The program is packed with a quite old AsProtect version and there are no stolen bytes at all, as we'll see but the code responsible for the Nag is placed directly by AsProtect so removing it on the one hand becomes a little more complicated than modifying a conditional jmp, but on the other hand when you'll know how to do it the same method can be applied to any AsProtected program..

The characteristics of this crack is that the program is written in Delphi (the assembly is a little different than with MFC programs). Moreover Delphi's program ASM is generally built in a way that doesn't allow to Olly to trace stack calls, so whenver you stop at a specific handler the call stack is generally empty and you don't exactly know from where you're coming. The only informations are the return addresses from the application stack.  Beside this behaviour there's the protection added by AsProtect.

There are three sections in the remaining of this tutorial:
1. Finding the Original Entry point & unpacking the program
2. Dumping our Unpacked target
3. Rebuilding our importable and fixing our exe.
4. Fixing the created dump & at the same time remove the time limit.
 

Download:
Mirror 1: http://grinders.withernsea.com/tutorials/aspr+olly.rar
Mirror 2: http://exetools.com/forum/showthread.php?goto=newpost&t=4469

Ok lets begin. Open target in Olly and hit Shift + F9 once. Hit Ctrl+B and enter this byte pattern: 8B 17 89 02 (what is usually called Magic Call) and hit OK and land here:

0110F4D5 E8 7EFEFFFF CALL 0110F358 <------------ Put BP here by pressing F2 key
0110F4DA 8B17 MOV EDX,DWORD PTR DS:[EDI] <------You will land here so scroll up
0110F4DC 8902 MOV DWORD PTR DS:[EDX],EAX

Now after setting BP keep pressing Shift + F9 for 15 times and Oll breaks at our BP.

0110F4D5 E8 7EFEFFFF CALL 0110F358 <------------ Olly Breaks here.
0110F4DA 8B17 MOV EDX,DWORD PTR DS:[EDI]
0110F4DC 8902 MOV DWORD PTR DS:[EDX],EAX

Now NOP this CALL and hit Shift + F9 once, then hit " - " key and undo the NOP changes and then continue pressing Shift + F9 till you see this code (Last Exception):

0110FC2A 3100 XOR DWORD PTR DS:[EAX],EAX <------------- Stop when you are here
0110FC2C 64:8F05 0000000>POP DWORD PTR FS:[0]
0110FC33 58 POP EAX
0110FC34 833D 34391101 0>CMP DWORD PTR DS:[1113934],0
0110FC3B 74 14 JE SHORT 0110FC51
0110FC3D 6A 0C PUSH 0C <------------------------------ Remember this in all ASPR
0110FC3F B9 34391101 MOV ECX,1113934
0110FC44 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0110FC47 BA 04000000 MOV EDX,4
0110FC4C E8 4BC7FFFF CALL 0110C39C
0110FC51 FF75 FC PUSH DWORD PTR SS:[EBP-4]
0110FC54 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
0110FC57 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0110FC5A 8338 00 CMP DWORD PTR DS:[EAX],0
0110FC5D 74 01 JE SHORT 0110FC60
0110FC5F 50 PUSH EAX
0110FC60 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
0110FC63 FF65 EC JMP DWORD PTR SS:[EBP-14] <----- Put BP here.
0110FC66 5F POP EDI
0110FC67 5E POP ESI
0110FC68 5B POP EBX
0110FC69 8BE5 MOV ESP,EBP
0110FC6B 5D POP EBP
0110FC6C C3 RETN

Here we put BP on JMP command becasue it will jump beyond the RETN. In most ASPr targets we put BP on last RETN but in this case it is otherwise. Okay first set the debugging options as in the screenshot below. This is not required in this target but you do use these settings when unpacking ASPR.

After putting BP on JMP hit Shift + F9 once so Olly breaks at BP and then only hit F9 once and land here:

011EF248 FF06 INC DWORD PTR DS:[ESI] <------------- You land here
011EF24A ^ EB E8 JMP SHORT 011EF234
011EF24C 33DB XOR EBX,EBX            <------------- alternative BP point (see below)
011EF24E 64:8F03 POP DWORD PTR FS:[EBX]
011EF251 5B POP EBX
011EF252 E8 00000000 CALL 011EF257
011EF257 8B1C24 MOV EBX,DWORD PTR SS:[ESP]
011EF25A 58 POP EAX
011EF25B 81EB E32FA500 SUB EBX,0A52FE3
011EF261 90 NOP
011EF262 B8 D2BDACDF MOV EAX,DFACBDD2
011EF267 8BC8 MOV ECX,EAX
011EF269 81E9 2D8E07DF SUB ECX,DF078E2D
011EF26F 40 INC EAX
011EF270 03CB ADD ECX,EBX
011EF272 68 D1CFACDF PUSH DFACCFD1
011EF277 5E POP ESI
011EF278 81F6 D7CFACDF XOR ESI,DFACCFD7
011EF27E BA 00000000 MOV EDX,0
011EF283 81F2 16ABACDF XOR EDX,DFACAB16
011EF289 40 INC EAX
011EF28A 33C5 XOR EAX,EBP
011EF28C 3111 XOR DWORD PTR DS:[ECX],EDX
011EF28E 81C2 51ABACDF ADD EDX,DFACAB51
011EF294 C1C8 B6 ROR EAX,0B6 ; Shift constant out of range 1..31
011EF297 81C1 04000000 ADD ECX,4
011EF29D 0BC1 OR EAX,ECX
011EF29F 2BC1 SUB EAX,ECX
011EF2A1 F8 CLC
011EF2A2 4E DEC ESI
011EF2A3 2BC0 SUB EAX,EAX
011EF2A5 B8 00000000 MOV EAX,0
011EF2AA 48 DEC EAX
011EF2AB 03C6 ADD EAX,ESI
011EF2AD ^ 79 DD JNS SHORT 011EF28C
011EF2AF 83C0 7E ADD EAX,7E
011EF2B2 61 POPAD
011EF2B3 05 95DFACDF ADD EAX,DFACDF95
011EF2B8 C3 RETN <---------------------------- Put BP here on last RETN

After putting BP on RETN hit Shift + F9 once so Olly breaks. Now hit Alt + M to open the memory map window and then select click "code" section and clcik on Set Memory Breakpoint access. Now back in main window hit only F9 key once and land at our OEP :-).

Another alternative to do the same think is to place a BP at 011EF24C 33DB XOR EBX,EBX and press simply Ctrl + F9 to stop there. When you're stopped at this address press Alt + M as told above and place a memory breakpoint on access in the code section of the program. You'll land at the same OEP (of course, how may OEPs would you like to see in a program :D).

This is what you could see now:

00A1B998 55 DB 55 ; CHAR 'U' <---- OEP
00A1B999 8B DB 8B
00A1B99A EC DB EC
00A1B99B 83 DB 83
00A1B99C C4 DB C4
00A1B99D F4 DB F4
00A1B99E B8 DB B8

Right clcik-> Analysis -> Remove Analysis from module

00A1B998 55 PUSH EBP <------------- OEP
00A1B999 8BEC MOV EBP,ESP
00A1B99B 83C4 F4 ADD ESP,-0C
00A1B99E B8 B0A6A100 MOV EAX,MyManage.00A1A6B0

well, we don't have stolen bytes, so we are more happy then before now, less work to do!
 

We now have our program dumped.exe which will not run due to the import table being messed up
lets start ImpRec and get the imports.In ImpRec select attached to active process and choose our target program.

Enter OEP = A1B998 - 400000 = 61B998

Plesae note that if you don't know how to solve all the imports we strongly suggest to read the tutorial on Advanced PDF 2 HTML, released by Ferrari, which link is at the beginning of this page. There are described the detailed steps required to fix the IAT..
 

When there are no invalid imports all we have to do now is fix our dumped.exe. Click on Fix Dump and select our dumped.exe and we are done.
Our Dump will be saved as dumped_.exe and will not run :-( and keep crashing due to bad ASPr CALLs. So later we will fix that :-)
I hope you have not closed Olly. So back in Olly, you should be stopped at the OEP..
 

I hope you have not close Olly. So close Imprec and LordPE and back in Olly you were at the OEP after the last RETN.

00A1B998 55 PUSH EBP<----------------- You were here.
00A1B999 8BEC MOV EBP,ESP
00A1B99B 83C4 F4 ADD ESP,-0C
00A1B99E B8 B0A6A100 MOV EAX,MyManage.00A1A6B0
00A1B9A3 E8 DCE19EFF CALL MyManage.00409B84
00A1B9A8 A1 985FA200 MOV EAX,DWORD PTR DS:[A25F98]
00A1B9AD 8B00 MOV EAX,DWORD PTR DS:[EAX]
00A1B9AF 8B10 MOV EDX,DWORD PTR DS:[EAX]
00A1B9B1 FF52 0C CALL DWORD PTR DS:[EDX+C]
00A1B9B4 A1 985FA200 MOV EAX,DWORD PTR DS:[A25F98]
00A1B9B9 8B00 MOV EAX,DWORD PTR DS:[EAX]
00A1B9BB E8 F8B3FEFF CALL MyManage.00A06DB8
00A1B9C0 84C0 TEST AL,AL
00A1B9C2 75 1B JNZ SHORT MyManage.00A1B9DF
00A1B9C4 33C9 XOR ECX,ECX
00A1B9C6 B2 01 MOV DL,1
00A1B9C8 B8 1CBAA100 MOV EAX,MyManage.00A1BA1C ; ASCII "MyManager"
00A1B9CD E8 BE42FEFF CALL MyManage.009FFC90
00A1B9D2 8B15 C869A200 MOV EDX,DWORD PTR DS:[A269C8] ; MyManage.00A287D8
00A1B9D8 8B12 MOV EDX,DWORD PTR DS:[EDX]
00A1B9DA 3B42 24 CMP EAX,DWORD PTR DS:[EDX+24]
00A1B9DD 75 2F JNZ SHORT MyManage.00A1BA0E
00A1B9DF A1 C869A200 MOV EAX,DWORD PTR DS:[A269C8]
00A1B9E4 8B00 MOV EAX,DWORD PTR DS:[EAX]
00A1B9E6 E8 E91FA5FF CALL MyManage.0046D9D4
00A1B9EB A1 C869A200 MOV EAX,DWORD PTR DS:[A269C8]
00A1B9F0 8B00 MOV EAX,DWORD PTR DS:[EAX]
00A1B9F2 BA 30BAA100 MOV EDX,MyManage.00A1BA30 ; ASCII "EMS MySQL Manager"
00A1B9F7 E8 841AA5FF CALL MyManage.0046D480
00A1B9FC FF15 DC57A200 CALL DWORD PTR DS:[A257DC] <--This is interesting CALL for us
00A1BA02 A1 C869A200 MOV EAX,DWORD PTR DS:[A269C8]
00A1BA07 8B00 MOV EAX,DWORD PTR DS:[EAX]
00A1BA09 E8 7A20A5FF CALL MyManage.0046DA88
00A1BA0E E8 558E9EFF CALL MyManage.00404868

Why is this call interesting for us? Because anytime you see a call that uses the [........] at the beginning of the program it will be an ASPR trick to hide the code, so what we have to do for the moment is write down the called place address A257DC to the paper and trace into this call (F7)!

The address A257DC contains the real address of the called routine so Olly bring us here

011CC784 833D A8351D01 0>CMP DWORD PTR DS:[11D35A8],0
011CC78B 74 06 JE SHORT 011CC793
011CC78D FF15 A8351D01 CALL DWORD PTR DS:[11D35A8] ; MyManage.00A1A5A8
011CC793 C3 RETN

Ok watch, we are in ASPR code!
On address 011CC784 the program will look if there is something on the address 11D35A8, if not it will jump and return from the call. This will also happen when you unpack & dump the target!
So, just for undestanding more, follow the call of the JE at 011CC793 and try to underestand what it does. Anyway it's not important for patching the program: what interest us is the call at the address pointed at 11D35A8.

After pressing "dump 11D35A8" (if you have the Commandbar plugin in Olly) or going with the dump window at 11D35A8 you will see this:

011D35A8 A8 A5 A1 00 00 00 00 00 00 00 00 00 00 00 00 00 ¨¥¡.............

Ok this means that the CALL we are examining will call the address A1A5A8 to go on... if the 30 day expires or you unpack the target at this address there will be nothing (all zeros) or another address (the address of the routine which shows the nag), which will bring the program to tell you that the time is up.
So this address is the address of the correct routine which you should have to call to not have nags..

So I suggest to write down the address 00A1A5A8 onto the paper! ;)

This trick is often used by ASPR and you will see it in on alot of targets! So don´t forget it

Patching:
Now, we have all the elements required to patch the application, and we can close the Olly session with the packed program, stopped at the OEP.
Now load in Olly the unpacked and imprec fixed app (dumped_.exe) which crashes in Olly and stop at the OEP. The code is the same reported at the beginning of the previous section of course.

Well, remember the direct call at:

00A1B9FC FF15 DC57A200 CALL DWORD PTR DS:[A257DC]

If you trace the program from the EP with F8 till here you will see that this is the call that makes the program crashing..if you followed this tut up to here it should be clear why (the address has been dumped but not the AsProtect corresponding little routine).
What we have to do now is just to fix the call to the right point, which is the one we wrote on the paper before (A1A5A8).

So, modify the dumped program in the following way (Use Ctrl + E or hit space bar to modify):

Original code: 00A1B9FC FF15 DC57A200 CALL DWORD PTR DS:[A257DC]

Modified Code: 00A1B9FC E8 A7EBFFFF CALL MyManage.00A1A5A8
               00A1BA01 90 NOP

So to save the changes permanent Right click-->Copy to executable-->All Modification. Then right click on window that pop's up-->save file, double click on dumped_.exe and select overwrite file. Exit from Olly and run the program, of course it never expires and the 30 days are always 30 and program runs registered 8-) Have phun!

Method 2 by Ferrari:  To fix the crashing dump

Original code: 00A1B9FC FF15 DC57A200 CALL DWORD PTR DS:[A257DC]

Modified Code: 00A1B9FC ^\E9 A7EBFFFF JMP dumped_.00A1A5A8
               00A1BA01 90 NOP

Original code: 00A1A642 C3 RETN
               00A1A643 ^ E9 809C9EFF JMP dumped_.004042C8

Modified Code: 00A1A642 90 NOP
               00A1A643 E9 BA130000 JMP dumped_.00A1BA02

Add code     : 00400401 - E9 C23E0000 JMP dumped_.004042C8

Original code: 00A1A5B0 68 43A6A100 PUSH dumped_.00A1A643

Modified Code: 00A1A5B0 68 01044000 PUSH dumped_.00400401

Still awake?!? As usual we try to summarize what we learnt during this tutorial..hope at least one of the points were new for you :)

1. unpack an AsProtect 1.22 program
2. remove generic nag & time limit placed by AsProtect
3. Patch in different ways the same think

[MAIN TEAM]
| Nilrem | Enforcer | Ferrari | Pompeyfan(ex-member) | MaDMAn_H3rCuL3s | EJ12N | Kruger |
Shub-Nigurrath | Jdog45 |

[TRIAL MEMBERS]
| R@Dier |

*****************************

Exetools | Woodmann | VCT | TSRh | Sir JMI | SatyricOn | LaBBa | R@dier | Britedream | MarKuS-DJM | Hacnho | cl0ud (Mephisto) | Zest | Hobgoblin | Peroquin | GlObaL | Everyone we missed & you
Thanks to the authors of ASPR, Ollydbg, LordPE, Imprec, PEiD and EMS MySQLManager
 

[^~=~ (.)Ferrari(.) ~=~^]
(.|.)
 ).( (¯`·._.·[¯¨´*·~-.¸¸,.-~*´¨&8~) Ŝħůβ¬Ňïĝµŕřāŧħ ¨´*·~-.¸¸,.-~*´¨]·._.·´¯)
( v )
 \|/