There is a crack, a crack in everything. That's how the light gets in.

"Help-to-HTML allows you to create Microsoft HTML Help, WebHelp, Windows CE Help, Netscape NetHelp 1.0, Netscape NetHelp 2.0, and Web Sites (for Intranet or Internet use) quickly and easily from any Help file. Just follow the Wizard screens and select your preferences - it's that easy! Help-to-HTML creates all the files you need.
Key features
· Automatically creates Microsoft HTML Help, Windows CE Help, Netscape NetHelp 1.0, Netscape NetHelp 2.0, and Web sites, either from a RoboHELP Help project or from any standard Windows HLP file.
· Creates a Help table of contents and index (if supported in the final HTML format).
· Supports HTML Help popup windows.
· Creates standard HTML Help features such as navigation buttons, frames, related topics, splash screens and more.
· Supports long filenames and traditional DOS short filenames.
· Transforms each Help Topic into an HTML page.
· Creates HTML filenames using Help topic titles.
· Converts each bitmap into a GIF image file (Web graphic). Maintains the same graphic names after conversion (*.GIF filenames match their former *.BMP filenames).
· Transforms SHED graphics into Web hotspot GIFs with corresponding map files.
· Supports CSIM, the most widely-used image map format.
· Converts any standard WinHelp 3 or WinHelp 4 HLP file.
· Windows Help file source code is not required.
· Converts Windows Help files created with any Help authoring tool."

So, from our point of view we must attack the program from two points:
1. Disable the 30 day expiry limit.
2. Make the program 'think' it's been registered and not always assume it's a Shareware program.

Rather than hand you this program on a plate I will explain to you how to crack this program so that:
1. There is no time limit on its use - it will run forever..:)
2. It loads and behaves exactly as though it's a fully registered version.
But I will leave it to you to work out how to get its 'About Screen' to display your name/handle and company name instead of showing a now non-working 30 day trial notice. It's the only way you'll learn how to crack. As I've already said, I've done about 99% of the *crack* for you, now you finish it off..
Tip:
The program expects to fetch your name/handle and company name from the System Registry file, so you need to find out what entries *would* be placed in here had the program been registered properly, so that the program can then find your name/handle and company name to show who the program is registered to.
TASK ONE - Make the program 'think' it's been registered..
Our first task is to create a 'Dead Listing' of Robohtml.exe using W32Dasm, it's a large program so it might take a few minutes to disassemble.. Once you've done this take a look at the program's String Data Resources.. We want to home in on 'Shareware' related error messages, and more to the point, those that reference the 'Serial No'. Don't forget, since the program does not allow you to enter a serial number then any references to a serial number must be to do with the default 30-day serial number that the program uses.
String Resource ID=00758: "Your RoboHELP HTML Edition serial number registry entry is invalid or missing"
OK, you've probably seen two similar messages to the one above, but only one refers to the HTML Edition of RoboHelp, so this is the one we shall examine more closely.. Right, double click on this String Reference and you should now see this code snippet..
* Referenced by a (C)onditional Jump at Address: :0048C5A5(C)
:0048C7A6 8B4DF0                mov ecx, dword ptr [ebp-10]
:0048C7A9 6AFF                  push FFFFFFFF
:0048C7AB 6A00                  push 00000000
:0048C7AD 83B99001000000        cmp dword ptr [ecx+00000190], 00000000
:0048C7B4 7407                  je 0048C7BD
* Possible Reference to String Resource ID=00767: "Your RoboHELP serial number registry entry is invalid or missing."
:0048C7B6 68FF020000            push 000002FF
:0048C7BB EB05                  jmp 0048C7C2
* Possible Reference to String Resource ID=00758: "Your RoboHELP HTML Edition serial number registry entry is invalid or missing."
:0048C7BD 68F6020000            push 000002F6
As *crackers* we must learn to gather all the information we can from our dead listings if we are to have any chance of understanding how the protection system within our target program operates..
When I saw the above code snippet I came to the following conclusions:-
1. When/if the program gets to this code snippet it has only one of two choices to make, based on whether the memory location pointed to by ecx+00000190 had a value of 0 or 1.
2. If ecx+00000190 = 0 then the program is unregistered but a problem was found when it tried to access the serial number, so display the message "Your RoboHELP serial number registry entry is invalid or missing."
3. If ecx+00000190 = 1 then the program is registered but a problem was found when it tried to access the serial number, so display the message "Your RoboHELP HTML Edition serial number registry entry is invalid or missing."
4. This code snippet was called from another part of the program at memory location :0048C5A5
Can you see the subtle differences in the wording of both messages?
You're probably asking yourself how I know that the ecx+00000190 instruction refers to the registration status of the program. All I can say is that once you've *cracked* a number of programs you get a 'feeling' for how certain programs operate and how they need to use some sort of 'flag' to tell the program how to react to certain conditions depending on whether they are registered or not.. In the above code snippet the program is checking a memory location to see which message to display, depending on whether it has been registered or not..
At this point I needed to check my theory that what ecx+00000190 was pointing to was in fact the actual memory location where the program stores its registered/unregistered status. Before we exit our dead listing we need to find another location within the program that uses this ecx+00000190 to check on the program's status, so that we can have Softice break on it.. The reason we need to do this is that unless we deliberately delete the shareware 30 day trial serial number from our System registry file this code snippet won't get executed, hence we must find another location within the program to have Softice break on..
Scroll up to the top of your Dead listing then search for: 83b99001000000
This is the hex code of our cmp dword ptr [ecx+00000190], 00000000 instruction.
W32Dasm should now show you this new code snippet:-
:0048C433 E828F70000            Call 0049BB60
:0048C438 8B4DF0                mov ecx, dword ptr [ebp-10]
:0048C43B C745FC00000000        mov [ebp-04], 00000000
:0048C442 83B99001000000        cmp dword ptr [ecx+00000190], 00000000
:0048C449 7407                  je 0048C452
OK, we now have a 'breakpoint' for Softice to use, so save off your 'Dead Listing' and fire up RoboHelp..
Select 'Cancel' to the prompt to select a new help file project..
At this point we need to 'break' into the program's actual code. I was able to do this by:-
1. Select the menu option 'Tools' then 'Options..' from within RoboHelp.
2. Press Ctrl-D to fire up Softice.
3. Type bpx getwindowtexta
4. Type x to leave Softice.
5. Select the 'General' Tab option.
6. Softice now breaks...
7. Press the 'F11' key THREE TIMES followed by the 'F10' key 15 TIMES.
8. We should now be in RoboHelp's code..
9. Type u 48C442
10. Type bc *
11. Type bpm ecx+00000190
*Please note*
What we are doing here is telling Softice to break EVERY TIME the program attempts to read or write any value to this memory location. If you think about it, the program has to first make sure this memory location is empty before it can use it. This is often known as the Initialization part of the program and is common in ALL programs regardless of what they are.. Then, after it has checked for a valid serial number, it records the result in the memory location pointed to by the ecx+00000190 instruction.
12. Type x to leave Softice.
At this point Softice will keep breaking; just ignore these breaks for now by pressing x each time to let the program continue on.
13. Now exit RoboHelp. Keep pressing x each time Softice breaks until RoboHelp has properly finished.
14. NOW restart RoboHelp again..
15. Softice now breaks at XXXXXXXX:48A98D
:0048A958 E803120100            Call 0049BB60
:0048A95D C645FC13              mov [ebp-04], 13
:0048A961 899E40030000          mov dword ptr [esi+00000340], ebx
:0048A967 899E44030000          mov dword ptr [esi+00000344], ebx
:0048A96D 899E48030000          mov dword ptr [esi+00000348], ebx
:0048A973 C706D8E94900          mov dword ptr [esi], 0049E9D8
:0048A979 8BC6                  mov eax, esi
:0048A97B 889EC0010000          mov byte ptr [esi+000001C0], bl
:0048A981 889E24020000          mov byte ptr [esi+00000224], bl
:0048A987 899E90010000          mov dword ptr [esi+00000190], ebx
:0048A98D C745FCFFFFFFFF        mov [ebp-04], FFFFFFFF
:0048A994 8B4DF4                mov ecx, dword ptr [ebp-0C]
:0048A997 5E                    pop esi
:0048A998 64890D00000000        mov dword ptr fs:[00000000], ecx
:0048A99F 5B                    pop ebx
:0048A9A0 8BE5                  mov esp, ebp
:0048A9A2 5D                    pop ebp
:0048A9A3 C3                    ret
OK, this is our first Softice break in RoboHelp and an important one. Can you see that the program is 'initializing' many locations with a value of '0'? Check the value stored in the ebx register: it's showing EBX = 00000000. If you press the 'F4' key you'll see that the RoboHelp splash screen hasn't yet been displayed, a good indicator that this is where the program initializes all its variables before it uses them. Press 'F4' to display the Softice screen again.
At this point type x to exit Softice so that RoboHelp can continue on..
Softice breaks again...
BINGO!
:0049088F E808B30000            Call 0049BB9C
:00490894 8B8694010000          mov eax, dword ptr [esi+00000194]
:0049089A A802                  test al, 02
:0049089C 7510                  jne 004908AE
:0049089E 85C0                  test eax, eax
:004908A0 740C                  je 004908AE
:004908A2 C7869001000000000000  mov dword ptr [esi+00000190], 00000000
:004908AC EB0A                  jmp 004908B8
:004908AE C7869001000001000000  mov dword ptr [esi+00000190], 00000001
This is a VERY important piece of code: it's here that the program decides whether it's been 'registered' or not. It's here that it places a value of '0' = not registered or a value of '1' = registered into the memory location pointed to by esi+00000190.
Can you see that je 004908AE instruction? If we turn it into a jmp 004908AE then regardless of the result of the test eax,eax it will ALWAYS proceed to place a value of '1' in our program status memory location, which tells the rest of the program to behave as though it's been registered!
Let's test this right now before doing anything else..
Type r eip=4908AE
We're telling Softice to let the program continue on as though our serial number was found to be valid.. It wasn't really, but we can simulate this by making the program start off as though it was!
Now type x to exit Softice, then keep typing x until RoboHelp displays a message telling you that your serial number is invalid; it will then exit back to Windows. This is perfectly OK, we're going to fix that in just a second..
Hey, while you were pressing x to exit Softice did you notice that the program displayed a DIFFERENT splash screen!.. That's the one displayed on the REGISTERED version of RoboHelp Express!. We're getting close..
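To make the decision at 0049088F easier to read, here is the same logic reconstructed in C. This is an added illustration, not code from the essay or from RoboHelp; the struct layout uses the offsets from the listing (+190 and +194), while the field and function names are assumed. It shows why the whole registration scheme rests on a single writable dword that is derived from just two conditions on one status word.

```c
#include <stdint.h>

/* Added illustration, not the essay's code: the two fields the listing
   touches, laid out at the listing's offsets. Field names are assumed. */
struct robo_state {
    uint8_t  pad[0x190];   /* earlier fields, contents not shown in the essay */
    uint32_t registered;   /* [esi+0x190]: 1 = behave as registered */
    uint32_t status;       /* [esi+0x194]: result of the serial lookup */
};

/* Mirrors 00490894..004908AE:
     mov eax,[esi+194] / test al,02 / jne 004908AE / test eax,eax / je 004908AE
   Both branches to 004908AE store 1; only the fall-through at 004908A2 stores 0. */
void set_registered_flag(struct robo_state *s)
{
    uint32_t eax = s->status;
    if ((eax & 0x02) != 0 || eax == 0)
        s->registered = 1;
    else
        s->registered = 0;
}

/* Mirrors 0048C442..0048C449: cmp [ecx+190],0 / je 0048C452.
   Returns 1 when the je is taken, i.e. the flag is still zero. */
int check_takes_je(const struct robo_state *s)
{
    return s->registered == 0;
}

/* Run the decision for one status value and return the resulting flag. */
uint32_t registered_flag_for(uint32_t status)
{
    struct robo_state s = {0};
    s.status = status;
    set_registered_flag(&s);
    return s.registered;
}

/* Same, but report whether the later check at 0048C449 would take its je. */
int je_taken_for(uint32_t status)
{
    struct robo_state s = {0};
    s.status = status;
    set_registered_flag(&s);
    return check_takes_je(&s);
}
```

Note that a status of 0 (nothing found) and any status with bit 1 set both yield 'registered'; only a non-zero status with bit 1 clear produces the 'unregistered' flag.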
TASK TWO - Disabling the Invalid Serial No check.
We're almost there..
Just to quickly recap on what we've done so far.. We have located where the program decides to either run as a registered program or run as a Shareware program with a 30 day time limit. Now, somewhere later on from this the program does a second check on our serial number, and it's here we must also patch...
This part is dead easy, just follow these instructions..
1. Start up RoboHelp..
2. Softice breaks for the first time.. Just type x
3. Softice breaks again for the second time.
4. Type r eip=4908AE, then keep pressing x UNTIL you get here.
:0048C433 E828F70000            Call 0049BB60
:0048C438 8B4DF0                mov ecx, dword ptr [ebp-10]
:0048C43B C745FC00000000        mov [ebp-04], 00000000
:0048C442 83B99001000000        cmp dword ptr [ecx+00000190], 00000000
:0048C449 7407                  je 0048C452            'SOFTICE BREAKS HERE!
:0048C44B 68F3020000            push 000002F3
:0048C450 EB05                  jmp 0048C457
Right, when you get here the program has just checked to see if it's been *registered*; it has, but from this point onwards it will perform another check on our 'nonexistent' serial number, which we can't allow.. So after much testing I found that if we change the je 0048C452 instruction that we're currently sitting on to jmp 48C75E then this disables the whole serial checking routine, as well as the routines that deal with the 30 day time limit.
5. So, at this point type r eip=48C75E
6. Type bd * then type x to let the program run as normal.
Now we have a fully working RoboHelp program, you can change the computer's date and it will still run as normal..:)
Job Done.
Anyone who writes an essay on how to make the program display your name/handle and company name instead of the 30-day trial limit etc. will have their essay attached to this one.. Who's going to be first I wonder?...
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.