports section, set the flag at 0051CA58 to 00000001, and then cut out the asprotect calls:

changed 004791A6 from 7515 to EB15 (jump always)
changed 00479183 from FFD0 to 9090 (nop the call)

Doesn't look like there is any exe size check but I haven't decompiled it yet, just saying it seems to download stuff fine..

Cool. I think I am going to learn a lot on this messageboard.

-nt20

yeah, I learned a lot from your discussions
I will try to find Mike's thread and read it Thx!

I believe he's refering to the one in the crypto forum, part of which was turned into his tut on the Fravia Board. There are three together and I believe it is the bottom one, titled "Tutorial: finding encryption code". Good discussion of the issue by bin81 included, which Woodmann has suggested he also turn into a tut.

Wish I had more time to actually play with this stuff, instead of just reading about it, but hay, someone has to pay the bills.

Regards.

nothing special with the Activation Code. I patched the beta to never expire.

nikolatesla20 are you sure you got all right?

414 000F1688 77E16F8E 01FB USER32.dll RegisterClipboardFormatA

check this again, didn't look at the others but this one came to my eyes.

Will have a look at 117 later, I always love if Reget adds some new tricks to defeat us.

I got the same result as his

manually looking into imports I corrected this to:
RegisterWindowsMessageA whilst the following one is:
RegisterClipboardFormatA

I works fine, but maybe I'm wrong.

Result: Dumped Reget at it's OEP, pasted decrypted code,
fixed Asp calls, fixed size checks (2), patched expiration,
eliminated server checking for updates, elimated Debug Report.

Missed something?

Yes, to set the flag at 0051CA58 to 00000001, I'm ashamed, but being a newbie I don't know where to find this. I know that I need to put the code like mov dword ptr [0051CA58], 00000001,
but where?

Hi Stone,

You can hardcode the value 00000001 into ur dump :>....

Cheers,