June 1998
"Helperware V4, V4.1,V4.2"
( 'A feeble attempt to discourage crackers'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: setup42.exe
Program Type: Win Help File Creator
Program Location: Helperware V4
                                     Helperware V4.2
Program Size: 1 MB 
 
   
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
 
 
 
Introduction
 
The author(s) offer very little information about their product other than a screenshot and a couple of links to download the $99 product.
 
From what I've seen it looks like any other help-file creator you can get from the Web. It loads an .RTF file, then allows you to add/change/delete the various topics contained within that file. I haven't really looked at it in any depth because, other than working out how to crack the protection system (serial number), I have no other use for it.
 
About this protection system
 
I originally began this essay on their Helperware V4 product and I'm glad I did, because the latest version of this software (V4.2) has been changed to discourage crackers from breaking it via the serial number registration screen. +ORC has always taught us to study our target program's history first before proceeding with the newer releases, so that we can learn to adapt as the program changes (from a reverser's point of view), and this certainly holds true in this case.

In Version 4 this program allowed anyone to enter a valid serial number and the program would then be registered. In the new release (V4.2) this facility has been disabled. Huh, the programmers must think crackers are dumb, because they STILL use the SAME method from the earlier releases to record that the program is registered! In the time it took me to load their wincopig.ini file and make two changes to it, this program was fully *REGISTERED*.

For this essay I will explain how to crack their Helperware V4 product; you can then apply the knowledge gained here to their latest version (V4.2).

The protection system employed within this program should give the newbie no problems. If you're a newbie and have already *cracked* one or two serial number programs then I suggest you download this program now and try to *crack* it before reading this essay. If you get stuck then by all means come back here and see where you're going wrong, but it really is easy to *crack*.
 
The protection system consists of a serial number, which you enter via the 'Ordering Information' tab.
 
You will then be asked for:
 
Your Name / Organization (seems to accept an unlimited number of characters)
Password (accepts a maximum of 12 digits, but only four are required)

Once this program has been run, the following entries are created in C:\Windows\wincopig.ini:

[Date]
End=28/07/98

[Program]
System=2    ;This tells the program it's still unregistered!!

When the program is registered, here's what this .ini file looks like:
 
[Date]
End=28/07/98

[Program]
System=1                           ;Look!, System now =1 meaning it's been registered!
Register=The Sandman   ;Here's where our name gets placed.
 
 
The Essay 
     
I suggest you download V4 of Helperware before trying out their latest release, so that you will understand this essay and, more importantly, how this program works.
 
Once you have installed this program, run it and go into the registration screen (via the 'Ordering Information' tab). Type in your name/handle first (the program won't let you enter a password unless you enter a name first), then type any random sequence of numbers into the password box.
 
Notice what happens when you try to register the program using the random password: it replaces your typed-in password with the text 'Wrong Password'. Neat, eh! It means we can't use something like bpx messageboxa in Softice, because there aren't any message box routines to trap. No problem, let's have a look at a 'dead listing' of this program; perhaps that will show us how to attack it.

1. Use W32Dasm to create a dead listing of Helperware V4.
2. Search for the string 'Wrong Password'. This is the text the program shows when we try an invalid password.

You should see this snippet of code:-
 
* Referenced by a (C)onditional Jump at Address: 00481D76(C)
 
:00482028 BA60214800              mov edx, 00482160 ;"Wrong Password"
:0048202D 8B86C0020000            mov eax, dword ptr [esi+000002C0]
:00482033 E8CC2CF9FF              call 00414D04
 
The important information here is the address this routine is referenced from: there is a conditional jump to it at 00481D76, so let's take a peek at that.
 
:00481D5F 8D55EC                  lea edx, dword ptr [ebp-14]
:00481D62 8B8608030000            mov eax, dword ptr [esi+00000308]
:00481D68 E8672FF9FF              call 00414CD4
:00481D6D 8B55EC                  mov edx, dword ptr [ebp-14]
:00481D70 58                      pop eax
:00481D71 E8D219F8FF              call 00403748 ;* type d edx at this point
                                                ; to see your REAL serial
                                                ; number

:00481D76 0F85AC020000            jne 00482028 ; Here is where the program
                                               ; jumps to the 'Beggar off
                                               ; cracker' routine when you
                                               ; type in a wrong password.
 
:00481D7C BAA4204800              mov edx, 004820A4 ;"Right Password"
:00481D81 8B86C0020000            mov eax, dword ptr [esi+000002C0]
:00481D87 E8782FF9FF              call 00414D04
:00481D8C 8D55F0                  lea edx, dword ptr [ebp-10]
 
Here's our BINGO code! We can do one of two things here.
 
We could place a breakpoint on memory location 00481D71 (call 00403748) and, when Softice breaks on this line, type: d edx to see the real serial number the program expects for the name the User has just entered (d eax shows the one we typed in). Or we could simply NOP (90h) out the jne 00482028 instruction so that the program accepts anything we type in.
 
OK, let's explore both options.

CRACK ONE: Sniffing out the serial number..

1. Run Helperware and go directly into the Registration screen via the 'Ordering Information' tab.

Example only:
For the Name/Organisation type in: The Sandman
For the password type in: 7777777

2.  Once you've typed in the password press the SPACE BAR ONCE
3.  Now press Ctrl-D to enter Softice then type: bpx hmemcpy
4.  Press x to leave softice.
5.  Now delete the SPACE character from the end of your serial number.
 
6.  Softice now breaks at the beginning of the hmemcpy function. It was triggered when
     we deleted the space character from the end of our serial number. I use this
     'trick' to gain quick and easy access to 99.9% of programs that have no obvious way
     into their code.
 
7.  At this point press the 'F11' key ONCE, followed by the 'F12' key 8 times.
8.  Type bc * to clear away any previous Softice breakpoints.
9.  Since we already know where we want Softice to break we now type: bpx 00481D71
10. Press x to leave Softice and we return back to the program's registration screen.
 
11. Click on the 'OK' button to allow our target program to process our registration
      details,

12. Wham, Softice breaks at :00481D71 E8D219F8FF  call 00403748

13. If you now type: d edx you will see 3081 in Softice's data window. This is the serial
      number for the User name 'The Sandman'; you might see a different serial number if
      you used a different User name/handle. The serial number seems to always be four
      digits long, regardless of how long the name is. If you want to see where your
      random serial number (the one you first typed in) is stored, type: d eax

That's it, you now know how to sniff out the serial number in this program.
 
CRACK TWO: Nop'ing out a jump..

Follow the EXACT steps shown above from 1 to 12 to gain access to the section of code we're interested in...

13. Press the 'F10' key ONCE so that you are resting on this instruction:
 
:00481D76 0F85AC020000            jne 00482028

Softice should be telling you that this 'jne 00482028' is 'set', i.e. it will be taken, and that the program is about to jump to the 'Wrong Password' routine because the compare found your password invalid.
 
14. Now type: r eip=00481D7C
This sets the instruction pointer to the instruction directly BELOW the jne, so Softice 'skips' the jne as though it did not exist and execution continues from there. It has exactly the same effect as NOPing (90h) the jne out of the file, only here we are doing it by hand, in memory, for this run only.
 
15. Now press x to leave Softice and the program will proceed to register itself with whatever name you entered. The program is now fully *REGISTERED*. We did this by altering the program in memory, however; to make this work for anyone else we need to 'patch' the program permanently, and this is how we do that:

Load helpware.exe into your favourite hex editor, then:-
 
SEARCH FOR THE BYTES           : 0F 85 AC 02 00 00
REPLACE HIGHLIGHTED BYTES WITH : 90 90 90 90 90 90

That is the six-byte jne at 00481D76 replaced by six NOPs of the same total length, so nothing after it moves. The byte immediately following it (BA, the start of the mov edx,004820A4 that loads "Right Password") is left exactly as it is. Check that the search pattern occurs only once in the file before you replace it; if it occurs more than once, extend the search with the BA A4 20 48 00 that follows so that it becomes unique.
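The two things the listing tells us, where the jne goes and which bytes to change, can be checked without trusting the disassembler. The Python script below is an added example written for this essay; it is not code from the original page and not Helperware's own code. It resolves the rel32 displacements of the call and jne encodings quoted in the listing to confirm their targets, and builds the NOP patch on a constructed byte string that stands in for the relevant bytes of helpware.exe (no file is read or written), refusing to patch unless the search pattern is unique.

```python
"""Resolve the branch targets quoted in the dead listing and build the NOP patch.

Added example for this essay; not Helperware code and not from the original page.
The byte strings are copied from the W32Dasm listing above; 'helpware.exe' is
stood in for by a constructed byte string, no file is read or written.
"""
import struct

# address -> opcode bytes, as printed by W32Dasm in the listing above
LISTING = {
    0x00481D68: bytes.fromhex("E8672FF9FF"),    # call 00414CD4
    0x00481D71: bytes.fromhex("E8D219F8FF"),    # call 00403748  (the compare)
    0x00481D76: bytes.fromhex("0F85AC020000"),  # jne  00482028  ('Wrong Password')
    0x00482033: bytes.fromhex("E8CC2CF9FF"),    # call 00414D04
}

JNE_BYTES = bytes.fromhex("0F85AC020000")   # the bytes searched for in the hex editor
NOP_PATCH = b"\x90" * len(JNE_BYTES)        # same length, so nothing after it shifts


def decode_target(addr, code):
    """Return (mnemonic, target) for an E8 rel32 call or 0F 85 rel32 jne.

    The 32-bit displacement is signed little-endian and relative to the end of
    the instruction, which is why a backward call such as E8 D2 19 F8 FF lands
    well below the instruction that made it.
    """
    if len(code) == 5 and code[0] == 0xE8:
        rel = struct.unpack("<i", code[1:])[0]
        return "call", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) == 6 and code[:2] == b"\x0F\x85":
        rel = struct.unpack("<i", code[2:])[0]
        return "jne", (addr + 6 + rel) & 0xFFFFFFFF
    raise ValueError(f"unsupported encoding at {addr:08X}: {code.hex()}")


def find_pattern(image, pattern):
    """Every offset at which pattern occurs in image (overlaps included)."""
    return [i for i in range(len(image) - len(pattern) + 1)
            if image[i:i + len(pattern)] == pattern]


def patch_jne(image):
    """Replace the jne with NOPs, but only if the search pattern is unique.

    A blind search-and-replace in a hex editor has no such check; if the same
    six bytes occur elsewhere you would be NOPing an unrelated jump too.
    """
    hits = find_pattern(image, JNE_BYTES)
    if len(hits) != 1:
        raise ValueError(f"pattern found {len(hits)} times, expected exactly once")
    off = hits[0]
    return image[:off] + NOP_PATCH + image[off + len(JNE_BYTES):]


# Constructed stand-in for the bytes of helpware.exe at 00481D71..00481D80:
# the compare call, the jne, and the start of the mov edx,004820A4 that follows.
SAMPLE_IMAGE = bytes.fromhex("E8D219F8FF" "0F85AC020000" "BAA4204800")

if __name__ == "__main__":
    for addr, code in sorted(LISTING.items()):
        mnem, target = decode_target(addr, code)
        print(f"{addr:08X}  {code.hex().upper():<12}  {mnem} {target:08X}")
    print("before:", SAMPLE_IMAGE.hex().upper())
    print("after: ", patch_jne(SAMPLE_IMAGE).hex().upper())
```

Running it prints the four resolved targets (they match the listing) and the patched bytes, which still end in BA A4 20 48 00: the BA is the first byte of the next instruction, not part of the patch.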
 

Finally...

Once the program has been registered, wincopig.ini looks like the registered example shown earlier in this essay (System=1 plus a Register= line).

Now, the latest version, Helperware V4.2, ALSO uses this SAME method to store the registration details, and its wincopig.ini entries look like this when registered:-

[Date42]             ;Look!, it now uses a new [Date] heading with '42' added at the end, so
                     ;that any previous version of this program won't get confused if it
                     ;shares the same wincopig.ini file.
End=28/06/98

[Program42]          ;Likewise, a new [Program] heading with '42' added at the end, for the
                     ;same reason.
System=1
Register=The Sandman

Now you know how to *register* their latest version using the knowledge gained from an earlier release of Helperware V4.
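To see the V4 and V4.2 sections side by side, and the two edits that flip V4.2 from unregistered to registered without touching V4, here is a small Python script. It is an added example for this essay, not code from the original page or from Helperware. Its assumptions are labelled in the code: the program is taken to read these keys through the Win32 profile API, whose key lookups are case-insensitive (mimicked by configparser's default lower-casing of keys); End= is taken to be the end of a trial period, which the key name suggests but the page does not state; and two-digit years are read as 19xx. The sample .ini text is constructed.

```python
"""Registration state as recorded in wincopig.ini, for V4 and V4.2 side by side.

Added example for this essay; not Helperware code and not from the original
page.  Assumptions, labelled as such: the program reads these keys with the
Win32 profile API, whose key lookups are case-insensitive (mimicked here by
configparser's default lower-casing of keys); End= is taken to be the end of
the trial period, which the key name suggests but the page does not state;
two-digit years are read as 19xx.
"""
import configparser
from datetime import date

# Constructed sample: a V4 install that is registered and a V4.2 install that
# is not, sharing one file.  This is the case the '42' suffix on the V4.2
# section names exists to handle.
SAMPLE_INI = """\
[Date]
End=28/07/98

[Program]
System=1                ;1 = registered
Register=The Sandman

[Date42]
End=28/06/98

[Program42]
System=2                ;2 = still unregistered
"""


def load_ini(text):
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cp.read_string(text)
    return cp


def registration_state(cp, suffix=""):
    """What the program with the given section suffix ('' for V4, '42' for V4.2)
    would conclude from the file."""
    prog = cp[f"Program{suffix}"]
    system = prog.getint("System", fallback=2)     # missing key: treat as unregistered
    name = prog.get("Register", fallback="")
    if system == 1 and name:
        return {"registered": True, "name": name}
    d, m, y = (int(x) for x in cp[f"Date{suffix}"]["End"].split("/"))
    return {"registered": False, "trial_end": date(1900 + y, m, d).isoformat()}


def register(cp, name, suffix=""):
    """The two edits the essay describes: System=1 and a Register= line.
    Only the section for the requested version is touched."""
    cp[f"Program{suffix}"]["System"] = "1"
    cp[f"Program{suffix}"]["Register"] = name
    return cp


if __name__ == "__main__":
    cp = load_ini(SAMPLE_INI)
    print("V4  :", registration_state(cp))
    print("V4.2:", registration_state(cp, "42"))
    register(cp, "The Sandman", "42")
    print("V4.2 after edit:", registration_state(cp, "42"))
```

The point the script makes is the one the essay makes: the suffix on the section name isolates the two versions' state from each other, but the check each version performs on its own section is the same, so the same two-line edit registers either.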
 
Job Done.
 
The Crack 
     
See above examples.
 
Final Notes 
 
This essay explains how to crack Helperware V4, but with the arrival of V4.2 the programmers have disabled the serial registration side of the program; you can still get past this *small* hurdle if you read this essay.
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering us even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by:          The Sandman
Page Created: 28th June 1998