1) "dead list" the target
2) seek for "regis"
3) see the jump
4) crack it (it could not be easier)
5) play a little with the target
6) throw it away
Before running my targets... I often look at the Help file first... here it is:
Spam Exterminator is available for $27.95 (US) from Unisyn.
Site license discounts and reseller terms are available.
For more information, contact Unisyn.
Contact Information:
Sales: (213)738-1700
FAX: (213)738-7665
eMail: spamex@unisyn.com
Web: http://www.unisyn.com
Mailing Address:
3450 Wilshire Blvd.
Suite 316
Los Angeles, CA 90010
Disassembling the main program file, Spamex.exe, we just cannot believe our eyes!
Take a look at this...
* Reference To: kernel32.GetWindowsDirectoryA, Ord:0000h   ;windows_dir garbage collector
:00453114 E8471AFBFF        Call 00404B60
* Possible StringData Ref from Code Obj ->"\unisx.lic"     ;if you're regged this file will be in your windows dir
:00453119 BAC8324500        mov edx, 004532C8
:0045311E 8BC3              mov eax, ebx
:00453120 E89B2FFBFF        call 004060C0
...doing stuff...
:004531D5 58                pop eax
:004531D6 E80506FBFF        call 004037E0
:004531DB 7553              jne 00453230                   ;This is the evil jump to "invalid registration code"
:004531DD 8BD3              mov edx, ebx
:004531DF 8D8524FEFFFF      lea eax, dword ptr [ebp+FE24]
:004531E5 E89B0FFBFF        call 00404185
:004531EA 8D8524FEFFFF      lea eax, dword ptr [ebp+FE24]
:004531F0 E85D13FBFF        call 00404552
:004531F5 E80EF5FAFF        call 00402708
Ref from Code Obj ->"dust23155543335u?n?i?s?y?n?w?i?l?l?b?e?a?t?m?s?#@@@46g"   ;The contents of that file!
:004531FA BAF8324500        mov edx, 004532F8
:004531FF 8D8524FEFFFF      lea eax, dword ptr [ebp+FE24]
:00453205 E82208FBFF        call 00403A2C
:0045320A E81C14FBFF        call 0040462B
:0045320F E8F4F4FAFF        call 00402708
:00453214 8D8524FEFFFF      lea eax, dword ptr [ebp+FE24]
:0045321A E80910FBFF        call 00404228
:0045321F E8E4F4FAFF        call 00402708
* Possible StringData Ref from Code Obj ->"Thanks for registering Unisyn Spam Exterminator! "
:00453224 B838334500        mov eax, 00453338
:00453229 E89ABAFDFF        call 0042ECC8
:0045322E EB11              jmp 00453241
* Referenced by a Jump at Address:004531DB(C)
* Possible StringData Ref from Code Obj ->"You have entered an invalid registration "
                                        ->"number. If you are a registered "
                                        ->"user of Unisyn Spam Exterminator, "
                                        ->"please contact Unisyn for a valid "
                                        ->"code. "
:00453230 B874334500        mov eax, 00453374
:00453235 E88EBAFDFF        call 0042ECC8
:0045323A E8D900FBFF        call 00403318
:0045323F EB1D              jmp 0045325E
will beat M$? With competition like this, no wonder Micro$oft is still making mega-bucks for bugs!
oh yes...BTW...the "number of trials left" counter is stored here... (You may want to have a go at it :-)
* Reference To: kernel32.GetWindowsDirectoryA,
:00452D3E E81D1EFBFF        Call 00404B60
* Possible StringData Ref from Code Obj ->"\sx.sac"        ;counter unencrypted
:00452D43 BA302F4500        mov edx, 00452F30
9 July 97
plushmm, RiP'97
PS: A version of this crap is nowhere
File Size of Spamex.exe is 593,408 bytes