CRACK IT BUY IT or LEAVE IT !
[TARGET] HEX WORKSHOP v 2.54 http://www.bpsoft.com
[SOFTICE BREAKPOINT] BPX GETWINDOWTEXTA
If you have read my other TUTS, this one won't be HARDER for you, and it should be very INTERESTING for your CRACKING knowledge, because the purpose of this TUT is CRACKING in a FAST way. The important thing is to understand what you are dealing with; you can use the DEAD LISTING trick for that: just find the PROTECTION SCHEME, set some BREAKPOINTS in SOFTICE, and then everything is POSSIBLE!
What you have to do is: go to the REGISTRATION AREA in HEX WORKSHOP, enter some DUMMY CODE, then set the BREAKPOINT above in SOFTICE and click the REGISTER button. SOFTICE will pop up; press F11 to get to the CALLER. Finally TRACE along with F10 until you see something like this!
* Possible StringData Ref from Data Obj ->"JN11mARQ"
|
:0042627B 68E8F74700   push 0047F7E8
:00426280 8D45DC       lea eax, dword ptr [ebp-24]  -----> EAX = address of OUR CODE
:00426283 50           push eax
:00426284 E867450100   call 0043A7F0                ------> I almost got FOOLED by this ASS HOLE: inside the CALL our CODE is compared with 'JN11mARQ'.
                                                            If EQUAL then EAX = 0 (remember that we don't want EAX = 0) and it JUMPS to 004262A8.
:00426289 83C408       add esp, 00000008
:0042628C 85C0         test eax, eax
:0042628E 0F8414000000 je 004262A8

:00426294 8D45DC       lea eax, dword ptr [ebp-24]
:00426297 50           push eax
:00426298 E823110100   call 004373C0                --------> This CALL counts the LENGTH of our CODE. Go inside this IMPORTANT CALL!
:0042629D 83C404       add esp, 00000004
:004262A0 8945EC       mov dword ptr [ebp-14], eax  ------> NOTE that [ebp-14] gets its FINAL VALUE from EAX! That means EAX is the KEY to this
:004262A3 E907000000   jmp 004262AF                         STUPID PROTECTION, and EAX must contain 1 if you want it to be REGISTERED.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042628E(C)
|
:004262A8 C745EC00000000 mov [ebp-14], 00000000     ----> BAD! WE WANT [ebp-14] = 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004262A3(U)
|
:004262AF 837DEC00     cmp dword ptr [ebp-14], 00000000
:004262B3 0F8479000000 je 00426332                  -----> F@CKIN BAD JUMP!
Let's figure out what's inside the CALL 004373C0!
* Referenced by a CALL at Addresses:
|:00409C7E , :00426298
|
:004373C0 83EC14       sub esp, 00000014             \
:004373C3 B9FFFFFFFF   mov ecx, FFFFFFFF              |
:004373C8 2BC0         sub eax, eax                   |
:004373CA 56           push esi                       | Some ROUTINE to COUNT
:004373CB 8B74241C     mov esi, dword ptr [esp+1C]    | our CODE LENGTH.
:004373CF 57           push edi                       |
:004373D0 8BFE         mov edi, esi                   | ECX contains the LENGTH
:004373D2 F2           repnz                          | of our CODE.
:004373D3 AE           scasb                          |
:004373D4 F7D1         not ecx                        |
:004373D6 49           dec ecx                       /
:004373D7 83F908       cmp ecx, 00000008   ---> The LENGTH of the REAL SERIAL MUST BE EQUAL TO 8.
:004373DA 7408         je 004373E4              IF NOT, EAX is ZEROED and we get out of the CALL.
                                                Now go back to the REGISTRATION AREA and enter a CODE of 8 characters.
:004373DC 33C0         xor eax, eax        ---> BAD!
:004373DE 5F           pop edi
:004373DF 5E           pop esi
:004373E0 83C414       add esp, 00000014
:004373E3 C3           ret

[CONTINUED IF OUR CODE LENGTH = 8]
Before you continue, it's IMPORTANT to understand the situation: what we always want is EAX containing 00000001 when we return from the CALL, so have a look at the end of this DEAD LISTING, just before the return from the CALL!
:004373E4 6A0A         push 0000000A
------------- ------------- SOME JUNK HERE ------------- -------------
:004373FC E83FFFFFFF   call 00437340       ---> CREATES the first 2 chars of the REAL SERIAL. You can see them by typing
                                                D ESP+10 in SOFTICE, or go inside the CALL if you don't believe me.
------------- ------------- ANOTHER JUNK HERE ------------- -------------
:00437425 8D742408     lea esi, dword ptr [esp+08]  ------> The first 2 chars of the REAL SERIAL
:00437429 8D4C240C     lea ecx, dword ptr [esp+0C]  ------> OUR CODE
:0043742D 51           push ecx
:0043742E E82D2D0000   call 0043A160                -------> If you entered letters in the CODE, this PROC converts them to UPPERCASE.
:00437433 83C404       add esp, 00000004                     The result is EAX = OUR CODE

* Possible Reference to Menu: MenuID_0002
|
* Possible Reference to String Resource ID=00002: "Hex Workshop"
|
:00437436 B902000000   mov ecx, 00000002   ---> ECX = 2 means compare only the first 2 chars
:0043743B 8BF8         mov edi, eax        ---> EDI = OUR CODE, ESI = the REAL ONE. Look at the explanation below!
:0043743D 2BC0         sub eax, eax
:0043743F F3           repz
:00437440 A6           cmpsb
:00437441 7405         je 00437448         -----> FINAL CHECK! If it JUMPS then everything is fully REGISTERED,
:00437443 1BC0         sbb eax, eax               because that path gives EAX = 00000001 (what we want when
:00437445 83D8FF       sbb eax, FFFFFFFF          we get out of the CALL).

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437441(C)
|
:00437448 85C0         test eax, eax
:0043744A B800000000   mov eax, 00000000
:0043744F 7505         jne 00437456

* Possible Reference to String Resource ID=00001: "Hex Workshop Version 2.54"
|
:00437451 B801000000   mov eax, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043744F(C)
|
:00437456 5F           pop edi
:00437457 5E           pop esi
:00437458 83C414       add esp, 00000014
:0043745B C3           ret

[EXPLAINED]
:00437436 B902000000   mov ecx, 00000002
:0043743B 8BF8         mov edi, eax
:0043743D 2BC0         sub eax, eax
:0043743F F3           repz
:00437440 A6           cmpsb
:00437441 7405         je 00437448

REPZ CMPSB ---> Compares the byte at ES:[EDI] with the byte at DS:[ESI]; after each comparison EDI and ESI are incremented or decremented by 1 depending on the DIRECTION FLAG, and it repeats while ECX is not zero and the bytes are still equal.
So if you entered a DUMMY code like XXXXXXXX in the REGISTRATION, then EDI = XXXXXXXX and ESI = SY..XXXXXXXX (the chars in ESI are created by the CALL 00437340).
ECX = 2 means COMPARE only 2 times; in this case it COMPARES our first two chars with 'SY', and if EQUAL then it's REGISTERED! Do you see that? I told you before that if you understand the situation you can crack it much faster: just analyze the DEAD LISTING in W32DASM, set BPX GETWINDOWTEXTA and BPX 0043743F, then TYPE D ESI, and finally you can see the REAL SN# in front of your UGLY FACE!
VOL. 5
OE'97 ITS 4397100xxx
oche_satriani@start.com.au
oblek@start.com.au