SpamEater features an easy to use user interface and a step by step assistant for setting it up."
The contents of this file are as shown:-
48C5 9173 4704 222D 2BEF 8926 H..sG."-+..&
1E44 741B 01C6 ED57 5D10 2F2C .Dt....W]./,
23F4 8E7D 455B 6973 68AA CD38 #..}E[ish..8
015B 6973 68AA CD38 015B 6973 .[ish..8.[is
68AA CD1B 0F30 776C 77B7 A551 h....0wlw..Q
6D5B 6973 B899 D233 2A1A 0A59 m[is...3*..Y
4280 E712 ABEA A219
Now compare this to the one created when you fully register this program.
49D4 8F77 0B22 2237 26ED 867C I..w.""7&..|
7B71 4359 FAA2 A712 D381 2C59 {qCY......,Y
9EA2 A712 C853 0359 0380 E712 .....S.Y....
6605 C859 3E73 8812 2B71 4359 f..Y>s..+qCY
2254 6C1B 0F30 011F 76B2 A356 "Tl..0..v..V
1E93 BAE6 B899 D233 2B82 2C59 .......3+.,Y
4280 E712 2B71 4359
This file [sephlpr.dat] is treated by the program as a 'Key file': even if you delete the entries in your System Registry file, when you re-run this program it will read the info contained within this file [sephlpr.dat] and re-write the entries in your System Registry file. So if you wish to re-start your 30 day trial period again or want to re-register this program again, then make sure you not only delete the registry entries in your System Registry file but also DELETE this file [sephlpr.dat].
The Registration entries for this program are stored here:-
Mountain Software\SpamEater Pro\Data
OK, create a dead listing of spamEtrp.exe using W32Dasm.
Open up the program's String Dialog Resources and search for the text: "Thanks for your support of SpamEater Pro!"
You should now see this snippet of code:-
:0049B300 50                push eax
:0049B301 E8AEB6F6FF        Call kernel32.SetFileAttributesA
:0049B306 6A00              push 00000000
:0049B308 668B0D48B44900    mov cx, word ptr [0049B448]
:0049B30F B202              mov dl, 02

* StringData Ref from Code Obj ->"Thanks for your support of SpamEater Pro"
:0049B311 B854B44900        mov eax, 0049B454
:0049B316 E83D95FBFF        call 00454858
:0049B31B E980000000        jmp 0049B3A0
From here I now scroll UP this dead listing UNTIL I come across the first occurrence of the following sequence of assembly instructions:-
Call Memory Address
cmp register,register   or   test register, register
jnz   or   jz   or   je   memory address
Notice as you scroll up this listing the following strings:-
* Possible StringData Ref from Code Obj ->"Serial Number: "
* Possible StringData Ref from Code Obj ->"Licensed to: "
A good indication of what this long routine does..:)
Our first occurrence of the above assembly instructions (which are used in 100's of protected programs) is found here..
E82DE4FEFF      call 0048956C                      ;Create and check serials in low byte of eax
                                                   ;al = 0 if serial invalid.
                                                   ;al = 1 if serial valid.
                test al, al                        ;result returned in al
0F8459020000    je 0049B3A0                        ;jump if wrong serial
A1E8144A00      mov eax, dword ptr [004A14E8]
                mov eax, dword ptr [eax]
8B9898030000    mov ebx, dword ptr [eax+00000398]
80BB7503000000  cmp byte ptr [ebx+00000375], 00    ;days left=0?
0F85BF010000    jne 0049B320                       ;no? then continue as Shareware.
From here it's obvious what our next step should be: we should follow where the call 0048956C takes us.
The above call in fact will lead us to this section of code:-
Referenced by a CALL at Addresses:
:00489745 , :00489919 , :0049B13A

              push ebx                        ;Preserve ebx register
              push esi                        ;   "     esi    "
              push edi                        ;   "     edi    "
83C4B4        add esp, FFFFFFB4
8BF1          mov esi, ecx                    ;esi = Your *fake* serial

Your *fake* serial looks like this

07 7777777
:  :.............. Your *fake* serial number
:................. The number of digits (hex) used. (max 09)

8D3C24        lea edi, dword ptr [esp]
33C9          xor ecx, ecx
8A0E          mov cl, byte ptr [esi]          ;cl = len of your serial
80F909        cmp cl, 09                      ;is it 9 numbers or less?
7202          jb 00489582                     ;jump if below 9 numbers
B109          mov cl, 09                      ;else set len to max of 9
880F          mov byte ptr [edi], cl          ;save len in temp work area
              inc esi                         ;esi = start of your serial
              inc edi                         ;edi = start of temp work area
                                              ;repeat 9 times
8BF2          mov esi, edx                    ;esi = Your handle/name

Your name looks like this

09 The Sandman
:  :.............. The name/handle you want to use.
:................. The number of characters (hex) in your name (max 32)

8D7C240A      lea edi, dword ptr [esp+0A]
33C9          xor ecx, ecx
8A0E          mov cl, byte ptr [esi]          ;get len of name/handle
80F932        cmp cl, 32                      ;is it 32 or less?
7202          jb 00489599                     ;jmp if len below 32
B132          mov cl, 32                      ;else set len to max 32
880F          mov byte ptr [edi], cl          ;save len of your name
              inc esi                         ;esi = start of your name
              inc edi
                                              ;repeat up to 32 times
8BF0          mov esi, eax
33DB          xor ebx, ebx
889E75030000  mov byte ptr [esi+00000375], bl
8D442440      lea eax, dword ptr [esp+40]
              push eax
8BCB          mov ecx, ebx
8D54240E      lea edx, dword ptr [esp+0E]
8BC6          mov eax, esi
E805FEFFFF    call 004893C0                   ;Create *real* serial No
Once you've executed the line call 004893C0 type: d edx to see the serial number you should use for the name/handle you've used. It will be the first set of nine alpha-numeric characters that you see in Softice. There are one or two other 'sets' like this but ignore them. Your serial will look something like this:-
It's important to include the $ (dollar sign) in front of your serial number.
Now run SpamEater Pro, select the 'Help' menu then the 'About' option and type in your User details using the *real* serial number you've just found then press the 'Register' button.
Job Done.
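The weakness the listing exposes is a design one: the routine at 004893C0 builds the valid serial for whatever name was entered, so the expected value sits in the client's memory before the comparison. The following is an added example, not code from this essay or from SpamEater Pro, that contrasts that design with a check in which the client can only verify a vendor signature; every function name, the demo secret and the toy key are assumptions made for illustration.

```python
import hashlib
import hmac

# Weak design (the pattern in the listing): the client can derive the valid
# serial for any name, so the expected value exists in its memory at check time.
EMBEDDED_SECRET = b"constructed-demo-secret"  # hypothetical, shipped in the client

def weak_expected_serial(name: str) -> str:
    mac = hmac.new(EMBEDDED_SECRET, name.encode(), hashlib.sha256).hexdigest()
    return "$" + mac[:8].upper()

def weak_check(name: str, serial: str) -> bool:
    return hmac.compare_digest(weak_expected_serial(name), serial)

# Hardened design: the client holds only a public key and verifies a licence
# signature issued by the vendor; it contains no routine that can produce one.
# Textbook RSA on a constructed toy key keeps this runnable offline; a real
# product would use a vetted library (e.g. Ed25519 or RSA-PSS), not this.
_VENDOR_P = 2**127 - 1            # vendor-only prime (constructed, far too small)
_VENDOR_Q = 2**89 - 1             # vendor-only prime (constructed, far too small)
PUBLIC_N = _VENDOR_P * _VENDOR_Q  # a client build would embed only this number
PUBLIC_E = 65537

def _name_digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % PUBLIC_N

def vendor_sign(name: str) -> int:
    """Runs on the vendor's licence server only; never shipped to users."""
    d = pow(PUBLIC_E, -1, (_VENDOR_P - 1) * (_VENDOR_Q - 1))
    return pow(_name_digest(name), d, PUBLIC_N)

def verify_license(name: str, signature: int) -> bool:
    """Client-side check: uses public values only."""
    if not 0 < signature < PUBLIC_N:
        return False
    return pow(signature, PUBLIC_E, PUBLIC_N) == _name_digest(name)

if __name__ == "__main__":
    licence = vendor_sign("The Sandman")            # constructed sample name
    print(verify_license("The Sandman", licence))   # signature matches the name
    print(verify_license("Someone Else", licence))  # licence is bound to the name
```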
My thanks and gratitude go to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.
