Hex WorkShop-32 V2.54

July 1998	"Hex WorkShop-32 V2.54" ( 'Dealing with Reg Files' )	Win '95 PROGRAM Win Code Reversing
	by The Sandman
	Code Reversing For Beginners
	Program Details Program Name: hw32v25.exe Program Type: The Best Hex Editor! Program Location: Here Program Size: 1 MB
	Tools Used: W32Dasm V8.9 - Disassembler Softice V3.2 Hex Workshop32 or any other Hex Editor
Rating	Easy ( X ) Medium ( ) Hard ( ) Pro ( )	There is a crack, a crack in everything. That's how the light gets in.

Hex WorkShop-32 V2.54 ( 'Dealing With Reg Files' ) Written by The Sandman

Introduction

The author says about Hex Workshop :

"Hex Workshop is integrated with the Windows Explorer, the File Manager, and Microsoft Visual C++ so you can quickly hex edit files from your most frequently used workspaces. Hex Workshop also includes a Base Converter for converting between hex, decimal, and binary, and a Hex Calculator supporting arithmatic and logical operations.

Hex Workshop was recognized in ôThe 47 Best from the Net ö by Windows Sources and as the Windows Tech Journal Download of the Month. Hex Workshop is available at retail price of $20 (with volume discounts and site licenses also available). For more information, visit the BreakPoint Software Home Page at www.bpsoft.com or e-mail inquiries to sales@bpsoft.com.."

About this protection system

This program has a 14 day trial limit by which time the User is expected to register this program.

Access to the 'Registration Screen' is via the 'Help' menu option then via the 'About Hex Workshop...' option.

You are first asked for the serial number, entering a successful serial number will then allow you to enter your User Name/Handle and Company Name.

When the program is registered successfully it stores these details (minus the serial no ) in a file called HEXWORKS.REG rather than in your System Registry file. This file is created in the same directory as the program itself. This file is mostly comprised of ASCII text characters, with a couple of check bytes at the end.. Here's what my HEXWORKS.REG file looks like:-

00000000 01003737 37373737 37000000 00005468 ..7777777.....Th
00000010 65205361 6E646D61 6E000000 00000000 e Sandman.......
00000020 00000000 00000000 00000000 00000000 ................
00000030 00000000 00000000 00000000 00000000 ................
00000040 00000000 00000000 00000000 00005669 ..............Vi
00000050 7375616C 20537973 74656D73 00000000 sual Systems....
00000060 00000000 00000000 00000000 00000000 ................
00000070 00000000 00000000 00000000 00000000 ................
00000080 00000000 00000000 00000000 00000000 ................
00000090 00000000 00000000 00000000 00000000 ................
000000A0 00000000 00000000 00000000 00000000 ................
000000B0 00000000 00000000 00000000 00000000 ................
000000C0 00000000 00000000 00000000 000051AF ..............Q.
000000D0 33CA 3.

The Essay

This program is registered by entering a single serial number via the 'About Hex Workshop' screen.

Here's how you can *crack* this babe..

1. Go into the 'About Hex Workshop' screen, type in any sequence of numbers/characters you wish to use..

2. Press the Ctr-D keys together to fire up Softice.
3. Type bpx getwindowtexta then x to exit Softice.
4. Click on the 'Register' button.
5. Softice breaks.. Press the 'F11' key ONCE.
6. Now press the 'F10' key 28 TIMES.

We should now be at this code snippet.

:00426260 8B8DFCFEFFFF            mov ecx, dword ptr [ebp+FFFFFEFC]
:00426266 83C164                  add ecx, 00000064
:00426269 E812BAFDFF              call 00401C80
:0042626E 50                      push eax
:0042626F 8D45DC                  lea eax, dword ptr [ebp-24]
:00426272 50                      push eax
:00426273 E8C82D0100              call 00439040
:00426278 83C408                  add esp, 00000008
:0042627B 68E8F74700              push 0047F7E8 ;->"JN11mARQ"
:00426280 8D45DC                  lea eax, dword ptr [ebp-24]
:00426283 50                      push eax
:00426284 E867450100              call 0043A7F0
:00426289 83C408                  add esp, 00000008
:0042628C 85C0                    test eax, eax
:0042628E 0F8414000000            je 004262A8
:00426294 8D45DC                  lea eax, dword ptr [ebp-24]
:00426297 50                      push eax
:00426298 E823110100              call 004373C0
:0042629D 83C404                  add esp, 00000004
:004262A0 8945EC                  mov dword ptr [ebp-14], eax
:004262A3 E907000000              jmp 004262AF
:004262A8 C745EC00000000          mov [ebp-14], 00000000
:004262AF 837DEC00                cmp dword ptr [ebp-14], 00000000
:004262B3 0F8479000000            jz 00426332 ; Beggar off cracker
:004262B9 8B8DFCFEFFFF            mov ecx, dword ptr [ebp+FFFFFEFC]

7. Keep pressing the 'F10' key until you land on the je 004262B3 instruction.

Notice that Softice is indicating that it will jump to this memory location if we continue on from here, but we don't want that to happen.

8. Type r eip=4262B9 then press x to let the program run as normal. This tells Softice to ignore this jump instruction and carry on with the next instruction below it.

9. Hex Workshop is now asking for your Name & Company name, so fill in these details then press 'OK' to confirm.

10. Congratulations! You've just now registered Hex Workshop!.

Just in case you've missed what has just happened.. Hex Workshop uses a very simple protection system, it relies heavily on YOU entering a valid serial serial. If the program accepts this serial then it will ask for your User details and save this straight to file called Hexworks.REG. Nothing wrong here so far.. However, unlike many other programs, HexWorkshop chooses not to 'validate' the serial number each time it is run, so once we've disabled the initial serial check and the program accepts any number we choose to register it with Hexworkshop will run happily there-after.

If you want to unregister this program then go into the Hex Workshop Directory and delete the file called hexworks.REG. This will force Hexworkshop to run in it's default Shareware Mode.

Job Done.

The 'Crack'

Load up Hworks32l.exe into your favorite Hex-Editor ( I prefer hexWorkshop-32) but just about any will do..

SEARCH FOR THE FOLLOWING BYTES : 0F84790000008B8D
REPLACE WITH HIGHLIGHTED BYTES : 0F84000000008B8D

Once you've patched this program then the following lines:-

:004262AF 837DEC00                cmp dword ptr [ebp-14], 00000000
:004262B3 0F8479000000            jz 00426332 ; Beggar off cracker
:004262B9 8B8DFCFEFFFF            mov ecx, dword ptr [ebp+FFFFFEFC]

Will now look like this:-

:004262AF 837DEC00                cmp dword ptr [ebp-14], 00000000
:004262B3 0F8479000000            jz 004263B9 ; Register regardless..:)
:004262B9 8B8DFCFEFFFF            mov ecx, dword ptr [ebp+FFFFFEFC]

All I've done is to change the jz jump address so that even if it get's 'set' because you've entered an invalid serial number then it will now jump to the 'Good Guy' routine instead of the 'beggar off Cracker' routine.

Final Notes

This is an excellent utility all round, so please register it properly if you intend to use it after the 14 day trial period.

My thanks and gratitude goes to:-

Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.

+ORC for showing me the light at the end of the tunnel.

Ob Duh

Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.

If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.

Next

Return to Essay Index

Previous

Essay by: The Sandman
Page Created: 11th July 1998