Contact Me : dheeraj_np@usa.net or gl_force@usa.net
             www.glcrackforce.50megs.com
Main | Index

WinHex 9.54

Type       : Multi editor
Protection : Serial
Tech       : Serial fishing

Crack : Here the programmer made a worng move.In ver 9.26 the serial is only
computed at start up,which made it little bit more hard to find.In this version
serial is computed and no restarting is required.Made our job easy.Very very
wrong move.

Enter fake values.And in SICE BPX HMEMCPY

0x425FB6 MOV EDX,[EBP-04]     << First code
0x425FB9 MOV [0x455208],EDX
0x425FBF MOV EDX,[EBP-08]     << Second code
0x425FC2 MOV [0x45520C],EDX      Note : All S/N in hex format

In SICE use BPR xxx xxx where S/N is found i.e [0x455208] ....

We will reach

0x42BB3B LEA EAX,[ESP+E0]
0x42BB42 SUB EAX,08
0x42BB45 MOV EAX,[EAX]
0x42BB47 MOV [EBX],EAX
0x42BB49 CMP [EBX],0xD9038 >> S/N Max limit
0x42BB4F JG 0x42BC4D       >> BAD
.................................
0x42BBC0 CMP EDX,54        >> EDX depends on 7777xx
0x42BBC3 JNZ 0x42BC4D      >> BAD

0x42BBE7 MOV EAX,[ESP+D8]  >> First S/N
0x42BBEE CALL 0x42F7F4
0x42BBF3 CMP EAX,[ESP+DC]  >> Second S/N,EAX = 0xFFFFFFFF if wrong
                              And real S/N if first S/N is correct

Inside CALL 0x42F7F4

0x42F90D CMP EAX,0x336
0x42F913 JL 0x42F919    >> BAD
0x42F915 MOV EAX,ECX    << REAL Second S/N
0x42F917 JMP 0x42F91C
0x42F919 OR EAX,-01     >> Reset EAX = 0xFFFFFFFF

To Crack let as make a key gen inside the program itself.
In SICE at 0x42BBE7 assemble the code by command 'a eip'

0x42BBE7 MOV EAX,[ESP+D8]
0x42BBEE CALL 0x42F7F4
0x42BBF3 CMP EAX,-01 = 0xFFFFFFFF
0x42BBF8 JNZ STOP
0x42BBFA MOV EAX,[ESP+D8] >> First S/N
0x42BC01 ADD EAX,64       >> ADD 100 to protect last two digit
                             and increment other.
0x42BC06 MOV DW PTR[ESP+D8],EAX
0x42BC0D JMP 0x42BBE7

Registration Info : Code I  = 201884
                    Code II = 284958