Gaston v2.19.1 (French mail program)
Lucifer48 - July, 2nd 2001.
A few words about the protection scheme
First part (when you register normally):
It's written with Delphi 3 :(
0047158E 8B55E8 mov edx, [ebp-$18]
00471591 8D45FC lea eax, [ebp-$04]
00471594 59 pop ecx
00471595 E83628F9FF call 00403DD0 <---
0047159A 8D55EC lea edx, [ebp-$14]
0047159D 8B45FC mov eax, [ebp-$04]
004715A0 E89B6A0300 call 004A8040 <---
004715A5 8B45EC mov eax, [ebp-$14]
004715A8 50 push eax
And the "usual" strcmp check:
004715CD 8B55E8 mov edx, [ebp-$18]
004715D0 58 pop eax
004715D1 E8BE28F9FF call 00403E94 <---
004715D6 7435 jz 0047160D
Second part (after registering, when you restart the app):
There are 5 checks (see around XXXX:004AB57C and MOV BYTE PTR [EBP-15], 00)
1) The forbidden name is (I love hidden messages!!):
2074 09B4 4A84 27EC 2418 49AC 46B8 3E04 3904 0BC0 0FF7 3C38 19A5 1920 1194 3810 2766 4B8B
divided by:
0x7C 0x24 0xFB 0x8C 0x8C 0xE6 0xF8 0xBD 0xA4 0x5E 0x3D 0xBC 0x65 0x60 0x3C 0xD0 0x7B 0xE9
equals:
0x43 0x45 0x4C 0x49 0x42 0x52 0x49 0x54 0x59 0x20 0x43 0x52 0x41 0x43 0x4B 0x45 0x52 0x53
CELIBRITY CRACKERS
(it's a French, or Belgian? cracking group..)
2) "Num Field" length = 7
3) No space in the "Num Field"
4) At least one "G" in the "Num Field"
5) The first char of the "Num Field" must be < 0x3A ('0' .. '9' is perfect ..)
XXXX:004ACC9E CMP BYTE PTR [EBP-15], 00 ;the starting check
XXXX:004ACCA2 JNZ 004ACDAF
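The table in check 1 can be verified mechanically. The following is an added example, not part of the original note or of the program: it divides each stored 16-bit word by its divisor, insists on an exact quotient in the printable ASCII range, and shows the inverse transform. The function names are assumptions; the data is copied from the table above.

```python
# Added example: decode the division-obfuscated name from check 1.
# WORDS and DIVISORS are the values listed in the note; the function
# names are illustrative and do not come from the program.

WORDS = ("2074 09B4 4A84 27EC 2418 49AC 46B8 3E04 3904 "
         "0BC0 0FF7 3C38 19A5 1920 1194 3810 2766 4B8B")
DIVISORS = ("0x7C 0x24 0xFB 0x8C 0x8C 0xE6 0xF8 0xBD 0xA4 "
            "0x5E 0x3D 0xBC 0x65 0x60 0x3C 0xD0 0x7B 0xE9")


def parse_hex(field):
    """Turn a whitespace-separated hex list into integers."""
    return [int(tok, 16) for tok in field.split()]


def decode(words, divisors):
    """Recover the hidden text; reject tables that do not divide cleanly."""
    if len(words) != len(divisors):
        raise ValueError("word and divisor tables differ in length")
    out = []
    for i, (w, d) in enumerate(zip(words, divisors)):
        if d == 0:
            raise ValueError(f"entry {i}: zero divisor")
        q, r = divmod(w, d)
        # A genuine entry leaves no remainder and yields printable ASCII.
        if r != 0 or not 0x20 <= q <= 0x7E:
            raise ValueError(f"entry {i}: {w:#06x} / {d:#04x} is not clean")
        out.append(q)
    return bytes(out).decode("ascii")


def encode(text, divisors):
    """Inverse transform: the words stored for a given text."""
    if len(text) != len(divisors):
        raise ValueError("text and divisor table differ in length")
    return [ord(c) * d for c, d in zip(text, divisors)]


def hidden_name():
    return decode(parse_hex(WORDS), parse_hex(DIVISORS))


if __name__ == "__main__":
    print(hidden_name())
```

Because the divisors sit beside the encoded words, the scheme only hides the string from a plain strings search; anyone reading the table recovers it.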
Last words
- All message boxes are not called with the USER32!MessageBoxA API (the cross in the upper right corner is then not grayed)
- To unregister, delete [HKEY_LOCAL_MACHINE\Software\MB\Gaston] (it contains 3 keys: UI1, UI2 and UI3)