<HTML>
<HEAD>

<TITLE>Anonymity 4 Proxy 2.0: Interesting protection for a useful app.</TITLE></HEAD><BODY BGCOLOR=#C0C0C0 TEXT=#001010 VLINK=#405040>
<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" 
WIDTH= "100%"  HEIGHT="22">
<TR><td></td><td>
<p align="center">
<!-- Choose  a TITLE and a subtitle, choose well! --><font size="+2">Anonymity 4
Proxy 2.0</font><center><br><font size="+1">Interesting protection for a useful
app.</font></center></p>
  </td><td>
<!-- Choose  a PROJECT GIF, leave this if unsure -->
<center><a href="student.htm#student_loo_na"><IMG SRC="images/notassi3.gif" 
ALT="student" ALIGN=CENTER WIDTH=114 HEIGHT=43 BORDER=0 VSPACE=0 
HSPACE=0></a><br><font color=gray>Not Assigned</FonT>
</center></td></tr><tR><td bgcolor="#FFFFEA"><center><FONT COLOR="890000">
<!-- CHOOSE A DATE (will probably be changed) -->April 2000</FONT></center></td><td bgcolor="#FFFFEA"><center>by <font size=+3>
<!-- CHOOSE A HANDLE , i.e. your pseudo (wont be changed) -->
 +Tsehp</fonT></center></td><td VALIGN="center" bgcolor="#FFFFEA">
<!--
<a href="hcu98_3.htm"><IMG SRC="hcu1.gif" ALT="+cracker" ALIGN=BOTTOM 
WIDTH=114 HEIGHT=43 BORDER=0 VSPACE=0 HSPACE=0></a>
-->
</td></tr><TR><td><center><a href="index.htm"><IMG SRC="images/bulletr.gif" ALIGN="BOTTOM" 
BORDER="0" VSPACE="0" HSPACE="0" width="13" height="13"></a></center></td>
<TD BGCOLOR="898030"><center>Courtesy of Reverser's page of 
reverse engineering</center> 
</center></TD><td BGCOLOR="898030"><center>
<!-- Your truly+ will edit only if really necessary -->
slightly edited
<br>
by +Tsehp
</center></td></TR>
<!-- this is for the data.....fra_00xx....yymmdd....handle..beg+int...not ass... -->
<TR><td></td>
<!-- Leonard Coehn's old song, because we are poets, not only crackers -->
<TD BGCOLOR="898030"><center></i><b>There is a crack, a crack in everything 
That's how the light gets in</b></center>
<!-- Leonard Coehn's old song, because we are poets, not only crackers -->
</center></TD><td></td></TR><TR><td VALIGN= "MIDDLE" 
bgcolor="#C6E7C6"><font color=blue><center>Rating</FONT></FONT></center>
</TD><td VALIGN = "MIDDLE" bgcolor="#C6E7C6"><font color=blue><center>
<!-- CHOOSE A RATING (may be changed) -->
( )<B>Beginner</B> (x)<B>Intermediate</B> ( )<B>Advanced</B> ( )<B>Expert</B></FONT>
</center></td><td></td></tr></table>
<!-- END HEAD  --><bR>
<!-- CORPUS  -->
<!-- CHOOSE A COMMENT (may be changed)  -->
 Anonymity matters. These days the web is filling up with commercial crooks:
they collect more and more info about you, they use CGI apps to read your browser's
environment variables, they record your IP, and they feed you cookies and advertisements.<br>
Let's definitely stop all this at the PC level. Imagine an app that prevents
every browser from sending the info you don't want sent. They can program
whatever they want; this great program will stop everything and cover your
cracker's ass. It's not expensive, but the protection deserves a look because
it's original.
<hR>
<p align="center"><font size="+2">Anonymity 4 Proxy</font><br><font size="+1">Interesting
protection for a useful app.</font><BR><FONT COLOR="0B7FC1">
<!-- REPEAT YOUR CHOSEN HANDLE HERE -->Written by +Tsehp</FONT><br><br>

<!-- INTRO STARTS HERE -->
</p>
<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" WIDTH= "100%"  HEIGHT="22" >
<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Introduction</fonT>
</fonT></center></td></tr></table><pre>
This is just shareware, built by a small company, without ready-made commercial protections. When you install
it, you see the usual demo.key and immediately think "another serial protection", but it is not as simple as
you think.
This app is very useful when unprotected. If you buy it they send you a good serial and a ready-made list of
proxies to import, but you can also do that in the demo version using a txt file: big mistake.
The work here is not about the demo.key, just leave it as it is. The only restriction is that you
can't check all the proxies in the list at the same time, only one by one.
They used an unusual technique to block the trial, so let's see what it's all about. Just remember that this app is
crippled: I only used a trick to enable the check of all proxies at once. If you want the real
functionality, you have to rewrite the code.

Note: this app sometimes puts buying messages in your browser; this might be fixed in an updated essay.
<!-- TOOLS STARTS HERE --></prE>
<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" WIDTH= "100%"  HEIGHT="22" >
<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Tools required</fonT>
</fonT></center></td></tr></table>
IDA Pro 4.03<br>
SoftICE 4.05
<br><br>

<!-- TARGET URL STARTS HERE -->
<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" WIDTH= "100%"  HEIGHT="22" >
<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Target's URL/FTP</fonT>
</fonT></center></td></tr></table>
<!-- DON'T FORGET TO PASTE HERE THE URL/FTP OF YOUR TARGET(S) -->http://www.inetprivacy.com/welcome.htm
<br><br>

<!-- PROGRAM HISTORY STARTS HERE --><!-- REAL ESSAY  STARTS HERE -->
<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" WIDTH= "100%"  HEIGHT="22" >
<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Essay</fonT></fonT>
</center></td></tr></table>
<!-- PASTE HERE THE TEXT OF YOUR ESSAY
     THIS IS OF COURSE THE MOST IMPORTANT PART
     PLEASE CHECK THE MARGINS WHEN YOU ARE FINISHED! 
     SHOULD NOT BLAST OPERA'S MARGINS OUT! HAVE A LOOK INSIDE
     YOUR OWN BROWSER WHEN YOU FINISH!  -->
<pre>
After you have installed the program, select several proxies and click the check proxy button.
A message box appears, saying that this is not possible in the demo version.
Set a bpx on MessageBoxA and, after one p ret, you land here:

.text:0040CCF2                 jnz     short loc_0_40CD0B
.text:0040CCF4                 mov     eax, [esi+0F0h]
.text:0040CCFA                 push    0
.text:0040CCFC                 push    0
.text:0040CCFE                 push    1032h
.text:0040CD03                 push    eax
.text:0040CD04                 call    ebx ; SendMessageA
.text:0040CD06                 cmp     eax, 1
.text:0040CD09                 jbe     short loc_0_40CD2A
.text:0040CD0B 
.text:0040CD0B loc_0_40CD0B:                           ; CODE XREF: sub_0_40CCE0+12&uarr;j
.text:0040CD0B                 push    0
.text:0040CD0D                 push    0
.text:0040CD0F                 push    offset aDemoVersionDoe ; &quot;Demo version does not support simultane&quot;...
.text:0040CD14                 mov     ecx, esi
.text:0040CD16                 call    j_?MessageBoxA@CWnd@@QAEHPBD0I@Z ; CWnd::MessageBoxA(char const *,char const *,uint)
.text:0040CD1B &lt;-land here     mov     eax, [esi+118h]
.text:0040CD21                 test    eax, eax
.text:0040CD23                 jz      short loc_0_40CD2A
.text:0040CD25                 pop     esi
.text:0040CD26                 xor     eax, eax
.text:0040CD28                 pop     ebx
.text:0040CD29                 retn

Well, it seems simple. At line 40cd04 the app sends a window message to SysListView32 (the a4proxy list
control that displays the proxies), which returns the number of proxies selected.
The number comes back in eax; if more than one line is selected the message box appears, but the first
proxy selected is still checked.
If you patch 40cd09 to jmp short loc_0_40CD2A, the nag no longer appears, but still only the first proxy is
checked.</prE>
<pre>What's happening? Is it the demo.key file? I located the validity checks and used the user.key that this app
asks for... No way.</prE>
<pre>Here's an asm source that +Q from Phrozen crew sent me. It will help you study the serial decryption of this
app, but remember that the app is crippled, so even a valid serial will not work unless you apply
my changes.</prE>
<pre>***/*** Written by +Q from Phrozen crew. You can download the full prog <a href="zipped/A4p_kg.zip">here</a>.</prE>
<p>Extrn CreateFileMappingA:PROC<br>
Extrn MapViewOfFile:PROC<br>
Extrn UnmapViewOfFile:PROC<br>
Extrn lstrcpyA:PROC</p>
<p>.DATA<br>
;-------<br>
ConstTable1 db
04Dh,042h,048h,044h,046h,04Fh,04Bh,041h,04Ah,049h,043h,04Eh,045h,040h,04Ch,047h<br>
db
0BDh,0B2h,0B8h,0B4h,0B6h,0BFh,0BBh,0B1h,0BAh,0B9h,0B3h,0BEh,0B5h,0B0h,0BCh,0B7h<br>
db
02Dh,022h,028h,024h,026h,02Fh,02Bh,021h,02Ah,029h,023h,02Eh,025h,020h,02Ch,027h<br>
db
0EDh,0E2h,0E8h,0E4h,0E6h,0EFh,0EBh,0E1h,0EAh,0E9h,0E3h,0EEh,0E5h,0E0h,0ECh,0E7h<br>
db
0FDh,0F2h,0F8h,0F4h,0F6h,0FFh,0FBh,0F1h,0FAh,0F9h,0F3h,0FEh,0F5h,0F0h,0FCh,0F7h<br>
db
00Dh,002h,008h,004h,006h,00Fh,00Bh,001h,00Ah,009h,003h,00Eh,005h,000h,00Ch,007h<br>
db
08Dh,082h,088h,084h,086h,08Fh,08Bh,081h,08Ah,089h,083h,08Eh,085h,080h,08Ch,087h<br>
db
0DDh,0D2h,0D8h,0D4h,0D6h,0DFh,0DBh,0D1h,0DAh,0D9h,0D3h,0DEh,0D5h,0D0h,0DCh,0D7h<br>
db
03Dh,032h,038h,034h,036h,03Fh,03Bh,031h,03Ah,039h,033h,03Eh,035h,030h,03Ch,037h<br>
db
0CDh,0C2h,0C8h,0C4h,0C6h,0CFh,0CBh,0C1h,0CAh,0C9h,0C3h,0CEh,0C5h,0C0h,0CCh,0C7h<br>
db
09Dh,092h,098h,094h,096h,09Fh,09Bh,091h,09Ah,099h,093h,09Eh,095h,090h,09Ch,097h<br>
db
07Dh,072h,078h,074h,076h,07Fh,07Bh,071h,07Ah,079h,073h,07Eh,075h,070h,07Ch,077h<br>
db
05Dh,052h,058h,054h,056h,05Fh,05Bh,051h,05Ah,059h,053h,05Eh,055h,050h,05Ch,057h<br>
db
0ADh,0A2h,0A8h,0A4h,0A6h,0AFh,0ABh,0A1h,0AAh,0A9h,0A3h,0AEh,0A5h,0A0h,0ACh,0A7h<br>
db
06Dh,062h,068h,064h,066h,06Fh,06Bh,061h,06Ah,069h,063h,06Eh,065h,060h,06Ch,067h<br>
db
01Dh,012h,018h,014h,016h,01Fh,01Bh,011h,01Ah,019h,013h,01Eh,015h,010h,01Ch,017h</p>
<p>ConstTable2 db
02Ch,021h,02Ah,02Fh,029h,022h,026h,028h,020h,02Dh,023h,024h,02Eh,027h,025h,02Bh<br>
db
0CCh,0C1h,0CAh,0CFh,0C9h,0C2h,0C6h,0C8h,0C0h,0CDh,0C3h,0C4h,0CEh,0C7h,0C5h,0CBh<br>
db
04Ch,041h,04Ah,04Fh,049h,042h,046h,048h,040h,04Dh,043h,044h,04Eh,047h,045h,04Bh<br>
db
01Ch,011h,01Ah,01Fh,019h,012h,016h,018h,010h,01Dh,013h,014h,01Eh,017h,015h,01Bh<br>
db
07Ch,071h,07Ah,07Fh,079h,072h,076h,078h,070h,07Dh,073h,074h,07Eh,077h,075h,07Bh<br>
db
0ACh,0A1h,0AAh,0AFh,0A9h,0A2h,0A6h,0A8h,0A0h,0ADh,0A3h,0A4h,0AEh,0A7h,0A5h,0ABh<br>
db
0BCh,0B1h,0BAh,0BFh,0B9h,0B2h,0B6h,0B8h,0B0h,0BDh,0B3h,0B4h,0BEh,0B7h,0B5h,0BBh<br>
db
06Ch,061h,06Ah,06Fh,069h,062h,066h,068h,060h,06Dh,063h,064h,06Eh,067h,065h,06Bh<br>
db
08Ch,081h,08Ah,08Fh,089h,082h,086h,088h,080h,08Dh,083h,084h,08Eh,087h,085h,08Bh<br>
db
05Ch,051h,05Ah,05Fh,059h,052h,056h,058h,050h,05Dh,053h,054h,05Eh,057h,055h,05Bh<br>
db
03Ch,031h,03Ah,03Fh,039h,032h,036h,038h,030h,03Dh,033h,034h,03Eh,037h,035h,03Bh<br>
db
0FCh,0F1h,0FAh,0FFh,0F9h,0F2h,0F6h,0F8h,0F0h,0FDh,0F3h,0F4h,0FEh,0F7h,0F5h,0FBh<br>
db
0DCh,0D1h,0DAh,0DFh,0D9h,0D2h,0D6h,0D8h,0D0h,0DDh,0D3h,0D4h,0DEh,0D7h,0D5h,0DBh<br>
db
00Ch,001h,00Ah,00Fh,009h,002h,006h,008h,000h,00Dh,003h,004h,00Eh,007h,005h,00Bh<br>
db
0ECh,0E1h,0EAh,0EFh,0E9h,0E2h,0E6h,0E8h,0E0h,0EDh,0E3h,0E4h,0EEh,0E7h,0E5h,0EBh<br>
db
09Ch,091h,09Ah,09Fh,099h,092h,096h,098h,090h,09Dh,093h,094h,09Eh,097h,095h,09Bh</p>
<p>ConstTable3 db
0A7h,0ADh,0AEh,0A3h,0A0h,0A6h,0A9h,0AAh,0A1h,0A2h,0A8h,0A5h,0ABh,0ACh,0A4h,0AFh<br>
db
007h,00Dh,00Eh,003h,000h,006h,009h,00Ah,001h,002h,008h,005h,00Bh,00Ch,004h,00Fh<br>
db
097h,09Dh,09Eh,093h,090h,096h,099h,09Ah,091h,092h,098h,095h,09Bh,09Ch,094h,09Fh<br>
db
0E7h,0EDh,0EEh,0E3h,0E0h,0E6h,0E9h,0EAh,0E1h,0E2h,0E8h,0E5h,0EBh,0ECh,0E4h,0EFh<br>
db
067h,06Dh,06Eh,063h,060h,066h,069h,06Ah,061h,062h,068h,065h,06Bh,06Ch,064h,06Fh<br>
db
037h,03Dh,03Eh,033h,030h,036h,039h,03Ah,031h,032h,038h,035h,03Bh,03Ch,034h,03Fh<br>
db
0F7h,0FDh,0FEh,0F3h,0F0h,0F6h,0F9h,0FAh,0F1h,0F2h,0F8h,0F5h,0FBh,0FCh,0F4h,0FFh<br>
db
057h,05Dh,05Eh,053h,050h,056h,059h,05Ah,051h,052h,058h,055h,05Bh,05Ch,054h,05Fh<br>
db
017h,01Dh,01Eh,013h,010h,016h,019h,01Ah,011h,012h,018h,015h,01Bh,01Ch,014h,01Fh<br>
db
0D7h,0DDh,0DEh,0D3h,0D0h,0D6h,0D9h,0DAh,0D1h,0D2h,0D8h,0D5h,0DBh,0DCh,0D4h,0DFh<br>
db
0C7h,0CDh,0CEh,0C3h,0C0h,0C6h,0C9h,0CAh,0C1h,0C2h,0C8h,0C5h,0CBh,0CCh,0C4h,0CFh<br>
db
077h,07Dh,07Eh,073h,070h,076h,079h,07Ah,071h,072h,078h,075h,07Bh,07Ch,074h,07Fh<br>
db
0B7h,0BDh,0BEh,0B3h,0B0h,0B6h,0B9h,0BAh,0B1h,0B2h,0B8h,0B5h,0BBh,0BCh,0B4h,0BFh<br>
db
047h,04Dh,04Eh,043h,040h,046h,049h,04Ah,041h,042h,048h,045h,04Bh,04Ch,044h,04Fh<br>
db
027h,02Dh,02Eh,023h,020h,026h,029h,02Ah,021h,022h,028h,025h,02Bh,02Ch,024h,02Fh<br>
db
087h,08Dh,08Eh,083h,080h,086h,089h,08Ah,081h,082h,088h,085h,08Bh,08Ch,084h,08Fh</p>
<p>ConstTable4 db
0EFh,0E1h,0E8h,0EEh,0E6h,0EBh,0E3h,0E4h,0E9h,0E7h,0E2h,0EDh,0ECh,0E0h,0E5h,0EAh<br>
db
04Fh,041h,048h,04Eh,046h,04Bh,043h,044h,049h,047h,042h,04Dh,04Ch,040h,045h,04Ah<br>
db
0DFh,0D1h,0D8h,0DEh,0D6h,0DBh,0D3h,0D4h,0D9h,0D7h,0D2h,0DDh,0DCh,0D0h,0D5h,0DAh<br>
db
01Fh,011h,018h,01Eh,016h,01Bh,013h,014h,019h,017h,012h,01Dh,01Ch,010h,015h,01Ah<br>
db
02Fh,021h,028h,02Eh,026h,02Bh,023h,024h,029h,027h,022h,02Dh,02Ch,020h,025h,02Ah<br>
db
0FFh,0F1h,0F8h,0FEh,0F6h,0FBh,0F3h,0F4h,0F9h,0F7h,0F2h,0FDh,0FCh,0F0h,0F5h,0FAh<br>
db
0BFh,0B1h,0B8h,0BEh,0B6h,0BBh,0B3h,0B4h,0B9h,0B7h,0B2h,0BDh,0BCh,0B0h,0B5h,0BAh<br>
db
08Fh,081h,088h,08Eh,086h,08Bh,083h,084h,089h,087h,082h,08Dh,08Ch,080h,085h,08Ah<br>
db
03Fh,031h,038h,03Eh,036h,03Bh,033h,034h,039h,037h,032h,03Dh,03Ch,030h,035h,03Ah<br>
db
0AFh,0A1h,0A8h,0AEh,0A6h,0ABh,0A3h,0A4h,0A9h,0A7h,0A2h,0ADh,0ACh,0A0h,0A5h,0AAh<br>
db
06Fh,061h,068h,06Eh,066h,06Bh,063h,064h,069h,067h,062h,06Dh,06Ch,060h,065h,06Ah<br>
db
0CFh,0C1h,0C8h,0CEh,0C6h,0CBh,0C3h,0C4h,0C9h,0C7h,0C2h,0CDh,0CCh,0C0h,0C5h,0CAh<br>
db
05Fh,051h,058h,05Eh,056h,05Bh,053h,054h,059h,057h,052h,05Dh,05Ch,050h,055h,05Ah<br>
db
09Fh,091h,098h,09Eh,096h,09Bh,093h,094h,099h,097h,092h,09Dh,09Ch,090h,095h,09Ah<br>
db
00Fh,001h,008h,00Eh,006h,00Bh,003h,004h,009h,007h,002h,00Dh,00Ch,000h,005h,00Ah<br>
db
07Fh,071h,078h,07Eh,076h,07Bh,073h,074h,079h,077h,072h,07Dh,07Ch,070h,075h,07Ah</p>
<p>DecryptedHead db &quot;User Key: Cracked By The+Q -FULL&quot;<br>
db 20h*3 dup (0)<br>
EncryptedHead db 20h dup (0)<br>
A DD 0<br>
B DD 0<br>
C DD 0<br>
i DD 0</p>
<p>FileName DB &quot;user.key&quot;,0<br>
hFile DD 0<br>
hMapFile DD 0<br>
pMapFile DD 0</p>
<p>.CODE<br>
;-------<br>
CreateKeyFile PROC<br>
USES ebx,ecx,edx,esi,edi,ebp<br>
Call CreateFile,OFFSET FileName,GENERIC_WRITE+GENERIC_READ,0,NULL, \<br>
CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0<br>
Mov hFile,eax<br>
.IF eax!=INVALID_HANDLE_VALUE<br>
Call CreateFileMappingA,hFile,NULL,PAGE_READWRITE,0,0C0h,NULL<br>
.IF eax!=0<br>
Mov hMapFile,eax<br>
Call MapViewOfFile, hMapFile,FILE_MAP_ALL_ACCESS,0,0,0<br>
Mov pMapFile,eax</p>
<p>Call EncryptHead</p>
<p>Call GetDlgItemTextA, mainhwnd, Edit_Name, OFFSET FName, 30<br>
Mov edi, pMapFile<br>
Add edi,40h<br>
Call lstrcpyA,edi, OFFSET FName<br>
Call GetDlgItemTextA, mainhwnd, Edit_Email, OFFSET FName, 30<br>
Mov edi, pMapFile<br>
Add edi,80h<br>
Call lstrcpyA,edi, OFFSET FName<br>
Call GetDlgItemTextA, mainhwnd, Edit_Addr, OFFSET FName, 30<br>
Mov edi, pMapFile<br>
Add edi,60h<br>
Call lstrcpyA,edi, OFFSET FName</p>
<p>Call UnmapViewOfFile, pMapFile<br>
Call CloseHandle, hMapFile</p>
<p>.ENDIF<br>
Call CloseHandle, hFile<br>
.ENDIF<br>
RET<br>
CreateKeyFile ENDP<br>
;-------<br>
EncryptHead Proc<br>
Mov edi, (OFFSET DecryptedHead+20h) ; Build table<br>
Mov ebx,3<br>
@BuildTable1:<br>
Mov esi, (OFFSET DecryptedHead+1Ch)<br>
Mov ecx, 8<br>
@BuildTable2:<br>
Std<br>
Lodsd<br>
Cld<br>
Stosd<br>
Loop @BuildTable2<br>
Dec ebx<br>
Jnz @BuildTable1</p>
<p>Mov esi, OFFSET DecryptedHead ; Save decrypted head to file<br>
Mov edi, pMapFile<br>
Mov ecx, 8<br>
Repnz Movsd</p>
<p>Mov edi, OFFSET EncryptedHead ; Encrypt head<br>
Mov ebx, OFFSET ConstTable1</p>
<p>Xor ecx,ecx<br>
@Encrypt1:<br>
Push ecx<br>
Mov i, 7Ch<br>
Mov esi, OFFSET DecryptedHead<br>
Shl ecx,3<br>
Add esi,ecx<br>
Mov eax, dword ptr [esi] ; Text to encrypt<br>
Mov A, eax<br>
Mov eax, dword ptr [esi+4]<br>
Mov C, eax</p>
<p>; B = [Translate(A+Head[i]) Rol 3] Xor C;<br>
; if (i--==0) break;<br>
; C = A;<br>
; A = B;<br>
@Encrypt2:<br>
Mov esi, OFFSET DecryptedHead<br>
Add esi, i<br>
Mov eax, A<br>
Mov edx, C<br>
Add eax, dword ptr [esi]<br>
Xlat<br>
Add ebx, 100h<br>
Ror eax, 8<br>
Xlat<br>
Add ebx, 100h<br>
Ror eax, 8<br>
Xlat<br>
Add ebx, 100h<br>
Ror eax, 8<br>
Xlat<br>
Sub ebx, 300h<br>
Rol eax, 3<br>
Xor eax, edx<br>
Mov B, eax</p>
<p>Sub i, 4<br>
Cmp i, -4<br>
Jz @Encrypt3</p>
<p>Push A<br>
Pop C<br>
Push B<br>
Pop A<br>
Jmp @Encrypt2</p>
<p>@Encrypt3:<br>
Mov eax, A<br>
Stosd<br>
Mov eax, B<br>
Stosd</p>
<p>Pop ecx<br>
Inc ecx<br>
Cmp ecx,4<br>
Jnz @Encrypt1</p>
<p>Mov esi, OFFSET EncryptedHead ; Save encrypted head to file<br>
Mov edi, pMapFile<br>
Add edi, 20h<br>
Mov ecx, 8<br>
Repnz Movsd<br>
RET<br>
EncryptHead Endp<br>
;-------</p>
<p>***/***</p>
<pre>&nbsp;</prE>
<pre>I searched IDA's disassembly for a lot of memory flags: nothing more.</prE>
<pre>Now we really have to understand what this program does, and try to think like it. Maybe there is a flag
attached to the proxies: they encrypted the proxy file aproxy.cdb, so they must have a serious reason.
I will repeat it again and again: IDA is the *best* tool you can use. With the MFC signatures applied, look
at what comes after this check:</prE>
<pre>.text:0040CD5D loc_0_40CD5D:                           ; CODE XREF: sub_0_40CCE0+76&uarr;j
.text:0040CD5D                 push    edi
.text:0040CD5E                 lea     edi, [eax-1]
.text:0040CD61                 mov     eax, [esi+0F0h]
.text:0040CD67                 push    2
.text:0040CD69                 push    edi
.text:0040CD6A                 push    100Ch
.text:0040CD6F                 push    eax
.text:0040CD70                 call    ebx
.text:0040CD72                 lea     ebx, [esi+0D0h]
.text:0040CD78                 push    edi
.text:0040CD79                 mov     ecx, ebx
.text:0040CD7B                 call    j_?GetItemData@CListCtrl@@QBEKH@Z ; CListCtrl::GetItemData(int)
.text:0040CD80                 or      eax, 1000000h
.text:0040CD85                 mov     ecx, ebx
.text:0040CD87                 push    eax
.text:0040CD88                 push    0
.text:0040CD8A                 push    0
.text:0040CD8C                 push    0
.text:0040CD8E                 push    0
.text:0040CD90                 push    4
.text:0040CD92                 push    0
.text:0040CD94                 push    edi
.text:0040CD95                 call    j_?SetItem@CListCtrl@@QAEHHHIPBDHIIJ@Z ; CListCtrl::SetItem(int,int,uint,char const *,int,uint,uint,long)
.text:0040CD9A                 cmp     dword_0_419748, 5
.text:0040CDA1                 jnz     short loc_0_40CDD0
.text:0040CDA3                 push    offset unk_0_4183EC
.text:0040CDA8                 push    13h
.text:0040CDAA                 push    edi
.text:0040CDAB                 mov     ecx, ebx
.text:0040CDAD                 call    j_MFC42_6907
.text:0040CDB2                 push    offset unk_0_4183EC
.text:0040CDB7                 push    15h
.text:0040CDB9                 push    edi
.text:0040CDBA                 mov     ecx, ebx
.text:0040CDBC                 call    j_MFC42_6907
.text:0040CDC1                 push    offset unk_0_4183EC
.text:0040CDC6                 push    14h
.text:0040CDC8                 push    edi
.text:0040CDC9                 mov     ecx, ebx
.text:0040CDCB                 call    j_MFC42_6907
</prE>
<pre>At line 40cd7b a CListCtrl method is called, GetItemData(n), which according to the M$ docs retrieves the
application-defined value for item number n, here proxy number n in the proxy list.
Set a bpx on this line and you will see that the edi value pushed just before is exactly the position
of the first proxy you selected.</prE>
<pre>The value is returned in eax and a logical OR with 01000000h is applied to it (the or eax, 1000000h at
40cd80). What for? Just prevent that OR with SoftICE, and the proxy is not checked.</prE>
<pre>All the proxies in the list start out with a non-x1xxxxxx value; this OR with 01000000h is what enables them
to be checked. So there must be a test for this value inside a4proxy, to stop the proxy check once the first one
is checked. In the registered version, this routine must enable all the proxies you selected.</prE>
<pre>Searching in IDA for 01000000h, you find this:</prE>
<pre>.text:0040C0B0 loc_0_40C0B0:                           ; CODE XREF: sub_0_40C040+210&darr;j
.text:0040C0B0                 push    edi
.text:0040C0B1                 mov     ecx, ebx
.text:0040C0B3                 call    j_?GetItemData@CListCtrl@@QBEKH@Z ; CListCtrl::GetItemData(int)
.text:0040C0B8 naughty -&gt;      test    eax, 1000000h
.text:0040C0BD                 mov     [esp+38h+var_1C], eax
.text:0040C0C1                 jz      short loc_0_40C106
.text:0040C0C3                 mov     ecx, offset unk_0_418D80
.text:0040C0C8                 xor     esi, esi
.text:0040C0CA                 mov     [esp+38h+var_24], ecx
.text:0040C0CE 
.text:0040C0CE loc_0_40C0CE:                           ; CODE XREF: sub_0_40C040+B7&darr;j
.text:0040C0CE                 cmp     dword ptr [ecx+4], 0FFFFFFFFh
.text:0040C0D2                 jnz     short loc_0_40C0E9
.text:0040C0D4                 push    0
.text:0040C0D6                 push    33h
.text:0040C0D8                 push    1
.text:0040C0DA                 push    0
.text:0040C0DC                 call    j_?Create@CAsyncSocket@@QAEHIHJPBD@Z ; CAsyncSocket::Create(uint,int,long,char const *)
.text:0040C0E1                 test    eax, eax
.text:0040C0E3                 jnz     short loc_0_40C13A
.text:0040C0E5                 mov     ecx, [esp+48h+var_34]

When a4proxy arrives here, the first selected proxy passes the 40c0b8 test, because its item data
was updated above. When the second proxy arrives, its item data is not x1xxxxxx-like, so it exits at line
40c0c1. Just nop the 40c0c1 line, and all the proxies after the first one you selected will be checked.</prE>
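<p>A portable C model of the two-stage scheme described above, added here as an illustration; it is not code from a4proxy or from the original essay. The struct, the function names and the sample rows are assumptions reconstructed from the two listings: the button handler requests a check by OR-ing 01000000h into a row's item data, and the worker only processes rows that carry that bit.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit 24 of the per-row item data: set with `or eax, 1000000h` at 0040CD80,
 * read with `test eax, 1000000h` at 0040C0B8. */
#define CHECK_REQUESTED 0x01000000u

/* Hypothetical stand-in for one row of the proxy list control. */
struct proxy_row {
    uint32_t item_data; /* value carried by GetItemData()/SetItem() */
    int selected;       /* row highlighted by the user */
    int checked;        /* worker processed this row */
};

/* Model of the button handler: count the selection (the 1032h message),
 * raise the nag when the demo sees more than one row, then request a
 * check by OR-ing the flag in. Assumption: the demo flags one row only,
 * as the essay observes. Returns the number of rows flagged. */
size_t on_check_clicked(struct proxy_row *rows, size_t n, int licensed,
                        int *nag_shown)
{
    size_t selected = 0, flagged = 0;

    for (size_t i = 0; i < n; i++)
        selected += rows[i].selected ? 1 : 0;
    *nag_shown = (!licensed && selected > 1);

    for (size_t i = 0; i < n; i++) {
        if (!rows[i].selected)
            continue;
        rows[i].item_data |= CHECK_REQUESTED; /* other bits are preserved */
        flagged++;
        if (!licensed)
            break;
    }
    return flagged;
}

/* Model of the worker loop: it never asks about the licence, it only
 * trusts the flag stored in the row. Returns the number of rows checked. */
size_t run_checks(struct proxy_row *rows, size_t n)
{
    size_t done = 0;

    for (size_t i = 0; i < n; i++) {
        if ((rows[i].item_data & CHECK_REQUESTED) == 0)
            continue; /* the jz at 0040C0C1 */
        rows[i].checked = 1;
        done++;
    }
    return done;
}

int main(void)
{
    /* Constructed sample: three selected rows out of four. */
    struct proxy_row rows[4] = {
        {0x00000007u, 1, 0}, {0x00000008u, 1, 0},
        {0x00000009u, 0, 0}, {0x0000000Au, 1, 0},
    };
    int nag = 0;
    size_t flagged = on_check_clicked(rows, 4, 0, &nag);
    size_t checked = run_checks(rows, 4);

    printf("demo: nag=%d flagged=%zu checked=%zu data[0]=%08X\n",
           nag, flagged, checked, (unsigned)rows[0].item_data);
    return 0;
}
```

<p>The model makes the design point visible: the nag gate and the per-row flag are two independent enforcement points, and the worker relies on mutable list-control state rather than on the licence itself.</p>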
<pre>Sure, this is not a definitive crack: the unregistered notice still appears in the About window. The crack is
enough to use this app; if someone manages to find the global reg check, just send me your ideas, they are
welcome.</prE>
<pre>					+Tsehp April 2000</prE>
<br><br>

<!-- FINAL NOTES STARTS HERE -->
<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" WIDTH= "100%"  HEIGHT="22" >
<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Final Notes</fonT>
</fonT></center></td></tr></table>
<pre>
The global protection resides in the proxy list they send you when you buy the program. So you have to wait for
them to send you the updates, or manually build a text listing every time. Very stupid, because this kind
of protection rules out the auto-update they could have built. Maybe in the next version. ;-)
<!-- PASTE HERE YOUR FINAL NOTES (if any) -->
						+Tsehp</pre>
<br><br>

<!-- OB DUH STARTS HERE -->
<TABLE CELLPADDING="1" CELLSPACING="2" BORDER="1" WIDTH= "100%"  HEIGHT="22" >
<tr><td bgcolor="#C6E7C6"><center><font size=+2><font color=blue>Ob Duh</fonT></fonT>
</center></td></tr></table><center><i>I won't even bother explaining to you 
   that you should BUY this target program if you intend to use it for a 
   longer period than the allowed one. Should you want to STEAL this 
   software instead, you don't need to crack its protection scheme at all: 
   you'll find it on most Warez sites, complete and already regged, 
   farewell, don't come back.</i></center>

<!-- THAT'S ALL, THANKS A LOT this will allow automated retrieval -->
</BODY>
</HTML>