A pretty stupid scheme: Spam Exterminator
(it's all there... "autocracked")

HCU

by plushmm

(09 July 1997)


Courtesy of Fravia's page of reverse engineering
~
Well, this is short and easy to follow: basically:

1)	"dead list" the target

2)	seek for "regis"

3)	see the jump

4)	crack it (it could not be easier)

5)	play a little with the target

6) 	throw it away

You would not believe you could still find such stupid protections, would you?


How Spam Exterminator cracks itself!

An essay, by plushmm

Before running my targets... I often look at the Help file first... here it is:
--------------------------------------------------------------------------------------
Spam Exterminator is available for $27.95 (US) from Unisyn.
Site license discounts and reseller terms are available.
For more information, contact Unisyn.

Contact Information:

Sales:  (213)738-1700
FAX: (213)738-7665
eMail: spamex@unisyn.com
Web: http://www.unisyn.com

Mailing Address:
Unisyn
3450 Wilshire Blvd.
Suite 316
Los Angeles, CA 90010
--------------------------------------------------------------------------------------

Disassembling the main program file, Spamex.exe, we just cannot believe our eyes!

Take a look at this...

* Reference To: kernel32.GetWindowsDirectoryA, Ord:0000h ;windows_dir garbage collector
                                  |
:00453114 E8471AFBFF              Call 00404B60

* Possible StringData Ref from Code Obj ->"\unisx.lic"  ;if you're regged this file will be in your windows dir
                                  |
:00453119 BAC8324500              mov edx, 004532C8
:0045311E 8BC3                    mov eax, ebx
:00453120 E89B2FFBFF              call 004060C0
...doing stuff...
:004531D5 58                      pop eax
:004531D6 E80506FBFF              call 004037E0
:004531DB 7553                    jne 00453230   ;This is the evil jump to
:004531DD 8BD3                    mov edx, ebx   ;"invalid registration code"
:004531DF 8D8524FEFFFF            lea eax, dword ptr [ebp+FE24]
:004531E5 E89B0FFBFF              call 00404185
:004531EA 8D8524FEFFFF            lea eax, dword ptr [ebp+FE24]
:004531F0 E85D13FBFF              call 00404552
:004531F5 E80EF5FAFF              call 00402708

StringData Ref from Code Obj ->"dust23155543335u?n?i?s?y?n?w?i?l?l?b?e?a?t?m?s?#@@@46g"
                                                ;The contents of that file!

|
:004531FA BAF8324500              mov edx, 004532F8
:004531FF 8D8524FEFFFF            lea eax, dword ptr [ebp+FE24]
:00453205 E82208FBFF              call 00403A2C
:0045320A E81C14FBFF              call 0040462B
:0045320F E8F4F4FAFF              call 00402708
:00453214 8D8524FEFFFF            lea eax, dword ptr [ebp+FE24]
:0045321A E80910FBFF              call 00404228
:0045321F E8E4F4FAFF              call 00402708

* Possible StringData Ref from Code Obj ->"Thanks for registering Unisyn Spam Exterminator! "
                                  |
:00453224 B838334500              mov eax, 00453338
:00453229 E89ABAFDFF              call 0042ECC8
:0045322E EB11                    jmp 00453241

* Referenced by a Jump at Address:004531DB(C)
|

* Possible StringData Ref from Code Obj ->"You have entered an invalid registration "
                                        ->"number.  If you are a registered "
                                        ->"user of Unisyn Spam Exterminator, "
                                        ->"please contact Unisyn for a valid "
                                        ->"code. "
                                  |
:00453230 B874334500              mov eax, 00453374
:00453235 E88EBAFDFF              call 0042ECC8
:0045323A E8D900FBFF              call 00403318
:0045323F EB1D                    jmp 0045325E


"dust23155543335u?n?i?s?y?n! ?w?i?l?l?b?e?a?t?m?s?#@@@46g"...hmm...Unisyn will beat M$?
With competition like this, no wonder Micro$oft is still making mega-bucks for bugs!

 

oh yes...BTW...the "number of trials left" counter is stored here...
(You may want to have a go at it :-)

* Reference To: kernel32.GetWindowsDirectoryA, Ord:0000h
                                  |
:00452D3E E81D1EFBFF              Call 00404B60

* Possible StringData Ref from Code Obj ->"\sx.sac"    ;counter unencrypted
                                  |
:00452D43 BA302F4500              mov edx, 00452F30
 
 

9 July 97
plushmm, RiP'97

PS:  A version of this crap is nowhere mentioned
     File Size of Spamex.exe is 593,408 bytes


(c) plushmm 1997

You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
search_forms counter measures mailFraVia
Is reverse engineering legal?