                               [ASCII-art group logo]

                .----------------------.
     .----------| Proudly Presents     |----------.
     |       A cracking tutor for: WinHex         |
     `--------------------------------------------'

Crack Rating: easy

Programs I have used:
 - SoftIce V3.2
 - A HexEditor (HexWorkShop V2.50)
 - WinHex V7.1 (www.muenster.de/~sf)

.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'

Make a copy of your winhex.cfg; we need it later.

Open WinHex and enter your registration code (I used 123454 and 1234565).

Place a breakpoint on hmemcpy. Note: WinHex is a 16-bit program.

Start running the program. BANG! You get kicked back into SoftIce. Press F11 to return from the call.

Now we are going to do a search, this time using ES as the selector. We use ES because this selector is important for 16-bit programs. I don't know exactly why; one likely reason is that the x86 string-copy instructions write their destination through ES:DI, so text that has just been copied tends to turn up in the ES segment. I even had a 16-bit program that dumped the real s/n at es:????. This is the search we do:

  s ES:0 l ffff "123454"

I found this address: es:D484. You will probably find a different address; just continue the tutorial using your address instead of mine. Place a memory breakpoint on that address:

  BPM D484

(If SoftIce does not accept the bare offset, give it the full segment:offset the search reported, e.g. BPM ES:D484.)

Continue the program. KLABOOM! We are in SoftIce again.
You should end up here:

  CMP BYTE PTR ES:[SI],20   <= compare the first character of the s/n with 20h (space): has a s/n been entered at all?
  JZ 2C66                   <= if not .......

If you type

  D es:si

you should see your s/n. Let's do some tracing (F8). Watch the AX register carefully. You should notice that it gets the value 31 at this instruction:

  MOV AL,ES:[BX]            <= load a character from your s/n

As you should know, 31h = 49 decimal = ASCII "1", the FIRST character of our s/n. Place a breakpoint here by double-clicking on the instruction. Continue running the program. AX gets the other values of your s/n. At some point you get kicked back into SoftIce because hmemcpy executed again: the second code has now been loaded into memory. Run the program until AX = 35. Now do some tracing. At some point an API is called; press F12 to get out of it. Trace until you get here:

  CMP WORD PTR [9920],00    <= compare something
  JNZ B9EB                  <= if not zero, continue the program
  JMP BA76                  <= if zero, say "incorrect s/n"

You see that something is getting compared (I don't know what), but if you continue the program as it is, you get the "incorrect s/n" message. To prevent this you could patch the program, but patching would take you some time. Another way is to clear the zero flag: click on the "Z" in the upper right of the SoftIce register window so that it changes to "z" (SoftIce shows a set flag in upper case and a cleared flag in lower case). With ZF clear the JNZ is taken and the JMP to BA76 is skipped. Continue the program. Remember: jumping to BA76 means you get the "incorrect s/n" message. You get another five CMPs; clear the zero flag the same way each time so that the program does NOT jump to BA76. Continue running the program and... YOU HAVE REGISTERED THE PROGRAM, you cracked another one!!!!!

Now, say you wanted to spread our crack. You could write a patch that changes every JNZ to JZ and every JZ to JNZ, but then you would have to change six JNZ/JZs. BAH, that is too much. There must be a faster way of registering this program, and there IS one. Remember I said you had to make a copy of winhex.cfg? We are going to use that file: WinHex stores your registration info somewhere in there. Let's find out where.
Fire up your HexEditor and open the copy of winhex.cfg and the registered one. Compare the two files. The HexEditor should report that some values differ at offset 13EB. That is the registration code (64 76 9B 05). If you remove these bytes, the program is unregistered again. Check on your own two copies that the difference really sits at that offset (and that nothing else in the file changed) before you build a patch from it. Now you only have to write a patch that edits winhex.cfg ONE time. This is much better.

.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'

Well, I hope you learned SOMETHING from this tutor. If you have any comments, questions, or whatever, mail me at MisterE@freemail.nl OR look for me on EFNET => #cracking4newbies or #cracking

.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'
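Added example (not the tutorial's own patch and not WinHex code): a small Python script that does the hex-editor comparison above by hand, reporting every run of bytes that differs between the unregistered and the registered winhex.cfg, and then applies that difference to a fresh unregistered copy in one go. The offset 13EB and the bytes 64 76 9B 05 come from the tutorial; everything else is an assumption: the two sample files the script builds are constructed stand-ins (zero-filled buffers with those four bytes at that offset), not real winhex.cfg contents, and the function and file names are mine. The patcher refuses to write if the bytes it expects to overwrite are not there, which is the check you want before shipping a one-shot cfg patch to other people.

```python
"""Byte-diff and one-shot patcher for winhex.cfg (added example, not the tutorial's tool).

find_diffs()  - like "compare two files" in a hex editor: lists (offset, old, new) runs.
apply_patch() - writes those runs into another copy, but only if the old bytes match.
"""
import sys
from typing import List, Tuple

# Values reported by the tutorial (assumed here, not verified against a real file).
REG_OFFSET = 0x13EB
REG_BYTES = bytes([0x64, 0x76, 0x9B, 0x05])

Run = Tuple[int, bytes, bytes]   # (offset, bytes in file A, bytes in file B)


def find_diffs(a: bytes, b: bytes) -> List[Run]:
    """Return one entry per contiguous run of bytes where a and b differ.

    Files of unequal length are compared up to the shorter one; the leftover
    tail is reported as a final run so a size change is never silently ignored.
    """
    runs: List[Run] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        runs.append((start, a[start:i], b[start:i]))
    if len(a) != len(b):
        runs.append((n, a[n:], b[n:]))
    return runs


def apply_patch(data: bytes, runs: List[Run]) -> bytes:
    """Apply the runs to data. Refuses if the bytes to be replaced do not match,
    so the patch is not blindly written into a different file version."""
    buf = bytearray(data)
    for off, old, new in runs:
        found = bytes(buf[off:off + len(old)])
        if found != old:
            raise ValueError(
                f"expected {old.hex()} at {off:#06x}, found {found.hex()}; wrong file?")
        buf[off:off + len(old)] = new
    return bytes(buf)


def hexdump_diffs(runs: List[Run]) -> List[str]:
    """Render runs the way a hex editor's compare window would show them."""
    return [f"{off:#06x}: {old.hex(' ')} -> {new.hex(' ')}" for off, old, new in runs]


def make_sample_files() -> Tuple[bytes, bytes]:
    """Constructed stand-ins for the unregistered and registered winhex.cfg:
    zero-filled buffers, with the tutorial's four bytes patched in at 0x13EB."""
    size = 0x2000
    unregistered = bytes(size)
    registered = bytearray(unregistered)
    registered[REG_OFFSET:REG_OFFSET + len(REG_BYTES)] = REG_BYTES
    return unregistered, bytes(registered)


if __name__ == "__main__":
    # Usage: python cfgpatch.py <unregistered.cfg> <registered.cfg>
    # With no arguments the constructed sample files are compared instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_old, open(sys.argv[2], "rb") as f_new:
            diff_runs = find_diffs(f_old.read(), f_new.read())
    else:
        diff_runs = find_diffs(*make_sample_files())
    print("\n".join(hexdump_diffs(diff_runs)) or "files are identical")
```

Run it against your two real copies of winhex.cfg to confirm that the only reported run is the four bytes at 13EB; if it lists more, the file stores something else that changed between the two saves and a four-byte patch is not the whole story.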