It's been two days without activity!!! Keep up, keep up!! Trust your instinct
Hahahah
I'm still here, just busy on stuff that makes me money
Not as much fun, but it keeps the roof over my head.
A little update: I'm trying to find out how to get IDA Pro to recognize code that has been statically linked in from a DLL.
Why?
There is zlib inflate in the updater, but it's not the same zlib that is in the INDY libraries from what I can tell.
The string "inflate 1.2.3 Copyright 1995-2005 Mark Adler" appears in the updater.exe, but not in the INDY libraries. However, this string does appear in the official zlib1.dll. Now that could mean:
1) The updater code statically linked the code from zlib1.dll into its build.
2) The updater code compiled the zlib inflate routine from the publicly available source.
3) The updater uses a different version of the INDY libraries. I have looked at INDY versions 9.0.18 and 10.1.5.0.
If anyone has any answers or suggestions, please post.
In the meantime I will try and get zlib1.dll into IDA Pro and see if it can recognize the code in the updater.exe when it disassembles it.
IDA is a pretty deep program, so there's a fair bit to learn at each step; it took me an evening to research how to use FLIRT to make signature files (.SIG). But now the disassembly does recognise 34 references of the CYAPI.LIB which were just unknown function calls/references before.
So that's where it's at, currently.
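The banner comparison described in the post above can be scripted. The following is an added example, not part of the original post: it scans binary images for zlib's inflate/deflate copyright banners and reports which release each one carries. The sample blobs are constructed stand-ins, and the name `indy_library.bin` is hypothetical.

```python
import re

# zlib stamps each component with a banner such as the one quoted in the post:
#   "inflate 1.2.3 Copyright 1995-2005 Mark Adler"
BANNER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright (\d{4})-(\d{4})")


def zlib_banners(data: bytes):
    """Return (component, version, file_offset) for every zlib banner in data."""
    return [(m.group(1).decode(), m.group(2).decode(), m.start())
            for m in BANNER.finditer(data)]


def inventory(images: dict):
    """Map image name -> set of (component, version) pairs found in it."""
    return {name: {(c, v) for c, v, _ in zlib_banners(blob)}
            for name, blob in images.items()}


def shared(report: dict, a: str, b: str):
    """Banners present in both images, i.e. the same zlib release in each."""
    return report[a] & report[b]


# Constructed stand-ins for the three files discussed (not real file contents).
SAMPLES = {
    "updater.exe": b"MZ" + b"\x00" * 14
                   + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
    "zlib1.dll": b"MZ\x00 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
                 b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
    "indy_library.bin": b"MZ\x00no zlib banner in this constructed blob\x00",
}

if __name__ == "__main__":
    report = inventory(SAMPLES)
    for name, hits in report.items():
        print(name, sorted(hits) or "no zlib banner")
    print("common to updater.exe and zlib1.dll:",
          sorted(shared(report, "updater.exe", "zlib1.dll")))
```

A matching banner identifies the zlib release only; possibilities 1 and 2 in the list above would both leave the same string in the binary, so telling them apart still needs code-level matching such as FLIRT signatures.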