; ----------------------------------------------------------------------
; Debugger listing: 32-bit x86, Intel syntax. Columns are address,
; opcode bytes, instruction, then the original author's ';' notes.
; It shows several integrity checks inside a module mapped at 7FE3xxxx,
; the checksum routines they rely on, and a Pascal routine that
; overwrites bytes in that module. The author's "-> jmp" / "-> fnop"
; marks record what the preceding branch was replaced with.
;
; Review summary (defensive reading):
;  * Every check shown ends in one conditional branch in the client's
;    own code section. Nothing in this listing verifies the bytes of the
;    comparing code itself, so the verdict is only as trustworthy as the
;    process it runs in. Decisions that must hold belong with a party
;    the client cannot modify.
;  * The checksum at 7FE31000 matches the Adler-32 construction (see
;    there). That is an error-detection code, not a keyed or
;    collision-resistant digest.
;  * Comparing executable sections against a trusted reference from
;    outside the process is the detection that fits the byte overwrites
;    at the end of this listing.
; ----------------------------------------------------------------------

; Check "code 58": the value the author calls the hardcoded table crc is
; loaded from a fixed data address and compared with the value computed
; into [ebp-AEC]; je is taken on equality.
hw.dll check
------------------------------------------------
(code 58)
7FE34CED  8B15 241FE87F      mov edx, dword ptr ds:[7FE81F24] ; hardcoded crc of the table
7FE34CF3  3B95 14F5FFFF      cmp edx, dword ptr ss:[ebp-AEC] ; calculated crc
7FE34CF9  0F84 0C010000      je 7FE34E0B ; ensure that it's always okay :-) -> jmp

glxxx Checks:
-------------------
; NOTE(review): the lowercase address after "Code 28:" equals the address
; of the je listed under "code 21" (7FE3477B), while the two instructions
; that follow sit at 7FE3C6CC. The listing does not state how they relate.
; The snippet compares a local at [ebp-2C] with the constant 18A164 and
; branches when they differ.
Code 28: 7fe3477b
7FE3C6CC  817D D4 64A11800   cmp dword ptr ss:[ebp-2C], 18A164
7FE3C6D3  75 08              jnz short 7FE3C6DD

; "code 21": eax (produced by code that is not shown) is stored to
; [ebp-DE4] and tested for zero; je is taken when it is zero.
code 21:
7FE3476E  8985 1CF2FFFF      mov dword ptr ss:[ebp-DE4], eax
7FE34774  83BD 1CF2FFFF 00   cmp dword ptr ss:[ebp-DE4], 0
7FE3477B  0F84 0C010000      je 7FE3488D

; "code 25": same shape as code 58. eax is stored to [ebp-D0C], reloaded
; into ecx and compared with [ebp-AEC]; je is taken on equality.
cd.bin Crc ( Successfully Removed ):
----------------------------------------------------------
(code 25)
7FE349C5  8985 F4F2FFFF      mov dword ptr ss:[ebp-D0C], eax
7FE349CB  8B8D F4F2FFFF      mov ecx, dword ptr ss:[ebp-D0C]
7FE349D1  3B8D 14F5FFFF      cmp ecx, dword ptr ss:[ebp-AEC]
7FE349D7  0F84 0A010000      je 7FE34AE7 -> jmp
; NOTE(review): "(auth failure)" sits between two snippets in the source,
; so it is unclear which one it labels.
; The snippet below compares eax bytes (count copied to ecx) between the
; buffers at [ebp-14] (edi) and [ebp+8] (esi); je is taken when every
; byte matched. The second cmps operand was cut off in the listing.
(auth failure)
7FE547C4  8B7D EC            mov edi, dword ptr ss:[ebp-14]
7FE547C7  8B75 08            mov esi, dword ptr ss:[ebp+8]
7FE547CA  8BC8               mov ecx, eax
7FE547CC  33D2               xor edx, edx
7FE547CE  F3:A6              repe cmps byte ptr es:[edi], byte ptr>
7FE547D0  0F84 D8000000      je 7FE548AE -> jmp

; Address-range check. Four registers are pushed, then eax is loaded from
; [esp+14]. With 16 bytes pushed, [esp+10] is this routine's own return
; address and [esp+14] is the slot above it (presumably the return
; address of the function that called this check; confirm).
; Each seta/setb pair tests low < eax < high (unsigned, exclusive) and
; the five results are OR-ed into cl. The debugger annotates several
; bounds as addresses in module "hl".
; The final `or cl, dl` sets ZF only when no range matched, and the je
; then goes to what the author calls the detect routine.
EngineFuncs Protect ( Successfully Removed ):
--------------------------------------------------
7FE4B130  53                 push ebx
7FE4B131  51                 push ecx
7FE4B132  52                 push edx
7FE4B133  50                 push eax
7FE4B134  8B4424 14          mov eax, dword ptr ss:[esp+14]
; range 1
7FE4B138  3B05 B4BBE77F      cmp eax, dword ptr ds:[7FE7BBB4] ; hl.01900000
7FE4B13E  0F97C1             seta cl
7FE4B141  3B05 64BCE77F      cmp eax, dword ptr ds:[7FE7BC64] ; hl.0199607D
7FE4B147  0F92C3             setb bl
7FE4B14A  22CB               and cl, bl
; range 2 (lower bound is an immediate, not a table entry)
7FE4B14C  3D 0000D001        cmp eax, 1D00000
7FE4B151  0F97C2             seta dl
7FE4B154  3B05 58BCE77F      cmp eax, dword ptr ds:[7FE7BC58] ; hl.01E0FB76
7FE4B15A  0F92C3             setb bl
7FE4B15D  22D3               and dl, bl
7FE4B15F  0ACA               or cl, dl
; range 3. The upper bound carries the debugger's symbolic annotation for
; the dword stored at 7FE7BB00.
7FE4B161  3B05 E8BBE77F      cmp eax, dword ptr ds:[7FE7BBE8] ; hl.00401000
7FE4B167  0F97C2             seta dl
7FE4B16A  3B05 00BBE77F      cmp eax, dword ptr ds:[7FE7BB00] ; <&ADVAPI32.RegCreateKeyA>
7FE4B170  0F92C3             setb bl
7FE4B173  22D3               and dl, bl
7FE4B175  0ACA               or cl, dl
; range 4
7FE4B177  3B05 28BBE77F      cmp eax, dword ptr ds:[7FE7BB28]
7FE4B17D  0F97C2             seta dl
7FE4B180  3B05 70BCE77F      cmp eax, dword ptr ds:[7FE7BC70]
7FE4B186  0F92C3             setb bl
7FE4B189  22D3               and dl, bl
7FE4B18B  0ACA               or cl, dl
; range 5
7FE4B18D  3B05 04BBE77F      cmp eax, dword ptr ds:[7FE7BB04]
7FE4B193  0F97C2             seta dl
7FE4B196  3B05 88BCE77F      cmp eax, dword ptr ds:[7FE7BC88]
7FE4B19C  0F92C3             setb bl
7FE4B19F  22D3               and dl, bl
7FE4B1A1  0ACA               or cl, dl
7FE4B1A3  74 05              je short 7FE4B1AA ; jmp to detect routine -> fnop
; NOTE(review): as listed, the pops (ecx, eax, edx, ebx) are not the
; mirror of the pushes (ebx, ecx, edx, eax), so eax/ecx/edx would not get
; their saved values back. Confirm against the binary.
7FE4B1A5  59                 pop ecx
7FE4B1A6  58                 pop eax
7FE4B1A7  5A                 pop edx
7FE4B1A8  5B                 pop ebx
7FE4B1A9  C3                 retn

; Chunked checksum update. Stack arguments at entry:
;   [esp+4]  buffer pointer
;   [esp+8]  byte count
;   [esp+C]  function pointer, may be zero
; ecx at entry is kept in ebx and used as a pointer to the running
; checksum ([ebx] is read before, and written after, each call into
; 7FE31000); presumably a state/this pointer, confirm.
; With a non-zero function pointer, the buffer is processed in pieces of
; at most 1000h bytes and the pointer is called after each piece. With a
; zero pointer, the whole buffer is processed in one call (7FE31187).
; `retn 0C` releases the three stack arguments.
CRC_Routine:
------------
7FE31130  8B4424 0C          mov eax, dword ptr ss:[esp+C]
7FE31134  85C0               test eax, eax
7FE31136  53                 push ebx
7FE31137  55                 push ebp
7FE31138  57                 push edi
7FE31139  8BD9               mov ebx, ecx
7FE3113B  74 4A              je short 7FE31187
7FE3113D  8B6C24 14          mov ebp, dword ptr ss:[esp+14] ; ebp = byte count (3 pushes so far)
7FE31141  33FF               xor edi, edi ; edi = bytes processed
7FE31143  85ED               test ebp, ebp
7FE31145  76 57              jbe short 7FE3119E ; zero length: nothing to do
7FE31147  56                 push esi
7FE31148  8BF5               mov esi, ebp
7FE3114A  8D9B 00000000      lea ebx, dword ptr ds:[ebx] ; no-op padding before the loop head
7FE31150  8B4424 14          mov eax, dword ptr ss:[esp+14] ; buffer pointer (4 pushes now)
7FE31154  03C7               add eax, edi
7FE31156  81FE 00100000      cmp esi, 1000
7FE3115C  76 05              jbe short 7FE31163
7FE3115E  BE 00100000        mov esi, 1000 ; clamp piece size to 1000h
; The closing bracket of the operand below is missing in the source
; listing; the parallel instruction at 7FE3118F reads [ebx].
7FE31163  8B0B               mov ecx, dword ptr ds:[ebx
7FE31165  56                 push esi
7FE31166  50                 push eax
7FE31167  51                 push ecx
7FE31168  E8 93FEFFFF        call CRC_Routine_2
7FE3116D  83C4 0C            add esp, 0C
7FE31170  33C9               xor ecx, ecx
7FE31172  8903               mov dword ptr ds:[ebx], eax ; store updated running value
7FE31174  03FE               add edi, esi
7FE31176  FF5424 1C          call dword ptr ss:[esp+1C] ; third argument, called once per piece
7FE3117A  8BF5               mov esi, ebp
7FE3117C  2BF7               sub esi, edi ; esi = bytes remaining
7FE3117E  ^75 D0             jnz short 7FE31150
7FE31180  5E                 pop esi
7FE31181  5F                 pop edi
7FE31182  5D                 pop ebp
7FE31183  5B                 pop ebx
7FE31184  C2 0C00            retn 0C
7FE31187  8B5424 14          mov edx, dword ptr ss:[esp+14]
7FE3118B  8B4424 10          mov eax, dword ptr ss:[esp+10]
7FE3118F  8B0B               mov ecx, dword ptr ds:[ebx]
7FE31191  52                 push edx
7FE31192  50                 push eax
7FE31193  51                 push ecx
7FE31194  E8 67FEFFFF        call 7FE31000
7FE31199  83C4 0C            add esp, 0C
7FE3119C  8903               mov dword ptr ds:[ebx], eax
7FE3119E  5F                 pop edi
7FE3119F  5D                 pop ebp
7FE311A0  5B                 pop ebx
7FE311A1  C2 0C00            retn 0C

; Checksum core, caller cleans the stack. Arguments at entry:
;   [esp+4]  running value
;   [esp+8]  buffer pointer
;   [esp+C]  byte count
; The running value is split into a low 16-bit sum (ecx) and a high
; 16-bit sum (edi). Each input byte is added to ecx, and ecx is then
; added to edi. Input is consumed in blocks of at most 15B0h (5552)
; bytes, with both sums reduced modulo 0FFF1h (65521) after each block.
; The result is (edi << 16) | ecx. Those constants and that structure
; match Adler-32, although the author's label says CRC.
; Adler-32 detects accidental corruption. Used as a tamper check, it
; gives no resistance to deliberate modification of the data it covers.
CRC_Routine_2:
-----------------------
7FE31000  53                 push ebx
7FE31001  56                 push esi
7FE31002  8B7424 10          mov esi, dword ptr ss:[esp+10] ; esi = buffer pointer
7FE31006  57                 push edi
7FE31007  8B7C24 10          mov edi, dword ptr ss:[esp+10] ; edi = running value
7FE3100B  8BCF               mov ecx, edi
7FE3100D  81E1 FFFF0000      and ecx, 0FFFF ; ecx = low sum
7FE31013  C1EF 10            shr edi, 10 ; edi = high sum
7FE31016  85F6               test esi, esi
7FE31018  75 15              jnz short 7FE3102F
; Null buffer: with zero length the input value is recombined and
; returned (7FE31123); otherwise the routine returns 1.
7FE3101A  8B4424 18          mov eax, dword ptr ss:[esp+18]
7FE3101E  85C0               test eax, eax
7FE31020  0F86 FD000000      jbe 7FE31123
7FE31026  5F                 pop edi
7FE31027  5E                 pop esi
7FE31028  B8 01000000        mov eax, 1
7FE3102D  5B                 pop ebx
7FE3102E  C3                 retn
7FE3102F  8B5C24 18          mov ebx, dword ptr ss:[esp+18] ; ebx = bytes remaining
7FE31033  85DB               test ebx, ebx
7FE31035  0F86 E8000000      jbe 7FE31123
7FE3103B  55                 push ebp
7FE3103C  8D6424 00          lea esp, dword ptr ss:[esp] ; no-op padding before the loop head
; Outer loop: eax = min(remaining, 15B0h) bytes for this block.
7FE31040  81FB B0150000      cmp ebx, 15B0
7FE31046  8BC3               mov eax, ebx
7FE31048  72 05              jb short 7FE3104F
7FE3104A  B8 B0150000        mov eax, 15B0
7FE3104F  2BD8               sub ebx, eax
7FE31051  83F8 10            cmp eax, 10
7FE31054  0F8C 97000000      jl 7FE310F1
; edx = number of 16-byte groups; eax is reduced to the leftover (eax mod 16).
7FE3105A  8BD0               mov edx, eax
7FE3105C  C1EA 04            shr edx, 4
7FE3105F  8BEA               mov ebp, edx
7FE31061  F7DD               neg ebp
7FE31063  C1E5 04            shl ebp, 4
7FE31066  03C5               add eax, ebp
; Unrolled body: 16 bytes per iteration, ebp is the scratch byte.
7FE31068  0FB62E             movzx ebp, byte ptr ds:[esi]
7FE3106B  03CD               add ecx, ebp
7FE3106D  0FB66E 01          movzx ebp, byte ptr ds:[esi+1]
7FE31071  03F9               add edi, ecx
7FE31073  03CD               add ecx, ebp
7FE31075  0FB66E 02          movzx ebp, byte ptr ds:[esi+2]
7FE31079  03F9               add edi, ecx
7FE3107B  03CD               add ecx, ebp
7FE3107D  0FB66E 03          movzx ebp, byte ptr ds:[esi+3]
7FE31081  03F9               add edi, ecx
7FE31083  03CD               add ecx, ebp
7FE31085  0FB66E 04          movzx ebp, byte ptr ds:[esi+4]
7FE31089  03F9               add edi, ecx
7FE3108B  03CD               add ecx, ebp
7FE3108D  0FB66E 05          movzx ebp, byte ptr ds:[esi+5]
7FE31091  03F9               add edi, ecx
7FE31093  03CD               add ecx, ebp
7FE31095  0FB66E 06          movzx ebp, byte ptr ds:[esi+6]
7FE31099  03F9               add edi, ecx
7FE3109B  03CD               add ecx, ebp
7FE3109D  0FB66E 07          movzx ebp, byte ptr ds:[esi+7]
7FE310A1  03F9               add edi, ecx
7FE310A3  03CD               add ecx, ebp
7FE310A5  0FB66E 08          movzx ebp, byte ptr ds:[esi+8]
7FE310A9  03F9               add edi, ecx
7FE310AB  03CD               add ecx, ebp
7FE310AD  0FB66E 09          movzx ebp, byte ptr ds:[esi+9]
7FE310B1  03F9               add edi, ecx
7FE310B3  03CD               add ecx, ebp
7FE310B5  0FB66E 0A          movzx ebp, byte ptr ds:[esi+A]
7FE310B9  03F9               add edi, ecx
7FE310BB  03CD               add ecx, ebp
7FE310BD  0FB66E 0B          movzx ebp, byte ptr ds:[esi+B]
7FE310C1  03F9               add edi, ecx
7FE310C3  03CD               add ecx, ebp
7FE310C5  0FB66E 0C          movzx ebp, byte ptr ds:[esi+C]
7FE310C9  03F9               add edi, ecx
7FE310CB  03CD               add ecx, ebp
7FE310CD  0FB66E 0D          movzx ebp, byte ptr ds:[esi+D]
7FE310D1  03F9               add edi, ecx
7FE310D3  03CD               add ecx, ebp
7FE310D5  0FB66E 0E          movzx ebp, byte ptr ds:[esi+E]
7FE310D9  03F9               add edi, ecx
7FE310DB  03CD               add ecx, ebp
7FE310DD  0FB66E 0F          movzx ebp, byte ptr ds:[esi+F]
7FE310E1  03F9               add edi, ecx
7FE310E3  03CD               add ecx, ebp
7FE310E5  03F9               add edi, ecx
7FE310E7  83C6 10            add esi, 10
7FE310EA  4A                 dec edx
7FE310EB  ^0F85 77FFFFFF     jnz 7FE31068
; Tail: the remaining eax (< 16) bytes of the block, one at a time.
7FE310F1  85C0               test eax, eax
7FE310F3  74 0B              je short 7FE31100
7FE310F5  0FB616             movzx edx, byte ptr ds:[esi]
7FE310F8  03CA               add ecx, edx
7FE310FA  46                 inc esi
7FE310FB  03F9               add edi, ecx
7FE310FD  48                 dec eax
7FE310FE  ^75 F5             jnz short 7FE310F5
; Reduce both sums modulo 0FFF1h; edx is cleared before each div.
7FE31100  8BC1               mov eax, ecx
7FE31102  33D2               xor edx, edx
7FE31104  B9 F1FF0000        mov ecx, 0FFF1
7FE31109  F7F1               div ecx
7FE3110B  8BC7               mov eax, edi
7FE3110D  BF F1FF0000        mov edi, 0FFF1
7FE31112  8BCA               mov ecx, edx
7FE31114  33D2               xor edx, edx
7FE31116  F7F7               div edi
7FE31118  85DB               test ebx, ebx
7FE3111A  8BFA               mov edi, edx
7FE3111C  ^0F87 1EFFFFFF     ja 7FE31040 ; more input: next block
7FE31122  5D                 pop ebp
; 7FE31123 is also the early-exit target used before ebp was pushed.
7FE31123  8BC7               mov eax, edi
7FE31125  5F                 pop edi
7FE31126  C1E0 10            shl eax, 10
7FE31129  5E                 pop esi
7FE3112A  0BC1               or eax, ecx ; result = (high sum << 16) | low sum
7FE3112C  5B                 pop ebx
7FE3112D  C3                 retn

; Second copy of the "code 58" snippet, placed by the author directly
; above the routine that modifies it.
hw.dll check
------------------------------------------------
(code 58)
7FE34CED  8B15 241FE87F      mov edx, dword ptr ds:[7FE81F24] ; hardcoded crc of the table
7FE34CF3  3B95 14F5FFFF      cmp edx, dword ptr ss:[ebp-AEC] ; calculated crc
7FE34CF9  0F84 0C010000      je 7FE34E0B ; ensure that it's always okay

; Pascal routine: three fixed-size byte overwrites (6, 5 and 6 bytes) at
; constant offsets from oldcd. barray and oldcd are declared outside
; this listing.
; NOTE(review): the offsets ($4ce7, $156a3, $15264) are not mapped to
; the addresses above anywhere in the source, so which instructions they
; hit cannot be confirmed from here.
; Detection note: overwrites of this kind change bytes in an executable
; section. Comparing mapped code pages with a trusted copy of the image
; from outside the modified process will expose them. A comparison made
; inside the same process is subject to the same overwrite.
procedure remove_code58;
begin
  barray := pointer(integer(oldcd)+$4ce7);
  barray^[0] := $ba;
  barray^[1] := $72;
  barray^[2] := $5d;
  barray^[3] := $71;
  barray^[4] := $d1;
  barray^[5] := $90;
  barray := pointer(integer(oldcd)+$156a3);
  barray^[0] := $b8;
  barray^[1] := $72;
  barray^[2] := $5d;
  barray^[3] := $71;
  barray^[4] := $d1;
  barray := pointer(integer(oldcd)+$15264);
  barray^[0] := $e9;
  barray^[1] := $0f;
  barray^[2] := $01;
  barray^[3] := $00;
  barray^[4] := $00;
  barray^[5] := $90;
end;