Lbolt99
June 20th, 2002, 17:51
Hello,
I've been working on an app called Quick to-do pro v3.7 (this is the latest version, all prev versions aren't asprotected) on and off for several days. I found out about it from chameleon clock, both of these programs can work together.
The app is protected with Asprotect 1.2, recent build. Removing ASprotect was the easy part
Basically the only thing wrong is a startup nag,
I looked at it with Dede, it processed fine. Tracked the issue to the "about" procedure, which uses the "TAboutBox" form.
In the form script, I see clearly the " 'This copy of Quick To-Do PRO is licensed to:'" string.
The FormCreate procedure, however, when disassembled, reveals nothing.
Looks like this:
004C4C8C 55 push ebp
004C4C8D 8BEC mov ebp, esp
004C4C8F 6A00 push $00
004C4C91 53 push ebx
004C4C92 56 push esi
004C4C93 8BF0 mov esi, eax
004C4C95 33C0 xor eax, eax
004C4C97 55 push ebp
* Possible String Reference to: 'é½êóÿëð^[Y]ËÀU‹ì3ÀUhAML'
|
004C4C98 680E4D4C00 push $004C4D0E
***** TRY
|
004C4C9D 64FF30 push dword ptr fs:[eax]
004C4CA0 648920 mov fs:[eax], esp
004C4CA3 EB53 jmp 004C4CF8
004C4CA5 EB05 jmp 004C4CAC
here is just a bunch of garbage code. The strange thing is, these jumps skip by everything, basically down to the "FINALLY" code section.
Stepping thru it with Sice reveals nothing. I figured the actual routine might be somewhere else, like after or before this section, and figured that maybe the author confused Dede so that it displays the wrong stuff. But couldn't find anything. I have a feeling the garbage code is possibly encrypted EXE code, but it doesn't seem to ever "run" it.
Any help is appreciated
I tried looking at the whole prog with W32dasm, no luck there either. I have my doubts it does anything with the garbage code.. it doesn't seem to ever decrypt or run it, and the "unregistered copy" string is nowhere to be found either, so I deduced that somehow it has to be displaying that
I've been working on an app called Quick to-do pro v3.7 (this is the latest version, all prev versions aren't asprotected) on and off for several days. I found out about it from chameleon clock, both of these programs can work together.
The app is protected with Asprotect 1.2, recent build. Removing ASprotect was the easy part
Basically the only thing wrong is a startup nag,
I looked at it with Dede, it processed fine. Tracked the issue to the "about" procedure, which uses the "TAboutBox" form.
In the form script, I see clearly the " 'This copy of Quick To-Do PRO is licensed to:'" string.
The FormCreate procedure, however, when disassembled, reveals nothing.
Looks like this:
004C4C8C 55 push ebp
004C4C8D 8BEC mov ebp, esp
004C4C8F 6A00 push $00
004C4C91 53 push ebx
004C4C92 56 push esi
004C4C93 8BF0 mov esi, eax
004C4C95 33C0 xor eax, eax
004C4C97 55 push ebp
* Possible String Reference to: 'é½êóÿëð^[Y]ËÀU‹ì3ÀUhAML'
|
004C4C98 680E4D4C00 push $004C4D0E
***** TRY
|
004C4C9D 64FF30 push dword ptr fs:[eax]
004C4CA0 648920 mov fs:[eax], esp
004C4CA3 EB53 jmp 004C4CF8
004C4CA5 EB05 jmp 004C4CAC
here is just a bunch of garbage code. The strange thing is, these jumps skip by everything, basically down to the "FINALLY" code section.
Stepping thru it with Sice reveals nothing. I figured the actual routine might be somewhere else, like after or before this section, and figured that maybe the author confused Dede so that it displays the wrong stuff. But couldn't find anything. I have a feeling the garbage code is possibly encrypted EXE code, but it doesn't seem to ever "run" it.
Any help is appreciated
I tried looking at the whole prog with W32dasm, no luck there either. I have my doubts it does anything with the garbage code.. it doesn't seem to ever decrypt or run it, and the "unregistered copy" string is nowhere to be found either, so I deduced that somehow it has to be displaying that
