
Cracking ASPack 2.000 and Making Its Patch: A Tutorial

Date: 2004/10/15 1:01:00   Source: compiled by this site   Author: 蓝点

ASPack 2.000 Trial Version Crack Tutorial

             BIG5 Chinese Version: Heibow Ken (China Tai Wan)
             English Abroad Version: Luo Ran (China mainland)

               ONLY TO NEWBIES, SENIOR CRACKERS DO NOT READ.



Product: ASPack 2.000 (231424 bytes)
         Protected by ASProtect, compressed by ASPack 2.000. (Detector: FileInfo)

Tools:   TRW2000 1.06 Beta (released Jan 18~23 2000)
         Register Fee = 69 $USD (if you go to register, remember to mention me :)
         The latest trial version for now is 1.07 Beta.
         Visit http://trw2000.t500.net for more details.



Tutorial:

1: For the greenest of newbies: use regedit.exe to remove its key in
   HKEY_CURRENT_USER\software\aspack, and you will get 30 days more.

2: Load it in TRW2000 now, and you will see



         00466001  60                  PUSHAD
         00466002  E801000000          CALL      00466008 ; F8 here
         00466007  90                  NOP
         00466008  5D                  POP       EBP
         00466009  81EDF3C54400        SUB       EBP,0044C5F3
         0046600F  BBECC54400          MOV       EBX,0044C5EC
         00466014  03DD                ADD       EBX,EBP
         00466016  2B9D80D24400        SUB       EBX,[EBP+0044D280]
         0046601C  83BD68D1440000      CMP       DWORD PTR [EBP+0044D168],00
         00466023  899DCECE4400        MOV       [EBP+0044CECE],EBX
         00466029  0F8573090000        JNZ       004669A2
         0046602F  8D8570D14400        LEA       EAX,[EBP+0044D170]
         00466035  50                  PUSH      EAX
         00466036  FF95BCD24400        CALL      [EBP+0044D2BC]
         0046603C  89856CD14400        MOV       [EBP+0044D16C],EAX
         00466042  8BF8                MOV       EDI,EAX
         00466044  8D9D7DD14400        LEA       EBX,[EBP+0044D17D]
         0046604A  53                  PUSH      EBX
         0046604B  50                  PUSH      EAX
         0046604C  FF95B8D24400        CALL      [EBP+0044D2B8]
         00466052  898588D24400        MOV       [EBP+0044D288],EAX
         00466058  8D9D8AD14400        LEA       EBX,[EBP+0044D18A]
         0046605E  53                  PUSH      EBX
         0046605F  57                  PUSH      EDI
         00466060  FF95B8D24400        CALL      [EBP+0044D2B8]
         00466066  89858CD24400        MOV       [EBP+0044D28C],EAX
         0046606C  8B85CECE4400        MOV       EAX,[EBP+0044CECE]
         00466072  898568D14400        MOV       [EBP+0044D168],EAX
         00466078  6A04                PUSH      04
         0046607A  6800100000          PUSH      00001000
         0046607F  6875090000          PUSH      00000975
         00466084  6A00                PUSH      00
         00466086  FF9588D24400        CALL      [EBP+0044D288]
         0046608C  898584D24400        MOV       [EBP+0044D284],EAX
         00466092  8D9DAFC64400        LEA       EBX,[EBP+0044C6AF]
         00466098  50                  PUSH      EAX
         00466099  53                  PUSH      EBX
         0046609A  E899090000          CALL      00466A38
         0046609F  8BC8                MOV       ECX,EAX
         004660A1  8DBDAFC64400        LEA       EDI,[EBP+0044C6AF]
         004660A7  8BB584D24400        MOV       ESI,[EBP+0044D284]
         004660AD  F3A4                REPZ MOVSB
          ; Check the ESI, EDI and ECX values: they change, so this is SMC (self-modifying code)
         |
         | ; A long trace follows here; it should be the ASProtect
         | ; decryption code and the ASPack 2.000 decompression code.
         |
         004664DD  6801F0C100          PUSH      00C1F001 ; This call is about to
         004664E2  C3                  RET                ; end now
          ; You can simply type g 4664dd to stop here


         00C1F001  60                  PUSHAD
         00C1F002  E844060000          CALL      00C1F64B
         00C1F007  EB44                JMP       00C1F04D
         00C1F009  0000                ADD       [EAX],AL
         | ; continue
         00C1F107  50                  PUSH      EAX
         00C1F108  C3                  RET                ; Call seems to end
         00C1F30D  8B9D192A4400        MOV       EBX,[EBP+00442A19]
         00C1F313  0BDB                OR        EBX,EBX
         00C1F315  740A                JZ        00C1F321
         00C1F317  8B03                MOV       EAX,[EBX]
         00C1F319  87851D2A4400        XCHG      EAX,[EBP+00442A1D]
         00C1F31F  8903                MOV       [EBX],EAX
         | ; continue
         00C1F5D0  683C15C100          PUSH      00C1153C
         00C1F5D5  C3                  RET
         | ; continue
         00C1153C  55                  PUSH      EBP
         00C1153D  8BEC                MOV       EBP,ESP
         00C1153F  83C4F4              ADD       ESP,-0C
         00C11542  E8B91AFFFF          CALL      00C03000
         00C11547  0F854F29FFFF        JNZ       00C03E9C
         00C1154D  E8062EFFFF          CALL      00C04358
         00C11552  E82154FFFF          CALL      00C06978
         00C11557  E8F871FFFF          CALL      00C08754
         00C1155C  E8EFC7FFFF          CALL      00C0DD50
         00C11561  E8CAFFFFFF          CALL      00C11530
         00C11566  E83129FFFF          CALL      00C03E9C
           ; if you're using SoftICE to trace, you will be kicked
           ; out by this call, but TRW2000 can pass it perfectly.
         |
         | ; Ken teaches us how to bypass its debugger detector,
         | ; because he is using SoftICE 4.01, but I am using
         | ; TRW2000, so this part is removed, and I haven't got
         | ; enough time to translate it.
         |

         00C1141D  8B4508              MOV       EAX,[EBP+08]
         00C11420  E87BFCFFFF          CALL      00C110A0
           ; after this call, the time-expired window is displayed :) F8 to enter it
         00C111E2  E80DEEFFFF          CALL      00C0FFF4
         00C111E7  84C0                TEST      AL,AL
         00C111E9  7456                JZ        00C11241
           ; key point here
         00C111EB  8B55F4              MOV       EDX,[EBP-0C]
         00C111EE  8B45E8              MOV       EAX,[EBP-18]
         00C111F1  E8A2EFFFFF          CALL      00C10198
         00C111F6  8D55C8              LEA       EDX,[EBP-38]
         00C111F9  8B45E8              MOV       EAX,[EBP-18]
         00C111FC  E81FF0FFFF          CALL      00C10220
         00C11201  8B55C8              MOV       EDX,[EBP-38]
         00C11204  B8F076C100          MOV       EAX,00C176F0
         00C11209  E8A21EFFFF          CALL      00C030B0
         00C1120E  8D55CE              LEA       EDX,[EBP-32]
         00C11211  8B45E8              MOV       EAX,[EBP-18]
         00C11214  E893F0FFFF          CALL      00C102AC
         00C11219  33C0                XOR       EAX,EAX
         00C1121B  8A45CF              MOV       AL,[EBP-31]
         00C1121E  50                  PUSH      EAX
         00C1121F  8D45D0              LEA       EAX,[EBP-30]
         00C11222  50                  PUSH      EAX
         00C11223  E8C0F0FFFF          CALL      00C102E8
         00C11228  84C0                TEST      AL,AL
         00C1122A  751A                JNZ       00C11246
         00C1122C  6A00                PUSH      00
         00C1122E  68DC12C100          PUSH      00C112DC
         00C11233  68E412C100          PUSH      00C112E4
         00C11238  6A00                PUSH      00
         00C1123A  E8CD32FFFF          CALL      USER32!MessageBoxA
         00C1123F  EB05                JMP       00C11246
         00C11241  E88AF4FFFF          CALL      00C106D0
           ; this call displays the time-expired window
         00C11246  33C0                XOR       EAX,EAX
         00C11248  5A                  POP       EDX
         00C11249  59                  POP       ECX
         00C1124A  59                  POP       ECX
         00C1124B  648910              MOV       FS:[EAX],EDX
         00C1124E  EB0F                JMP       00C1125F
         00C11250  E99F19FFFF          JMP       00C02BF4
         00C11255  E876F4FFFF          CALL      00C106D0
         00C1125A  E8011BFFFF          CALL      00C02D60
         00C1125F  33C0                XOR       EAX,EAX



   So we now know where we need to modify:

   From: 00C111E9  7456                JZ        00C11241
     To:           EB74                JMP       00C1125F

   But aspack.exe is protected and packed, and I cannot modify it directly.
   (ProcDump 1.6.2 supports aspack2000 but not asprotect, and neither
    does ASPatch 1.2.1 from TMG.)

   So nothing we can do but find a direct memory patcher: no need to
   modify the exe file, just modify the code in memory (e.g. PP and others).



Example:

#Process Patcher Configuration File
Version=3.60

DisplayName= ASPack 2.000 Time Limit Remover
Filename=aspack.exe
Filesize=231424
Arguments=/quiet
WaitInfinite=true

Address=0xc10f1a:0x74:0xe9 ;
Address=0xc10f1b:0x45:0x4e ; These modifications are used to
Address=0xc10f1c:0x6a:0x01 ; defeat ASPack's detection of
Address=0xc10f1d:0x00:0x00 ;  SoftICE. Add them
Address=0xc10f1e:0xa1:0x00 ;   if you need them.

Address=0xc111e9:0x74:0xeb ; If you only want the crack,
Address=0xc111ea:0x56:0x74 ; add only these two.

#End of Configuration File
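The text states that the two-byte change at 00C111E9 turns JZ 00C11241 into JMP 00C1125F. The following Python is an added check, not part of the original tutorial or of Process Patcher: it parses the Address= entries of a PP configuration (a constructed copy of the block above), groups them into contiguous byte runs, and decodes the branch at the start of each run before and after the patch, so the stated targets can be confirmed from the displacement arithmetic alone. It goes a little beyond the page: besides short JZ (74) and short JMP (EB) it also decodes the other short Jcc opcodes (70..7F) and the near JMP (E9), so it can describe the 0xc10f1a run too; the targets it computes for that run are not given anywhere in the tutorial. The same kind of check is what an analyst does when reviewing a memory-patch recipe found on a machine: confirm the bytes actually do what the accompanying note claims.

```python
import re
import struct

# Constructed copy of the Process Patcher entries quoted in the tutorial.
PP_CONFIG = """\
#Process Patcher Configuration File
Version=3.60
DisplayName= ASPack 2.000 Time Limit Remover
Filename=aspack.exe
Filesize=231424
Arguments=/quiet
WaitInfinite=true
Address=0xc10f1a:0x74:0xe9 ;
Address=0xc10f1b:0x45:0x4e ; These modifications are used to
Address=0xc10f1c:0x6a:0x01 ; defeat ASPack's detection of
Address=0xc10f1d:0x00:0x00 ;  SoftICE. Add them
Address=0xc10f1e:0xa1:0x00 ;   if you need them.
Address=0xc111e9:0x74:0xeb ; If you only want the crack,
Address=0xc111ea:0x56:0x74 ; add only these two.
#End of Configuration File
"""

# Address=<addr>:<original byte>:<patched byte>, optional ';' comment after.
ADDRESS_RE = re.compile(
    r"^Address=0x([0-9a-fA-F]+):0x([0-9a-fA-F]{1,2}):0x([0-9a-fA-F]{1,2})")


def parse_pp_config(text):
    """Return {address: (original_byte, patched_byte)} for every Address= line.
    Header/footer lines and trailing ';' comments are ignored."""
    patches = {}
    for line in text.splitlines():
        m = ADDRESS_RE.match(line.strip())
        if m:
            addr, orig, new = (int(g, 16) for g in m.groups())
            patches[addr] = (orig, new)
    return patches


def byte_runs(patches):
    """Group single-byte patches at consecutive addresses into runs:
    [(start_address, original_bytes, patched_bytes), ...]."""
    runs = []
    for addr in sorted(patches):
        orig, new = patches[addr]
        if runs and runs[-1][0] + len(runs[-1][1]) == addr:
            runs[-1][1].append(orig)
            runs[-1][2].append(new)
        else:
            runs.append([addr, [orig], [new]])
    return [(start, bytes(o), bytes(n)) for start, o, n in runs]


def jump_target(addr, code):
    """Decode the branch at the start of `code`, which sits at `addr`.
    Returns (mnemonic, absolute_target) or None for opcodes not handled.
    Covers short Jcc (70..7F), short JMP (EB) and near JMP (E9); the target
    is the address of the next instruction plus the signed displacement."""
    op = code[0]
    if 0x70 <= op <= 0x7F or op == 0xEB:
        if len(code) < 2:
            return None
        rel = struct.unpack("<b", code[1:2])[0]  # signed 8-bit displacement
        name = "JMP" if op == 0xEB else {0x74: "JZ", 0x75: "JNZ"}.get(op, "Jcc")
        return name, addr + 2 + rel
    if op == 0xE9:
        if len(code) < 5:
            return None
        rel = struct.unpack("<i", code[1:5])[0]  # signed 32-bit displacement
        return "JMP", addr + 5 + rel
    return None


def describe_patches(text):
    """Map each run's start address to (branch before patch, branch after patch)."""
    return {start: (jump_target(start, o), jump_target(start, n))
            for start, o, n in byte_runs(parse_pp_config(text))}


if __name__ == "__main__":
    for start, (before, after) in sorted(describe_patches(PP_CONFIG).items()):
        print(f"{start:08X}: {before} -> {after}")
```

Running it shows the 00C111E9 run decoding to ('JZ', 0xC11241) before and ('JMP', 0xC1125F) after, matching the From/To lines in the text; the 0xc10f1a run decodes from a short JZ to a 5-byte near JMP, with targets that the tutorial itself never states.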



   Cracked, but it still displays red UNREGISTERED, and 0 days remaining.
   You can also find that code and modify it in memory as you like.

End. (Translated in a hurry)

   The original Chinese version contains how to remove its debugger kicker,
   and how to use SMC code to modify the exe file directly; removed here, sorry.
   If I can, I will add them in a future release.

   Why TRW2000? 1) If you use SoftICE to trace, FrogICE would be needed.
                2) And you will still always be broken by the debugger kicker.
                3) I need to read TRW2000's manual, and TRW2000 has a
                   command, suspend, so you can stop tracing and go to view
                   the manual or anything else. I also need to read the
                   original Chinese version and write the English version.
                4) Do you like MP3 while tracing?

   If this tutorial helps you on your future ASPack 2.000
   perfect crack, remember to mention us too. Thanks.

To [CORE] Egis (JH on CFido, still remember me? search mail to you at Mar-98)
ASPack 2.000 uses RSA4096? And is CFido still alive? It is already dead in my city.

