|
Zexersoft - some research
Unfortunatelly, I fully out of time to check it, so I hope someone else
will be test my suggestion.
This site (h**p://w*w.zexersoft.com) offer an attarctive set resource
hunters: bitmaps, cursors, jpg, wav, midi, strings, and of course, Delphi
forms.
Each proggy is self-installer (just rename setup to what need), packed
with ASPack 2.12 and contain a lot crypto stuff (SHA, Blowfish, HAVAL).
I know nothing about registration procedure, but seem it use 160 bit hash
(SHA-160 ?) to check if it is registered.
Don't worry about all the shit.
Unpack proggy and search for the MAGIC value 15180h. Why ? 15180h = 86400.
This is a TIP: 86400 = 60 * 60 * 24 :-)
Another MAGIC value is 08088405h (Used in Delphi Pseudo-Random Generator).
Finally U fall in somewhere like follow (STRING EXTRACTOR, Version 1.4):
CODE:004452A0 push ebx
CODE:004452A1 push esi
CODE:004452A2 push edi
CODE:004452A3 add esp, 0FFFFFFF0h
CODE:004452A6 mov ebx, eax
CODE:004452A8 call IsRegistered_43B628
CODE:004452AD test al, al
CODE:004452AF jnz short Ret_44532E
CODE:004452B1 call IsExpired_0043B63C
CODE:004452B6 test al, al
CODE:004452B8 jz short Ret_44532E
CODE:004452BA mov eax, 3
CODE:004452BF
CODE:004452BF Randomize_4452BF:
CODE:004452BF call PRNG_402AA4
CODE:004452C4 test eax, eax
CODE:004452C6 jg short Ret_44532E
CODE:004452C8 mov eax, [ebx+1E8h]
CODE:004452CE mov edi, [eax+3Ch]
CODE:004452D1 mov eax, edi
CODE:004452D3 mov ecx, 3
CODE:004452D8 cdq
CODE:004452D9 idiv ecx
CODE:004452DB mov esi, [ebx+1E8h]
CODE:004452E1 mov edx, edi
CODE:004452E3 sub edx, eax
CODE:004452E5 lea ecx, [esp+8]
CODE:004452E9 mov eax, [esi+38h]
CODE:004452EC sar eax, 1
CODE:004452EE jns short loc_4452F3
CODE:004452F0 adc eax, 0
CODE:004452F3
CODE:004452F3 loc_4452F3: ; CODE XREF: CODE:004452EE�j
CODE:004452F3 call sub_40B9EC
CODE:004452F8 lea edx, [esp+8]
CODE:004452FC mov ecx, esp
CODE:004452FE mov eax, esi
CODE:00445300 call TImageList@_PROC_0041D724
CODE:00445305 dec dword ptr [esp]
CODE:00445308 mov eax, [esp+4]
CODE:0044530C push eax
CODE:0044530D mov eax, [esp+4]
CODE:00445311 push eax
CODE:00445312 call SetCursorPos
CODE:00445317 inc dword ptr [esp]
CODE:0044531A mov eax, [esp+4]
CODE:0044531E push eax
CODE:0044531F mov eax, [esp+4]
CODE:00445323 push eax
CODE:00445324 call SetCursorPos
CODE:00445329 call sub_432FF4
CODE:0044532E
CODE:0044532E Ret_44532E: ; CODE XREF: CODE:004452AF�j
CODE:0044532E ; CODE:004452B8�j
CODE:0044532E ; CODE:004452C6�j
CODE:0044532E add esp, 10h
CODE:00445331 pop edi
CODE:00445332 pop esi
CODE:00445333 pop ebx
CODE:00445334 retn
Correct IsRegistered() return value to be always TRUE and correct IsExpired()
return value to be always FALSE. Now it work and newer expired.
Also it have (I think encrypted elsewhere) string ' - Unregistered evaluation
copy' in the Titlebar, but I haven't yet play with it.
|
Linear Mode
