How To Generate Valid Serials For Hex Workshop 2.52
(c) 1998 Dynamite


For this tutorial, you will need SoftICE 3.0+ and
Hex Workshop 2.52 (www.bpsoft.com).

When we start Hex Workshop and enter a serial, we notice that there is a
long pause before it shows the Wrong_Serial_Message. So let's set a BPX on
KERNEL32!Sleep. When SoftICE pops up, just press F11. Now scroll up in
the code window until you reach the following code.

* Possible StringData Ref from Data Obj ->"JN11mARQ"
                                  |
:0041EDC1 6844354800              push 00483544         ; PUSH "JN11mARQ"
:0041EDC6 8D45DC                  lea eax, [ebp+DC]     ; Load input in EAX
:0041EDC9 50                      push eax              ; PUSH input
:0041EDCA E851F80100              call 0043E620         ; CALL Reg_Check

Mhm? The "JN11mARQ" looks like a valid serial, which is compared with our
input serial. Let's check this.
Leave SoftICE and enter "JN11mARQ" in the registration window.
Shit! Doesn't work! So go back to :0041EDC1 and step into the CALL to 0043E620.

:0043E620 55                      push ebp
:0043E621 8BEC                    mov ebp, esp
:0043E623 57                      push edi
:0043E624 56                      push esi
:0043E625 53                      push ebx
:0043E626 8B750C                  mov esi, [ebp+0C]
:0043E629 8B7D08                  mov edi, [ebp+08]
:0043E62C 8D0578784800            lea eax, [00487878]   ; EAX = address 00487878 (global data, not the input)
:0043E632 83780800                cmp [eax+08], 00000000
:0043E636 753B                    jne 0043E673
:0043E638 B0FF                    mov al, FF            ; AL = FF
:0043E63A 8BC0                    mov eax, eax
:0043E63C 0AC0                    or al , al
:0043E63E 742E                    je 0043E66E           ; Exit_Procedure once AL = 0 (end of string)
:0043E640 8A06                    mov al , [esi]        ; Move char of key to AL
:0043E642 46                      inc esi               ; Increase pointer to key
:0043E643 8A27                    mov ah, [edi]         ; Move char of Input to AH
:0043E645 47                      inc edi               ; Increase pointer to input
:0043E646 38C4                    cmp ah, al            ; Compare char of the key with the char of the input
:0043E648 74F2                    je 0043E63C           ; Loop, if they match
:0043E64A 2C41                    sub al, 41            ;  \
:0043E64C 3C1A                    cmp al, 1A            ;    \
:0043E64E 1AC9                    sbb cl , cl           ;      \
:0043E650 80E120                  and cl, 20            ;        \
:0043E653 02C1                    add al , cl           ;          \
:0043E655 0441                    add al, 41            ;           |  Some calculations are done
:0043E657 86E0                    xchg al , ah          ;           |
:0043E659 2C41                    sub al, 41            ;           /
:0043E65B 3C1A                    cmp al, 1A            ;         /
:0043E65D 1AC9                    sbb cl , cl           ;       /
:0043E65F 80E120                  and cl, 20            ;     /
:0043E662 02C1                    add al , cl           ;   /
:0043E664 0441                    add al, 41            ; /
:0043E666 38E0                    cmp al , ah           ; Compare char of the key with the char of the input
:0043E668 74D2                    je 0043E63C           ; Loop, if they match
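
The block marked "Some calculations are done" is a branch-free ASCII case fold applied to each of the two characters, which makes the loop a case-insensitive string comparison. The C model below is an added example, not part of the original essay: the names fold_case and loop_matches are hypothetical, the sample strings are constructed, and the return value is an assumption because the code after 0043E668 is not shown here.

```c
#include <stdint.h>
#include <stdio.h>

/* Branch-free ASCII lowercase fold, one statement per instruction of the
 * block at 0043E64A..0043E655 (repeated at 0043E659..0043E664). */
static uint8_t fold_case(uint8_t c)
{
    uint8_t al = (uint8_t)(c - 0x41);    /* sub al, 41 : 'A'..'Z' -> 0..25  */
    uint8_t cf = (uint8_t)(al < 0x1A);   /* cmp al, 1A : CF = 1 if al < 26  */
    uint8_t cl = (uint8_t)(0u - cf);     /* sbb cl, cl : 0xFF if CF, else 0 */
    cl &= 0x20;                          /* and cl, 20 : 0x20 for uppercase */
    al = (uint8_t)(al + cl);             /* add al, cl                      */
    return (uint8_t)(al + 0x41);         /* add al, 41 : undo the offset    */
}

/* Model of the loop at 0043E63C..0043E668 (hypothetical name).
 * Returns 1 when the loop reaches the terminator with every pair matching,
 * 0 when it falls through at the first pair that still differs after
 * folding. The real return value is an assumption (tail not shown). */
static int loop_matches(const char *input, const char *key)
{
    const uint8_t *edi = (const uint8_t *)input;   /* [ebp+08] */
    const uint8_t *esi = (const uint8_t *)key;     /* [ebp+0C] */
    uint8_t al = 0xFF;                   /* mov al, FF */

    while (al != 0) {                    /* or al, al / je 0043E66E */
        al = *esi++;                     /* mov al, [esi] / inc esi */
        uint8_t ah = *edi++;             /* mov ah, [edi] / inc edi */
        if (ah == al)                    /* cmp ah, al / je 0043E63C */
            continue;
        al = fold_case(al);              /* first fold block */
        ah = fold_case(ah);              /* xchg al, ah + second fold block */
        if (al != ah)                    /* cmp al, ah : jump not taken */
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample strings, not taken from the program. */
    printf("%d %d\n", loop_matches("AbC1", "aBc1"), loop_matches("abc", "abd"));
    return 0;
}
```

Only the bytes 41h..5Ah are changed by the fold, so digits, punctuation and the terminating zero compare exactly.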

Now you have seen the main part of the procedure that compares the string
"JN11mARQ" with our input string.
Mhm? Let's think a minute. If the entered string is exactly the same string
as "JN11mARQ", it shows the Error_Screen. But if only one char in the entered
string is not the same, it will jump to the code that manipulates the
strings a little bit. So try to modify the entered string a little bit.
Just enter "JN11NARQ".
Yes! It worked! It seems that the first 4 chars have to be "JN11",
the 5th char can be anything except a number, and the last 3 chars can be
anything you want.
Hex Workshop is good for trying many serials, because you can unregister it very easily.
You just have to delete HEXWORKS.REG.
Now you can try some serials like "JN11+HCU" or "JN11HACK".
A very primitive way to generate SNs, isn't it?


That was it. I hope you enjoyed this short essay.

I want to thank +ORC for his wonderful tutorial, all +HCUkers for the good
essays and fravia+ for managing this cool site :)


