*This is a txt file I wrote originally for anyone that might be curious enough about this to take a look. Obviously I've modified it so as not to break any rules here (hopefully). It was originally intended for someone to read while also looking at the app itself*
-------------------------------------------------------------------
Ok, this is the installer for a program that requires definition updates. The installer will download new definitions one time before it runs the setup. It accomplishes this by internally creating a serial number based on some unknown elements... then it creates another shorter code based on this serial number... then it creates a url that includes this code that asks a remote server for definitions.
If I can get it to create a different valid random serial number each time it is run.. then I think it will always get the updates.
-------------------------------------------------------------------
There are two important files. The installer we'll call installer.exe, and a dll that we'll call installer.dll
I believe this is the sequence of events:
1) At 4016E5 of installer.exe, the 00C50000 memory space is made available. (Later a serial number will be placed at 00C51CD0)
Code:
004016DA | 6A 04 |PUSH 4 ; Protect = PAGE_READWRITE
004016DC | 68 00100000 |PUSH 1000 ; |AllocationType = MEM_COMMIT
004016E1 | 2BFB |SUB EDI, EBX ;
004016E3 | 57 |PUSH EDI ; Size = 4000 (16384.)
004016E4 | 53 |PUSH EBX ; Address = 00C50000
004016E5 | E8 26FCFFFF |CALL <JMP.&kernel32.VirtualAlloc> ; VirtualAlloc
2) at 402765 (after many visits to this address) a serial number common to ALL machines is placed at 00C51CD0. The number is all capital letters, and is 20 digits.
Code:
00402738 / 56 PUSH ESI
00402739 | 57 PUSH EDI
0040273A | 89C6 MOV ESI, EAX
0040273C | 89D7 MOV EDI, EDX
0040273E | 89C8 MOV EAX, ECX
00402740 | 39F7 CMP EDI, ESI
00402742 | 7F 13 JG SHORT 00402757
00402744 | 74 2F JE SHORT 00402775
00402746 | C1F9 02 SAR ECX, 2
00402749 | 78 2A JS SHORT 00402775
0040274B | F3:A5 REP MOVS DWORD PTR ES:[EDI], DWORD PTR D>
0040274D | 89C1 MOV ECX, EAX
0040274F | 83E1 03 AND ECX, 3
00402752 | F3:A4 REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:>
00402754 | 5F POP EDI
00402755 | 5E POP ESI
00402756 | C3 RETN
00402757 | 8D740E FC LEA ESI, DWORD PTR DS:[ESI+ECX-4]
0040275B | 8D7C0F FC LEA EDI, DWORD PTR DS:[EDI+ECX-4]
0040275F | C1F9 02 SAR ECX, 2
00402762 | 78 11 JS SHORT 00402775
00402764 | FD STD
00402765 | F3:A5 REP MOVS DWORD PTR ES:[EDI], DWORD PTR D>
00402767 | 89C1 MOV ECX, EAX
00402769 | 83E1 03 AND ECX, 3
0040276C | 83C6 03 ADD ESI, 3
0040276F | 83C7 03 ADD EDI, 3
00402772 | F3:A4 REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:>
00402774 | FC CLD
00402775 | 5F POP EDI
00402776 | 5E POP ESI
00402777 \ C3 RETN
3) at EEC22C of the module installer.dll, a call is made that takes this serial number and uses it to create a 20 digit code that will be sent to the app's online servers. This code will be common to all machines and is also 20 digits, but can be made of any character.
4) Next, a window will appear with a welcome screen and the option of hitting NEXT
5) After hitting next, a procedure will be run in installer.exe to create a serial number specific to this machine. I don't know where this happens, but I know that It will be placed in memory using the same procedure as before (402765), except this time the location in memory that it is placed will be different from 00C51CD0. It is a random address and thus, I don't know how to track backwards to where the serial number is created.
6) Using this new serial, another 20 digit code will be created based off this serial number at the same place as before (EEc22C). It is this 20 digit code, that I believe is then sent to the app's servers using a URL created at EE8297 of the installer.dll
7) If the URL formed has valid information that has not been sent to the app's server before, it will respond with the url that the installer may download the definitions from.