CRACKING...YOUR FIRST STEPS WITH WINDASM AND HIEW!

This tutorial will teach you the first steps into the world of reversing, so if you are not a complete newbie, there is nothing here to learn for you! This tutorial is only meant to teach newbies the very first steps in using WINDASM and HIEW.

Our target: Webpublisher 2.3 (www.brizsoft.com)

Tools used: Windasm and Hiew (www.protools.com)

Lets get started...

Install Webpublisher and run it. Have a look at it and notice what the program does and, more importantly, what it doesn't do!

Now make a copy of your webpublisher.exe file, just in case we screw it up.

Right, back to the program. When you start the program you get welcomed by a NAGSCREEN which tells us to register. Right... we won't be ripping a serial this time, as I will show you how to patch this program.

THE WELCOME NAGSCREEN

If you take a further look into the program, especially the ABOUT screen, we notice that we indeed have an UNREGISTERED VERSION.. duh.. Anyhow, this text is important for us, so write it down. Notice that any text which says anything about an unregistered version is important!

THE ABOUT BOX


Ok, let's really get to work now. Load up WINDASM (w32dsm89). Go to the menu called 'DISASSEMBLER' (top left) and choose 'Open file to disassemble'. Select the directory where you installed Webpublisher and select the webpublisher.exe file. Wait a few seconds and the following screen appears..

Now push the 'Strn Ref' button. It's next to the printer button. A huge list with all kinds of words and sentences appears. Now scroll down and look for the text you wrote down: UNREGISTERED VERSION. Found it? Good! Double-click on it and you get zapped to a different place inside the code.

And yes, this part of the code is important for us!! In fact it tells us how we can (and will) crack this program. If you look at the screen you see both UNREGISTERED as well as REGISTERED VERSION. Of course we want the registered version. When you look above REGISTERED VERSION you notice 3 important lines of code: MOV, CMP and JE. (look at the photo below)

The following happens here: the value stored at address 48f16c gets moved (MOV) into the EAX register.

Then that value gets compared with 00 (CMP).

Next is JE, which means JUMP IF EQUAL. So if the value at 48f16c is 00, the compare is equal and the program jumps to the unregistered version! This means that if the value is NOT 00, we are registered!! GOOD! So what we will do is change that JE instruction into JNE (jump if NOT equal). Doing this will make the program think it is registered. But of course this is not the only place the program checks this value!

So write down that value 48f16c and go to the top of the code again!

THE IMPORTANT CODE!

Push the flashlight button (3rd button on the left) and fill in the value 48f16c.

Now WinDasm stops every time that value is found.

SEARCH THE VALUE

Every time it stops and this value is found, look a few lines below for a JE or JNE instruction. Now double-click on that line. Then look at the bottom of your screen and you'll notice the word OFFSET (as shown in the photo).

Write down the value which stands behind it (in the photo it is 0008A43Bh; we only need 8A43B). So do this every time WinDasm stops and you have double-clicked on the JE or JNE below it. All in all it should stop about 4 times, so you will have noted 4 offset addresses as well! These are the addresses we are going to adjust, or, as you prefer, to PATCH.

OFFSET

You should have found the following offset addresses: 7db64, 7e056, 89953, 8a43b (this is to check whether you did a good job, hehe)

Right, let's adjust these addresses, shall we. This is done using a hex editor. There are many good hex editors available, but I prefer HIEW myself, so let's use that one.

Exit WinDasm if you haven't already and run HIEW. The following screen should appear:

HIEW

Find your Webpublisher directory and select the .exe file again.

Press F5 and you may enter your offset address now. When you hit enter, you will land at the correct location.

As you can see, this is the line we need to adjust. We need to change the JE into JNE. Stand on the value 74 and press F3. Now you are able to change that value. So change 74 into 75 and press F9. You can see that JE has changed into JNE.

PATCHING THE CODE

Original byte:

Patched byte:

So we changed the JE (74) into JNE (75), reversing the condition of the jump.

Remember we had 4 offset addresses, so repeat the above steps with all the addresses. When you have finished all 4 of them, press F10 to close HIEW. All changes have been saved into the program now.
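A defender's counterpart to the backup copy made earlier: an added Python example (not part of this tutorial) that compares the saved original against the file now on disk, hashes both, lists every differing offset in HIEW-style hex, and decodes a 74h/75h change as an inverted JE/JNE branch. The image bytes it runs on are constructed stand-ins, not Webpublisher's.

```python
from hashlib import sha256

# Short (rel8) conditional-jump opcodes discussed in the tutorial: 74h = JE, 75h = JNE.
SHORT_JCC = {0x74: "JE", 0x75: "JNE"}


def diff_offsets(original: bytes, modified: bytes) -> list:
    """Return (offset, old_byte, new_byte) for every byte that differs."""
    if len(original) != len(modified):
        raise ValueError("images differ in length; not a simple in-place byte patch")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]


def describe(change: tuple) -> str:
    """Render one change in HIEW-style hex; flag a JE<->JNE flip as an inverted branch."""
    off, old, new = change
    old_m, new_m = SHORT_JCC.get(old), SHORT_JCC.get(new)
    text = f"{off:08X}h: {old:02X} -> {new:02X}"
    if old_m and new_m and old_m != new_m:
        text += f"  ({old_m} -> {new_m}, branch condition inverted)"
    return text


def tamper_report(original: bytes, modified: bytes) -> dict:
    """Hash both images and list decoded changes; an empty 'changes' list means untouched."""
    return {
        "original_sha256": sha256(original).hexdigest(),
        "current_sha256": sha256(modified).hexdigest(),
        "changes": [describe(c) for c in diff_offsets(original, modified)],
    }


# Constructed sample image (NOT Webpublisher's real bytes): zero-filled, with a
# 'cmp eax,0 ; je' pattern placed so the JE opcode sits at the four offsets the
# tutorial reports, then a copy with each JE (74h) flipped to JNE (75h).
CHECK_OFFSETS = (0x7DB64, 0x7E056, 0x89953, 0x8A43B)


def build_sample() -> tuple:
    img = bytearray(0x8A440)
    for off in CHECK_OFFSETS:
        img[off - 3:off + 2] = bytes([0x83, 0xF8, 0x00, 0x74, 0x10])  # cmp eax,0 ; je short
    original = bytes(img)
    for off in CHECK_OFFSETS:
        img[off] = 0x75  # the edit the tutorial makes in HIEW
    return original, bytes(img)


if __name__ == "__main__":
    orig, cur = build_sample()
    for line in tamper_report(orig, cur)["changes"]:
        print(line)
```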

Finally, run Webpublisher again and see whether you succeeded!

SUCCESSFUL SCREEN

When you receive this message and your nagscreen has vanished, you did a good job!!

And that's all for this tutorial. You should now at least be able to work with WinDasm and HIEW. Again, it is written completely for the absolute beginners among us, as it is difficult enough to get started!


Sempai^LasH