
ASprotect 1.23 rc4 & crackme


Ray
December 21st, 2003, 10:06
Is there a crackme that is packed with the above protector to practice on?

thanks.

JMI
December 21st, 2003, 16:18
Not a crackme, but a program which apparently has this version of the protector:

hxxp://www.webtoolmaster.com/download/cdprot.exe

You can download the product and give it a try. A member on the exetools forum has posted a loader which he claims removes the copy protection. Do a search there for "WTM CD Protect v1.51 loader" and study his exe file and maybe you can learn something useful about the protection and the creation of loaders. The member has not posted his source, however.

Regards,

Zilot
December 22nd, 2003, 03:58
I tried that loader and it works. But there are still nag messages, like shareware.
This file is only packed with ASPR, not protected. It has its internal time protection (30 DAYS), so if you unpack it, it will still be protected. The protection is not hard, so you will easily find the way to defeat it. So JMI gave you a real crackme. He couldn't have found anything better than this for a new guy.

Ray
December 22nd, 2003, 08:39
Thanks for the link,
I will give it a go, and really hope it's not overbloated with useless DLLs, OCXs and whatever. Those are the virtues of a crackme.


LaptoniC
December 22nd, 2003, 11:42
You can try the avi/mpeg/rn/wmv joiner from hxxp://boilsoft.com. Stolen bytes aren't a problem, but a lot of calls are redirected to ASPR code.

yaa
December 22nd, 2003, 18:02
JMI,

I searched for the post you suggested (I even browsed the pages for the main forum) but exetool's search engine doesn't seem to return anything for any word one may supply. Could you post a link to the topic?

yaa

dELTA
December 22nd, 2003, 20:01
It was concluded in another thread a few days ago that the search engine for the exetools forum doesn't seem to work properly if you are not logged in as a registered user over there...

Is it supposed to be like that JMI? Otherwise maybe you (or some other admin over there) would want to take a look at this problem?

JMI
December 23rd, 2003, 09:28
Unfortunately, I am only a Moderator and do not, at least at the moment, have access to the admin CP to update the counters and such. Maybe after Aaron and Beverly get back from their honeymoon, it will get taken care of. Or maybe they will decide to give me access to do it myself.

Regards,

Ray
December 23rd, 2003, 11:10
JMI,

I have started playing with your suggested app. I was wondering if you have worked with it as well. I have reached somewhere where I think it's the OEP. Of course the stolen bytes are missing.
here is some code:
......
Stolen bytes!??
....
436d41: MOV EBX,DWORD PTR [000437A90h]
MOV EAX,DWORD PTR [EBX]
CALL LOC_004294B4
MOV ECX,DWORD PTR [000437B0Ch]
MOV EAX,DWORD PTR [EBX]
MOV EDX,DWORD PTR [000433710h]
CALL LOC_004294CC
MOV ECX,DWORD PTR [000437A70h]
MOV EAX,DWORD PTR [EBX]
MOV EDX,DWORD PTR [0004327C0h]
CALL LOC_004294CC
MOV ECX,DWORD PTR [000437A04h]
MOV EAX,DWORD PTR [EBX]
MOV EDX,DWORD PTR [0004332DCh]
CALL LOC_004294CC
MOV ECX,DWORD PTR [000437ABCh]
MOV EAX,DWORD PTR [EBX]
MOV EDX,DWORD PTR [000433528h]
CALL LOC_004294CC
MOV EAX,DWORD PTR [EBX]
CALL LOC_00429558
POP EBX
CALL LOC_00403558
NOP
ADD BYTE PTR [EAX],AL
ADD BYTE PTR [EAX],AL
ADD BYTE PTR [EAX],AL
....
......

Am I in the right place or just wasting my time?
thanks.

JMI
December 23rd, 2003, 15:12
Sorry, I haven't had time to look at it myself. But from all the reports I've read, stolen bytes tend to be from startup code found at the beginning of the program and which tend to be particular for individual compilers. Do a search here for "stolen bytes" and look at the code they have identified. Usually it is some form of initialization code, different from what you have identified. Remember, however, I have not looked at this one at all.

Regards,

Uradox
December 24th, 2003, 00:10
Forgive my post in advance; it's not to flame anyone here.
It seems a fair few people on EFnet lately have been asking me how to unpack ASPR. I suggest to these people the following:
Protection structures are similar in many ways. Don't use/follow a tutorial on unpacking; these are VERY specific and will tend to leave you scratching your head when it's changed in the next version or so.
Basically a protection loader is going to decrypt/uncompress code/data/resources and fix relocations/imports. Use these things to your advantage. To decrypt the shit it's gotta read it from the sections where the crypted stuff is stored, so bpm on access is very handy. For fixing imports and such, well, chances are it's going to use GetProcAddress, but don't set a BP on the first instruction in that call, rather the 3rd or beyond. Also some protections now scan the export table of a library instead of using GetProcAddress, and in this case bpm on the export data is fine too (it's most likely still going to LoadLibrary).
Dips in ASPR can be used against it easily too, by working out how many there are and (using bpm x) tracing out of the last one, then through a SEH, and shortly around there are the stolen bytes if there are any; else you'll be on the OEP with the next bpm x.
There are some very cool features coming in ASPR soonish that are very interesting. I don't post much, but when these new features pop up I will post some very detailed stuff for those here interested.

p.s. This post is not a tutorial, pls pls pls don't ask me how ;\

Uradox
December 24th, 2003, 00:12
Oh, and Ray, don't quote me on this, but that looks like some Borland entry bytes you pasted, so maybe your stolen ones, 'cept it's missing a bit at the top, probably 12 bytes that are fairly generic throughout Borland compilers.

britedream
December 24th, 2003, 05:44
Hi;
stolen bytes:

00436E9C > $ 55 PUSH EBP
00436E9D . 8BEC MOV EBP,ESP
00436E9F . 83C4 F4 ADD ESP,-0C
00436EA2 . 53 PUSH EBX
00436EA3 . B8 9C6D4300 MOV EAX,dd_.00436D9C

OEP as above

IAT 39104, size 55c

britedream
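An added example (my own code, not anything posted in this thread) that ties britedream's listing to Uradox's remark about generic Borland entry bytes: a PEiD-style wildcard signature check that reports whether the code at a claimed OEP in a dump still starts with the Borland/Delphi prologue. The imm32 of MOV EAX is wildcarded because it is program-specific, and the two sample buffers are constructed, with hypothetical offsets, to show an intact prologue and a zeroed one.

```python
"""PEiD-style wildcard signature check for the Borland/Delphi entry prologue.
Added example, not code from this thread; all sample bytes are constructed."""

# Signature from britedream's listing of the stolen bytes:
# 55 PUSH EBP / 8B EC MOV EBP,ESP / 83 C4 F4 ADD ESP,-0C / 53 PUSH EBX /
# B8 imm32 MOV EAX,imm32 -- the imm32 is program-specific, so it is wildcarded.
BORLAND_PROLOGUE = "55 8B EC 83 C4 F4 53 B8 ?? ?? ?? ??"


def parse_signature(sig: str) -> list:
    """'55 8B ?? EC' -> [0x55, 0x8B, None, 0xEC]; None matches any byte."""
    out = []
    for tok in sig.split():
        if tok == "??":
            out.append(None)
        elif len(tok) == 2:
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token {tok!r}")
    return out


def match_at(buf: bytes, sig: list, off: int) -> bool:
    """True if every non-wildcard byte of sig equals buf at offset off."""
    if off < 0 or off + len(sig) > len(buf):
        return False
    return all(s is None or buf[off + i] == s for i, s in enumerate(sig))


def scan(buf: bytes, sig: list) -> list:
    """All offsets in buf where sig matches (sweep of a dumped code section)."""
    return [o for o in range(len(buf) - len(sig) + 1) if match_at(buf, sig, o)]


def oep_has_prologue(buf: bytes, oep_off: int, sig: list) -> bool:
    """Does code at the claimed OEP start with the compiler prologue? On a
    Borland-built dump, 'no' is the classic sign that the bytes were stolen."""
    return match_at(buf, sig, oep_off)


# Constructed sample data (hypothetical offsets, not a real dump): the prologue
# exactly as britedream listed it, then the first two instructions of Ray's
# listing (8B 1D disp32 = MOV EBX,[437A90h]; 8B 03 = MOV EAX,[EBX]).
PROLOGUE = bytes.fromhex("558BEC83C4F453B89C6D4300")
BODY = bytes.fromhex("8B1D907A43008B03")
GOOD_DUMP = b"\xCC" * 16 + PROLOGUE + BODY                   # prologue intact
STOLEN_DUMP = b"\xCC" * 16 + b"\x00" * len(PROLOGUE) + BODY  # prologue zeroed
SIG = parse_signature(BORLAND_PROLOGUE)
```

Running `scan(GOOD_DUMP, SIG)` gives `[16]` while the zeroed buffer gives `[]`, which is the check you would run on a dump before trusting its entry point.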

dreambuddy
December 24th, 2003, 08:33
Quote:
[Originally Posted by Ray]Is there a crackme that is packed with the above protector to practice on?

thanks.


You can try your hand at Dvd2one 1.4 from dvd2one.com.

Regards.

britedream
December 24th, 2003, 10:08
If the protection is a time limit, then the program is packed and protected by ASProtect. I did unpack it and forwarded
the time one year ahead, and it is still working fine, so it is protected by ASPR.

neviens
December 28th, 2003, 16:43
So far I found only two:

Some timing checks (RDTSC?) in the protector's code with silent exit, if there
were breaks in SICE,

BSOD, if bpm esp-4 or in the near-OEP region.

Also, it seems the stack is misaligned @OEP now, at least for half a dozen unpacked
Delphi exes. I can't believe that these are the only improvements of the protection;
this doesn't make unpacking considerably more difficult!
Neviens.

Ray
December 28th, 2003, 19:27
btw,
Can someone point me to the correct code that handles the missing bytes in this app? I can't seem to locate the exact code that erases them, or at least their location!

britedream
December 29th, 2003, 01:34
Quote:
[Originally Posted by Ray]btw,
Can someone point me to the correct code that handles the missing bytes in this app? I can't seem to locate the exact code that erases them, or at least their location!


The location changes with each run, but for this program, when you are at the final exception, set your debugger to
stop when ECX is 145e; you will be right on the location erasing the stolen bytes.

Ray
December 29th, 2003, 05:41
Quote:
[Originally Posted by britedream]The location changes with each run, but for this program, when you are at the final exception, set your debugger to
stop when ECX is 145e; you will be right on the location erasing the stolen bytes.


Thanks brite,
I'll give it a try, and hopefully that last exception won't be difficult to spot since the OEP is known!
Later.
Ray.

zyou
January 20th, 2004, 15:24
h**p://ems-hitech.com/pgmanager/download.phtml

Ray
January 31st, 2004, 14:53
Quote:
[Originally Posted by zyou]h**p://ems-hitech.com/pgmanager/download.phtml


Thanks zyou.
Is anybody else kind enough to post some more links to apps packed with this packer?

Here is a very nice resource editor :)
hxxp://www.sicomponents.com/rbldr.html

babar0ga
February 1st, 2004, 19:55
CommView v4.1.340(latest)
hxxp://www.tamos.com/products/commview/

PEiD
ASProtect 1.23 RC4 Registered

p.s.
CommView gathers information about data passing through your dial-up connection or Ethernet card and decodes the analyzed data. Loop-back is also supported.

neviens
February 4th, 2004, 15:31
>CommView v4.1.340(latest)
>

Can't believe, MD5 checksums of CODE section with resources trashing are gone?!
Neviens.

Blinky
February 12th, 2004, 13:12
This exe from elcomsoft.com came up as ASprotect v1.23 RC4 with PEiD.

I am just a beginner but will attempt to follow Labba's guide with this target.

evaluator
February 12th, 2004, 16:50
voo-ha-ha!

so finally Tamos was bored by .rsrc crypting & tried newer asspr for
ripping OEPs... 3 instructions. L000000LLLLLLLL..

solomon, slpaj, spekkel, all.. letz LAUGH-LAUGH-LAUGH-LAUGH