HexDecCharEditor 1.02
HexDecCharEditor is a hex editor with a lot of functions and, as the File Analyzer identifies, it is compiled with Borland Delphi 3.0.
Here (502 KB), or at the developer's site: http://beyersdorf.com
The HexDecCharEditor is more than a common hex-editor for programmers
who want to view, modify, search, compare and analyze binary files. Due to the
possibility to set, save and search for colored marks the HexDecCharEditor is
especially suited to analyze file formats. It can be switched between hexadecimal
and decimal output and input. At the same time the bytes are displayed as characters.
Of course it is also possible to enter the bytes as characters from the keyboard.
The HexDecCharEditor offers a lot of easy to use options for the search for
and replacement of sequences of hexadecimal or decimal byte-values and characters.
Several jump-functions are implemented. Data can be loaded directly from the
clipboard. This makes the HexDecCharEditor the perfect tool for analyzing clipboard-formats.
It goes without saying that hex-dumps can be printed with and without marks.
This program is time-limited to 30 days and needs a name and key to become registered software. So press the Register button and enter the name PIRATE COPY and the key 12345. Press OK; a message will appear telling us that the name and key cannot be accepted together.

Let's try again: enter the name and the key, but before pressing OK enter SoftICE and set a breakpoint by typing "bpx hmemcpy", then "x" or F5 to leave SoftICE. Press OK and you are in SoftICE again. Type "bd*" (breakpoint disable; * means all of them) or "bd 00" (because our breakpoint is number 00; if you type "bl" you will see all the breakpoints) and press F12 so you start jumping through the code in your computer's memory. After pressing F12 seven times you will be in the code of HEXDECCHAREDITOR, and now you have to search for the calculation-comparison code of the good name-key, which will usually be a Call followed by a Test and after that a Jump to the bad or good registration message. Press F10 so you will step into the code of HEXDECCHAREDITOR. If you press F10 about 22 times you will find this code:
:0043584F 8B83DC010000      mov eax, dword ptr [ebx+000001DC]
:00435855 E8EEC2FFFF    (1) call 00431B48
:0043585A 84C0          (2) test al, al
:0043585C 7432          (3) je 00435890
You see the (1) call where the calculation-comparison is done, the (2) test, which sets the flags, and the (3) jump to the bad message if al=0. First I want to test whether this is really the place I'm looking for, so I place one or two breakpoints by double-clicking on the call. Then I change the (3) je from JUMP to NO JUMP by typing "r fl z" (reverse the zero flag) and press F10 several times; the message that I'm registered appears. Cool, I'm in the right place.

I restart the program and enter the name and key. SoftICE will break where I had put the breakpoint before. Let's take a look into that call by pressing F10:
:00431B48 55                push ebp
:00431B49 8BEC              mov ebp, esp
:00431B4B 83C4E0            add esp, FFFFFFE0
:00431B4E 53                push ebx
:00431B4F 56                push esi
:00431B50 57                push edi
:00431B51 33DB              xor ebx, ebx
:00431B53 895DE4            mov dword ptr [ebp-1C], ebx      ; our serial enters here
:00431B56 895DE0            mov dword ptr [ebp-20], ebx
:00431B59 895DF0            mov dword ptr [ebp-10], ebx
:00431B5C 894DF8            mov dword ptr [ebp-08], ecx
:00431B5F 8955FC            mov dword ptr [ebp-04], edx
:00431B62 8BD8              mov ebx, eax
:00431B64 8B45FC            mov eax, dword ptr [ebp-04]
:00431B67 E8DC1BFDFF        call 00403748
:00431B6C 8B45F8            mov eax, dword ptr [ebp-08]
:00431B6F E8D41BFDFF        call 00403748
:00431B74 8B4508            mov eax, dword ptr [ebp+08]
:00431B77 E8CC1BFDFF        call 00403748
:00431B7C 33C0              xor eax, eax
:00431B7E 55                push ebp
:00431B7F 68631D4300        push 00431D63
:00431B84 64FF30            push dword ptr fs:[eax]
:00431B87 648920            mov dword ptr fs:[eax], esp
:00431B8A C645F700          mov [ebp-09], 00
:00431B8E 33C0              xor eax, eax
:00431B90 55                push ebp
:00431B91 68211D4300        push 00431D21
:00431B96 64FF30            push dword ptr fs:[eax]
:00431B99 648920            mov dword ptr fs:[eax], esp
:00431B9C 8D55E4            lea edx, dword ptr [ebp-1C]      ; doing the maths
:00431B9F 8B45F8            mov eax, dword ptr [ebp-08]
:00431BA2 E8653DFDFF        call 0040590C
:00431BA7 8B55E4            mov edx, dword ptr [ebp-1C]
:00431BAA 8D45F8            lea eax, dword ptr [ebp-08]
:00431BAD E80219FDFF        call 004034B4
:00431BB2 8D55E4            lea edx, dword ptr [ebp-1C]
:00431BB5 8B4508            mov eax, dword ptr [ebp+08]
:00431BB8 E84F3DFDFF        call 0040590C
:00431BBD 8B55E4            mov edx, dword ptr [ebp-1C]
:00431BC0 8D4508            lea eax, dword ptr [ebp+08]
:00431BC3 E8EC18FDFF        call 004034B4
:00431BC8 8B55F8            mov edx, dword ptr [ebp-08]
:00431BCB 8BC3              mov eax, ebx
:00431BCD E886FEFFFF        call 00431A58
:00431BD2 8BF0              mov esi, eax
:00431BD4 8B4508            mov eax, dword ptr [ebp+08]
:00431BD7 E8EC3EFDFF        call 00405AC8
:00431BDC 3BF0          (4) cmp esi, eax                     ; compares our code with the real code
:00431BDE 0F8533010000      jne 00431D17                     ; if we change this into je, the program will accept our code as correct
:00431BE4 8B45F8            mov eax, dword ptr [ebp-08]
:00431BE7 E8A819FDFF        call 00403594
:00431BEC 83F80A            cmp eax, 0000000A                ; checks if your name has more than 10 (=0A) letters
:00431BEF 0F8C22010000      jl 00431D17                      ; if not, bye bye cracker
:00431BF5 B201              mov dl, 01
:00431BF7 B8E8F74200        mov eax, 0042F7E8
:00431BFC E89BDCFFFF        call 0042F89C
:00431C01 8945E8            mov dword ptr [ebp-18], eax
:00431C04 33C0              xor eax, eax
So when you are at (4) [cmp esi, eax] (comparing eax with esi), type "?EAX" to see the value of eax in hex and decimal, which is the serial we entered, 12345. Then type "?ESI", which is the correct key. Two values will be created in the registry (use regedit.exe to check) at [HKEY_LOCAL_MACHINE\Software\Beyersdorf\HexDecCharEditor]: Name and Key.
I would characterize this protection scheme as weak, as you can clearly see the real serial number at the comparison routine, while it should have been hidden.
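The weakness noted above, seen from the developer's side, as an added example that is not code from this page or from the program: a check that computes the valid key and compares it, next to a signature-based check in which the client never computes the valid key. `expected_serial` is a hypothetical stand-in (not the program's algorithm), and the RSA parameters are constructed and far too small for real use.

```python
import hashlib
import zlib

# Constructed demo RSA parameters (two Mersenne primes); toy-sized on purpose.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
# Private exponent: in a real product this exists only on the vendor's side.
D = pow(E, -1, (P - 1) * (Q - 1))


def expected_serial(name: str) -> int:
    """Hypothetical stand-in for the routine that derives the key from the name."""
    return zlib.crc32(name.upper().encode())


def weak_check(name: str, key: str) -> bool:
    # Same shape as the listing: derive the valid key, convert the input, compare.
    # The valid key sits in the client's memory at the moment of comparison.
    expected = expected_serial(name)
    return key.isdigit() and expected == int(key)


def name_digest(name: str) -> int:
    """Public digest of the name, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def issue_key(name: str) -> int:
    """Vendor side only: sign the name digest with the private exponent."""
    return pow(name_digest(name), D, N)


def signed_check(name: str, key: int) -> bool:
    # Client side: needs only the public values N and E. Both operands of the
    # comparison are derived from public data and the user's own input, so the
    # valid key for a name never appears in the client process.
    return 0 < key < N and pow(key, E, N) == name_digest(name)


if __name__ == "__main__":
    name = "Example User"  # constructed sample input
    print(weak_check(name, "12345"), signed_check(name, issue_key(name)))
```

Signature verification only removes the valid key from client memory; it does not address patching of the conditional jump after (4), which needs separate integrity measures.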