Posted 2004-10-15, author: 蓝点
ASPack 2.000 Trial Version Crack Tutorial
BIG5 Chinese Version: Heibow Ken (Taiwan, China)
English Abroad Version: Luo Ran (mainland China)
FOR NEWBIES ONLY; SENIOR CRACKERS NEED NOT READ.
Product: ASPack 2.000 (231424 bytes)
Protected by ASProtect, compressed by ASPack 2.000. (Detected with FileInfo)
Tools: TRW2000 1.06 Beta (release at Jan 18~23 2000)
Registration fee = USD 69 (if you go to register, remember to mention me :)
The latest trial version for now is 1.07 Beta.
Visit http://trw2000.t500.net for more details.
Tutorial:
1: For the newest of newbies: use regedit.exe to remove its key under
HKEY_CURRENT_USER\software\aspack, and you will get 30 more days.
2: Now load it in TRW2000; you will see
00466001 60 PUSHAD
00466002 E801000000 CALL 00466008 ; F8 here
00466007 90 NOP
00466008 5D POP EBP
00466009 81EDF3C54400 SUB EBP,0044C5F3
0046600F BBECC54400 MOV EBX,0044C5EC
00466014 03DD ADD EBX,EBP
00466016 2B9D80D24400 SUB EBX,[EBP+0044D280]
0046601C 83BD68D1440000 CMP DWORD PTR [EBP+0044D168],00
00466023 899DCECE4400 MOV [EBP+0044CECE],EBX
00466029 0F8573090000 JNZ 004669A2
0046602F 8D8570D14400 LEA EAX,[EBP+0044D170]
00466035 50 PUSH EAX
00466036 FF95BCD24400 CALL [EBP+0044D2BC]
0046603C 89856CD14400 MOV [EBP+0044D16C],EAX
00466042 8BF8 MOV EDI,EAX
00466044 8D9D7DD14400 LEA EBX,[EBP+0044D17D]
0046604A 53 PUSH EBX
0046604B 50 PUSH EAX
0046604C FF95B8D24400 CALL [EBP+0044D2B8]
00466052 898588D24400 MOV [EBP+0044D288],EAX
00466058 8D9D8AD14400 LEA EBX,[EBP+0044D18A]
0046605E 53 PUSH EBX
0046605F 57 PUSH EDI
00466060 FF95B8D24400 CALL [EBP+0044D2B8]
00466066 89858CD24400 MOV [EBP+0044D28C],EAX
0046606C 8B85CECE4400 MOV EAX,[EBP+0044CECE]
00466072 898568D14400 MOV [EBP+0044D168],EAX
00466078 6A04 PUSH 04
0046607A 6800100000 PUSH 00001000
0046607F 6875090000 PUSH 00000975
00466084 6A00 PUSH 00
00466086 FF9588D24400 CALL [EBP+0044D288]
0046608C 898584D24400 MOV [EBP+0044D284],EAX
00466092 8D9DAFC64400 LEA EBX,[EBP+0044C6AF]
00466098 50 PUSH EAX
00466099 53 PUSH EBX
0046609A E899090000 CALL 00466A38
0046609F 8BC8 MOV ECX,EAX
004660A1 8DBDAFC64400 LEA EDI,[EBP+0044C6AF]
004660A7 8BB584D24400 MOV ESI,[EBP+0044D284]
004660AD F3A4 REPZ MOVSB
; Check the ESI, EDI and ECX values: they changed, so this is SMC (self-modifying code)
|
|
| ; A long trace here; this should be the ASProtect
| ; decryption code and the ASPack 2.000 decompression code.
|
|
004664DD 6801F0C100 PUSH 00C1F001 ; This call is about
004664E2 C3 RET ; to end here
; You can simply type g 4664dd to stop here
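Two things make the first part of this trace hard to read: the PUSHAD / CALL $+1 / POP EBP / SUB EBP stub at the entry point, which loads a relocation delta into EBP (that is why every address in the stub is written as [EBP+0044xxxx]), and the PUSH imm32 / RET pair used in place of a JMP to reach 00C1F001. The Python helper below is an added example and is not part of the original tutorial or of any TRW2000 or ASPack code; it decodes those control-transfer forms, plus the stub's delta computation, from bytes transcribed from the listing above (constructed sample input; nothing is read from a binary), so the targets TRW2000 prints can be checked by hand.

```python
import struct

# Condition names for the two Jcc opcodes that appear in the listing.
# Any other 0x7x / 0F 8x opcode is reported generically as "Jcc".
COND = {0x74: "JZ", 0x75: "JNZ"}


def _rel(addr, insn_len, rel_bytes, fmt):
    """Resolve a displacement relative to the end of the instruction."""
    (rel,) = struct.unpack(fmt, rel_bytes)
    return (addr + insn_len + rel) & 0xFFFFFFFF


def decode_transfer(addr, code):
    """Decode one control transfer at `addr`. Returns (mnemonic, target, length)
    or None if the bytes are not one of the recognised forms."""
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) >= 5:          # CALL / JMP rel32
        return ("CALL" if op == 0xE8 else "JMP", _rel(addr, 5, code[1:5], "<i"), 5)
    if op == 0xEB and len(code) >= 2:                   # JMP rel8
        return ("JMP", _rel(addr, 2, code[1:2], "<b"), 2)
    if 0x70 <= op <= 0x7F and len(code) >= 2:           # Jcc rel8
        return (COND.get(op, "Jcc"), _rel(addr, 2, code[1:2], "<b"), 2)
    if op == 0x0F and len(code) >= 6 and 0x80 <= code[1] <= 0x8F:   # Jcc rel32
        return (COND.get(code[1] - 0x10, "Jcc"), _rel(addr, 6, code[2:6], "<i"), 6)
    if op == 0x68 and len(code) >= 6 and code[5] == 0xC3:           # PUSH imm32 ; RET
        (target,) = struct.unpack("<I", code[1:5])
        return ("PUSH/RET", target, 6)
    return None


def aspack_stub_info(entry, code):
    """Recognise the entry stub shown in the trace:
    PUSHAD / CALL +1 / NOP / POP EBP / SUB EBP,imm32 / MOV EBX,imm32 / ADD EBX,EBP.
    Returns (delta, section_base) exactly as the stub computes them, or None."""
    head = bytes.fromhex("60E801000000905D81ED")       # up to and including SUB EBP,
    if (not code.startswith(head) or len(code) < 21
            or code[14] != 0xBB or code[19:21] != b"\x03\xDD"):
        return None
    (sub_imm,) = struct.unpack("<I", code[10:14])      # original address of POP EBP
    (mov_imm,) = struct.unpack("<I", code[15:19])      # original section base
    ebp = entry + 6            # CALL at entry+1 pushes entry+6, which POP EBP loads
    delta = (ebp - sub_imm) & 0xFFFFFFFF
    section_base = (mov_imm + delta) & 0xFFFFFFFF
    return delta, section_base


def decode_listing_samples():
    """Run the decoder over bytes transcribed from the trace (constructed sample
    input) and return {address: (mnemonic, target)} for comparison with TRW2000."""
    samples = {
        0x00466002: "E801000000",    # CALL 00466008: the CALL $+1 trick in the stub
        0x00466029: "0F8573090000",  # JNZ 004669A2
        0x004664DD: "6801F0C100C3",  # PUSH 00C1F001 / RET: transfer to the unpacked code
        0x00C11542: "E8B91AFFFF",    # CALL 00C03000
        0x00C11547: "0F854F29FFFF",  # JNZ 00C03E9C
        0x00C111E9: "7456",          # JZ 00C11241
        0x00C1124E: "EB0F",          # JMP 00C1125F
        0x00C11250: "E99F19FFFF",    # JMP 00C02BF4
    }
    return {a: decode_transfer(a, bytes.fromhex(h))[:2] for a, h in samples.items()}


if __name__ == "__main__":
    for addr, (mnem, target) in decode_listing_samples().items():
        print(f"{addr:08X} {mnem:<8} -> {target:08X}")
    stub = bytes.fromhex("60E801000000905D81EDF3C54400BBECC5440003DD")
    delta, base = aspack_stub_info(0x00466001, stub)
    print(f"stub delta = {delta:X}, EBX (section base) = {base:08X}")
```

The delta of 0x19A14 explains the EBP-relative operands: [EBP+0044D280] is simply original address 0044D280 moved to where the stub actually runs, and EBX comes out as 00466000, the start of the section whose second byte is the entry point. The same arithmetic applies to any packer that uses this CALL/POP trick, so the helper is useful beyond this one sample.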
00C1F001 60 PUSHAD
00C1F002 E844060000 CALL 00C1F64B
00C1F007 EB44 JMP 00C1F04D
00C1F009 0000 ADD [EAX],AL
| ; continue
00C1F107 50 PUSH EAX
00C1F108 C3 RET ; the call seems to end here
00C1F30D 8B9D192A4400 MOV EBX,[EBP+00442A19]
00C1F313 0BDB OR EBX,EBX
00C1F315 740A JZ 00C1F321
00C1F317 8B03 MOV EAX,[EBX]
00C1F319 87851D2A4400 XCHG EAX,[EBP+00442A1D]
00C1F31F 8903 MOV [EBX],EAX
| ; continue
00C1F5D0 683C15C100 PUSH 00C1153C
00C1F5D5 C3 RET
| ; continue
00C1153C 55 PUSH EBP
00C1153D 8BEC MOV EBP,ESP
00C1153F 83C4F4 ADD ESP,-0C
00C11542 E8B91AFFFF CALL 00C03000
00C11547 0F854F29FFFF JNZ 00C03E9C
00C1154D E8062EFFFF CALL 00C04358
00C11552 E82154FFFF CALL 00C06978
00C11557 E8F871FFFF CALL 00C08754
00C1155C E8EFC7FFFF CALL 00C0DD50
00C11561 E8CAFFFFFF CALL 00C11530
00C11566 E83129FFFF CALL 00C03E9C
; If you use SoftICE to trace, you will be kicked
; out by this call, but TRW2000 passes it perfectly.
|
|
| ; Ken teaches us how to bypass its debugger detector,
| ; because he is using SoftICE 4.01, but I am using
| ; TRW2000, so this part is removed, and I haven't had
| ; enough time to translate it.
|
|
00C1141D 8B4508 MOV EAX,[EBP+08]
00C11420 E87BFCFFFF CALL 00C110A0
; after this call the time-expired window is displayed :) press F8 to enter it
00C111E2 E80DEEFFFF CALL 00C0FFF4
00C111E7 84C0 TEST AL,AL
00C111E9 7456 JZ 00C11241
; key point here
00C111EB 8B55F4 MOV EDX,[EBP-0C]
00C111EE 8B45E8 MOV EAX,[EBP-18]
00C111F1 E8A2EFFFFF CALL 00C10198
00C111F6 8D55C8 LEA EDX,[EBP-38]
00C111F9 8B45E8 MOV EAX,[EBP-18]
00C111FC E81FF0FFFF CALL 00C10220
00C11201 8B55C8 MOV EDX,[EBP-38]
00C11204 B8F076C100 MOV EAX,00C176F0
00C11209 E8A21EFFFF CALL 00C030B0
00C1120E 8D55CE LEA EDX,[EBP-32]
00C11211 8B45E8 MOV EAX,[EBP-18]
00C11214 E893F0FFFF CALL 00C102AC
00C11219 33C0 XOR EAX,EAX
00C1121B 8A45CF MOV AL,[EBP-31]
00C1121E 50 PUSH EAX
00C1121F 8D45D0 LEA EAX,[EBP-30]
00C11222 50 PUSH EAX
00C11223 E8C0F0FFFF CALL 00C102E8
00C11228 84C0 TEST AL,AL
00C1122A 751A JNZ 00C11246
00C1122C 6A00 PUSH 00
00C1122E 68DC12C100 PUSH 00C112DC
00C11233 68E412C100 PUSH 00C112E4
00C11238 6A00 PUSH 00
00C1123A E8CD32FFFF CALL USER32!MessageBoxA
00C1123F EB05 JMP 00C11246
00C11241 E88AF4FFFF CALL 00C106D0
; this call displays the time-expired window
00C11246 33C0 XOR EAX,EAX
00C11248 5A POP EDX
00C11249 59 POP ECX
00C1124A 59 POP ECX
00C1124B 648910 MOV FS:[EAX],EDX
00C1124E EB0F JMP 00C1125F
00C11250 E99F19FFFF JMP 00C02BF4
00C11255 E876F4FFFF CALL 00C106D0
00C1125A E8011BFFFF CALL 00C02D60
00C1125F 33C0 XOR EAX,EAX
So now we know where we need to modify:
From: 00C111E9 7456 JZ 00C11241
To: EB74 JMP 00C1125F
But aspack.exe is protected and packed, so I cannot modify the file itself.
(ProcDump 1.6.2 supports ASPack 2000 but cannot handle ASProtect,
and the same goes for ASPatch 1.2.1 from TMG.)
So there is nothing to do but find a direct memory patcher, which does not
modify the exe file but modifies the code in memory (e.g. PP and others).
Example:
#Process Patcher Configuration File
Version=3.60
DisplayName= ASPack 2.000 Time Limit Remover
Filename=aspack.exe
Filesize=231424
Arguments=/quiet
WaitInfinite=true
Address=0xc10f1a:0x74:0xe9 ;
Address=0xc10f1b:0x45:0x4e ; These modifications are
Address=0xc10f1c:0x6a:0x01 ; used to defeat ASPack's
Address=0xc10f1d:0x00:0x00 ; SoftICE detection. Add
Address=0xc10f1e:0xa1:0x00 ; them if you need them.
Address=0xc111e9:0x74:0xeb ; If you only want to crack,
Address=0xc111ea:0x56:0x74 ; add only these two.
#End of Configuration File
Cracked, but it still displays the red UNREGISTERED and 0 days remaining.
You can also find that code and modify it in memory as you like.
End. (Translated in a hurry)
The original Chinese version contains how to remove its debugger kicker
and how to use the SMC code to modify the exe file directly; removed here, sorry.
If I can, I will add them in a future release.
Why TRW2000? 1) If you use SoftICE to trace, you need FrogICE.
2) And you will still always be broken by the debugger kicker.
3) I need to read TRW2000's manual, and TRW2000 has a
suspend command, so you can stop tracing and go view the
manual or anything else. I also need to read the
original Chinese version and write the English version.
4) Do you like MP3 while tracing?
If this tutorial helps you with your future ASPack 2.000
perfect crack, remember to mention us too. Thanks.
To [CORE] Egis (JH on CFido, still remember me? search mail to you at Mar-98)
Does ASPack 2.000 use RSA4096? And is CFido still alive? It is already dead in my city.