[(/$$¤-SaMSoUL CRAcKInG-¤$$\)]

Name         : WinHex
Version      : 8.3
Availability : http://www.muenster.de/~sf or http://move.to/sf (secondary URL)
Target       : WinHex.exe (358912 bytes)
Protections  : - Limitations
               - Impossible to save a file of more than 200 KB (!!!)
               - Nag screens (when you quit and when WinHex starts)
               - Trial period...
Tools        : SoftICE 3.25, brain
Cracker      : TaMaMBoLo
Contact us   : Samsoul99@Hotmail.com (Welcome frenchies!)

Hello! Here is my first tutorial, written for the newbies... I kept my explanations as simple as possible so that everyone can understand them... Excuse my bad English grammar, but I am French...

For this crack I chose as target WinHex 8.3, which is a hexadecimal editor, ideal for you crackers...

Step One:

Install WinHex 8.3 and launch it. You immediately see that there are several protections:
 - Limitations
 - Impossible to save a file of more than 200 KB (!!!)
 - Nag screens (when you quit and when WinHex starts)
 - Trial period...
OK! You have seen that there are several limitations in this software. Now, ROCK'n ROLL!

Step Two:

Take W32Dasm 8.93 and disassemble the executable (WinHex.exe = 351 KB). When you launch WinHex several times in succession, WinHex shows you a nag screen: "PLEASE REGISTER SOON.". In W32Dasm, double-click on "STRING DATA REFERENCES" and look for the sentence of the nag ("Please register soon."). You find it without problem, and when you click on it, you see this:

:00422330 803D7364440000  cmp byte ptr [00446473], 00    <-- Very interesting!!
:00422337                 jne 00422375                   <-- jump if you are a registered English user!
:00422339                 mov eax, dword ptr [00444A2C]  <-- else show the nag screen to the German user
* Possible Ref to Menu: MenuID_0001, Item: "Neu... Strg+N"
* Possible Reference to Dialog: DialogID_000E, CONTROL_ID:000A, "&Warnen vor Änderungen an Dateien dieser"
:0042233E                 mov ecx, 0000000A
:00422343                 cdq
:00422344                 idiv ecx
:00422346                 cmp edx, 00000008
:00422349                 jne 00422375                   <-- jump if the German user is registered...
:0042234B                 cmp byte ptr [00445660], 00    <-- else...
:00422352                 jne 00422362                   <-- ...jump if the English user is not registered!
* Possible StringData Ref from Code Obj ->"Da Sie dieses Programm relativ "   <-- nag screen for the German user!
                                        ->"h "
:00422354                 mov eax, 00422524
:00422359                 mov dl, 03
:0042235B                 call 0040BC94                  <-- nag screen shown
:00422360                 jmp 0042236E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422352(C)
* Possible StringData Ref from Code Obj ->"Please register soon."   <-- nag screen for the English user!
|
:00422362                 mov eax, 00422590
:00422367                 mov dl, 03
:00422369                 call 0040BC94                  <-- nag screen shown
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422360(U)
|
:0042236E                 mov al, 04
:00422370                 call 0040B384                  <-- end of the nag (English AND German user)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422337(C), :00422349(C)
|
:00422375                 push 00000000                  <-- GOOD BOY! no nag screen!
:00422377                 mov eax, dword ptr [00442014]
:0042237C                 push eax
:0042237D                 push 00000000
:0042237F                 mov eax, dword ptr [00446EE8]

OK! You immediately see something very interesting: if you go up a little in the code, you see that the program tests several memory addresses. At address 42234B there is a comparison: cmp byte ptr [00445660], 00. This comparison is not important for us. Address 445660 is used by the program to test whether the German user is registered or not.

The comparison that determines whether the English user is registered or not is located at address 422330: cmp byte ptr [00446473], 00. It is address 446473 which determines if the English user is registered. If 446473 = 0 the user is not registered, and if 446473 = 1 the user is registered... It is not very hard to understand, is it?

Step Three:

At some moment the program sets address 446473 to 0. We have to locate in the code the moment when the program initializes address 446473 (to 1). In assembler there are many ways to put 1 in an address. We don't know how the programmer managed to put 1 into 446473, so we will search the code for the places where the program uses address 446473. We will inevitably find a place where the program puts 1 at address 446473. For the search, take W32Dasm, go to the "SEARCH" menu, click on "FIND TEXT" and enter 736444. Yes, I entered the memory address backwards (446473 = 736444...), but this is normal: in hex notation the most significant byte is written first and the least significant byte last, whereas in the instruction bytes the order is reversed (look at the first disassembly, address 422330, where the bytes 73 64 44 00 encode [00446473], to understand).

Step Four:

You will find many places in the code where the address is used. But if you look, you will always see a XOR EAX,EAX. That is not very interesting for us, because XOR EAX,EAX sets EAX to 0, whereas we want to force it to 1. Watch this!

:0043F662                 call 0040E0D8
:0043F667                 cmp eax, dword ptr [00446024]
:0043F66D                 je 0043F673
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F65E(C)
:0043F66F                 xor eax, eax                   <-- BAD BOY! EAX=0 and...
:0043F671                 jmp 0043F675                   <-- ...jump to 43F675 to set 446473 to 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F66D(C)
:0043F673                 mov al, 01                     <-- GOOD BOY! AL=1 and...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F671(U)
:0043F675 A273644400      mov byte ptr [00446473], al    <-- ...sets 446473 to 1 (IT'S GOOD FOR YOU!)

The programmer put his initialization routine at the end of the program! This is why the search takes so long... At address 43F66F there is XOR EAX,EAX and a jump which sends us to address 43F675, where the program stores the contents of AL in 446473... But at address 43F673 there is a MOV AL,1, very interesting!... And if we erase XOR EAX,EAX and JMP 43F675, what happens?

Step Five:

Take a hex editor, go to offset 3EA6F and put 90,90,90,90. Now the program no longer sets EAX to 0 but sets AL to 1 and stores AL in 446473... Make the patch and launch WinHex. BOOM! *!REGISTERED!*

For REMARKS, CRITICS, CONTACTS ===> Samsoul99@Hotmail.com
Frenchies: if you want some tutorials written in French, send me a mail.

A crack by TaMaMBoLo from [(/$$¤-SaMSoUL CRAcKInG-¤$$\)]
TaMaMBoLo 99
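Two things in Steps Three and Five are worth seeing in code from the defender's side: why the address 00446473 shows up in the instruction bytes as 73 64 44 00 (little-endian operand encoding, which is what makes the "backwards" text search work), and why a protection that rests on one byte written by one MOV falls to a four-byte NOP overwrite at a fixed file offset. The example below is added here and is not code from the tutorial or from WinHex: it builds a small constructed fake code image containing the encoded "cmp byte ptr [00446473], 00" from the listing, finds the little-endian address pattern in it, then shows that a SHA-256 integrity check over the image detects the kind of 4 x 0x90 overwrite described in Step Five. All bytes, offsets and hashes in it are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample. The real WinHex.exe is never read; this is a fake code image
# containing the bytes W32Dasm showed for "cmp byte ptr [00446473], 00": 80 3D 73 64 44 00 00
REGISTERED_FLAG_ADDR = 0x00446473


def operand_bytes(address: int) -> bytes:
    """Little-endian encoding of a 32-bit absolute address, exactly as it appears
    inside an x86 instruction (least significant byte first)."""
    return struct.pack("<I", address)


def build_sample_image() -> bytes:
    """Constructed fake image: 16 filler bytes, the cmp instruction, 16 filler bytes."""
    cmp_insn = bytes([0x80, 0x3D]) + operand_bytes(REGISTERED_FLAG_ADDR) + b"\x00"
    return b"\xCC" * 16 + cmp_insn + b"\xCC" * 16


def find_address_refs(image: bytes, address: int) -> list:
    """Offsets where the little-endian encoding of `address` occurs in the image.
    This is the search the tutorial does by hand in W32Dasm by typing 736444."""
    pattern = operand_bytes(address)
    hits = []
    start = 0
    while True:
        i = image.find(pattern, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1


def code_hash(image: bytes) -> str:
    """Known-good fingerprint of the code bytes (computed at build/release time)."""
    return hashlib.sha256(image).hexdigest()


def verify_integrity(image: bytes, expected_hash: str) -> bool:
    """Defender-side check: does the code we are about to trust still match the
    fingerprint? Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(code_hash(image), expected_hash)


def nop_overwritten_copy(image: bytes, offset: int, length: int) -> bytes:
    """Simulate the tampering from Step Five on a COPY of the constructed image:
    `length` bytes at `offset` replaced by NOP (0x90). Used only to show detection."""
    return image[:offset] + b"\x90" * length + image[offset + length:]


def demo() -> dict:
    image = build_sample_image()
    good = code_hash(image)
    # Tamper with the 4 bytes right after the filler, mirroring "put 90,90,90,90".
    tampered = nop_overwritten_copy(image, 16, 4)
    return {
        "search_text": operand_bytes(REGISTERED_FLAG_ADDR).hex(),   # '73644400'
        "refs_in_image": find_address_refs(image, REGISTERED_FLAG_ADDR),
        "pristine_ok": verify_integrity(image, good),                # True
        "tampered_ok": verify_integrity(tampered, good),             # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A self-check like verify_integrity raises the cost of the single-byte patch, but it is itself code inside the same image and can be patched out the same way; the durable mitigation is a signature verified outside the program (OS-level code signing) and a registration decision that is not a lone boolean written once at startup.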