Dark Heaven - Tutorial: Registration of HTML (Un)Compress v4.1

Program:     HTML (Un)Compress v4.1
Description: HTML (Un)Compressor
Author:      (c)1998 Jan Jacobs
Size:        420.352 Bytes (HTMLCOMP.EXE)
Used Tools:  - W32DSM89

1. First we must find out what kind of protection this program uses. Start "HTML (Un)Compress": a NAG screen appears, and a "Password" option can already be seen on it. Click "Password" and a window opens where we can enter Name and Serial. So "HTML (Un)Compress" uses a serial number as protection! To get a clue about our serial, enter any data into the registration dialog, e.g.

   Name:   Dark Heaven
   Serial: 1122334455

   Take careful note of the error message that appears!

2. Leave the program and load W32DASM89.

3. Now disassemble HTMLCOMP.EXE (to be on the safe side, save the code) and run the program via the debugger [Debug/Load Process].

4. Look for the error message "There seems to be a problem with either the name or the password" via [Refs/String Data References]. Double-clicking a reference shows the corresponding lines in the listing. We find the reference at address :0044D2D7.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044D27B(C)
   |
   :0044D2CC 6A00              push 00000000                   ; <- searching JUMP to this point
   :0044D2CE 668B0D20D34400    mov cx, word ptr [0044D320]
   :0044D2D5 B201              mov dl, 01

   * Possible StringData Ref from Code Obj ->"There seems to be a problem with "
                                         ->"either the name or the password. "
                                         ->"Make sure there are no spaces "
                                         ->"in front or after you name and/of "
                                         ->"password. Pay also special attention "
                                         ->"to the differance between O and "
                                         ->"0. If the problem persists, please "
                                         ->"contact me immediately."
   |
   :0044D2D7 B8BCD34400        mov eax, 0044D3BC               ; <- the ERROR message
   :0044D2DC E85FC4FEFF        call 00439740
   :0044D2E1 EB15              jmp 0044D2F8

4. Now we must find the jump to the error message. We choose the menu [Goto], the menu option [Goto Code Location], and enter the address 0044D27B.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044D1E1(C)
   |
   :0044D250 8D55FC            lea edx, dword ptr [ebp-04]
   :0044D253 8B83F4010000      mov eax, dword ptr [ebx+000001F4]
   :0044D259 E882FDFCFF        call 0041CFE0
   :0044D25E 8B45FC            mov eax, dword ptr [ebp-04]
   :0044D261 50                push eax
   :0044D262 8D55F8            lea edx, dword ptr [ebp-08]
   :0044D265 8B83EC010000      mov eax, dword ptr [ebx+000001EC]
   :0044D26B E870FDFCFF        call 0041CFE0
   :0044D270 8B45F8            mov eax, dword ptr [ebp-08]
   :0044D273 5A                pop edx
   :0044D274 E84FD6FFFF        call 0044A8C8                   ; <- Execute Call
   :0044D279 3C01              cmp al, 01
   :0044D27B 754F              jne 0044D2CC                    ; <- Jump to ERROR message
   :0044D27D 8D55FC            lea edx, dword ptr [ebp-04]
   :0044D280 8B83F4010000      mov eax, dword ptr [ebx+000001F4]
   :0044D286 E855FDFCFF        call 0041CFE0
   :0044D28B 8B45FC            mov eax, dword ptr [ebp-04]
   :0044D28E 50                push eax
   :0044D28F 8D55F8            lea edx, dword ptr [ebp-08]
   :0044D292 8B83EC010000      mov eax, dword ptr [ebx+000001EC]
   :0044D298 E843FDFCFF        call 0041CFE0
   :0044D29D 8B45F8            mov eax, dword ptr [ebp-08]
   :0044D2A0 5A                pop edx
   :0044D2A1 E8A2E0FFFF        call 0044B348
   :0044D2A6 6A00              push 00000000
   :0044D2A8 668B0D20D34400    mov cx, word ptr [0044D320]
   :0044D2AF B202              mov dl, 02

5. We follow the call at address 0044D274 via [Execute Text/Execute Jump].
   * Referenced by a CALL at Addresses:
   |:0044A38E   , :0044B384   , :0044D274
   |
   :0044A8C8 55                push ebp                        ; <- from CALL at 0044D274
   :0044A8C9 8BEC              mov ebp, esp
   :0044A8CB 83C484            add esp, FFFFFF84
   :0044A8CE 53                push ebx
   :0044A8CF 56                push esi
   :0044A8D0 57                push edi
   :0044A8D1 33C9              xor ecx, ecx
   :0044A8D3 894D84            mov dword ptr [ebp-7C], ecx
   :0044A8D6 894DD0            mov dword ptr [ebp-30], ecx
   :0044A8D9 8955F8            mov dword ptr [ebp-08], edx
   :0044A8DC 8945FC            mov dword ptr [ebp-04], eax
   :0044A8DF 8B45FC            mov eax, dword ptr [ebp-04]
   :0044A8E2 E8CD94FBFF        call 00403DB4
   :0044A8E7 8B45F8            mov eax, dword ptr [ebp-08]
   :0044A8EA E8C594FBFF        call 00403DB4
   :0044A8EF 33C0              xor eax, eax
   :0044A8F1 55                push ebp
   :0044A8F2 6801AC4400        push 0044AC01
   :0044A8F7 64FF30            push dword ptr fs:[eax]
   :0044A8FA 648920            mov dword ptr fs:[eax], esp
   :0044A8FD 33C0              xor eax, eax
   :0044A8FF 8945EC            mov dword ptr [ebp-14], eax
   :0044A902 8B45FC            mov eax, dword ptr [ebp-04]
   :0044A905 E8F692FBFF        call 00403C00                   ; <- calculate length of name
   :0044A90A 894588            mov dword ptr [ebp-78], eax
   :0044A90D DB4588            fild dword ptr [ebp-78]
   :0044A910 D80D14AC4400      fmul dword ptr [0044AC14]
   :0044A916 DB7DD6            fstp tbyte ptr [ebp-2A]
   :0044A919 9B                wait
   :0044A91A C745F0FFFFFFFF    mov [ebp-10], FFFFFFFF
   :0044A921 BE01000000        mov esi, 00000001
   :0044A926 8D45AC            lea eax, dword ptr [ebp-54]
   :0044A929 8945CC            mov dword ptr [ebp-34], eax

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044A9CF(C)
   |
   :0044A92C 33C0              xor eax, eax
   :0044A92E 8945E8            mov dword ptr [ebp-18], eax
   :0044A931 33C0              xor eax, eax
   :0044A933 8945E4            mov dword ptr [ebp-1C], eax
   :0044A936 DB6DD6            fld tbyte ptr [ebp-2A]
   :0044A939 E8E680FBFF        call 00402A24
   :0044A93E 8BF8              mov edi, eax
   :0044A940 47                inc edi
   :0044A941 85FF              test edi, edi
   :0044A943 7C66              jl 0044A9AB
   :0044A945 47                inc edi
   :0044A946 33DB              xor ebx, ebx

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044A9A9(C)
   |
   :0044A948 897588            mov dword ptr [ebp-78], esi
   :0044A94B DB4588            fild dword ptr [ebp-78]
   :0044A94E DB6DD6            fld tbyte ptr [ebp-2A]
   :0044A951 DEC9              fmulp st(1), st(0)
   :0044A953 E8CC80FBFF        call 00402A24
   :0044A958 8B55FC            mov edx, dword ptr [ebp-04]
   :0044A95B 0FB60402          movzx eax, byte ptr [edx+eax]
   :0044A95F 0145E8            add dword ptr [ebp-18], eax
   :0044A962 895D88            mov dword ptr [ebp-78], ebx
   :0044A965 DB4588            fild dword ptr [ebp-78]
   :0044A968 DB6DD6            fld tbyte ptr [ebp-2A]
   :0044A96B DEC9              fmulp st(1), st(0)
   :0044A96D E8B280FBFF        call 00402A24
   :0044A972 8B55FC            mov edx, dword ptr [ebp-04]
   :0044A975 0FB60402          movzx eax, byte ptr [edx+eax]
   :0044A979 50                push eax
   :0044A97A 8B45EC            mov eax, dword ptr [ebp-14]
   :0044A97D 5A                pop edx
   :0044A97E 2BC2              sub eax, edx
   :0044A980 85C0              test eax, eax
   :0044A982 7D06              jge 0044A98A
   :0044A984 33D2              xor edx, edx
   :0044A986 2BD0              sub edx, eax
   :0044A988 8BC2              mov eax, edx

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044A982(C)
   |
   :0044A98A 0145E4            add dword ptr [ebp-1C], eax
   :0044A98D 895D88            mov dword ptr [ebp-78], ebx
   :0044A990 DB4588            fild dword ptr [ebp-78]
   :0044A993 DB6DD6            fld tbyte ptr [ebp-2A]
   :0044A996 DEC9              fmulp st(1), st(0)
   :0044A998 E88780FBFF        call 00402A24
   :0044A99D 8B55FC            mov edx, dword ptr [ebp-04]
   :0044A9A0 0FB60402          movzx eax, byte ptr [edx+eax]
   :0044A9A4 8945EC            mov dword ptr [ebp-14], eax
   :0044A9A7 43                inc ebx
   :0044A9A8 4F                dec edi
   :0044A9A9 759D              jne 0044A948

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044A943(C)
   |
   :0044A9AB 8B45E8            mov eax, dword ptr [ebp-18]
   :0044A9AE 0345E4            add eax, dword ptr [ebp-1C]
   :0044A9B1 8D14B6            lea edx, dword ptr [esi+4*esi]
   :0044A9B4 0FAF55F0          imul edx, dword ptr [ebp-10]
   :0044A9B8 03C2              add eax, edx
   :0044A9BA 8B55CC            mov edx, dword ptr [ebp-34]
   :0044A9BD 8902              mov dword ptr [edx], eax
   :0044A9BF 33C0              xor eax, eax
   :0044A9C1 2B45F0            sub eax, dword ptr [ebp-10]
   :0044A9C4 8945F0            mov dword ptr [ebp-10], eax
   :0044A9C7 46                inc esi
   :0044A9C8 8345CC04          add dword ptr [ebp-34], 00000004
   :0044A9CC 83FE08            cmp esi, 00000008
   :0044A9CF 0F8557FFFFFF      jne 0044A92C
   :0044A9D5 33FF              xor edi, edi
   :0044A9D7 C745E0E8030000    mov [ebp-20], 000003E8
   :0044A9DE BE07000000        mov esi, 00000007
   :0044A9E3 8D45AC            lea eax, dword ptr [ebp-54]

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044A9FA(C)
   |
   :0044A9E6 8B10              mov edx, dword ptr [eax]
   :0044A9E8 3BFA              cmp edi, edx
   :0044A9EA 7D02              jge 0044A9EE
   :0044A9EC 8BFA              mov edi, edx

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044A9EA(C)
   |
   :0044A9EE 3B55E0            cmp edx, dword ptr [ebp-20]
   :0044A9F1 7D03              jge 0044A9F6
   :0044A9F3 8955E0            mov dword ptr [ebp-20], edx

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044A9F1(C)
   |
   :0044A9F6 83C004            add eax, 00000004
   :0044A9F9 4E                dec esi
   :0044A9FA 75EA              jne 0044A9E6
   :0044A9FC 2B7DE0            sub edi, dword ptr [ebp-20]
   :0044A9FF 47                inc edi
   :0044AA00 BE07000000        mov esi, 00000007
   :0044AA05 8D5DAC            lea ebx, dword ptr [ebp-54]

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AA3E(C)
   |
   :0044AA08 8B03              mov eax, dword ptr [ebx]
   :0044AA0A 2B45E0            sub eax, dword ptr [ebp-20]
   :0044AA0D 40                inc eax
   :0044AA0E 8903              mov dword ptr [ebx], eax
   :0044AA10 DB03              fild dword ptr [ebx]
   :0044AA12 897D88            mov dword ptr [ebp-78], edi
   :0044AA15 DB4588            fild dword ptr [ebp-78]
   :0044AA18 DEF9              fdivp st(1), st(0)
   :0044AA1A D80D18AC4400      fmul dword ptr [0044AC18]
   :0044AA20 E8FF7FFBFF        call 00402A24
   :0044AA25 8903              mov dword ptr [ebx], eax
   :0044AA27 830330            add dword ptr [ebx], 00000030
   :0044AA2A 833B39            cmp dword ptr [ebx], 00000039
   :0044AA2D 7E03              jle 0044AA32
   :0044AA2F 830307            add dword ptr [ebx], 00000007

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AA2D(C)
   |
   :0044AA32 833B5A            cmp dword ptr [ebx], 0000005A
   :0044AA35 7E03              jle 0044AA3A
   :0044AA37 830307            add dword ptr [ebx], 00000007

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AA35(C)
   |
   :0044AA3A 83C304            add ebx, 00000004
   :0044AA3D 4E                dec esi
   :0044AA3E 75C8              jne 0044AA08
   :0044AA40 8B45FC            mov eax, dword ptr [ebp-04]
   :0044AA43 E8B891FBFF        call 00403C00
   :0044AA48 8D1C80            lea ebx, dword ptr [eax+4*eax]
   :0044AA4B 83C337            add ebx, 00000037
   :0044AA4E 895DC8            mov dword ptr [ebp-38], ebx
   :0044AA51 83FB39            cmp ebx, 00000039
   :0044AA54 7E04              jle 0044AA5A
   :0044AA56 8345C807          add dword ptr [ebp-38], 00000007

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AA54(C)
   |
   :0044AA5A 837DC85A          cmp dword ptr [ebp-38], 0000005A
   :0044AA5E 7E04              jle 0044AA64
   :0044AA60 8345C807          add dword ptr [ebp-38], 00000007

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AA5E(C)
   |
   :0044AA64 837DC87A          cmp dword ptr [ebp-38], 0000007A
   :0044AA68 7E04              jle 0044AA6E
   :0044AA6A 8345C807          add dword ptr [ebp-38], 00000007

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AA68(C)
   |
   :0044AA6E C645F701          mov [ebp-09], 01

   * Possible StringData Ref from Code Obj ->"THE_q"                 ; What's that?
   |
   :0044AA72 B824AC4400        mov eax, 0044AC24
   :0044AA77 E84893FBFF        call 00403DC4
   :0044AA7C 89458C            mov dword ptr [ebp-74], eax

   * Possible StringData Ref from Code Obj ->"FreeVer"
   |
   :0044AA7F B834AC4400        mov eax, 0044AC34
   :0044AA84 E83B93FBFF        call 00403DC4
   :0044AA89 894590            mov dword ptr [ebp-70], eax
   :0044AA8C B844AC4400        mov eax, 0044AC44
   :0044AA91 E82E93FBFF        call 00403DC4
   :0044AA96 894594            mov dword ptr [ebp-6C], eax

   * Possible StringData Ref from Code Obj ->"PC98"                  ; That's Phrozen Crew
   |
   :0044AA99 B850AC4400        mov eax, 0044AC50
   :0044AA9E E82193FBFF        call 00403DC4
   :0044AAA3 894598            mov dword ptr [ebp-68], eax

   * Possible StringData Ref from Code Obj ->"HTMLcom"
   |
   :0044AAA6 B860AC4400        mov eax, 0044AC60
   :0044AAAB E81493FBFF        call 00403DC4
   :0044AAB0 89459C            mov dword ptr [ebp-64], eax

   * Possible StringData Ref from Code Obj ->"Black Thorne - PC'98"  ; another PC member
   |
   :0044AAB3 B870AC4400        mov eax, 0044AC70
   :0044AAB8 E80793FBFF        call 00403DC4
   :0044AABD 8945A0            mov dword ptr [ebp-60], eax

   * Possible StringData Ref from Code Obj ->"romeo"                 ; another cracker (ex-PC?)
   |
   :0044AAC0 B890AC4400        mov eax, 0044AC90
   :0044AAC5 E8FA92FBFF        call 00403DC4
   :0044AACA 8945A4            mov dword ptr [ebp-5C], eax

   * Possible StringData Ref from Code Obj ->"The Sandman"           ; one more cracker (ex-PC?)
   |
   :0044AACD B8A0AC4400        mov eax, 0044ACA0
   :0044AAD2 E8ED92FBFF        call 00403DC4
   :0044AAD7 8945A8            mov dword ptr [ebp-58], eax
   :0044AADA BE08000000        mov esi, 00000008
   :0044AADF 8D5D8C            lea ebx, dword ptr [ebp-74]

   Clever! If the name matches one of these, "HTML (Un)Compress" rejects the registration. Sorry, Phrozen Crew...

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AAFD(C)
   |
   :0044AAE2 8D45FC            lea eax, dword ptr [ebp-04]
   :0044AAE5 E8E692FBFF        call 00403DD0
   :0044AAEA 8B13              mov edx, dword ptr [ebx]
   :0044AAEC E813CAFBFF        call 00407504
   :0044AAF1 85C0              test eax, eax
   :0044AAF3 7504              jne 0044AAF9
   :0044AAF5 C645F700          mov [ebp-09], 00

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AAF3(C)
   |
   :0044AAF9 83C304            add ebx, 00000004
   :0044AAFC 4E                dec esi
   :0044AAFD 75E3              jne 0044AAE2
   :0044AAFF 8D45D0            lea eax, dword ptr [ebp-30]
   :0044AB02 E87D8EFBFF        call 00403984
   :0044AB07 BE01000000        mov esi, 00000001
   :0044AB0C 8D7DAC            lea edi, dword ptr [ebp-54]

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AB9C(C)
   |
   :0044AB0F 8B07              mov eax, dword ptr [edi]
   :0044AB11 8B55F8            mov edx, dword ptr [ebp-08]
   :0044AB14 3A4432FF          cmp al, byte ptr [edx+esi-01]   ; <- here we set a Breakpoint
   :0044AB18 7404              je 0044AB1E
   :0044AB1A C645F700          mov [ebp-09], 00

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044AB18(C)
   |
   :0044AB1E 8B45FC            mov eax, dword ptr [ebp-04]
   :0044AB21 8A5C30FF          mov bl, byte ptr [eax+esi-01]
   :0044AB25 8BC3              mov eax, ebx
   :0044AB27 3C41              cmp al, 41
   :0044AB29 7323              jnb 0044AB4E
   :0044AB2B 8D4584            lea eax, dword ptr [ebp-7C]
   :0044AB2E 8B17              mov edx, dword ptr [edi]
   :0044AB30 83C241            add edx, 00000041
   :0044AB33 8B4DFC            mov ecx, dword ptr [ebp-04]
   :0044AB36 33C9              xor ecx, ecx
   :0044AB38 8ACB              mov cl, bl
   :0044AB3A 2BD1              sub edx, ecx
   :0044AB3C E8E78FFBFF        call 00403B28
   :0044AB41 8B5584            mov edx, dword ptr [ebp-7C]
   :0044AB44 8D45D0            lea eax, dword ptr [ebp-30]
   :0044AB47 E8BC90FBFF        call 00403C08
   :0044AB4C EB47              jmp 0044AB95

   SNIP

6. At address 0044AB14 we set a breakpoint on the compare (cmp al, byte ptr [edx+esi-01]) via [F2]. Then we switch to "HTML (Un)Compress" and enter our name and our dummy code, e.g.:

   Name:     Dark Heaven
   Password: 1122334455

7. After entering our data, W32DASM breaks at our breakpoint. Now we can look at the two operands of the compare at address 0044AB14 (cmp al, byte ptr [edx+esi-01]): al holds the character the program expects, and [edx+esi-01] holds the character we typed. This breakpoint is hit 8 times in all (after the first break, 7 more times). The following table shows the contents at each break:

   al   [edx+esi-01]   Code-Input
   -----------------------------------
   6A   31             j1223344
   72   31             jr223344
   30   32             jr023344
   55   32             jr0U3344
   64   33             jr0Ud344
   79   33             jr0Udy44
   62   34             jr0Udyb4
   83   34             jr0Udybƒ

   In this case the character 'ƒ' is stored as 83 (hex) (see the ASCII table). So our correct code is: jr0Udybƒ

8. Now we can register "HTML (Un)Compress" with this password. As a result we get the message "Thanks for registering HTML (Un)Compress!", e.g.:

   Name:     Dark Heaven
   Password: jr0Udybƒ

9. Note: after successful registration "HTML (Un)Compress" writes our data into the registry. It can be found under the following key:

   [HKEY_LOCAL_MACHINE\Software\HTML (Un)Compress\Registration]
   "Name"="Dark Heaven"
   "Password"="jr0Udybƒ"

I hope you have fun with cracking!

Dark Heaven
29.03.1999
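The weakness that steps 6 and 7 rely on, modelled as an added example (not code from the tutorial or from HTML (Un)Compress): a flag-and-continue, character-by-character compare against a serial derived from the name, beside a digest compare that leaves nothing readable at the same breakpoint. derive_char is a constructed toy; only the +0x30 / +7 range mapping is taken from the listing, and the real program's arithmetic is not reproduced.

```python
import hashlib
import hmac

SERIAL_LEN = 8
observed = []  # stands in for what a debugger reads at the compare

def derive_char(name: str, i: int) -> str:
    # Constructed stand-in for the program's derivation. Only the range
    # mapping is from the listing: +0x30, then +7 past '9' and past 'Z'.
    v = sum((b + i) * (k + 1) for k, b in enumerate(name.encode()))
    c = 0x30 + v % 61
    if c > 0x39:
        c += 7
    if c > 0x5A:
        c += 7  # 0x5B + 7 = 'b', so 'a' can never occur
    return chr(c)

def expected_serial(name: str) -> str:
    return "".join(derive_char(name, i) for i in range(SERIAL_LEN))

def check_weak(name: str, serial: str) -> bool:
    # Flag-and-continue compare as at 0044AB14/0044AB1A: a mismatch clears
    # the flag but all eight characters are still compared, so one run with
    # any input exposes the whole expected serial at the breakpoint.
    observed.clear()
    ok = len(serial) == SERIAL_LEN
    for i in range(SERIAL_LEN):
        exp = derive_char(name, i)
        observed.append(exp)  # what the breakpoint shows in al
        if i >= len(serial) or serial[i] != exp:
            ok = False  # mov [ebp-09], 00
    return ok

def check_hashed(name: str, serial: str) -> bool:
    # Compare digests in constant time: the compare operands are digest
    # bytes, so a breakpoint there no longer yields one serial character
    # per stop. The derivation still runs client-side, so a keygen remains
    # possible; only a signed licence the client cannot forge closes that.
    observed.clear()
    want = hashlib.sha256(expected_serial(name).encode()).digest()
    got = hashlib.sha256(serial.encode()).digest()
    observed.extend(want.hex())
    return hmac.compare_digest(want, got)

def serial_seen_at_compare(name: str) -> str:
    # The tutorial's table: one run with the dummy password, reading al at
    # each of the eight breaks.
    check_weak(name, "1122334455")
    return "".join(observed)
```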