July 1998
Web Disk V1
( 'The Patching Approach' )
Win '95 Program
Win Code Reversing

by The Sandman

Code Reversing For Beginners

Program Details
Program Name: webdisk.exe
Program Type: Web Server
Program Location: Here or Here
Program Size: 792K

Tools Used:
W32Dasm V8.9 - Disassembler
Softice V3.2
Hex Workshop32 or any other Hex Editor

Rating
Easy ( X )  Medium (  )  Hard (  )  Pro (  )
There is a crack, a crack in everything. That's how the light gets in.

Web Disk V1
( 'The Patching Approach' )
Written by The Sandman

Introduction
 
The author says this about Web Disk V1:

"WebDisk is a lightweight yet fully functional web server for Windows 95/NT. It supports forms, provides access control by IP addresses and/or directories, and logging. It can be used as a:

1)  Personal web server.  WebDisk is extremely easy to configure and it provides enough functionality to publish your HTML pages on the web.

2)  Tool for testing your websites.  Multiple websites can be tested simultaneously by running multiple WebDisks on different ports.  Even when your HTML pages are on a CD-ROM or floppy disks, WebDisk is able to resolve absolute and relative links. You do not need to move the pages between directories or rename directories, all you need is to tell WebDisk the document root directory you want.
 
3)  Tool that allows you to access your computer remotely through a web browser.  You will be able to browse through directories, view, download and upload files. WebDisk makes files on your PC accessible from any computer, including Unix workstations and Macs.  All you need is a copy of WebDisk and a web browser."
 
About this protection system
 
The protection system within this program consists of a single registration number, which is checked twice before the program accepts it. On start-up the program also checks the system registry for a valid serial number.

The program stores its usage counter (40 uses only) and the user details under this registry key:

HKEY_CURRENT_USER\Software\Ararat\User

with the following entries:

Email=
RegID=
Usage="QAg6b5cH2243"  *changes each time it is run*
UserName=
 
The Essay 
     
I'm going to show you one way to *crack* this program, although there are many others, like finding out where the real serial number is stored in memory while the program compares it against the one the user has typed in.

For my approach I will need to patch this program in three places: the first two patches disable the two checks the program makes on our serial number as we try to register it, and the third patch disables the checking of the serial number when the program is first run.
 
 
PATCH 1 & 2 - Disabling two Serial number checks - Registration Screen.

The program uses its 'About' screen as a way of displaying a nag screen; it's also here where we can *register* this program...

1. Start up Web Disk and select the 'Register' button.

For the User Name type in your name or handle.

For the Email Address type in whatever you want; you can use your *real* email address since nothing happens to it.

For the Registration No you can again type in any sequence of numbers.

2. Press the Ctrl-D keys together to fire up Softice.
3. Type bpx messageboxa then x to leave Softice.
4. Press the 'Register' button.
5. Softice breaks.... Press the 'F11' key ONCE.

We should at this stage see the following code snippet...
 
:00402F04 83F90C           cmp ecx, 0000000C
:00402F07 731D             jnb 00402F26      ;1st serial No check.
                                             ;Correct serial #? jump if yes
:00402F09 6A30             push 00000030
:00402F0B 68D4724100       push 004172D4     ;="Error"
:00402F10 68BC724100       push 004172BC     ;="Invalid Registration #"
:00402F15 55               push ebp
:00402F16 FF15F4E44100     Call USER32.MessageBoxA
:00402F1C B801000000       mov eax, 00000001 ;We land here.
:00402F21 E968FEFFFF       jmp 00402D8E

6. Double click on the jnb 00402F26 instruction or type bpx 00402F26, which sets a new breakpoint for Softice.

7. Type bd 00 then x to leave Softice and return to our target program.
8. Re-run the registration process: click on the 'Register' button once you have filled in all the user details.

9. Softice breaks on line :00402F07           jnb 00402F26
10. Type r eip=402F26; this forces Softice to jump to the memory location indicated by our jnb instruction. We've now bypassed the 1st of our 2 serial number checks.

We should now see the following code snippet. Now keep pressing the 'F10' key UNTIL you land on the jne 00402FD1 instruction.

* Referenced by a (C)onditional Jump at Address :00402F07(C)
 
:00402F26 8D8424B0000000          lea eax, dword ptr [esp+000000B0]
:00402F2D 8D4C2410                lea ecx, dword ptr [esp+10]
:00402F31 50                      push eax
:00402F32 51                      push ecx
:00402F33 E8A8970000              call 0040C6E0
:00402F38 83C408                  add esp, 00000008
:00402F3B 85C0                    test eax, eax
:00402F3D 0F858E000000            jne 00402FD1 ;2nd Serial No Check!
:00402F43 8D7C2430                lea edi, dword ptr [esp+30]
:00402F47 B9FFFFFFFF              mov ecx, FFFFFFFF

;Now tell the rest of the program it's been registered!
;The next instruction places a value of '1' in memory location 0041BE80
;that signifies that the program has been registered. Default value='0'
 
:00402F4C C70580BE410001000000    mov dword ptr [0041BE80], 00000001
:00402F56 2BC0                    sub eax, eax
 
11. Once you land on jne 00402FD1, type r eip=00402F43, which once again forces Softice to start executing at a new location within the program, thereby 'ignoring' this jump instruction and continuing with the next instruction below it.

12. Type x to leave Softice and allow the program to run as normal.
13. Bingo! Our program is now fully registered; click on the 'About' menu option for confirmation.
14. Now exit Web Disk and re-run it. It has gone back to being a 'Shareware' program again; however, our user details have been safely stored within the system registry, so all we need to do now is patch the program once more to disable its checking of our serial number each time it is run.
 

PATCH 3 - Disabling the Serial Check on loading.

A quick look in our dead listing (you did create one, didn't you?) for the text "UNREGISTERED COPY", displayed in the 'About' screen each time the program is run, shows us this code snippet, which is heavy in 'Shareware' type messages...

:00402A89 A180BE4100         mov eax, dword ptr [0041BE80] ;Get reg status
:00402A8E 83F8FF             cmp eax, FFFFFFFF   ;still unregistered?
:00402A91 7412               je 00402AA5         ;then "Beggar off Cracker"
:00402A93 85C0               test eax, eax
:00402A95 7477               je 00402B0E         ;"Beggar off Cracker"
:00402A97 83F801             cmp eax, 00000001   ;Are we registered?
:00402A9A 0F840D010000       je 00402BAD         ;then "Good Cracker Jump"
:00402AA0 E9B9020000         jmp 00402D5E
:00402AA5 683C724100         push 0041723C       ;="UNREGISTERED COPY"
:00402AAA 8B3DD8E44100       mov edi, dword ptr [0041E4D8]
:00402AB0 6813050000         push 00000513    ;="This copy of web disk...."
:00402AB5 56                 push esi
:00402AB6 FFD7               call edi
:00402AB8 833D88BE410029     cmp dword ptr [0041BE88], 00000029
:00402ABF 740D               je 00402ACE
:00402AC1 682C724100         push 0041722C        ;="Invalid License"
:00402AC6 6811050000         push 00000511        ;="License Expired"
:00402ACB 56                 push esi
:00402ACC FFD7               call edi

Hey look, notice that all these checks by the program start off by first reading the contents of memory location 0041BE80 with the instruction:

mov eax, dword ptr [0041BE80]

This is a good clue to follow. It feels like a 'registration flag', whereby the program, just by reading what's inside, can tell whether or not it has been registered!

Before I proceed any further let me explain something here. We *could* crack this program here and now, without going any further, simply by changing the instruction je 00402AA5 into a jmp 00402A9A, and we would then have a 100% *cracked* program, but as a cracker who strives to create clean and straightforward *cracks* there is a much better way to *crack* this babe..

While still in Softice...

1. Type bc * to clear away any previous Softice breakpoints.
2. Type bpm 0041BE80 to set a memory breakpoint on this memory location.
3. Type x to leave Softice.
4. Exit Web Disk. If Softice breaks while exiting Web Disk, just keep typing x in Softice.

Now...

5. Start up Web Disk once more...
6. Softice breaks on our 1st memory breakpoint at location 0041BE80.
7. BINGO!

Our first Softice memory breakpoint shows us this snippet of code!
 
:00406513 FF150CE54100          Call dword ptr [0041E50C]

;Returns with either:
;edi=FFFFFFFF if serial no invalid or not found in the Registry file.
;edi=0 if a serial number was found and is correct

:00406519 83C410                add esp, 00000010
:0040651C 893D80BE4100          mov dword ptr [0041BE80], edi ;Save edi
:00406522 8D4C2468              lea ecx, dword ptr [esp+68] ;We land here
:00406526 51                    push ecx
:00406527 6890BE4100            push 0041BE90
:0040652C E8AF610000            call 0040C6E0
:00406531 83C408                add esp, 00000008
:00406534 85C0                  test eax, eax
:00406536 750A                  jne 00406542 ;jump if invalid serial #

;If we nop out the above jne instruction then the program will come here
;and automatically place a value of '1' into our 0041BE80 memory location,
;which then tells the rest of the program that this software is registered.

:00406538 C70580BE410001000000  mov dword ptr [0041BE80], 00000001
:00406542 833D80BE410001        cmp dword ptr [0041BE80], 00000001
:00406549 7428                  je 00406573
 
It's clear then: if we NOP (90h) out the jne 00406542 instruction, the program will ALWAYS register itself each time it is run. That is why it's important to enter our details into the program first, before we 'patch' this routine; otherwise, when the program comes to register itself here, it won't display our user details, since we've not let the program save them to the system registry.
 
Job Done.
 
The 'Crack' 
 
Load up webdisk.exe into your favorite Hex-Editor (I prefer Hex Workshop32), but just about any will do..

SEARCH FOR THE FOLLOWING BYTES : 83F90C731D6A3068
REPLACE WITH HIGHLIGHTED BYTES : 83F90CEB1D6A3068

SEARCH FOR THE FOLLOWING BYTES : 0F858E0000008D7C
REPLACE WITH HIGHLIGHTED BYTES : 9090909090908D7C

Now run the program and *register* it as normal, using any serial number you want. Then exit the program completely. Now for the final 'Patch'...

SEARCH FOR THE FOLLOWING BYTES : 83C40885C0750AC7
REPLACE WITH HIGHLIGHTED BYTES : 83C40885C09090C7
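As an added, defender-side example (not code from the essay or its author): a small Python checker that takes the raw bytes of a file and reports, for each of the three patch sites listed above, whether the original or the patched byte sequence is present, so a modified copy can be spotted. The sample "images" are constructed byte strings, not real webdisk.exe content, and the site names are my own labels. It also shows that each patch keeps the instruction length unchanged (one byte for the jnb to jmp, six NOP bytes for the first jne, two for the second), which is why the surrounding code still disassembles correctly after patching.

```python
"""Tamper check for the three patch sites listed in 'The Crack'.

Added example, not part of the original essay. Scans the raw bytes of a
file for the original and the patched byte sequence of each site and
reports whether the binary is intact, patched, or unrecognised. The sample
images at the bottom are constructed byte strings, not real webdisk.exe data.
"""
import hashlib
from typing import Dict, List, Tuple

# (site label, original bytes, patched bytes), exactly as listed in the essay.
# The labels are my own; they are not names used by the program or the essay.
PATCH_SITES: List[Tuple[str, bytes, bytes]] = [
    ("patch1 jnb->jmp", bytes.fromhex("83F90C731D6A3068"), bytes.fromhex("83F90CEB1D6A3068")),
    ("patch2 jne->nops", bytes.fromhex("0F858E0000008D7C"), bytes.fromhex("9090909090908D7C")),
    ("patch3 jne->nops", bytes.fromhex("83C40885C0750AC7"), bytes.fromhex("83C40885C09090C7")),
]


def changed_offsets(original: bytes, patched: bytes) -> List[int]:
    """Offsets within the sequence whose byte differs between original and patched."""
    assert len(original) == len(patched), "in-place patches never change length"
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def classify_site(data: bytes, original: bytes, patched: bytes) -> str:
    """'intact', 'patched', 'both' (sequence also occurs elsewhere) or 'absent'."""
    has_orig = original in data
    has_patch = patched in data
    if has_orig and has_patch:
        return "both"
    if has_orig:
        return "intact"
    if has_patch:
        return "patched"
    return "absent"


def scan(data: bytes) -> Dict[str, str]:
    """Classify every known patch site against the file contents."""
    return {name: classify_site(data, orig, patch) for name, orig, patch in PATCH_SITES}


def is_tampered(data: bytes) -> bool:
    """True when any site shows the patched sequence."""
    return any(state in ("patched", "both") for state in scan(data).values())


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file, for recording a known-good hash next to the scan result."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample images: the three sites separated by filler bytes.
FILLER = b"\xCC" * 16
SAMPLE_INTACT = FILLER.join(orig for _, orig, _ in PATCH_SITES)
SAMPLE_PATCHED = FILLER.join(patch for _, _, patch in PATCH_SITES)
# The essay's intermediate state: patches 1 and 2 applied, patch 3 not yet.
SAMPLE_HALF = FILLER.join([PATCH_SITES[0][2], PATCH_SITES[1][2], PATCH_SITES[2][1]])


if __name__ == "__main__":
    for label, image in (("intact", SAMPLE_INTACT), ("patched", SAMPLE_PATCHED), ("half", SAMPLE_HALF)):
        verdict = "tampered" if is_tampered(image) else "clean"
        print(label, fingerprint(image)[:16], scan(image), verdict)
    for name, orig, patch in PATCH_SITES:
        print(name, "bytes changed at offsets", changed_offsets(orig, patch))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan`; the "both" state exists because an 8-byte sequence can legitimately occur more than once in a large executable, so a hit on the patched sequence should be confirmed at the expected offset before treating the file as modified.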
 
Final Notes 
 
As a rule, programs don't normally require so much patching to their code as we have just done, but this essay demonstrates just one method of *cracking* this program. We could have gone for the 'serial sniffing' approach, which would not require any patching of the code. Perhaps you might want to try this approach...

My thanks and gratitude go to:
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.

If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
Essay by:          The Sandman
Page Created: 11th July 1998