Feb 14

Hehe. Continuing the saga of this program and its protector, since I keep finding new tricks, either from dedicated people (kioresk at CRACKL@B, one of the best reverser-analyzers of this protector) or by analyzing the code myself. I'll explain what I mean with both options I mentioned ;)

A few days ago, kioresk managed to come up with a method that allows un-blacklisting of banned accounts in EXECryptor-protected programs. I'm talking about serials generated by EC's own licensing algorithm. Analyzing EC's console part in IDA, he found what needs to be modified at the end of the internal EXECryptor_VerifySerialNumber API. Without going too much into details (though I know people want this on a silver platter), know that a 1-byte patch is enough to be able to register with banned keys ;)


Today the author of Uninstall Tool decided it's not worth having patchers floating around and (like yesterday or any other day in his life) he made a silent update, which brings the software to build 2454. Of course, don't expect fixed bugs - if any - or newly added stuff. This update's sole purpose was to counter the newly discovered un-blacklisting method ;)

Long story short, if the application is patched properly and you then try to view the registration details in the About window, Uninstall Tool crashes. I've been poking around trying to figure out what causes it, since otherwise the program runs fine, without complaining. If you don't feel the urge to open that window, the app won't crash and you can use it just fine.

But I am stubborn and my fingers itch. I feel Olly's calling, so I start analyzing the fucker. I check the patches I've made, disable some breakpoint checks in EC (discussed in another article here) and before you know it I find this:

Hehe. lstrcmpW. Hell yea! Guess what. He is checking a buffer of blacklisted names (all his customers) against the buffer that holds the current registration name. If the two strings match, lstrcmpW returns 0 in EAX, and that zero is later used in EC's code to produce a wrong address, which is what crashes us.

So, I said to myself - why not trick this? How? Simple: I noticed the XOR just above (at 54DC84), did some arithmetic and worked out how to change the immediate it XORs with, so that the result in EAX is the address of the SERIAL buffer instead of the name buffer. Comparing the blacklisted name-strings against a buffer holding my serial can never match, so EAX!=0 ;)

So I patched it this way:

0054DC84 81F0 30D65D5C XOR EAX,5C5DD630
// XOR-ing the value EC leaves in EAX with 5C5DD630 gives 46E010, which is the serial buffer
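As an added example (my code, not the author's patch and not anything from EXECryptor), here is the arithmetic behind that patch in C, plus a toy model of the lstrcmpW check so you can see the crash path before and after. The value EC leaves in EAX before the XOR is not printed in the article; I derive it as 5C5DD630 ^ 0046E010 = 5C1B3620 and assume it holds for this build, and the name buffer address 0046E000, the blacklist entries and the strings are all constructed for the example. Only 46E010 as the serial buffer address and the 81 F0 encoding of XOR EAX,imm32 come from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* XOR EAX, imm32 is encoded as 81 F0 <imm32, little-endian>: 6 bytes. */
enum { XOR_EAX_IMM32_LEN = 6 };

/* Immediate that makes (eax ^ imm) equal `target`, given the value EC
 * leaves in EAX right before the XOR (read it in the debugger at 0054DC84). */
uint32_t xor_imm_for_target(uint32_t eax_before_xor, uint32_t target)
{
    return eax_before_xor ^ target;
}

/* Decode the imm32 of a XOR EAX, imm32 at `off`. Returns 0 and fills *imm,
 * or -1 if the bytes are not 81 F0, so we never patch the wrong spot. */
int read_xor_eax_imm32(const uint8_t *code, size_t len, size_t off, uint32_t *imm)
{
    if (off + XOR_EAX_IMM32_LEN > len || code[off] != 0x81 || code[off + 1] != 0xF0)
        return -1;
    *imm = (uint32_t)code[off + 2] | (uint32_t)code[off + 3] << 8 |
           (uint32_t)code[off + 4] << 16 | (uint32_t)code[off + 5] << 24;
    return 0;
}

/* Overwrite the imm32 in place (little-endian), after the same opcode check. */
int patch_xor_eax_imm32(uint8_t *code, size_t len, size_t off, uint32_t new_imm)
{
    uint32_t old;
    if (read_xor_eax_imm32(code, len, off, &old) != 0)
        return -1;
    for (int i = 0; i < 4; i++)
        code[off + 2 + i] = (uint8_t)(new_imm >> (8 * i));
    return 0;
}

/* Toy model of the check: the XOR result is the pointer lstrcmpW gets, and a
 * 0 result (match) is the path that ends in the bogus address and the crash.
 * Addresses and strings below are constructed for this example; only
 * 46E010 as the serial buffer comes from the article. */
#define NAME_BUF_ADDR   0x0046E000u   /* assumed location of the name buffer */
#define SERIAL_BUF_ADDR 0x0046E010u   /* serial buffer, per the article */

static const wchar_t *buffer_at(uint32_t addr)
{
    if (addr == NAME_BUF_ADDR)   return L"John Doe";       /* constructed name */
    if (addr == SERIAL_BUF_ADDR) return L"XXXX-YYYY-ZZZZ"; /* constructed serial */
    return NULL;                                           /* wild pointer */
}

/* 1 if the About window survives with these bytes, 0 if it crashes. */
int survives_check(const uint8_t *code, size_t len, size_t off, uint32_t eax_before_xor)
{
    static const wchar_t *const blacklist[] = { L"John Doe", L"Jane Roe" }; /* constructed */
    uint32_t imm;
    if (read_xor_eax_imm32(code, len, off, &imm) != 0)
        return 0;
    const wchar_t *s = buffer_at(eax_before_xor ^ imm);
    if (s == NULL)
        return 0;                       /* pointer into nowhere: crash */
    for (size_t i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++)
        if (wcscmp(blacklist[i], s) == 0)
            return 0;                   /* lstrcmpW == 0 -> wrong address later */
    return 1;
}

/* End to end: start from bytes that select the name buffer, patch them so the
 * XOR lands on the serial buffer. Returns the new immediate on success, 0 if
 * the before/after behaviour is not what we expect. */
uint32_t demo_patch(void)
{
    /* Value EC leaves in EAX before the XOR, derived from the article's
     * numbers: 5C5DD630 ^ 0046E010 (assumed to hold for this build). */
    const uint32_t eax_before_xor = 0x5C1B3620u;
    uint8_t code[XOR_EAX_IMM32_LEN] = { 0x81, 0xF0, 0x20, 0xD6, 0x5D, 0x5C }; /* -> NAME_BUF_ADDR */

    if (survives_check(code, sizeof code, 0, eax_before_xor) != 0)
        return 0;   /* unpatched bytes should hit the crash path */

    uint32_t new_imm = xor_imm_for_target(eax_before_xor, SERIAL_BUF_ADDR);
    if (patch_xor_eax_imm32(code, sizeof code, 0, new_imm) != 0)
        return 0;
    if (survives_check(code, sizeof code, 0, eax_before_xor) != 1)
        return 0;
    return new_imm;
}

int main(void)
{
    uint32_t imm = demo_patch();
    printf("new XOR immediate: %08X (%s)\n", imm, imm ? "app survives" : "FAILED");
    return imm ? 0 : 1;
}
```

The point of the opcode check is that the immediate is only meaningful relative to whatever EC computes into EAX; if the bytes at your offset are not 81 F0 you are on a different build (or inside EC's mutated code) and the arithmetic has to be redone from the value you actually see in the debugger. wcscmp is an ordinal compare, while lstrcmpW is locale-aware, which does not matter for this model.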

Result - the application works, and doesn't whine or crash. Keep in mind the immediate is tied to the value EC leaves in EAX before the XOR, so on a different build you redo the arithmetic rather than reuse 5C5DD630. Up yours, developer! :D