Padawan, you used stripper??? Then I understand. Look here:
005996BA |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX ; |
005996BD |. C645 D8 0B MOV BYTE PTR SS:[EBP-28],0B ; |
005996C1 |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C] ; |
005996C4 |. 33C9 XOR ECX,ECX ; |
005996C6 |. B8 74975900 MOV EAX,_PHPProc.00599774 ; |ASCII "Can't load language library: %s.lng"
005996CB |. E8 7016E7FF CALL _PHPProc.0040AD40 ; \_PHPProc.0040AD40
005996D0 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
005996D3 |. E8 A4B8E6FF CALL _PHPProc.00404F7C
005996D8 |. 8BD0 MOV EDX,EAX
005996DA |. B9 98975900 MOV ECX,_PHPProc.00599798 ; ASCII "Error!"
005996DF |. A1 D0735A00 MOV EAX,DWORD PTR DS:[5A73D0]
005996E4 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005996E6 |. E8 9162EDFF CALL _PHPProc.0046F97C
005996EB |. E8 48B2E6FF CALL _PHPProc.00404938
005996F0 |> FF15 2C6F5A00 CALL DWORD PTR DS:[5A6F2C] ; If you use stripper, this DWORD will be 00598F3C. This means: program expired (this DWORD is set by aspr). You have to modify this offset to 00598E28 and all works perfectly.
005996F6 |. A1 D0735A00 MOV EAX,DWORD PTR DS:[5A73D0]
005996FB |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005996FD |. E8 EA60EDFF CALL _PHPProc.0046F7EC
00599702 |. 33C0 XOR EAX,EAX
00599704 |. 5A POP EDX
00599705 |. 59 POP ECX
00599706 |. 59 POP ECX
00599707 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0059970A |. 68 24975900 PUSH _PHPProc.00599724
0059970F |> 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00599712 |. BA 05000000 MOV EDX,5
00599717 |. E8 D4B3E6FF CALL _PHPProc.00404AF0
0059971C \. C3 RETN
0059971D .^E9 0AADE6FF JMP _PHPProc.0040442C
00599722 .^EB EB JMP SHORT _PHPProc.0059970F
MaRKuS TH-DJM / SnD TeaM
PS: It doesn't use any APIs like you mentioned. But all the parameters (or let's say: DWORDs) for the program are set while ASProtect unpacks the target. So it is able to lead the code to another location (like here) where the program says: unregistered. So you can't find a way to crack it. But as you see, it is possible.
Last edited by MaRKuS-DJM; 02-21-2004 at 20:48.