Cracking Tutorial - Part 4
20/06/2000

Tutorial done by: SiFu (Viseus@hotmail.com), a BSRF member (blacksun.box.sk)

For better reading, I advise you to print out this tutorial or at least MAXIMIZE it :) .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Index

0. Disclaimer
1. Introduction
2. What you need
3. Analysing the program
4. Disassembling the program
5. Cracking the program
6. Conclusion

0. DISCLAIMER:

I created this tutorial for informational purposes only! Much of the information in this document can be used to perform illegal activities! Don't attempt to do anything stated in this document! If you do attempt to do anything, you are solely and fully responsible for what you do! If you get caught and get in any kind of trouble, it's your own fault! If you intend to use this information to impress your friends, leave it and grow up! If you don't agree to this, do not read any more! If you crack a program, and either sell the crack or offer it for free, it is a crime!

1. INTRODUCTION:

Hi everyone! Sorry for taking so long to write another tut, but I had exams at school and stuff... In this tutorial we're going to do a step-by-step cracking of the HEXWORKSHOP 2.54 program. This is going to be quite easy, but it's a good thing to do 'cause you'll get more of a notion of WDASM and its cracking capabilities. In the end we'll make a patch with the new version of the RTD patcher. As for the program itself, it's a nice piece of software, another hex editor. These programs are sometimes used in cracking, but most of you will know them because they're used in game-cheating. Let us go on to the next section now...

2. WHAT YOU NEED:

* WDasm disassembler (I'll assume you've got it from the previous tutorials)
* Hiew (I'll assume you've got it from the previous tutorials)
* New version of the RTD patcher (can be found at: http://members.xoom.com/dumpster66/patcher2.zip)
* My version of Hex WorkShop, so that we all crack the same version (can be found at: http://members.xoom.com/dumpster66/hex.zip)

3. ANALYSING THE PROGRAM:

IMPORTANT: Before you change the program you'd better make a backup of it.

Install and run Hex WorkShop. It shows us a nag screen the first time we run it, saying it's an evaluation version which you can use for 90 days, and a brief description of the program. Click OK and let's get to the stuff :-)! Play around with the program a bit... It seems to be almost registered. WAIT! It has something in the top right corner of the screen, it says "Demonstration Version"! What might this be? Click on it. If you did this, a screen should pop up asking us to enter a serial number, but (un)fortunately we don't have one. How are we going to register this program? I know! Let's go and crack it :)))!

4. DISASSEMBLING THE PROGRAM:

Remember in the previous section when you clicked on "Demonstration Version"? Well, do it again and enter any number like "123456" or something... Click REGISTER, and a window pops up saying:

------------------------------------
Registration Unsuccessful
------------------------------------
You have entered an invalid registration number...etc...
------------------------------------

- WRITE THIS MESSAGE DOWN and quit Hex WorkShop
- Go to the directory where you installed Hex WorkShop and make a backup copy on your DESKTOP of "HWORKS32.EXE" (the main EXE file that runs the program).

Run WDASM and open "HWORKS32.EXE", the backup copy you placed on your DESKTOP. You now have the dead listing of "HWORKS32.EXE". Click SEARCH, FIND TEXT. Now, remember the stuff you wrote down? That message box? Well, what was its header?
Yep, it was: "Registration Unsuccessful". Write this (without the quotes) in the window you opened in WDASM. This is what you should get:

----------------------- HWORKS32.EXE -----------------------
Name: DialogID_0075, # of Controls=003, Caption:"Registration Unsuccessful", ClassName:""
001 - ControlID:FFFF, Control Class:"STATIC" Control Text:"You have entered an invalid registration number."
002 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Please confirm you entered a valid registration number or contact BreakPoint S"
003 - ControlID:0001, Control Class:"BUTTON" Control Text:"&OK"
----------------------- HWORKS32.EXE -----------------------

Well, this looks interesting :)! Here we have the window that is opened when we enter an invalid registration number. We also know that it is referenced by "DialogID_0075". Well, click SEARCH, FIND TEXT. Write down: "DialogID_0075" (without the quotes) and click FIND. You should land here:

----------------------- HWORKS32.EXE -----------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409C99(C)
|
:00409D18 E8838AFFFF              call 004027A0
:00409D1D 89850CFFFFFF            mov dword ptr [ebp+FFFFFF0C], eax
:00409D23 8B850CFFFFFF            mov eax, dword ptr [ebp+FFFFFF0C]
:00409D29 8B00                    mov eax, dword ptr [eax]
:00409D2B 898508FFFFFF            mov dword ptr [ebp+FFFFFF08], eax

* Possible Reference to String Resource ID=00001: "Hex Workshop Version 2.54"
|
:00409D31 6A01                    push 00000001
:00409D33 8B8508FFFFFF            mov eax, dword ptr [ebp+FFFFFF08]
:00409D39 8B8D0CFFFFFF            mov ecx, dword ptr [ebp+FFFFFF0C]
:00409D3F FF9094000000            call dword ptr [eax+00000094]
:00409D45 68D0070000              push 000007D0

* Reference To: KERNEL32.Sleep, Ord:0218h
|
:00409D4A FF1588194900            Call dword ptr [00491988]
:00409D50 E84B8AFFFF              call 004027A0
:00409D55 898504FFFFFF            mov dword ptr [ebp+FFFFFF04], eax
:00409D5B 8B8504FFFFFF            mov eax, dword ptr [ebp+FFFFFF04]
:00409D61 8B00                    mov eax, dword ptr [eax]
:00409D63 898500FFFFFF            mov dword ptr [ebp+FFFFFF00], eax
:00409D69 6A00                    push 00000000
:00409D6B 8B8500FFFFFF            mov eax, dword ptr [ebp+FFFFFF00]
:00409D71 8B8D04FFFFFF            mov ecx, dword ptr [ebp+FFFFFF04]
:00409D77 FF9094000000            call dword ptr [eax+00000094]
:00409D7D 6A00                    push 00000000
:00409D7F 6A00                    push 00000000

* Possible Reference to String Resource ID=00001: "Hex Workshop Version 2.54"
|
:00409D81 6A01                    push 00000001

* Possible Reference to Dialog: DialogID_0075      <---- YOU LANDED HERE!!!
|
:00409D83 6A75                    push 00000075
:00409D85 8D8D10FFFFFF            lea ecx, dword ptr [ebp+FFFFFF10]
:00409D8B E890F3FFFF              call 00409120
----------------------- HWORKS32.EXE -----------------------

Well, this looks a bit confusing, I know, but try to understand it; take some time looking at it :). As you can see, the only thing that makes this Dialog appear is the Conditional (C) jump right at the beginning of this sequence:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409C99(C)

Click on the menu GOTO, GOTO CODE LOCATION, enter the conditional jump address 00409C99 and choose OK. You should land here:

----------------------- HWORKS32.EXE -----------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409C89(U)
|
:00409C95 837DEC00                cmp dword ptr [ebp-14], 00000000
:00409C99 0F8479000000            je 00409D18          <--- YOU LANDED HERE!!!
:00409C9F 8B8DFCFEFFFF            mov ecx, dword ptr [ebp+FFFFFEFC]
:00409CA5 83C15C                  add ecx, 0000005C
:00409CA8 E8D37FFFFF              call 00401C80
:00409CAD 50                      push eax
etc...
----------------------- HWORKS32.EXE -----------------------

Look at the bottom of your screen in WDASM, where it says @Offset... Take note of the number written next to that. It should be: "9099"h (without the quotes and the "h", which only stands for HEX). For now you've got one location where the "invalid reg info" screen is displayed. You also wrote down the offset location of the jump that calls this sequence, and we'll later use HIEW to get rid of it :). But we have to do something first...
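WDASM's @Offset is where the same instruction sits in the file on disk, which is why HIEW is later pointed at 9099h rather than at the virtual address 00409C99. The Python below is an added example, not part of SiFu's tutorial: it performs that VA-to-file-offset mapping and decodes the rel32 displacement of the je and call encodings in the listing, so the printed targets (00409D18, 004027A0) can be checked by hand; the section table is an assumption chosen to be consistent with the offset the tutorial quotes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA at which the section is mapped
    virtual_size: int     # bytes the section occupies in memory
    raw_pointer: int      # file offset where its bytes are stored


IMAGE_BASE = 0x00400000  # usual base for Win32 EXEs of that era

# ASSUMED section table, not read from HWORKS32.EXE: a .text section mapped
# at RVA 0x1000 and stored at file offset 0x400 is the layout under which
# 00409C99 becomes @Offset 9099h, as the tutorial reports. .rdata is made up.
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x8F000, 0x400),
    Section(".rdata", 0x90000, 0x2000, 0x8F400),
]


def va_to_file_offset(va: int, image_base: int = IMAGE_BASE,
                      sections: List[Section] = SECTIONS) -> Optional[int]:
    """File offset of the byte at virtual address va, or None when the
    address is not backed by file data (PE header, .bss, alignment padding)."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return rva - s.virtual_address + s.raw_pointer
    return None


def rel32_target(va: int, code: bytes) -> int:
    """Destination of a call rel32 (E8) or jcc rel32 (0F 80..8F) at va.
    The displacement counts from the *next* instruction, so the 6-byte je at
    00409C99 with rel32 = 0x79 lands on 00409D18, exactly as WDASM prints."""
    if code[0] == 0xE8:
        length, disp = 5, code[1:5]
    elif code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        length, disp = 6, code[2:6]
    else:
        raise ValueError("not a call/jcc rel32 encoding")
    return (va + length + int.from_bytes(disp, "little", signed=True)) & 0xFFFFFFFF


if __name__ == "__main__":
    print(hex(va_to_file_offset(0x00409C99)))                              # 0x9099
    print(hex(rel32_target(0x00409C99, bytes.fromhex("0F8479000000"))))    # 0x409d18
```

Because the je occupies six bytes, any replacement written at that offset must also be exactly six bytes, or every following instruction in the listing shifts.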
We have to verify whether the program has more than one routine that calls this "invalid reg info" window. In WDASM, press "CTRL + S" to go to the beginning of the disassembly. Click SEARCH, FIND TEXT and continue the search for "DialogID_0075". You land on the first "DialogID_0075", but this one we have already taken care of :)! Press F3 to continue the search. This is what you get:

----------------------- HWORKS32.EXE -----------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004262B3(C)
|
:00426332 E869C4FDFF              call 004027A0
:00426337 89850CFFFFFF            mov dword ptr [ebp+FFFFFF0C], eax
:0042633D 8B850CFFFFFF            mov eax, dword ptr [ebp+FFFFFF0C]
:00426343 8B00                    mov eax, dword ptr [eax]
:00426345 898508FFFFFF            mov dword ptr [ebp+FFFFFF08], eax

* Possible Reference to String Resource ID=00001: "Hex Workshop Version 2.54"
|
:0042634B 6A01                    push 00000001
:0042634D 8B8508FFFFFF            mov eax, dword ptr [ebp+FFFFFF08]
:00426353 8B8D0CFFFFFF            mov ecx, dword ptr [ebp+FFFFFF0C]
:00426359 FF9094000000            call dword ptr [eax+00000094]
:0042635F 68D0070000              push 000007D0

* Reference To: KERNEL32.Sleep, Ord:0218h
|
:00426364 FF1588194900            Call dword ptr [00491988]
:0042636A E831C4FDFF              call 004027A0
:0042636F 898504FFFFFF            mov dword ptr [ebp+FFFFFF04], eax
:00426375 8B8504FFFFFF            mov eax, dword ptr [ebp+FFFFFF04]
:0042637B 8B00                    mov eax, dword ptr [eax]
:0042637D 898500FFFFFF            mov dword ptr [ebp+FFFFFF00], eax
:00426383 6A00                    push 00000000
:00426385 8B8500FFFFFF            mov eax, dword ptr [ebp+FFFFFF00]
:0042638B 8B8D04FFFFFF            mov ecx, dword ptr [ebp+FFFFFF04]
:00426391 FF9094000000            call dword ptr [eax+00000094]
:00426397 6A00                    push 00000000
:00426399 6A00                    push 00000000

* Possible Reference to String Resource ID=00001: "Hex Workshop Version 2.54"
|
:0042639B 6A01                    push 00000001

* Possible Reference to Dialog: DialogID_0075      <--- YOU LANDED HERE!!!
|
:0042639D 6A75                    push 00000075
:0042639F 8D8D10FFFFFF            lea ecx, dword ptr [ebp+FFFFFF10]
:004263A5 E8762DFEFF              call 00409120
----------------------- HWORKS32.EXE -----------------------

Just to make sure that this is the last reference, press F3 again to see if there are any left. Good! This is the last one. Once again, this all happens due to the Conditional (C) jump at the beginning of this sequence:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004262B3(C)

Click on the menu GOTO, GOTO CODE LOCATION, enter the conditional jump address 004262B3 and choose OK. As with the other one, take note of the number beside the @Offset location; it should be: 256B3. In the end we now have two OFFSET locations written down (9099 and 256B3), which we'll use in HIEW. You can now close WDASM. Let us move on to the cracking :))))))) !

5. CRACKING THE PROGRAM:

Open "HWORKS32.EXE" in HIEW (the ORIGINAL one, not the backup copy on your DESKTOP). Press F4 and choose DECODE. Press F5 and type the first offset location: 9090; press ENTER. Press F3 to edit and write: 404840484048 (if you don't know what this means, read my previous tutorial on Register Modifying); press F9 to update. We've got rid of the first conditional jump, hehehe! Now for the second one. Press F5 and type the second offset location: 256B3; press ENTER. Press F3 to edit and write: 404840484048. Press F9 to update. Done! We made both jumps disappear! Press F10 to quit HIEW.

Now run HEX WORKSHOP, choose the menu HELP and click ABOUT HEX WORKSHOP... . The register screen pops up! This is the moment! If we did this right, we should now be able to enter any number and the program should accept it as valid. Go ahead, write any number. HURRAY!!! It says registration successful; write anything for the USER NAME and the ORGANIZATION. Now use the patcher I told you to get at the beginning of this tutorial :)! It's really simple, so I'm not telling you how to use it. Any doubts, email me!

6. CONCLUSION:

This program wasn't that difficult to crack, but this is supposed to help beginners, right :) ? Hope you've liked it! By the way, if you can't make a patch for this program, go to: http://members.xoom.com/dumpster66/hexws254.exe and download it.

C ya !
SiFu (contact by email: Viseus@hotmail.com)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Other tutorials by BSRF (blacksun.box.sk)
-----------------------
* FTP Security.
* Sendmail Security.
* Overclocking.
* Ad and Spam Blocking.
* Anonymity.
* Info-Gathering.
* Phreaking.
* Advanced Phreaking.
* More Phreaking.
* IRC Warfare.
* Proxies, Wingates and SOCKS Firewalls.
* RM Networks.
* The Windows Registry.
* ICQ Security.
* Hardware.
* Cracking.
* HTML.
* Javascript.
* Easy Linux Installation Guide.
* Basic Local/Remote Unix Security.
And many more!