Cracking "Hex WorkShop 32 bit v 2.54"

Date         : July 12, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : Hex WorkShop 32 bit v 2.54
Location     : http://www.bpsoft.com/
Method       : CHARACTERS COMPARE <>
-------------------------------------------------------------------------------

I believe that every cracker knows this program - Hex WorkShop. And I believe that I have seen a tutorial on it somewhere on the net. It is a handy hex editor for patching programs in order to bypass, for example, a 30-day time-limit protection. The reason I am writing this tutorial is that the protection scheme of this program seems to have changed, and I need a program such as this in order to patch one program I like. As I told you before, I don't like to patch programs, so you won't see any patch tutorial from me.

As usual, locate the registration dialog box. For this program, you need to enter the correct serial number in order to become registered. I enter '54545454', fire up Soft-Ice and set a breakpoint by typing 'bpx getwindowtexta'. Get out of Soft-Ice and click the 'Register' button. We are back in Soft-Ice. Press 'F11', then 'F10' until you are at :0042627B. Let's do some reasoning here.

:
:
:0042627B 68E8F74700      push 0047F7E8
:00426280 8D45DC          lea eax, dword ptr [ebp-24]
:00426283 50              push eax
:00426284 E867450100      call 0043A7F0
:00426289 83C408          add esp, 00000008
:0042628C 85C0            test eax, eax

The first thing I want to check is the 'push 0047F7E8' at :0042627B. Why should we care about it? Because right after that push come a 'call' and a 'test' instruction: a fixed address pushed next to the address of a local buffer ([ebp-24], which turns out to hold our serial), followed by a call whose result is tested, is the usual shape of a string compare against a constant. In my experience some programmers hard-code the serial number in the program. Maybe this is the case. Just a wild guess. So, what do you see when you type 'd 47F7E8'? I see 'JN11mARQ' in the data window. I quit Soft-Ice and re-enter 'JN11mARQ' as the serial. I click the 'Register' button and I still get the 'Registration Unsuccessful' message box. >_<

Fine. The above experiment just tells me that 'JN11mARQ' is not the right serial number.
Well then, why does the author put it there and compare it with our serial number??? Probably it is the previous version's serial number. What the heck, we don't really care.

Repeat the above process with the same old serial ('54545454') until you reach

:0042628E 0F8414000000    je 004262A8

You won't jump this time because '54545454' is not equal to 'JN11mARQ'.

:00426294 8D45DC          lea eax, dword ptr [ebp-24]
:00426297 50              push eax
:00426298 E823110100      call 004373C0

The above call is the one we want to trace into.

:004373C0 83EC14          sub esp, 00000014
:004373C3 B9FFFFFFFF      mov ecx, FFFFFFFF
:004373C8 2BC0            sub eax, eax
:004373CA 56              push esi
:004373CB 8B74241C        mov esi, dword ptr [esp+1C]
:004373CF 57              push edi
:004373D0 8BFE            mov edi, esi
:004373D2 F2              repnz
:004373D3 AE              scasb
:004373D4 F7D1            not ecx
:004373D6 49              dec ecx
:004373D7 83F908          cmp ecx, 00000008
:004373DA 7408            je 004373E4        ; <-- we need to jump here.
:004373DC 33C0            xor eax, eax
:004373DE 5F              pop edi
:004373DF 5E              pop esi
:004373E0 83C414          add esp, 00000014
:004373E3 C3              ret

Basically, the above block of code just checks whether the serial number you entered has length 8. 'mov ecx, FFFFFFFF' / 'sub eax, eax' / 'repnz scasb' scan the string until the terminating zero byte, and 'not ecx' / 'dec ecx' turn the remaining count into the string length (this is the classic inline strlen); ':004373D7 83F908 cmp ecx, 00000008' then compares that length with 8. If it is 8, jump to 004373E4. If not, eax is zeroed and the routine returns: you are a bad cracker.
:004373E4 6A0A            push 0000000A
:004373E6 8D4602          lea eax, dword ptr [esi+02]
:004373E9 6A00            push 00000000
:004373EB 50              push eax
:004373EC E8DF1F0000      call 004393D0
:004373F1 8D4C2414        lea ecx, dword ptr [esp+14]
:004373F5 83C40C          add esp, 0000000C
:004373F8 8BFE            mov edi, esi
:004373FA 51              push ecx
:004373FB 50              push eax
:004373FC E83FFFFFFF      call 00437340
:00437401 83C408          add esp, 00000008
:00437404 B9FFFFFFFF      mov ecx, FFFFFFFF
:00437409 2BC0            sub eax, eax
:0043740B F2              repnz
:0043740C AE              scasb
:0043740D F7D1            not ecx
:0043740F 2BF9            sub edi, ecx
:00437411 8BC1            mov eax, ecx
:00437413 C1E902          shr ecx, 02
:00437416 8BF7            mov esi, edi
:00437418 8D7C240C        lea edi, dword ptr [esp+0C]
:0043741C F3              repz
:0043741D A5              movsd
:0043741E 8BC8            mov ecx, eax
:00437420 83E103          and ecx, 00000003
:00437423 F3              repz
:00437424 A4              movsb
:00437425 8D742408        lea esi, dword ptr [esp+08]
:00437429 8D4C240C        lea ecx, dword ptr [esp+0C]

Now, type 'd esi' to see 'BQ' in the data window and type 'd ecx' to see '54545454' in the data window.

Worth noticing how those two strings got there. The three pushes at :004373E4-:004373EB (0A, 0, and esi+2, i.e. our serial from its third character onward) followed by the call at :004373EC are the argument pattern of strtoul(serial+2, NULL, 10): the last six characters of the serial are parsed as a base-10 number. That number (eax) and a stack buffer ([esp+14], which becomes [esp+08] after the 'add esp, 0C') are passed to the call at :004373FC, and that routine writes two characters into the buffer; for our input they are 'BQ'. The 'repnz scasb' / 'rep movsd' / 'rep movsb' sequence is an inline strlen plus memcpy that copies our serial into a second stack buffer at [esp+0C]. So esi now points to the two computed characters and ecx to the copy of what we typed.

:0043742D 51              push ecx
:0043742E E82D2D0000      call 0043A160      ; <-- erase space routine
:00437433 83C404          add esp, 00000004

Ok. Now comes the important part: the compare routine.

:00437436 B902000000      mov ecx, 00000002
:0043743B 8BF8            mov edi, eax
:0043743D 2BC0            sub eax, eax
:0043743F F3              repz
:00437440 A6              cmpsb

Some explanation for the above 5 lines:

mov ecx, 00000002 ; <-- number of characters to compare
mov edi, eax      ; <-- edi points to the fake serial number
sub eax, eax      ; <-- eax = 0; this is the value returned if the compare succeeds
repz cmpsb        ; <-- STOP ON THIS LINE, PLEASE

Now, in Soft-Ice, type 'd esi' to see 'BQ' in the data window and 'd edi' to see '54545454' in the data window. Since ECX=2, 'repz cmpsb' compares only two bytes, i.e. the two characters 'BQ' against the first two characters of your fake serial.

Hence, the conclusion is: if the length of the serial is 8 and its first two characters match the two characters the program computed from the remaining six, you are registered. For the digits 545454 those two characters are 'BQ'. Keep in mind that 'BQ' is tied to those digits: the expected prefix is derived from whatever follows it, so a serial with different digits will be checked against a different pair of characters.
:00437441 7405            je 00437448        ; <-- if the two bytes compared
                                             ;     are the same, the zero flag
                                             ;     will be set and you will
                                             ;     jump to 437448
:00437443 1BC0            sbb eax, eax
:00437445 83D8FF          sbb eax, FFFFFFFF
:00437448 85C0            test eax, eax
:0043744A B800000000      mov eax, 00000000
:0043744F 7505            jne 00437456
:00437451 B801000000      mov eax, 00000001
:00437456 5F              pop edi
:00437457 5E              pop esi
:00437458 83C414          add esp, 00000014
:0043745B C3              ret

On a mismatch the two 'sbb' instructions turn the carry flag from the last 'cmpsb' into -1 or 1, so eax is non-zero; 'test eax, eax' then takes the 'jne' and the routine returns 0. On a match eax is still 0 from the 'sub eax, eax' above, the 'jne' is not taken, and the routine returns 1. The caller only needs that 1.

Ok. Enter the following serial: BQ545454 and you will see a dialog box show up for you to enter the name and organization. Done.

Final Note: none.

Ob Duh
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?

+ViPeR+ [E]bola [V]irus [C]rew
July 12, 1999
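Addendum. The C program below is an added example written for this page; it is not code from the original tutorial or from BreakPoint Software. It models the check routine at 004373C0 step by step as the listing shows it (length must be 8, base-10 parse of the serial from its third character on, two computed characters compared against the first two typed ones) and adds a small keygen skeleton that builds a serial the check accepts. The routine at 00437340 that derives the two expected characters is not on the page, so the model takes it as a callback; the only data point the tutorial gives (digits 545454 -> 'BQ') is encoded in a stand-in named observed_prefix, which is an assumption of this example and not the program's real derivation. The function names hws_check_serial, hws_make_serial and hws_roundtrip are likewise mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the routine at 00437340, which the listing does not show.
   It turns the numeric value of the serial's last six characters into the
   two characters the first two bytes of the serial must match. */
typedef void (*prefix_fn)(unsigned long digits, char out[2]);

/* The single data point the tutorial gives: for the digits 545454 the
   expected prefix seen at 'd esi' was "BQ".  Any other input is unknown,
   so this hypothetical stand-in returns two NUL bytes, which no typed
   serial will match. */
static void observed_prefix(unsigned long digits, char out[2])
{
    if (digits == 545454UL) {
        out[0] = 'B';
        out[1] = 'Q';
    } else {
        out[0] = out[1] = '\0';
    }
}

/* Model of the check at 004373C0.  Returns 1 (registered) or 0 (rejected),
   exactly as the routine's epilogue does. */
int hws_check_serial(const char *serial, prefix_fn derive)
{
    char expected[2];
    char copy[32];                /* the stack buffer at [esp+0C] */
    size_t len, i, j;
    unsigned long digits;

    /* mov ecx,-1 / repnz scasb / not ecx / dec ecx  ==> strlen */
    len = strlen(serial);
    if (len != 8)                 /* cmp ecx,8 / je 004373E4 */
        return 0;

    /* push 0Ah / push 0 / push eax (eax = serial+2) / call 004393D0
       reads as strtoul(serial + 2, NULL, 10) */
    digits = strtoul(serial + 2, NULL, 10);

    /* call 00437340 writes the two expected characters to [esp+08] */
    derive(digits, expected);

    /* rep movsd / rep movsb copy the typed serial into the local buffer */
    memcpy(copy, serial, len + 1);

    /* call 0043A160, labelled "erase space routine" in the tutorial */
    for (i = 0, j = 0; copy[i] != '\0'; i++)
        if (copy[i] != ' ')
            copy[j++] = copy[i];
    copy[j] = '\0';

    /* mov ecx,2 / repz cmpsb : only the first two bytes are compared */
    return memcmp(expected, copy, 2) == 0 ? 1 : 0;
}

/* Keygen skeleton: given six digits, build the serial the check accepts.
   Returns 0 when the derivation has no answer for those digits. */
int hws_make_serial(const char *digits, prefix_fn derive, char out[9])
{
    char expected[2];

    if (strlen(digits) != 6)
        return 0;
    derive(strtoul(digits, NULL, 10), expected);
    if (expected[0] == '\0' || expected[1] == '\0')
        return 0;
    out[0] = expected[0];
    out[1] = expected[1];
    memcpy(out + 2, digits, 7);   /* six digits plus the terminator */
    return 1;
}

/* Self-check: does the keygen's output pass the modelled check? */
int hws_roundtrip(const char *digits)
{
    char made[9];

    if (!hws_make_serial(digits, observed_prefix, made))
        return 0;
    return hws_check_serial(made, observed_prefix);
}

int main(void)
{
    const char *tries[] = { "54545454", "JN11mARQ", "BQ545454",
                            "BQ54545", "BQ123456" };
    char made[9];
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-9s -> %s\n", tries[i],
               hws_check_serial(tries[i], observed_prefix) ? "registered"
                                                            : "rejected");
    if (hws_make_serial("545454", observed_prefix, made))
        printf("keygen for 545454: %s\n", made);
    return 0;
}
```

Only BQ545454 passes under the stand-in; BQ123456 is rejected because the stand-in knows no prefix for 123456, which is the point of the caveat above: to write a real keygen you would trace into 00437340 and reimplement the digits-to-prefix derivation in place of observed_prefix.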