[(/$$¤-SaMSoUL CRAcKInG-¤$$\)]



Name        : WinHex

Version     : 8.3

Availability: http://www.muenster.de/~sf
              or http://move.to/sf (secondary URL)

Target      : WinHex.exe (358912 bytes)

Protections : - Limitations
              - Cannot save a file larger than 200 KB (!!!)
              - Nagscreens (when WinHex starts and when you quit)
              - Trial period...

Tools       : SoftICE 3.25
              W32Dasm 8.93 (used in Step Two)
              a hex editor (used in Step Five)
              Brain

CRaCKer     : TaMaMBoLo
Contact us  : Samsoul99@Hotmail.com (Welcome frenchies!)

Hello!

Here is my first tutorial, written for newbies... I kept my explanations as simple as possible
so that everyone can follow them. Excuse my bad English, I am French... As the target for this
crack I chose WinHex 8.3, a hex editor, which is an ideal tool for you crackers...


Step One:

Install WinHex 8.3 and launch it. You see immediately that there are several protections:
- Limitations
- Cannot save a file larger than 200 KB (!!!)
- Nagscreens (when WinHex starts and when you quit)
- Trial period...

OK! You have seen that there are several limitations in this software. Now, ROCK'n ROll!


Step Two:

Take W32Dasm 8.93 and disassemble the executable (WinHex.exe = 351 KB). When you launch
WinHex several times in succession, WinHex shows you a nagscreen:
"PLEASE REGISTER SOON."
In W32Dasm open the "String Data References" list and look for the sentence of the nag
("Please register soon."). You find it without problem, and when you double-click on it
you land here:


:00422330 803D7364440000 cmp byte ptr [00446473], 00 ---- Very interesting!! the "registered" flag
:00422337 jne 00422375 ------------------------------ flag != 0: registered, skip the nag
:00422339 mov eax, dword ptr [00444A2C] -------------- else load a counter...

* Possible ref. to Menu: MenuID_0001, Item: "Neu... Strg+N"

* Possible Reference to Dialog: DialogID_000E, CONTROL_ID:000A, "&Warnen vor Änderungen an Dateien dieser "

:0042233E mov ecx, 0000000A
:00422343 cdq
:00422344 idiv ecx ----------------------------------- ...divide it by 10...
:00422346 cmp edx, 00000008
:00422349 jne 00422375 ------------------------------ ...and skip the nag unless the remainder is 8
:0042234B cmp byte ptr [00445660], 00 ---------------- language flag: 0 = German text...
:00422352 jne 00422362 ------------------------------ ...nonzero = English text

* Possible StringData ref. from Obj Code ->"Da Sie dieses Programm relativ " ------ NaGSCrEEn, German text!
->"h "

:00422354 mov eax, 00422524
:00422359 mov dl, 03
:0042235B call 0040BC94 ----------------------------- nagscreen displayed
:00422360 jmp 0042236E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422352(C)

* Possible StringData ref. from Obj Code ->"Please register soon." ------ NaGSCrEEn, English text!
|
:00422362 mov eax, 00422590
:00422367 mov dl, 03
:00422369 call 0040BC94 ----------------------------- nagscreen displayed

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422360(U)
|
:0042236E mov al, 04
:00422370 call 0040B384 ----------------------------- both nag paths rejoin here (end of the nag)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422337(C),:00422349(C)
|
:00422375 push 00000000 ----------------------------- GooD BOy! no NaGSCrEEn!
:00422377 mov eax, dword ptr [00442014]
:0042237C push eax
:0042237D push 00000000
:0042237F mov eax, dword ptr [00446EE8]
  

OK! You immediately see something very interesting:
Going up a little in the code, you see that the program tests several memory addresses.
At 0042234B there is a comparison: cmp byte ptr [00445660], 00. This one is not important
for us: the byte at 445660 only selects the language of the nag (German text if it is 0,
English text otherwise). The division by 10 at 00422344 is not important either: it just
makes the nag appear on every tenth launch (when the counter loaded from 444A2C leaves a
remainder of 8), which is why you only see it after launching WinHex several times in
succession. The comparison that decides whether the user is registered is the first one,
at 00422330: cmp byte ptr [00446473], 00. It is the byte at 446473 that determines the
registered state. If 446473 = 0 the user is not registered, and if 446473 = 1 the user is
registered... Not very hard to understand, is it?
(Ignore the two "Possible ref." lines in the middle of the listing: W32Dasm prints them
because the immediate 0000000A happens to match a resource ID.)



Step Three:

Somewhere the program writes the value of this flag into 446473 (0 for unregistered,
1 for registered), and we need to find that place in the code. In assembler there are
many ways to put a value into an address, and we don't know how the programmer did it,
so we search the code for every place that uses the address 446473. Among them we will
inevitably find the one where the program writes to 446473. For the search, take W32Dasm,
open the "Search" menu, click "Find Text" and enter 736444. Yes, I entered the address
"backwards" (446473 becomes 73 64 44), but that is normal: the x86 stores multi-byte values
little-endian, low byte first and high byte last, so the address 00446473 appears in the
opcode bytes as 73 64 44 00 (look at the bytes 803D7364440000 at address 00422330 in the
listing above to see it).



Step Four:

You will find many places in the code where the address is used. But if you look carefully
you will always see the same thing: the write is preceded by a XOR EAX,EAX. That is not very
interesting for us, because XOR EAX,EAX sets EAX to 0, and we would rather force the flag
to 1. Watch this!

:0043F662 call 0040E0D8
:0043F667 cmp eax, dword ptr [00446024]
:0043F66D je 0043F673

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F65E(C)

:0043F66F xor eax, eax --------------- BAd BOy! EAX=0 and...
:0043F671 jmp 0043F675 -------------- ...jump to 43F675 to set 446473 to 0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F66D(C)

:0043F673 mov al, 01 ---------------- GOOd BOy! AL=1 and...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F671(U)

:0043F675 A273644400 mov byte ptr [00446473], al ---- ...store AL in 446473 (1: it's good for you!)

The programmer put his initialization routine at the end of the program, which is why the
search takes a while... At 43F66F there is a XOR EAX,EAX followed by a jump to 43F675,
where the program stores the contents of AL in 446473... But at 43F673 there is a
MOV AL,1, which is very interesting!... So what happens if we erase the XOR EAX,EAX and
the JMP 43F675?

Step Five:

Take a hex editor, go to file offset 3EA6F and write 90,90,90,90 (four NOPs: XOR EAX,EAX
and the short JMP are two bytes each, as the addresses 43F66F, 43F671 and 43F673 show). Now
the program no longer sets EAX to 0 and jumps; it falls through to the MOV AL,1 and stores 1
in 446473... Save the patched file and launch WinHex. BOOM! *!REGIsTeReD!*
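The byte-order trick from Step Three and the patch from Step Five, done in Python as an added example (this is not code from the original tutorial and has nothing to do with the WinHex authors). The image base and section layout (image base 00400000, code section at RVA 1000 stored at file offset 400) are assumptions, chosen because they are what makes VA 0043F66F land at file offset 3EA6F as the tutorial states. The "file" the script patches is a constructed stand-in that holds only the instruction bytes from the two listings, and the 33 C0 encoding of XOR EAX,EAX is assumed (31 C0 is the other encoding); the other encodings follow from the listing and the instruction sizes the addresses imply.

```python
import struct

# Layout assumptions (not in the tutorial, but the only layout under which its
# numbers agree): Win32 image base 00400000, code section at RVA 1000 stored at
# file offset 400. With these, VA 0043F66F maps to file offset 3EA6F as stated.
IMAGE_BASE = 0x00400000
CODE_RVA = 0x1000
CODE_RAW = 0x400

# Values quoted in the tutorial.
FLAG_ADDR = 0x00446473        # "registered" flag tested at 00422330
PATCH_VA = 0x0043F66F         # xor eax,eax ; jmp 0043F675
PATCH_LEN = 4                 # two 2-byte instructions -> four NOPs


def addr_to_le_hex(addr: int) -> str:
    """Hex text of a 32-bit operand as it appears in the opcode bytes.
    x86 is little-endian, so 00446473 is stored as 73 64 44 00."""
    return struct.pack("<I", addr).hex().upper()


def va_to_file_offset(va: int) -> int:
    """Map a virtual address inside the code section to its file offset."""
    return va - IMAGE_BASE - CODE_RVA + CODE_RAW


def file_offset_to_va(off: int) -> int:
    """Inverse of va_to_file_offset."""
    return off - CODE_RAW + CODE_RVA + IMAGE_BASE


def find_operand_refs(data: bytes, addr: int) -> list:
    """Every place the 4-byte little-endian form of addr occurs in the file
    (what the "Find Text 736444" search in W32Dasm does by hand), as VAs of
    the operand bytes."""
    needle = struct.pack("<I", addr)
    refs, pos = [], data.find(needle)
    while pos != -1:
        refs.append(file_offset_to_va(pos))
        pos = data.find(needle, pos + 1)
    return refs


def patch(data: bytes, offset: int, expected: bytes, new: bytes) -> bytes:
    """Overwrite bytes only if the file still holds what the listing showed;
    refuse otherwise so a different build is never patched blindly."""
    if len(expected) != len(new):
        raise ValueError("replacement must keep the instruction stream the same length")
    got = data[offset:offset + len(expected)]
    if got != expected:
        raise ValueError(f"at {offset:#x}: found {got.hex()}, expected {expected.hex()}")
    return data[:offset] + new + data[offset + len(new):]


# Encodings: xor eax,eax = 33 C0 (assumed; 31 C0 is the alternative),
# jmp short +2 = EB 02, mov al,1 = B0 01, mov [00446473],al = A2 73 64 44 00
# (the last one is printed in the listing itself).
XOR_JMP = bytes.fromhex("33C0EB02")
MOV_AL_1 = bytes.fromhex("B001")
MOV_FLAG_AL = bytes.fromhex("A2" + addr_to_le_hex(FLAG_ADDR))
CMP_FLAG_0 = bytes.fromhex("803D" + addr_to_le_hex(FLAG_ADDR) + "00")


def build_sample() -> bytes:
    """Constructed stand-in for WinHex.exe: zeros, with the instruction bytes
    from the two listings placed at the file offsets their VAs map to."""
    buf = bytearray(va_to_file_offset(PATCH_VA) + 16)
    off = va_to_file_offset(0x00422330)
    buf[off:off + len(CMP_FLAG_0)] = CMP_FLAG_0
    off = va_to_file_offset(PATCH_VA)
    seq = XOR_JMP + MOV_AL_1 + MOV_FLAG_AL
    buf[off:off + len(seq)] = seq
    return bytes(buf)


def apply_tutorial_patch(data: bytes) -> bytes:
    """Step Five: four NOPs over xor eax,eax / jmp at file offset 3EA6F, so
    execution falls through to mov al,1 and the flag is stored as 1."""
    off = va_to_file_offset(PATCH_VA)
    return patch(data, off, XOR_JMP, b"\x90" * PATCH_LEN)


if __name__ == "__main__":
    exe = build_sample()
    print("search text for W32Dasm:", addr_to_le_hex(FLAG_ADDR)[:6])
    print("operand refs:", [hex(v) for v in find_operand_refs(exe, FLAG_ADDR)])
    patched = apply_tutorial_patch(exe)
    print("patched at file offset", hex(va_to_file_offset(PATCH_VA)))
```

Note that patch() refuses to write unless the bytes at the offset are the ones from the listing: the offset 3EA6F was computed for this 8.3 build, and in any other build it lands on unrelated code, where four blind NOPs would break the program rather than the check.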

For ReMArKs, CRiTiKs, COnTaKts ===> Samsoul99@Hotmail.com

Frenchies: if you want some tutorials written in French, send me a mail.

                                                            A crACk By
                                                          TaMaMBoLo From
                                                  [(/$$¤-SaMSoUL CRAcKInG-¤$$\)]
                                                               TaMaMBoLo 99