Cracking "Hex WorkShop 32 bit v 2.54"
Date: July 12, 1999
Author : +ViPeR+
[E]bola [V]irus [C]rew

Program Name : Hex WorkShop 32 bit v 2.54
Location     : http://www.bpsoft.com/

Method: CHARACTERS COMPARE

<<Note : this document is for educational purposes ONLY>>
-------------------------------------------------------------------------------
I believe that every cracker knows this program, Hex WorkShop, and I believe
that I have seen a tutorial on it somewhere on the net.

It is a handy hex editor for patching programs in order to bypass, for example,
a 30-day time limit protection.

The reason I write this tutorial is:
The protection scheme of this program seems to have changed, and I need a program
such as this in order to patch one program I like. Like I told you before, I don't
like to patch programs, so you won't see any patching tutorial from me.

As usual, locate the registration dialog box. For this program, you need to
enter the correct serial number in order to become registered. I enter
'54545454' and fire up Soft-Ice to set a breakpoint by typing 'bpx getwindowtexta'.
Get out of Soft-Ice and click the 'Register' button.

We are back in Soft-Ice. Press 'F11' and then 'F10' until you are at :0042627B.
Let's do some reasoning here.

:
:
:0042627B 68E8F74700              push 0047F7E8
:00426280 8D45DC                  lea eax, dword ptr [ebp-24]
:00426283 50                      push eax
:00426284 E867450100              call 0043A7F0
:00426289 83C408                  add esp, 00000008
:0042628C 85C0                    test eax, eax

The first thing I want to check is the 'push 0047F7E8' at :0042627B.
Why should we care about it? The reason is: after that push come a 'call'
and a 'test' instruction. In my experience, some programmers hard-code
the serial number in the program. Maybe this is the case. Just a wild guess.

Ok, so, what do you see when you type 'd 47F7E8'? I see 'JN11mARQ' in the data
window. I quit Soft-Ice and re-enter 'JN11mARQ' as the serial. I click the
'Register' button and still get the 'Registration Unsuccessful' message box. >_<

Fine. The above experience just tells me that 'JN11mARQ' is not the right
serial number. Well then, why did the author put it there and compare it with our
serial number??? Probably it is the previous version's serial number.
What the heck, we don't really care.

Repeat the above process with the same old serial ('54545454') until you reach

:0042628E 0F8414000000            je 004262A8

You won't jump this time because '54545454' is not equal to 'JN11mARQ'.

:00426294 8D45DC                  lea eax, dword ptr [ebp-24]
:00426297 50                      push eax
:00426298 E823110100              call 004373C0

The above call is what we want to trace into.

:004373C0 83EC14                  sub esp, 00000014
:004373C3 B9FFFFFFFF              mov ecx, FFFFFFFF
:004373C8 2BC0                    sub eax, eax
:004373CA 56                      push esi
:004373CB 8B74241C                mov esi, dword ptr [esp+1C]
:004373CF 57                      push edi
:004373D0 8BFE                    mov edi, esi
:004373D2 F2                      repnz
:004373D3 AE                      scasb
:004373D4 F7D1                    not ecx
:004373D6 49                      dec ecx
:004373D7 83F908                  cmp ecx, 00000008
:004373DA 7408                    je 004373E4 ; <-- we need to jump here.
:004373DC 33C0                    xor eax, eax
:004373DE 5F                      pop edi
:004373DF 5E                      pop esi
:004373E0 83C414                  add esp, 00000014
:004373E3 C3                      ret

Basically, the above block of code just checks whether the serial number you
entered has length 8 (:004373D7 83F908 cmp ecx, 00000008): 'repnz scasb' scans
for the terminating zero byte, and 'not ecx' followed by 'dec ecx' turns the
count into the string length. If yes, jump to 004373E4. If not, you are a bad
cracker.

:004373E4 6A0A                    push 0000000A
:004373E6 8D4602                  lea eax, dword ptr [esi+02]
:004373E9 6A00                    push 00000000
:004373EB 50                      push eax
:004373EC E8DF1F0000              call 004393D0
:004373F1 8D4C2414                lea ecx, dword ptr [esp+14]
:004373F5 83C40C                  add esp, 0000000C
:004373F8 8BFE                    mov edi, esi
:004373FA 51                      push ecx
:004373FB 50                      push eax
:004373FC E83FFFFFFF              call 00437340
:00437401 83C408                  add esp, 00000008
:00437404 B9FFFFFFFF              mov ecx, FFFFFFFF
:00437409 2BC0                    sub eax, eax
:0043740B F2                      repnz
:0043740C AE                      scasb
:0043740D F7D1                    not ecx
:0043740F 2BF9                    sub edi, ecx
:00437411 8BC1                    mov eax, ecx
:00437413 C1E902                  shr ecx, 02
:00437416 8BF7                    mov esi, edi
:00437418 8D7C240C                lea edi, dword ptr [esp+0C]
:0043741C F3                      repz
:0043741D A5                      movsd
:0043741E 8BC8                    mov ecx, eax
:00437420 83E103                  and ecx, 00000003
:00437423 F3                      repz
:00437424 A4                      movsb
:00437425 8D742408                lea esi, dword ptr [esp+08]
:00437429 8D4C240C                lea ecx, dword ptr [esp+0C]


Now, type 'd esi' to see 'BQ' in the data window and type 'd ecx' to 
see '54545454' in the data window. 

:0043742D 51                      push ecx
:0043742E E82D2D0000              call 0043A160 ; <-- erase space routine
:00437433 83C404                  add esp, 00000004

Ok. Now comes the important part: the compare routine.

:00437436 B902000000              mov ecx, 00000002
:0043743B 8BF8                    mov edi, eax
:0043743D 2BC0                    sub eax, eax
:0043743F F3                      repz
:00437440 A6                      cmpsb

Some explanation for the above lines:

mov ecx, 00000002 ; <-- number of characters to compare
mov edi, eax ; <-- edi points to the fake serial number
sub eax, eax ; <-- ignore this
repz cmpsb ; <-- STOP ON THIS LINE, PLEASE

Now, in Soft-Ice, type

'd esi' to see 'BQ' in data window
'd edi' to see '54545454' in data window

Since ECX=2, 'repz cmpsb' only compares two bytes, i.e. the two characters
'BQ' against the first two characters of your fake serial. Hence the
conclusion is: if the first two characters of your serial are 'BQ' and
the length of the serial is 8, you are registered.

:00437441 7405                    je 00437448 ; <-- if the compared bytes
                                              ;     are the same, the zero
                                              ;     flag will be set and you
                                              ;     will jump to 437448
:00437443 1BC0                    sbb eax, eax
:00437445 83D8FF                  sbb eax, FFFFFFFF
:00437448 85C0                    test eax, eax
:0043744A B800000000              mov eax, 00000000
:0043744F 7505                    jne 00437456
:00437451 B801000000              mov eax, 00000001
:00437456 5F                      pop edi
:00437457 5E                      pop esi
:00437458 83C414                  add esp, 00000014
:0043745B C3                      ret

Ok. Enter the following serial:

BQ545454

and you will see a dialog box show up for you to enter the name and
organization. Done.
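The check traced above, rebuilt in C as an added example (this is not Hex WorkShop's or bpsoft's code). weak_check() reproduces what the listing does: the length-8 test from 'repnz scasb' and 'cmp ecx, 8', followed by a two-byte 'repz cmpsb'. It uses the 'BQ' observed at esi as a constant, because the routine at :00437340 that produced it is not traced in this tutorial. strong_check() is the hardened counterpart: it compares all eight characters, in constant time, against a value bound to the licensee name. The key, the name and the FNV-1a tag in strong_check() are assumptions for the demo, not a real licensing scheme.

```c
/* Added example, not Hex WorkShop's code: the length-8 + two-byte serial check
 * traced in the tutorial, rebuilt in C next to a check that validates the
 * whole serial in constant time. The key and the FNV-1a tag are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_LEN 8

/* What the trace shows:
 *  :004373C3-:004373D7  repnz scasb / not ecx / dec ecx  -> ecx = strlen(serial)
 *  :004373D7            cmp ecx, 8                        -> length must be 8
 *  :00437436-:00437440  mov ecx, 2 / repz cmpsb           -> only 2 bytes compared
 * 'BQ' is the value the tutorial observed at esi for its input; the routine
 * that produced it (:00437340) is not traced, so it is a constant here. */
int weak_check(const char *serial)
{
    if (strlen(serial) != SERIAL_LEN)   /* repnz scasb + cmp ecx, 8 */
        return 0;
    /* repz cmpsb with ecx = 2: six of the eight characters never matter. */
    return memcmp(serial, "BQ", 2) == 0;
}

/* Constant-time equality: no early exit, so timing does not reveal how many
 * leading bytes matched ('repz cmpsb' stops at the first mismatch). */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hypothetical keyed tag: FNV-1a over key || name, rendered as 8 hex digits.
 * FNV-1a is NOT a MAC; a real product would use HMAC-SHA256 or, better, a
 * signature so the client can verify serials but not mint them. */
void expected_serial(const char *name, char out[SERIAL_LEN + 1])
{
    static const char key[] = "EXAMPLE-KEY-NOT-REAL";   /* assumed value */
    uint64_t h = 1469598103934665603ULL;                 /* FNV-1a 64 offset */
    const char *parts[2] = { key, name };
    for (int p = 0; p < 2; p++)
        for (const char *c = parts[p]; *c; c++) {
            h ^= (uint8_t)*c;
            h *= 1099511628211ULL;                      /* FNV-1a 64 prime */
        }
    for (int i = 0; i < SERIAL_LEN; i++)
        out[i] = "0123456789ABCDEF"[(h >> (60 - 4 * i)) & 0xF];
    out[SERIAL_LEN] = '\0';
}

/* Hardened check: every byte of the serial is bound to the licensee name and
 * all eight are compared. No valid-looking serial sits in the binary as a
 * string literal, which is what made 'd 47F7E8' so informative above. */
int strong_check(const char *name, const char *serial)
{
    if (strlen(serial) != SERIAL_LEN)
        return 0;
    char expect[SERIAL_LEN + 1];
    expected_serial(name, expect);
    return ct_equal((const uint8_t *)serial, (const uint8_t *)expect, SERIAL_LEN);
}

/* Returns 1 when the serial derived for `name` is accepted for `name` and
 * rejected for `other`. */
int strong_roundtrip(const char *name, const char *other)
{
    char s[SERIAL_LEN + 1];
    expected_serial(name, s);
    return strong_check(name, s) == 1 && strong_check(other, s) == 0;
}

int main(void)
{
    char s[SERIAL_LEN + 1];
    printf("weak   54545454 -> %d\n", weak_check("54545454"));
    printf("weak   BQ545454 -> %d\n", weak_check("BQ545454"));
    expected_serial("Example User", s);   /* constructed licensee name */
    printf("strong %s for 'Example User' -> %d\n", s, strong_check("Example User", s));
    printf("strong %s for 'Other User'   -> %d\n", s, strong_check("Other User", s));
    return 0;
}
```

Compile with any C99 compiler and run. The two things to take away are that ecx=2 means six of the eight characters are never examined, and that 'repz cmpsb' exits on the first mismatch, which is why ct_equal() ORs every byte instead. Even the hardened version only raises the bar: a keyed hash that lives inside the client can be read out of it, so a product that needs to resist key generators verifies a signature over the name rather than recomputing the serial.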


Final Note:
   none.


Ob Duh
   Do I really have to remind you all that buying and NOT stealing the
   software you use will ensure that these software houses continue to
   produce even *better* software for us to use and, more importantly,
   continue to offer even more challenges to breaking their often weak
   protection systems?

+ViPeR+
[E]bola [V]irus [C]rew
July 12, 1999


