Contact Me : dheeraj_np@usa.net or gl_force@usa.net
             www.glcrackforce.50megs.com
Main | Index

WinHex 9.26

Type       : Multi editor
Protection : Key File - Serial No: [Flag check]
Tech       : Patching


Crack : WinHex uses numerous flag check at every step.Funny part is that
only a single flag is checked.

Memory position [0x44FE8C] >> 00 ==> BAD is used as flag.
Only at start up of the program the serial is computed.
On application start up ...

0x448B56 JZ 0x448B5C       >> GOOD
0x448B58 XOR EAX,EAX       >> Clear flag
0x448B5A JMP 0x448B5E      >> BAD
0x448B5C MOV AL,0x01       << SET FLAG [GOOD]
0x448B5E MOV [0x44FE8C],AL >> STORE FLAG
To Crack :

0x448B56 JMP 0x448B5C | EB 04
Offset : 0x47F56
File   : winhex.exe

Another check :

0x448B2D CALL 0x42C81C
0x448B32 CMP EAX,[0x44E184]
0x448B38 JNZ 0x448B58 >> BAD

To crack : 0x448B38 NOP
           0x448B39 NOP
Offset   : 0x47F38 - 0x47F39

Another check :

0x43849F CALL 0x436A74
0x4384A4 CMP [EDI+0x189F],00
0x4384AB JZ 0x4384B4       >> GOOD
0x4384AD MOV [0x44FE8C],00 <<BAD

To crack :

0x4384AB JMP 0x4384B4 | EB 07
Offset : 0x378AB

How to find a serial for winhex

Consider the check ..

0x448B28 MOV EAX,[0x44E180] << First S/N
0x448B2D CALL 0x42C81C
0x448B32 CMP EAX,[0x44E184] << Fake Second S/N ;EAX = REAL Second S/N
0x448B38 JNZ 0x448B58 >> BAD
EAX = 0xFFFFFFFF if First S/N is wrong range
EAX = REAL Second S/N if First S/N is within the range.

We will use the program it self to produce S/N :

When we reach at 0x448B28 use Soft ice command 'a eip' and enter the following key gen.

0x448B28 MOV EAX,[0x44E180] << First S/N
0x448B2D CALL 0x42C81C
0x448B32 CMP EAX,-1 = 0xFFFFFFFF
0x448B34 JNZ STOP
0x448B3E INC EAX
0x448B3F MOV [0x44E180],EAX
0x448B44 JMP 0x448B28

Registration info :I  Code = 444445
                   II Code = 599889