#1
Zexersoft - some research
Unfortunately, I am fully out of time to check it, so I hope someone else
will test my suggestion. This site (h**p://w*w.zexersoft.com) offers an attractive set for resource hunters: bitmaps, cursors, jpg, wav, midi, strings, and of course, Delphi forms. Each proggy is a self-installer (just rename setup to what you need), packed with ASPack 2.12 and contains a lot of crypto stuff (SHA, Blowfish, HAVAL). I know nothing about the registration procedure, but it seems to use a 160 bit hash (SHA-160 ?) to check if it is registered. Don't worry about all the shit. Unpack the proggy and search for the MAGIC value 15180h. Why? 15180h = 86400. This is a TIP: 86400 = 60 * 60 * 24 :-) Another MAGIC value is 08088405h (used in the Delphi Pseudo-Random Generator). Finally U fall in somewhere like the following (STRING EXTRACTOR, Version 1.4):

CODE:004452A0 push ebx
CODE:004452A1 push esi
CODE:004452A2 push edi
CODE:004452A3 add esp, 0FFFFFFF0h
CODE:004452A6 mov ebx, eax
CODE:004452A8 call IsRegistered_43B628
CODE:004452AD test al, al
CODE:004452AF jnz short Ret_44532E
CODE:004452B1 call IsExpired_0043B63C
CODE:004452B6 test al, al
CODE:004452B8 jz short Ret_44532E
CODE:004452BA mov eax, 3
CODE:004452BF
CODE:004452BF Randomize_4452BF:
CODE:004452BF call PRNG_402AA4
CODE:004452C4 test eax, eax
CODE:004452C6 jg short Ret_44532E
CODE:004452C8 mov eax, [ebx+1E8h]
CODE:004452CE mov edi, [eax+3Ch]
CODE:004452D1 mov eax, edi
CODE:004452D3 mov ecx, 3
CODE:004452D8 cdq
CODE:004452D9 idiv ecx
CODE:004452DB mov esi, [ebx+1E8h]
CODE:004452E1 mov edx, edi
CODE:004452E3 sub edx, eax
CODE:004452E5 lea ecx, [esp+8]
CODE:004452E9 mov eax, [esi+38h]
CODE:004452EC sar eax, 1
CODE:004452EE jns short loc_4452F3
CODE:004452F0 adc eax, 0
CODE:004452F3
CODE:004452F3 loc_4452F3: ; CODE XREF: CODE:004452EEj
CODE:004452F3 call sub_40B9EC
CODE:004452F8 lea edx, [esp+8]
CODE:004452FC mov ecx, esp
CODE:004452FE mov eax, esi
CODE:00445300 call TImageList@_PROC_0041D724
CODE:00445305 dec dword ptr [esp]
CODE:00445308 mov eax, [esp+4]
CODE:0044530C push eax
CODE:0044530D mov eax, [esp+4]
CODE:00445311 push eax
CODE:00445312 call SetCursorPos
CODE:00445317 inc dword ptr [esp]
CODE:0044531A mov eax, [esp+4]
CODE:0044531E push eax
CODE:0044531F mov eax, [esp+4]
CODE:00445323 push eax
CODE:00445324 call SetCursorPos
CODE:00445329 call sub_432FF4
CODE:0044532E
CODE:0044532E Ret_44532E: ; CODE XREF: CODE:004452AFj
CODE:0044532E ; CODE:004452B8j
CODE:0044532E ; CODE:004452C6j
CODE:0044532E add esp, 10h
CODE:00445331 pop edi
CODE:00445332 pop esi
CODE:00445333 pop ebx
CODE:00445334 retn

Correct the IsRegistered() return value to be always TRUE and correct the IsExpired() return value to be always FALSE. Now it works and never expires. Also it has (I think encrypted elsewhere) the string ' - Unregistered evaluation copy' in the Titlebar, but I haven't played with it yet.
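The 08088405h value the post points at is the multiplier of the Delphi RTL's 32-bit linear congruential Random(), and 15180h is 86400, the number of seconds in a day. The snippet below is an added example, not code from the post or from Zexersoft; it reimplements that generator so a reader can see why those constants are recognisable and why a 32-bit LCG with a public recurrence carries no secrecy (do not build licence or token checks on it). The function names are my own.

```python
# Added example (not from the post): the Delphi RTL Random() generator.
# Constants as known from the Delphi System unit; 0x15180 is the post's 86400.
DELPHI_LCG_MULTIPLIER = 0x08088405   # 134775813, the "MAGIC" value in the post
DELPHI_LCG_INCREMENT = 1
MASK32 = 0xFFFFFFFF
SECONDS_PER_DAY = 0x15180            # == 86400 == 60 * 60 * 24


def delphi_lcg_step(seed: int) -> int:
    """Advance RandSeed exactly as Delphi does: seed * 0x08088405 + 1 mod 2^32."""
    return (seed * DELPHI_LCG_MULTIPLIER + DELPHI_LCG_INCREMENT) & MASK32


def delphi_random(seed: int, rng: int) -> tuple[int, int]:
    """Delphi's Random(Range): step the seed, then take the high 32 bits of
    new_seed * Range, giving a value in [0, Range).  Returns (value, new_seed)."""
    new_seed = delphi_lcg_step(seed)
    return ((new_seed * rng) >> 32, new_seed)


def delphi_random_sequence(seed: int, rng: int, count: int) -> list[int]:
    """First `count` outputs of Random(rng) starting from RandSeed = seed."""
    out = []
    for _ in range(count):
        value, seed = delphi_random(seed, rng)
        out.append(value)
    return out


def looks_like_delphi_lcg(seed_before: int, seed_after: int) -> bool:
    """Given two consecutively observed 32-bit RandSeed values, report whether
    they are related by the Delphi step.  The whole state is 32 bits and the
    recurrence is public, so the sequence is fully determined by one sample:
    Random() is a statistics helper, not a source of secrets."""
    return delphi_lcg_step(seed_before & MASK32) == (seed_after & MASK32)


def days_to_seconds(days: int) -> int:
    """Trial periods kept as seconds are multiples of 0x15180 (86400)."""
    return days * SECONDS_PER_DAY


if __name__ == "__main__":
    print(hex(DELPHI_LCG_MULTIPLIER), SECONDS_PER_DAY)
    print(delphi_random_sequence(0, 100, 3))
```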
#2
Re: Zexersoft - some research
Quote:
any of Zexersoft's proggy - try Ur cracking skills :-)
#3
Thanks guys, will check it out.
#4
Funny
To prevent lazy people from writing a single KG for all his progs, Zexer
slightly modified the cipher S-boxes (he uses Blowfish or smth Blowfish-based - not yet checked). At least, it includes all Blowfish P & S boxes (maybe from the lib from Eric Young - eay@mincom.oz.au ?). S1 & S2 are virgin, S3 is modified commonly for all 11 progs and finally, S4 is modified uniquely for each proggy. Of course, CC do know about the trick :-)