March 2000
"Qimage Pro v7.52"
('Another easy protection')
Win '95 PROGRAM
Win Code Reversing

by The Snake

Code Reversing For Beginners

Program Details
Program Name: Qpro752.exe
Program Type: Image utility 
Program Location: Here
Program Size: 2.4mb

 
 
   
Tools Used:
Softice V4.0 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
 
Rating
Easy (X)  Medium ( )  Hard ( )  Pro ( )
 


Qimage Pro v7.52
('Another easy protection')
Written by The Snake
Introduction

The author of Qimage Pro v7.52 says:

 If you've found it difficult to print or view multiple images while
 optimizing the use of your expensive printer paper, your headaches are
 over!  No more sizing the canvas, cutting, pasting, dragging or dropping
 images!  Printing multiple images just doesn't get any easier than this!
 You're only three mouse clicks away from printing all the photos from your
 digital camera at once, and most importantly, in the least amount of
 space!  Don't waste any more time arranging images on pages when all you
 need to do is tell Qimage what arrangement method you like.  Just supply
 the image size(s) and let the software do the dirty work for you!
 
About this protection system

It's been a long time since I wrote my last tutorial; I was busy learning to code key-gens in asm32, which
you can see in the key-gens section.
I chose this program because I think it is a good one for beginners.
The program shows a nag reminder screen at start-up with a 5-second delay, then the registration screen,
which can be dismissed; it can also be reached through the Help menu.
In the registration screen, if you type a wrong Unlock code, or click "Ignore and continue", the window title
shows "[Unregistered DEMO]". There is no "invalid code..." message box, so there is no message to break on;
the title string itself is the reference we will search for.
This is enough for us; it will light our way in cracking this program.

The program keeps its settings in the registry:

HKEY_USERS\.DEFAULT\Software\Qimage\"Name/Company"=
HKEY_USERS\.DEFAULT\Software\Qimage\"Unlock Code"=
 
The Essay

Create a dead listing with W32Dasm and, in the string references, look for "[Unregistered DEMO]". There are
two occurrences; the first one is the one we need:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C164D(C)
|
:004C175B 8D55F8                  lea edx, dword ptr [ebp-08]
:004C175E A1F8764F00              mov eax, dword ptr [004F76F8]
:004C1763 8B00                    mov eax, dword ptr [eax]
:004C1765 E85EFEF6FF              call 004315C8
:004C176A 8B55F8                  mov edx, dword ptr [ebp-08]
:004C176D B854184C00              mov eax, 004C1854
:004C1772 E809BC0100              call 004DD380
:004C1777 6685C0                  test ax, ax
:004C177A 752B                    jne 004C17A7
:004C177C 8D55F8                  lea edx, dword ptr [ebp-08]
:004C177F A1F8764F00              mov eax, dword ptr [004F76F8]
:004C1784 8B00                    mov eax, dword ptr [eax]
:004C1786 E83DFEF6FF              call 004315C8
:004C178B 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->" [Unregistered DEMO]"
                                  |
:004C178E BA60184C00              mov edx, 004C1860
:004C1793 E84C28F4FF              call 00403FE4

Look at the cross-reference header above the string: this block is reached by a conditional jump from
004C164D. We want to see what takes us there, don't we?

:004C163D 8B45F4                  mov eax, dword ptr [ebp-0C]
:004C1640 8B1560754F00            mov edx, dword ptr [004F7560]
:004C1646 8B12                    mov edx, dword ptr [edx]
:004C1648 E89F2AF4FF              call 004040EC               ; probably checking the serial
:004C164D 0F8508010000            jne 004C175B                ; wrong serial, jump to DEMO
:004C1653 B201                    mov dl, 01
:004C1655 A1C4E34800              mov eax, dword ptr [0048E3C4]
:004C165A E8A5CEFCFF              call 0048E504
:004C165F 8B15B0774F00            mov edx, dword ptr [004F77B0]
:004C1665 8902                    mov dword ptr [edx], eax
:004C1667 A1B0774F00              mov eax, dword ptr [004F77B0]
:004C166C 8B00                    mov eax, dword ptr [eax]
:004C166E B101                    mov cl, 01

* Possible StringData Ref from Code Obj ->"\Software"
                                  |
:004C1670 BAF8174C00              mov edx, 004C17F8
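The lookup just done by eye (string reference, then the label that heads its block, then the jumps that lead into that label) can be automated once you know the three line formats W32Dasm emits. The following is an added example, not part of the original essay and not a W32Dasm tool; it embeds an abridged copy of the two fragments quoted above and resolves which jump leads to the "[Unregistered DEMO]" block:

```python
import re
from typing import Dict, List, Tuple

# Abridged copy of the two W32Dasm fragments quoted in the essay (around
# 004C163D and 004C175B), embedded so this runs offline; any saved W32Dasm
# listing can be fed to the same functions.
LISTING = """\
:004C163D 8B45F4                  mov eax, dword ptr [ebp-0C]
:004C1640 8B1560754F00            mov edx, dword ptr [004F7560]
:004C1646 8B12                    mov edx, dword ptr [edx]
:004C1648 E89F2AF4FF              call 004040EC
:004C164D 0F8508010000            jne 004C175B
:004C1653 B201                    mov dl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C164D(C)
|
:004C175B 8D55F8                  lea edx, dword ptr [ebp-08]
:004C175E A1F8764F00              mov eax, dword ptr [004F76F8]
:004C1772 E809BC0100              call 004DD380
:004C1777 6685C0                  test ax, ax
:004C177A 752B                    jne 004C17A7
:004C178B 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->" [Unregistered DEMO]"
                                  |
:004C178E BA60184C00              mov edx, 004C1860
:004C1793 E84C28F4FF              call 00403FE4
"""

INSN_RE = re.compile(r"^:([0-9A-F]{8})\s+[0-9A-F]+\s+(.+?)\s*$")
XREF_HDR_RE = re.compile(r"^\* Referenced by a .*Jump at Address:")
XREF_RE = re.compile(r"^\|:([0-9A-F]{8})\(([UC])\)")
STR_RE = re.compile(r'^\* Possible StringData Ref from .* ->"(.*)"\s*$')

Xref = Tuple[str, str]  # (address of the jump, "U" or "C")


def parse_listing(text: str):
    """Split a W32Dasm listing into three tables:
    instructions: address -> disassembly text
    blocks:       [(label address, [xrefs that jump to it])] in listing order
    string_refs:  [(address of the instruction, string it loads)]"""
    instructions: Dict[str, str] = {}
    blocks: List[Tuple[str, List[Xref]]] = []
    string_refs: List[Tuple[str, str]] = []
    pending_xrefs: List[Xref] = []
    pending_string = None
    in_xref_header = False
    for line in text.splitlines():
        if XREF_HDR_RE.match(line):          # "* Referenced by ..." opens a label
            in_xref_header, pending_xrefs = True, []
            continue
        m = XREF_RE.match(line)
        if m and in_xref_header:             # "|:004C164D(C)" lines under it
            pending_xrefs.append((m.group(1), m.group(2)))
            continue
        m = STR_RE.match(line)
        if m:                                # string ref applies to the next insn
            pending_string = m.group(1)
            continue
        m = INSN_RE.match(line)
        if m:
            addr, asm = m.group(1), m.group(2)
            instructions[addr] = asm
            if in_xref_header:               # first insn after the header is the label
                blocks.append((addr, pending_xrefs))
                in_xref_header = False
            if pending_string is not None:
                string_refs.append((addr, pending_string))
                pending_string = None
    return instructions, blocks, string_refs


def jumps_into_string_block(text: str, needle: str) -> List[Tuple[str, str]]:
    """For each instruction that loads a string containing `needle`, find the
    label heading its block (nearest label at or before it) and return the
    jumps that lead there as (jump address, jump disassembly)."""
    instructions, blocks, string_refs = parse_listing(text)
    found = []
    for ref_addr, s in string_refs:
        if needle not in s:
            continue
        owners = [b for b in blocks if int(b[0], 16) <= int(ref_addr, 16)]
        if not owners:
            continue
        for jump_addr, _kind in owners[-1][1]:
            found.append((jump_addr, instructions.get(jump_addr, "<not in listing>")))
    return found


if __name__ == "__main__":
    for addr, asm in jumps_into_string_block(LISTING, "[Unregistered DEMO]"):
        print(f"{addr}: {asm}")
```

The block header only tells you which jump lands on the label; a jump out of the block (the jne 004C17A7 above) does not start a new label, so the string reference at 004C178E still belongs to the block at 004C175B, and the answer comes back as 004C164D with its jne 004C175B.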

From the listing at 004C163D we can see that if the call at 004C1648 returns with the Zero flag set, the
unlock code is correct: the jne is not taken and the program goes on to save the details entered into the
registry (the "\Software" reference just below). If the Zero flag is clear, the jump at 004C164D takes us to the
"[Unregistered DEMO]" code. Time to check our theory.

Run Qimage.exe and go into the Registration screen. Fill in the Name/Company and Unlock code, but don't click
the "Unlock Software" button yet. Before you click it, press Ctrl+D to fire up Softice.
This program doesn't use the two bpx's I usually set, GetWindowTextA or GetDlgItemTextA, so we are going to
use hmemcpy instead (a Win9x-only trick: the 16-bit hmemcpy sits underneath most text-copying calls on
Windows 95/98 and does not exist on NT). Type "bpx hmemcpy", then "x" to leave Softice, and click
"Unlock Software"; SI breaks.
The part that interests us comes after the second hmemcpy, that is, after the program has read both the
name and the Unlock code.
So press "x" once to reach the second break, then press F11 once to return out of hmemcpy and F12 six
times to get back to where the program called it. We should now be in Qimage's own code. Disable the
hmemcpy breakpoint ("bd *") and set a new breakpoint on the call at 004C1648 ("bpx 004C1648", the
call 004040EC).

Press F10 once to step over the call and we are now on the jne 004C175B that we think decides between the
correct unlock code and Demo mode. Softice shows <jump>, so we are on our way to Demo mode. Did we look
at what goes on before the call and the jump? No, and we can do it now.
Type "x" in SI and go into the Registration screen again; our details are still in the input boxes, so hit the
button and we break on the call. Scroll three lines up and we can see that registers EAX and EDX get their
values right before the call:

:004C163D 8B45F4                  mov eax, dword ptr [ebp-0C]
:004C1640 8B1560754F00            mov edx, dword ptr [004F7560]
:004C1646 8B12                    mov edx, dword ptr [edx]
:004C1648 E89F2AF4FF              call 004040EC               ; we break here

To see what is in EDX, type "d edx"; you'll see the fake code you entered. Now type "d eax" and guess what's
there: yes, the correct code to unlock this program. The protection is easy precisely because the program
regenerates the real code and hands both strings to a compare routine (two string pointers in EAX and EDX,
result left in the flags, the convention of Borland/Delphi string compares), so the correct code is sitting in
memory at the moment of the compare.

Now type that code in the registration window and press "Unlock". Is the Demo title still there?
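The shape of the check that "d eax" defeated, beside the shape that would not have leaked, as an added example. This is not code from the essay or from Qimage: the key-derivation function and its secret are assumptions standing in for the real (unknown) Qimage algorithm, and the hardened half goes beyond the essay by showing the verify-only design, using a deliberately toy RSA key so that it runs with the standard library alone:

```python
import hashlib
import hmac


def derive_unlock_code(name: str) -> str:
    """Toy stand-in for the vendor's key generator.  The real Qimage algorithm
    is not shown in the essay; this (assumed) one exists only so that the
    comparison below has something to regenerate."""
    secret = b"toy-vendor-secret|"          # assumption: baked into the binary
    return hashlib.sha256(secret + name.encode()).hexdigest()[:16].upper()


def check_regenerate_and_compare(name: str, entered: str) -> bool:
    """The shape of the check at 004C163D-004C164D: rebuild the correct code
    from the name, then compare it with what the user typed.  Whatever routine
    performs the '==' holds both strings (EAX and EDX in the essay), so a
    breakpoint on it and 'd eax' reads the good code out of memory."""
    expected = derive_unlock_code(name)      # correct code now sits in memory
    return expected == entered               # the call + jne at 004C164D


# Hardened shape: verify, never regenerate.  The unlock code is the vendor's
# signature over the name and the program ships only the public key, so no
# code path inside it can produce a valid code.  A breakpoint on the compare
# sees a hash and a signature, neither of which is usable for another name.
# Textbook RSA with tiny primes keeps this dependency-free; it is NOT secure
# (no padding, ~40-bit modulus) and stands in for Ed25519 / RSA-PSS from a
# real library.

def _next_prime(n: int) -> int:
    while True:
        n += 1
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n


P = _next_prime(1_000_000)
Q = _next_prime(P)
N, E = P * Q, 65537                          # public key: shipped in the binary
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent: vendor only


def _name_digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def vendor_issue_code(name: str) -> str:
    """Run on the vendor's side only: sign the name with the private key."""
    return format(pow(_name_digest(name), D, N), "X")


def check_signature(name: str, entered: str) -> bool:
    """Run inside the program: verify with the public key (N, E)."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    recovered = format(pow(sig, E, N), "X")
    return hmac.compare_digest(recovered, format(_name_digest(name), "X"))


if __name__ == "__main__":
    name = "The Snake"
    print(check_regenerate_and_compare(name, "1234"),
          check_regenerate_and_compare(name, derive_unlock_code(name)))
    code = vendor_issue_code(name)
    print(code, check_signature(name, code), check_signature("Someone Else", code))
```

Breaking on the compare inside check_signature still shows two values, but they are the recovered hash and the hash of the name; producing a code for a different name needs D, which is not in the program. The weak form can always be keygenned by reading derive_unlock_code out of the binary, and "d eax" is just the shortest path to it.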
 
 
The Patches

Nothing is needed.
 

REMEMBER, I do my cracks as a hobby and a challenge, so please, if you like
this utility and want to keep using it, support the author and pay for it.
 
 
 
Final Notes

Is there any newbie who wants to take the challenge of finding out how to patch this program so it validates
any name and unlock code from the registry? Write a short tutorial about how to do it and I'll attach it to mine.

My thanks and gratitude go to:

The Sandman, for all he is doing for us newbies.

Rhayader, for helping me with Reverse Code Engineering and useful tips.

ShADe, for all the asm knowledge he taught me in the last months.




Essay by: The Snake
Page Created: 11th March 2000