How to crack it? The useless Zoppotrump3 aka Sascha Szalata failed to crack it and I managed to crack it. Here’s how:
There’s the “usual” WinVerifyTrust call, plus a custom calculation based on … hmmm, You need to PAY me $50 to know further!
Take a look here (hint: it’s reading from PE header) and you’ll probably understand
005592BD 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-0x28]
005592C0 0FB671 07 MOVZX ESI,BYTE PTR DS:[ECX+0x7]
005592C4 0FB641 06 MOVZX EAX,BYTE PTR DS:[ECX+0x6]
005592C8 C1E6 08 SHL ESI,0x8
005592CB 03F0 ADD ESI,EAX
005592CD 0FB641 15 MOVZX EAX,BYTE PTR DS:[ECX+0x15]
005592D1 0FB649 14 MOVZX ECX,BYTE PTR DS:[ECX+0x14]
005592D5 C1E0 08 SHL EAX,0x8
005592D8 03C1 ADD EAX,ECX
005592DA 8B4D DC MOV ECX,DWORD PTR SS:[EBP-0x24]
005592DD 8D7C07 18 LEA EDI,DWORD PTR DS:[EDI+EAX+0x18]
005592E1 8D04B6 LEA EAX,DWORD PTR DS:[ESI+ESI*4]
005592E4 8D04C7 LEA EAX,DWORD PTR DS:[EDI+EAX*8]
005592E7 50 PUSH EAX
005592E8 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-0x48]
005592EB 57 PUSH EDI
005592EC 50 PUSH EAX
005592ED 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-0x28]
005592F0 50 PUSH EAX
005592F1 E8 64EEEBFF CALL 0041815A
005592F6 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-0x28]
005592F9 3BF3 CMP ESI,EBX
005592FB 895D E0 MOV DWORD PTR SS:[EBP-0x20],EBX
005592FE 895D 08 MOV DWORD PTR SS:[EBP+0x8],EBX
00559301 0F86 B2000000 JBE 005593B9
00559307 8D41 12 LEA EAX,DWORD PTR DS:[ECX+0x12]
0055930A 8BD1 MOV EDX,ECX
0055930C 2BD0 SUB EDX,EAX
0055930E 8975 EC MOV DWORD PTR SS:[EBP-0x14],ESI
00559311 83C2 13 ADD EDX,0x13
00559314 8955 BC MOV DWORD PTR SS:[EBP-0x44],EDX
00559317 8BD1 MOV EDX,ECX
