Software Reverse Engineering - Host Scan v1.3 - Nag Screen Removal = Registration?
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

After trial and error, I figured this one out. We'll remove the nag/registration screen, skipping over the registration, thus registering the program. This crack may be "sloppy" from an advanced cracker's point of view, but hell, it works, so I'm stickin' with it.

---------------------------------------------------------------------------------------------

Target: Host Scan v1.3 - (hs.exe) 349,683 bytes.
Download this at: http://www.savant-software.com/hs_dl.htm

Tools Needed:
Wdasm - recommended (or disassembler of your choice)
HIEW - recommended (or hex editor of your choice)
PMTK - recommended (or patcher of your choice)

---------------------------------------------------------------------------------------------

Prepare To Crack:

Setup hs.exe, then run HOSTSCAN. The very first thing we see is a nag/registration screen. Only one box to enter a code, so that should make it a bit easier. I first tried to set a breakpoint in SOFT-ICE to see if I could find the proper registration code that way. I grew tired of trying to find the breakpoint after about 5 minutes though, so I decided to try a dead-listing to see what I could find out.

Starting The Crack:

Fire up Wdasm, and disassemble HOSTSCAN.exe ("Disassembler", "Open file to disassemble", then choose HOSTSCAN.exe). Once the program is disassembled, open the SDR (String Data Reference) window ("Refs", "String Data References"). Towards the bottom, you'll see the strings "RegCode", "Registration Recorded" and various other registration strings. This looked like it should be our registration routine, so I double clicked on "Registration Succeeded" (Don't do this!!!). I scrolled up, then down, to see what I had. I found the jump I needed to patch in order to make the program accept any serial number... so I patched it.
I started HOSTSCAN.exe, and entered a registration. "Registration Succeeded". Bingo! I cracked it! Since I cracked it, I shut it down... hmm...... wait a minute... the registration screen again? Just to make sure it wasn't just calling the registration screen in another location, I started HOSTSCAN.exe up again. NO!!! The registration screen is back! Sux!

Now I had to stop, relax and think for a bit... I remembered what it meant if the registration wasn't stored: the code gets stored in the Windows Registry. Ugh! Oh well, let's keep going. Since I knew that the code was stored in the registry, I did a text search for "RegOpen". I landed here:

---------------------------------------------------------------------------------------------
* Reference To: ADVAPI32.RegOpenKeyA, Ord:0000h
|
:0044287F E8D3150000              call 00443E57
---------------------------------------------------------------------------------------------

Now let's scroll down a bit, to see if we can find where the key is entered, or decoded, or stored. You'll see this code:

---------------------------------------------------------------------------------------------
* Reference To: hostscan.decode(char*,char*,char*)
|
:004428D4 E86FEFFFF               call 00442744
---------------------------------------------------------------------------------------------

Hmm... interesting. I'd never seen anything like this before, but it looks to me like the spot where the code we entered is getting compared with the real one! Just a few lines below this, you'll see a jump:

---------------------------------------------------------------------------------------------
:004428E5 7404                    je 004428EB
---------------------------------------------------------------------------------------------

Looks to me like if we patch here, it'll jump right outta the Registry with any value. Let's try. Highlight the line, and get the offset below. It should be 00041EE5h (41EE5).
---------------------------------------------------------------------------------------------
Making the Crack:
---------------------------------------------------------------------------------------------

Open HOSTSCAN.exe with HIEW ( c:\whatever\hiew c:\wherever\HOSTSCAN.exe )
Press F4 to go to hex view
Press F7 to search
Enter your search string: 41EE5
Press enter
Press F3 to edit the code
Change je to jne
Press F9 to update
Press F10 to quit

Now, if you don't have one already, you'll need to enter a key into the registry.

Run regedit
Go to HKEY_LOCAL_MACHINE
Go to SOFTWARE
Look for a key called "savant"
If you have it, double click on it, and click on the "RegCode" key
If there is a value there, you're fine; if not, you'll need to add one (anything will work).

---------------------------------------------------------------------------------------------

Run HOSTSCAN.exe. Kickass! No nag screen! I shut the program down, just to make sure the screen didn't pop up on exit. It didn't. I'm still not sure if this causes the program to think it's registered, or if it just removed the screen, but I checked everything out, and all the options work, so I'm happy. (Maybe later on I'll get into a +ORC state of mind - "there's always another way".)

I can't make a patcher with this approach; the offset difference is more than 32k, even though the file sizes are exactly the same.... oh well.

-Volatility-