Windows Klipfolio Developer Edition: FOR SALE

How to crack it? The useless Zoppotrump3 aka Sascha Szalata failed to crack it and I managed to crack it. Here’s how:

There’s the “usual” WinVerifyTrust call, plus a custom calculation based on … hmmm, You need to PAY me $50 to know further!

Take a look here (hint: it’s reading from PE header) and you’ll probably understand

005592BD    8B4D D8         MOV ECX,DWORD PTR SS:[EBP-0x28]
005592C0    0FB671 07       MOVZX ESI,BYTE PTR DS:[ECX+0x7]
005592C4    0FB641 06       MOVZX EAX,BYTE PTR DS:[ECX+0x6]
005592C8    C1E6 08         SHL ESI,0x8
005592CB    03F0            ADD ESI,EAX
005592CD    0FB641 15       MOVZX EAX,BYTE PTR DS:[ECX+0x15]
005592D1    0FB649 14       MOVZX ECX,BYTE PTR DS:[ECX+0x14]
005592D5    C1E0 08         SHL EAX,0x8
005592D8    03C1            ADD EAX,ECX                     
005592DA    8B4D DC         MOV ECX,DWORD PTR SS:[EBP-0x24]
005592DD    8D7C07 18       LEA EDI,DWORD PTR DS:[EDI+EAX+0x18]
005592E1    8D04B6          LEA EAX,DWORD PTR DS:[ESI+ESI*4]
005592E4    8D04C7          LEA EAX,DWORD PTR DS:[EDI+EAX*8]
005592E7    50              PUSH EAX
005592E8    8D45 B8         LEA EAX,DWORD PTR SS:[EBP-0x48]
005592EB    57              PUSH EDI                        
005592EC    50              PUSH EAX
005592ED    8D45 D8         LEA EAX,DWORD PTR SS:[EBP-0x28]
005592F0    50              PUSH EAX
005592F1    E8 64EEEBFF     CALL 0041815A
005592F6    8B4D D8         MOV ECX,DWORD PTR SS:[EBP-0x28]
005592F9    3BF3            CMP ESI,EBX
005592FB    895D E0         MOV DWORD PTR SS:[EBP-0x20],EBX
005592FE    895D 08         MOV DWORD PTR SS:[EBP+0x8],EBX
00559301    0F86 B2000000   JBE 005593B9
00559307    8D41 12         LEA EAX,DWORD PTR DS:[ECX+0x12]
0055930A    8BD1            MOV EDX,ECX                     
0055930C    2BD0            SUB EDX,EAX
0055930E    8975 EC         MOV DWORD PTR SS:[EBP-0x14],ESI 
00559311    83C2 13         ADD EDX,0x13
00559314    8955 BC         MOV DWORD PTR SS:[EBP-0x44],EDX 
00559317    8BD1            MOV EDX,ECX

Leave a Reply

Your email address will not be published. Required fields are marked *