May 1998
"Win eXpose Registry 95 V1"
(Example of a lazy protection system)
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: wxr95-0.zip
Program Type: Win'95 Registry Monitor
Program Location:  Here or Here
Program Size: 1.5mb 
 
   
Tools Used:
Softice
HexWork Shop32 
 
Rating
Easy ( X )  Medium (    )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Win eXpose Registry 95 V1
( An example of a lazy protection system  )
Written by The Sandman
 
 
 
Introduction
 
The author(s) of this utility can be found at: http://www.shetef.com
 
This utility is a great program for anyone wishing to see which .ini or Win'95 registry entry is created/accessed/changed in real time. Useful indeed for seeing what entries are made when a program is registered or installed!
 
 
About this protection system
 
Registration is via selecting the 'Help' menu then choosing the 'Registration' option.
 

You're asked to enter:

Your First, Last Name
Company Name
Address Line 1
Address Line 2
Serial Number
Password

before registration begins.

The actual password is based on the Serial No, and it's this password that the program looks for each time it is run.  Unlike many programs, once you've registered it, the program stores your user details and the password itself in the file C:\Windows\wxr95.ini instead of in your registry!
 
This program is not compacted or encrypted in any way.
 
 
The Essay 
     
Our task is to register this program so that it will no longer check whether our 30 day trial period has come to an end, and also to stop the program displaying nag screens while we use it to monitor registry manipulations.
 
Start up Win eXpose and go into the registration screen.  Now fill in all the details the program asks of you.  For the Company Name & Address lines use a <SPACE> character if you wish to leave these lines blank.  Once done, press Ctrl-D and type into Softice:

BPX messageboxA  (If this program runs in 32-bit then trap this 32-bit function)
BPX messagebox     (If this program runs in 16-bit then trap this 16-bit function)

Some people prefer to have Softice break during the actual creation of the target program's registration sequence by having Softice break on one of a number of system functions such as lstrcmp & lstrlen, but I much prefer to break after all of this, for the following reasons.

1. It's much easier to visually back-track the route the program took to arrive at the 'invalid password' message box.
 
2. We can be almost certain that the program has not yet had time to erase the memory location where it stores the 'real' password it used to compare with our entered fake password.
 
Now type X to leave Softice and press the 'OK' button so that Win eXpose can get on with checking the details we've just typed into it.

Softice breaks at the start of the MessageBoxA routine; from here press F11 once, then answer 'OK' to the 'Invalid Password, please re-enter again' notice, and once again we're back in the target program's code.

We should see the following snippet of code in Softice.
 
 

:004025A3 CALL    [USER32!MessageBoxA]
:004025A9 MOV     BYTE PTR [EBP-04],00    ;We land here.
:004025AD CALL    00402750
:004025B2 MOV     DWORD PTR [EBP-04],FFFFFFFF
:004025B9 CALL    00402762
:004025BE MOV     EAX,[EBP-0C]
:004025C1 POP     EDI
:004025C2 MOV     FS:[00000000],EAX
:004025C8 POP     ESI
:004025C9 POP     EBX
:004025CA MOV     ESP,EBP
:004025CC POP     EBP
:004025CD RET
 
 
At this point the only thing we can be sure of is that we're at the end of the protection routine used within the target program, so let's see if we can find out where the program decided that our entered password was invalid.  Normally this will take the form of:-

TEST  ???,???                      ;Test one register or address against another.
JZ or JNZ or JE, JG ????????       ;If same, not the same, equal, greater then jump.

OR

CMP   ???,???                      ;Compare one register or address against another.
JZ or JNZ or JE, JG ????????       ;If same, not the same, equal, greater then jump.
 
What the above examples do is check two registers against each other and then, depending on the outcome, tell the computer which section of the program's code to execute after this check has been performed.

Right, let's scroll up Softice's Code Window and see if there is something that resembles either of the two examples shown above. Hey, this looks interesting:-

:004024F7 TEST    EAX,EAX  ;Look, We found a TEST & Condition jump!
:004024F9 JZ      004025CE ;If the result from the TEST is the same 
                 ;then we've entered the correct password 
                 ;so jump to memory location 004025CE 
                 ;and save this information to an .ini 
                 ;file. 

                 ;However, if the password is incorrect then 
                 ;proceed onto the next line and prepare for 
                 ;the beggar off message.

:004024FF PUSH    0040A1A4
:00402504 MOV     ECX,0040A90
:00402509 PUSH    0040A158
:0040250E PUSH    0040A140 
:00402513 CALL    00406E40 
     
 ------ Snip  Snip ------------
:004025A3 CALL    [USER32!MessageBoxA]
:004025A9 MOV     BYTE PTR [EBP-04],00 ;Display "Incorrect Password"
:004025AD CALL    00402750
:004025B2 MOV     DWORD PTR [EBP-04],FFFFFFFF
:004025B9 CALL    00402762
:004025BE MOV     EAX,[EBP-0C]
:004025C1 POP     EDI
:004025C2 MOV     FS:[00000000],EAX
:004025C8 POP     ESI
:004025C9 POP     EBX
:004025CA MOV     ESP,EBP
:004025CC POP     EBP
:004025CD RET
 
 
At this point, having found a branch in the program such as the one shown above, I would place a Softice breakpoint on it and go through the whole registration process in the hope that Softice will stop at the new breakpoint instead of at the messagebox routine.  So let's do this.
 
Go into Win eXpose's Registration screen again, fill in all the details as before, then press Ctrl-D.

Now type:
 
BD 00                                ;This disables our previous breakpoint.
BPX 004024F9                ;Creates a new Softice breakpoint on the JZ instruction.
X                                         ;Exits Softice
 
Now press the 'OK' button so we can once again run Win eXpose's registration process.  Almost right away Softice breaks again and, as expected, it stops on the line that decides whether or not to jump to a different memory location based on the result of the TEST instruction.

If, while still within Softice we now press the F4 key we can see that the program has not yet created the 'Invalid Password' messagebox so we're pretty sure that the program has not yet checked our entered (fake) password with the real one it has created somewhere in memory. OK, press the F4 key once more to restore the Softice code screen.

The point where we have made Softice break is where the program is about to make a decision of some kind. Looking again at the code snippet above we can see that if the program continues on its course it will hit the CALL [USER32!MessageBoxA] routine, where we know it will tell us that the password is incorrect. Hmmm, what we want to do is make the program choose a different direction, one that is the opposite of 'Bad Password', perhaps 'Good Password'!

Let us think a bit more here... Unless we've been extremely lucky, we know for a fact our password is incorrect, and here we have Softice telling us that at THIS POINT in the program there will be 'NO JUMP', so program execution will continue on and hit the 'BAD PASSWORD' messagebox, not exactly what we're looking for.  So why not 'tell' Softice to take this jump regardless of what the outcome of the TEST was.

Type into Softice:-
 
r eip=004025CE

What we've done is to manually tell Softice that the next time we press the F10 key it will proceed at memory location 004025CE instead of continuing at the next line below the JZ instruction.
 
The value 004025CE was taken from the JZ instruction below the line with the TEST EAX,EAX.
 
OK, with that done press the X key and Softice will let Win eXpose run as normal.
 
If you have followed the steps given above Win eXpose should now be fully registered, you can test this out by exiting Win eXpose completely then running it again.  Check out the 'About Win eXpose' dialog box to see your entered details and the fake Serial No shown in this message box.
 
Most of the programs I've so far come across don't save the 'real' serial number/password to an ini file when you bypass the 'Beggar off' routine, as this program does; instead they normally save the 'fake' information you have typed in.  This program, however, automatically 'assumes' that if you reach the 'good guy' routine your password is correct, and instead of saving our entered password (in my case the fake password I originally used) it saves the one IT has created!  A cracker's dream crack!!
 

If you now go into the C:\Windows directory and load the file 'wxr95.ini' into Notepad you should see something like this:-

[Win-eXpose-Registry 95]
Name=The Sandman
Company=#
AddrLine1=#
AddrLine2=#
SerialNumber=7777777 ;My fake serial number
Key=EXPREF062F05     ;The password generated from the
                     ;fake Serial Number I used!

Please don't use my Handle or Password, that's lame, use one of your own please.

For those still not sure of how the password is created let me just say that the program creates passwords based on the 'SERIAL NUMBER' you type in, the other details are there just for cosmetic purposes only.

If you wish to re-enter the Registration screen again so that you can learn more about how the program comes up with the password, you can do so without having to delete the wxr95.ini file first; the program kindly lets us do this..:)

Job Done.....
 
The 'Crack' 
 
Just one byte change is required so that the program will *register* itself with what-ever password we choose..:)

Using any hex editor load up the file wxr95.exe then:-

SEARCH FOR:-

85C00F84CF000000 then replace it with:
85C00EBD00000000
            |------|  <--Change these bytes only.

 
Final Notes 
 
This *crack* in reality took me just a few minutes to *fix*.  The programmer(s) of this utility could have made my task harder if they had simply made the 'Good Guy' routine save ONLY the information the user typed in when registering the program, instead of automatically saving the 'real' password created by the program itself!  That way, if a *cracker* does what I did and fools the program into going to the 'Good Guy' routine, the program would ONLY save the information I had typed in, so when the program was run again it would see that my password was, in fact, the wrong one!

So now each time the program runs, it sees the real password and not my fake one, because the program had placed it there itself!
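To make the design point of these Final Notes (and of the 'cracker's dream' paragraph earlier) concrete, here is an added model of the two registration designs, written for this page and not taken from wxr95.exe.  The key derivation is a constructed placeholder (the essay only says the key depends on the serial number), the INI layout follows the wxr95.ini quoted above, and `check_override` stands in for the forced TEST/JZ branch so the two persistence strategies can be compared.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Hypothetical stand-in for the vendor's derivation: the essay only says the
# key depends on the serial number, not how it is computed. Constructed here.
_VENDOR_SECRET = b"constructed-example-secret"

def derive_key(serial: str) -> str:
    """The 'real' key for a serial (placeholder algorithm, not wxr95's)."""
    mac = hmac.new(_VENDOR_SECRET, serial.encode(), hashlib.sha1).hexdigest()
    return "EXP" + mac[:9].upper()

def key_is_valid(serial: str, key: str) -> bool:
    return hmac.compare_digest(derive_key(serial), key)

def register(ini: Path, name: str, serial: str, key: str,
             persist_computed_key: bool, check_override=None) -> bool:
    """Model of the registration routine. check_override stands in for a
    debugger forcing the TEST/JZ outcome; None means evaluate honestly.
    persist_computed_key=True is the lazy design the essay describes: the
    'good guy' branch writes the key the program computed for itself."""
    ok = key_is_valid(serial, key) if check_override is None else check_override
    if ok:
        stored = derive_key(serial) if persist_computed_key else key
        # Same layout as the wxr95.ini file quoted in the essay.
        ini.write_text("[Win-eXpose-Registry 95]\n"
                       f"Name={name}\nSerialNumber={serial}\nKey={stored}\n")
    return ok

def registered_at_startup(ini: Path) -> bool:
    """What the program should do on every launch: re-verify what was stored."""
    if not ini.exists():
        return False
    fields = dict(line.split("=", 1) for line in ini.read_text().splitlines()
                  if "=" in line)
    return key_is_valid(fields.get("SerialNumber", ""), fields.get("Key", ""))

def demo(persist_computed_key: bool) -> bool:
    """Register with a wrong key while the check branch is forced to 'pass',
    then report whether the next launch still considers itself registered."""
    ini = Path(tempfile.mkdtemp()) / "wxr95.ini"
    register(ini, "Example User", "7777777", "WRONG-KEY",
             persist_computed_key, check_override=True)
    return registered_at_startup(ini)

if __name__ == "__main__":
    print("lazy design stays registered:", demo(True))      # True
    print("hardened design stays registered:", demo(False))  # False
```

With the hardened design a forced branch only writes the bogus key, so the next launch fails the re-check and the program is back to unregistered; the lazy design makes the one-time bypass permanent.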

My thanks and gratitude goes to:

Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.

 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by:          The Sandman
Page Created: 21st May 1998