Aug 1998
"SpamEater Pro 2.12"
( 'A simple protection system'  )
Win Code Reversing
by The Sandman 
Code Reversing For Beginners 
Program Details
Program Name:
Program Type: Email Anti-Spam
Program Location: Here 
Program Size: 1.3 MB 
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Dissembler
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
SpamEater Pro V2.12
( 'A simple  protection system'  )
Written by The Sandman
The author(s) of SpamEator  says:-
"SpamEater Pro is an application that will clean your POP3 mailbox of spam (unsolicited junk email) BEFORE you download it with your POP3 email client. Features extensive listing of known spammers, ability to add entries to the spammers listing, unlimited number of spammers in the listing, unlimited number of valid email address, and more.

SpamEater features an easy to use user interface and a step by step assistant for setting it up."
About this protection system
On startup, this program creates a file called sephlpr.dat which is 80 bytes in length and contains your 30 day counter details and the default shareware details shown in the 'About' Screen.

The contents of this file is as shown:-
00000000 48C5 9173 4704 222D 2BEF 8926 H..sG."-+..&
0000000C 1E44 741B 01C6 ED57 5D10 2F2C .Dt....W]./,
00000018 23F4 8E7D 455B 6973 68AA CD38 #..}E[ish..8
00000024 015B 6973 68AA CD38 015B 6973 .[ish..8.[is
00000030 68AA CD1B 0F30 776C 77B7 A551 h....0wlw..Q
0000003C 6D5B 6973 B899 D233 2A1A 0A59 m[is...3*..Y
00000048 4280 E712 ABEA A219           B.......

Now compare this to the one created when you fully register this program.

00000000 49D4 8F77 0B22 2237 26ED 867C I..w.""7&..|
0000000C 7B71 4359 FAA2 A712 D381 2C59 {qCY......,Y
00000018 9EA2 A712 C853 0359 0380 E712 .....S.Y....
00000024 6605 C859 3E73 8812 2B71 4359 f..Y>s..+qCY
00000030 2254 6C1B 0F30 011F 76B2 A356 "Tl..0..v..V
0000003C 1E93 BAE6 B899 D233 2B82 2C59 .......3+.,Y
00000048 4280 E712 2B71 4359           B...+qCY

This file [sephlpr.dat] is treated by the program as a 'Key file', so even if you delete the entries in your System Registry file then when you re-run this program it will read the info contained within this file [sephlpr.dat] and re-write the entries in your system registry file.  So if you wish to re-start your 30 day trial period again or want to re-register this program again them make sure you not only delete the registry entries in your System Registry file but also DELETE this file [sephlpr.dat].
The Registration entries for this program are stored here:-
HKEY_USERS\.Default\Software\High Mountain Software\SpamEater Pro\Data
The Essay 
The best way I found to crack this program was to create a 'Dead Listing' first, simply because I couldn't get Softice to break anywhere near it's protection routine, even when trying bpx messageboxa  bpx getwindowtexta etc.  Here's where the dead listing came to the rescue..  It showed me almost straight away two possible places to I could patch this program as well as telling me a little more about how this program operated.  In order to gain access into the program's code so that I could debug the routines shown below  I setup Softice to break on any accesses theprogram made to the getlocaltime system function, which it uses each time it is run. You do this by:-
1. Press Ctrl-D to fire up softice.
2. Type bpx getlocaltime
3. type X to leave Softice.

OK, create a dead listing of spamEtrp.exe using W32Dasm.

Open up the program's String Dialog Resources and search for the text: "Thanks for your support of SpamEater Pro!"

You should now see this snippet of code:-
:0049B300 50                 push eax
:0049B301 E8AEB6F6FF         Call kernel32.SetFileAttributesA
:0049B306 6A00               push 00000000
:0049B308 668B0D48B44900     mov cx, word ptr [0049B448]
:0049B30F B202               mov dl, 02

* StringData Ref from Code Obj ->"Thanks for your support of SpamEater Pro"
:0049B311 B854B44900         mov eax, 0049B454
:0049B316 E83D95FBFF         call 00454858
:0049B31B E980000000         jmp 0049B3A0

From here I now scroll UP this dead listing UNTIL I come across the first occurrence of the following sequence of assembly instructions:-

Call Memory Address
cmp register,register or test register, register
jnz or  jz or  je memory address

Notice as you scroll up this listing the following strings:-

* Possible StringData Ref from Code Obj ->"Serial Number: "
* Possible StringData Ref from Code Obj ->"Licensed to: "

A good indication of what this long routine does..:)

Our first occurrence of the above assembly instructions (which are used in 100's of protected programs ) is found here..
:0049B13A E82DE4FEFF         call 0048956C  ;
Create and check serials
                                            ;Returns in low byte of eax
                                            ;al = 0 if serial invalid.
                                            ;al = 1 if serial valid.

:0049B13F 84C0               test al, al    ;result returned in al
:0049B141 0F8459020000       je 0049B3A0    ;jump if wrong serial
:0049B147 A1E8144A00         mov eax, dword ptr [004A14E8]
:0049B14C 8B00               mov eax, dword ptr [eax]
:0049B14E 8B9898030000       mov ebx, dword ptr [eax+00000398]
:0049B154 80BB7503000000     cmp byte ptr [ebx+00000375], 00 ;days left=0?
:0049B15B 0F85BF010000       jne 0049B320 ;no? then continue as Shareware.
From here it's obvious what our next step should be, we should follow where the call 0048956C takes us.
The above call in fact will lead us to this section of code:-

* Referenced by a CALL at Addresses:
|:0048969B   , :00489745   , :00489919   , :0049B13A
:0048956C 53             push ebx ;Preserve ebx register
:0048956D 56             push esi ;    "    esi  "
:0048956E 57             push edi ;    "    edi  "
:0048956F 83C4B4         add esp, FFFFFFB4
:00489572 8BF1           mov esi, ecx           ;esi = Your *fake* serial
; Your *fake* serial looks like this

; 07 7777777
;  : :.............. You *fake* serial number
;  :................ The number of digits (hex) used. (max 09)

:00489574 8D3C24         lea edi, dword ptr [esp]
:00489577 33C9           xor ecx, ecx
:00489579 8A0E           mov cl, byte ptr [esi];cl =len of your serial
:0048957B 80F909         cmp cl, 09            ;is it 9 numbers of less?
:0048957E 7202           jb 00489582           ;jump if below 9 numbers
:00489580 B109           mov cl, 09            ;else set len to max of 9
:00489582 880F           mov byte ptr [edi], cl;save len in temp work area
:00489584 46             inc esi               ;esi=start of your serial
:00489585 47             inc edi               ;edi=start of temp work area
:00489586 F3             repz                  ;repeat 9 times
:00489587 A4             movsb
:00489588 8BF2           mov esi, edx          ;esi= Your handle/name

; Your name looks like this
; 09 The Sandman
;  : :.............. The name/handle you want to use.
;  :................ The number of characters (hex) in your name (max 32)

:0048958A 8D7C240A       lea edi, dword ptr [esp+0A]
:0048958E 33C9           xor ecx, ecx
:00489590 8A0E           mov cl, byte ptr [esi] ;get len of name/handle
:00489592 80F932         cmp cl, 32             ;is it 32 or less?
:00489595 7202           jb 00489599            ;jmp if len below 32
:00489597 B132           mov cl, 32             ;else set len to max 32
:00489599 880F           mov byte ptr [edi], cl ;save len of your name
:0048959B 46             inc esi                ;esi = start of your name
:0048959C 47             inc edi
:0048959D F3             repz                   ;repeat upto 32 times
:0048959E A4             movsb
:0048959F 8BF0           mov esi, eax
:004895A1 33DB           xor ebx, ebx
:004895A3 889E75030000   mov byte ptr [esi+00000375], bl
:004895A9 8D442440       lea eax, dword ptr [esp+40]
:004895AD 50             push eax
:004895AE 8BCB           mov ecx, ebx
:004895B0 8D54240E       lea edx, dword ptr [esp+0E]
:004895B4 8BC6           mov eax, esi
:004895B6 E805FEFFFF     call 004893C0   ;Create *real* serial No

Once you've executed the line call 004893C0 type: d edx to see the serial number you should use for the name/handle you've used. It will be the first set of nine alpha-numeric characters that you see in Softice.  There are one or two other 'sets' like this but ignore them.  Your serial will look something like this:-


It's important to include the $ (dollar sign) in front of your serial number.

Now run SpamEater Pro, select the 'Help' menu then the 'About' option and type in your User details using the *real* serial number you've just found then press the 'Register' button.

Job Done.
The Crack
None required.

If you intend on using this program beyond it's evaluation period then please BUY IT!
Final Notes 
This is quite a useful program to have around and one that is worth newbies spending some time getting to learn it's protection system.

My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ob Duh 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will be encouraged to producing even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.

 Next   Return to Essay Index   Previous 

Essay by:          The Sandman
Page Created: 23rd August 1998