Cracking HEdit 2.0
(using wdasm as a debugger)

by x86

(19 August 1997, slightly edited by Fravia)


With an addition by itzMagik1, 4 January 1998
Cracking HEdit version 2.1.11
Courtesy of Fravia's page of reverse engineering

Well, this essay is interesting, for me, because it's the first time that somebody explains how to use Urbanik's disassembler as a "quick and dirty" debugger tool... now, you see, I mostly disassemble files in order to reverse engineer them, and use winice only if really compelled (why burn your eyes on a screen, as +ORC said, when you can crack relaxed in the shadows of your garden, sipping a good cocktail in fresh air?) so the idea of "remaining" inside wdasm to try a couple of probes is not bad at all...

Besides, HEdit is an hexeditor, and for hexeditors the chase is always open!

Yet I'm not happy that an +HCUker "leaves" a crack part to others... PROFESSIONAL PRIDE! If you're a +cracker (or if you want to be one) you should finish your cracks! Therefore I expect an addition to this essay FROM x86 (and nobody else :-)

ADDITION: 20 August 1997. ...and I got it! Good x86, right so +cracker! You'll find it as second part of this essay!


There is also an addition by itzMagik1, 4 January 1998
Cracking HEdit version 2.1.11

Cracking HEdit 2.0 By x86
HEdit 2.0 can be found at: ftp://ftp.cdrom.com/.23/simtelnet/win95/editor/hedit2.zip This is my first essay, and I'm still a bit of a beginner, so bear with me. I decided to do this crack using AS A DEBUGGER wdasm 8.9 instead of SoftIce, simply for a change of pace, and to show how the code patch utility can be quite a time saver for trying out cracks on the fly. This protection scheme is really stupid, given the amount of code dedicated to the registration routines (more on that later). I started HEdit to get an idea of what I was dealing with. No opening nag screen, that's nice. Close it down, still no nag screen. Hmmm, what is there to crack? Set my clock ahead 1 month, and bingo. A nice message telling me my 14 day trial had expired. - A quick aside here- I started off trying to crack the registration functions of the program, looking for the typical 'cmp good, bad' and 'test eax, eax'. To make a long story short, this program goes through tons of convoluted checks all over the place, and after about an hour, I decided screw it. I'll leave that to one of our more experienced crackers, and besides, once you crack the time-check mechanism, you're in home free. So, now we look for the call to Kernel32.GetLocalTime (see, I have learned something!). There is only one and the code around it looks like this: * Reference To: KERNEL32.GetLocalTime, Ord:00E2h | :00409CFC FF1524A94400 Call dword ptr [0044A924] :00409D02 8D4C2404 lea ecx, dword ptr [esp+04] :00409D06 51 push ecx * Reference To: KERNEL32.GetSystemTime, Ord:0121h | :00409D07 FF151CA94400 Call dword ptr [0044A91C] :00409D0D 668B0DDA7D4400 mov cx, word ptr [00447DDA] :00409D14 66394C240E cmp word ptr [esp+0E], cx :00409D19 753C jne 00409D57 :00409D1B 66A1D87D4400 mov ax, word ptr [00447DD8] :00409D21 663944240C cmp word ptr [esp+0C], ax :00409D26 752F jne 00409D57 :00409D28 66A1D67D4400 mov ax, word ptr [00447DD6] :00409D2E 663944240A cmp word ptr [esp+0A], ax :00409D33 7522 jne 00409D57 :00409D35 66A1D27D4400 mov ax, word ptr [00447DD2] :00409D3B 6639442406 cmp word ptr [esp+06], ax :00409D40 7515 jne 00409D57 :00409D42 66A1D07D4400 mov ax, word ptr [00447DD0] :00409D48 6639442404 cmp word ptr [esp+04], ax :00409D4D 7508 jne 00409D57 :00409D4F 8B15C87D4400 mov edx, dword ptr [00447DC8] :00409D55 EB46 jmp 00409D9D By tracing where this code goes, we eventually get a 'ret' and end up here: * Reference To: ADVAPI32.RegQueryValueExA, Ord:00E1h | :00403D55 FF154CA74400 Call dword ptr [0044A74C] :00403D5B 85C0 test eax, eax :00403D5D 0F85DE000000 jne 00403E41 :00403D63 83EC04 sub esp, 00000004 :00403D66 8965D0 mov dword ptr [ebp-30], esp :00403D69 FF75EC push [ebp-14] :00403D6C 8B4DD0 mov ecx, dword ptr [ebp-30] :00403D6F E8C5020000 call 00404039 :00403D74 8D45E0 lea eax, dword ptr [ebp-20] :00403D77 8D4DD4 lea ecx, dword ptr [ebp-2C] :00403D7A 50 push eax :00403D7B 51 push ecx :00403D7C E826320100 call 00416FA7 :00403D81 8BC8 mov ecx, eax :00403D83 E8BC020000 call 00404044 *** <-- Return here :00403D88 B980510100 mov ecx, 00015180 :00403D8D 8B45E0 mov eax, dword ptr [ebp-20] <--How many days :00403D90 99 cdq ; used so far? :00403D91 F7F9 idiv ecx :00403D93 83F80E cmp eax, 0000000E <--Less than 15? :00403D96 0F8E4BFFFFFF jle 00403CE7 <--Good boy! :00403D9C 6A00 push 00000000 :00403D9E 83F81C cmp eax, 0000001C :00403DA1 7D33 jge 00403DD6 :00403DA3 8D8D78FFFFFF lea ecx, dword ptr [ebp+FFFFFF78] :00403DA9 E8120F0000 call 00404CC0 :00403DAE C645FC01 mov [ebp-04], 01 :00403DB2 8D8D78FFFFFF lea ecx, dword ptr [ebp+FFFFFF78] :00403DB8 E88E6A0100 call 0041A84B :00403DBD C645FC00 mov [ebp-04], 00 :00403DC1 E805000000 call 00403DCB :00403DC6 E91CFFFFFF jmp 00403CE7 Now we know what to do! Make this a "jump always", and use the target as long as you want. To test this theory, set a break point on 00403d96. Run the program and when it breaks, hit the 'Patch Code' button which is on the lower-right debug window. It will show you the instruction at the current EIP. In the window below it, type in what you want it to be, in this case 'jmp 00403ce7'. Hit the 'apply patch' button. Now, notice that the new instruction is only 5 bytes, where we had 6 originally. So, once again, in the same window you entered the new jump, enter 'nop'. Now its 6 bytes and all is well. Apply that patch, and hit the 'run' button to test it out. Works like a champ. Ok, so HEdit is all yours for as long as you want it now. I wanted to show that although most of the time SoftIce is the superior debugger, W32Dasm does have some very nice features for debugging as well. I know that the same thing (code patching) can be done under SoftIce as well, but I find it pretty useful to patch our targets with wdasm. All that's left is to edit the HEdit executable (since the code "patch.class" tppabs="http://fravia.org/patch.class" is temporary) as follows: At offset 3196h: Change 0F8E4BFFFFFF To E94CFFFFFF90 I leave it to the more experienced (or at least those with more time!) to crack the registration function. Till next time, happy cracking x86

And this is the SECOND part to this session, that x86 sent me one day later (see: constructive critics works! :-)
Fravia - 
'Professional pride', ouch!  Got me where it hurts! :) 
Anyway, here is the addition to my previous essay.  It's now fully cracked,
and (hopefully!) no lame copouts. 


Cracking HEdit 2.0 Part II

By x86

Ok, Fravia had a good point, I should've finished what I started!  I am so 
ashamed!  Well, rest assured it won't happen again.
Ok, on to the crack.  This addendum to my original essay targets the 
registration functions of HEdit 2.0 and will allow you to enter any
name/number you want and be fully registered.  
I should point out that this crack actually supercedes my previous one, 
in that this crack will automatically take care of the expiration problem 
since the program will actually think you entered a valid registration 
number. 

There are a couple of different approaches to consider.  You can try to
figure out how the program decides if you are registered (what I originally 
tried to do... don't bother) or you can attack the registration key 
encrypt/decrypt section directly, which is what we will do!

Once again, I'll be using Wdasm as a debugger to try my patches on the fly,
so load up HEdit and follow along.
To start, I tried to find out what happened when I entered an invalid 
registration name/number.  
I got the message, "The user name and/or registration number you entered 
are incorrect."
Ok, Wdasm has a string reference listing of all the strings in the data
section, so let's see if we can find a match.  Sure enough, and there 
are 3 occurrences of it.  
Let's set breakpoints on each one, and run the program again. 
Enter a name and number into the registration box (Help/About/Register) 
and Wdasm will break here:

* String: "The user name and/or registration number you entered are inc"
                                  |
:00405099 6888000000              push 00000088
:0040509E E8BCFC0100              call 00424D5F  ? Display bad msg
:004050A3 EB14                    jmp 004050B9   ? Bye bye, try again

We know something is triggering this message so let's find it.  
We don't need to look far.  
Right above lies this code snippet:

:0040506B 56                      push esi
:0040506C 57                      push edi
:0040506D 8BF1                    mov esi, ecx
:0040506F E808AE0200              call 0042FE7C
:00405074 8B7804                  mov edi, dword ptr [eax+04]
:00405077 6A01                    push 00000001
:00405079 8BCE                    mov ecx, esi
:0040507B E870890100              call 0041D9F0
:00405080 85C0                    test eax, eax
:00405082 7435                    je 004050B9  
:00405084 FF7660                  push [esi+60] ? The number you entered
:00405087 FF765C                  push [esi+5C] ? The name you entered
:0040508A 8BCF                    mov ecx, edi
:0040508C E82DEFFFFF              call 00403FBE ? Main reg. check routine!
:00405091 85C0                    test eax, eax ? eax != 0 means `Go boy'!
:00405093 7510                    jne 004050A5
:00405095 6AFF                    push FFFFFFFF ? Begin beggar off routine.
:00405097 6A00                    push 00000000    


Now, at this point, you might be tempted to say, "Hey, we can just change 
the jne instruction to a jmp, and away we go!"  Well, go ahead and try it, 
it won't work.  
This is why my previous approach was such a lame way to go.  
There are other checks in this program besides this one, so what we need 
to do is to crack the main registration checking routine.  
Let's have a look.


* Referenced by a CALL at Addresses:00403A3D, :00403CDE, :00403E07, :0040508C   
|
:00403FBE 55                      push ebp
:00403FBF 8BEC                    mov ebp, esp
:00403FC1 81EC00010000            sub esp, 00000100
:00403FC7 6800010000              push 00000100
:00403FCC 8D8D00FFFFFF            lea ecx, dword ptr [ebp+FFFFFF00]
:00403FD2 FF7508                  push [ebp+08]
:00403FD5 51                      push ecx
:00403FD6 E8054F0000              call 00408EE0
:00403FDB 83C40C                  add esp, 0000000C
:00403FDE 8D8D00FFFFFF            lea ecx, dword ptr [ebp+FFFFFF00]
:00403FE4 51                      push ecx
:00403FE5 E856200100              call 00416040
:00403FEA 83C404                  add esp, 00000004
:00403FED B904000000              mov ecx, 00000004

* Referenced by a Jump at Address:00404015
|
:00403FF2 8BC1                    mov eax, ecx
:00403FF4 41                      inc ecx
:00403FF5 99                      cdq
:00403FF6 33C2                    xor eax, edx
:00403FF8 2BC2                    sub eax, edx
:00403FFA 83E003                  and eax, 00000003
:00403FFD 33C2                    xor eax, edx
:00403FFF 2BC2                    sub eax, edx
:00404001 8A940DFFFEFFFF          mov dl, byte ptr [ebp+ecx-00000101]
:00404008 30940500FFFFFF          xor byte ptr [ebp+eax-00000100], dl
:0040400F 81F900010000            cmp ecx, 00000100
:00404015 7CDB                    jl 00403FF2
:00404017 8B8500FFFFFF            mov eax, dword ptr [ebp+FFFFFF00]
:0040401D 85C0                    test eax, eax
:0040401F 7D02                    jge 00404023
:00404021 F7D8                    neg eax

* Referenced by a Jump at Address:0040401F
|
:00404023 39450C        cmp dword ptr [ebp+0C], eax  ***Here! [ebp+0C] 
:00404026 7509          jne 00404031                 is what the num.   
:00404028 85C0          test eax, eax                should be and eax
:0040402A B801000000    mov eax, 00000001            is what you 
:0040402F 7502          jne 00404033                 entered.

* Referenced by a Jump at Address:00404026
|
:00404031 33C0                    xor eax, eax

* Referenced by a Jump at Address:0040402F
|
:00404033 8BE5                    mov esp, ebp
:00404035 5D                      pop ebp
:00404036 C20800                  ret 0008


Ok, so here is what happens.  If your number doesn't match what is
expected, the jump to xor eax, eax is executed (remember, the program 
expects a non-zero return in eax if the registration number is correct).  
If it does match and isn't zero, 1 gets put into eax and we return and 
all is well.  
So, what we need to do is skip the bad jump if our numbers don't match.  
Let's test it to make sure.  
Clear all of the breakpoints and set a new one at 00404026 and run it, 
and enter something for the name/number.  When Wdasm breaks, use the code
patch utility to change the `jne 00404031' to `nop, nop'.  
Apply the patch and hit `run'.  Presto!  You are regged!  

Summary of the crack:
Offset (3426h)
Change 75 09 
To     90 90

You can use this crack rather than my previous one.  
Once again, sorry for my temporary lameness.  
I'm going to give myself 0x28 lashes and send myself to
bed with no dessert!  Until next time-

x86
Here is an addition to this essay by itzMagik1, added on 4 Jnuary 1998
Cracking HEdit version 2.1.11
Written by itzMagik1 on December 30, 1997.
Contact itzMagik1(at)aol(point)com for questions/comments.

Introduction: This is my first crack for the +HCU. 
Granted it's not very hard, but everyone has to start somewhere. 
The crack for HEdit version 2.1.11 was relatively simple thanks 
to x861's earlier essay, Cracking HEdit 2.0, that you can read 
above.

Tools Required: Windows Disassembler 8.x
A hex editor (why not use HEdit 2.1.11)
SoftIce (or WDASM for debugging)

Program History: HEdit 2.1.11 uses the same protection scheme as it's previous
version. I've never used anything before that, so I can't describe it's
scheme.

Let's get right to the crack. Start up HEdit, then click Help, then about
HEdit. Notice the button that says register. I love programs that have this
button: they are so easy to crack. Click the button. You'll get another dialog
with a place for your name and registration number. Type your name in the
first box and a 1 in the second. Click OK. You'll see some long, drawn out
error message about how your "registration" number isn't correct. That's our
key.

Now Run hedit.exe through WDASM. I think it's a good disassembler, but it's
not the best debugger, so I'll use SoftIce. Search for the word
"registration." You should find it 3 times. I set breakpoints on each one in
SoftIce (BPX 004017CF, 00402239, 004353DA). Now load it into SoftIce. When
SoftIce breaks, you'll land at 00402239. Here's what you'll see:

:00402239  push 00000088  
:0040223E  call 00427930

In WDASM, that corresponds to:

* Referenced by Jump at Address:0040221A(C)

:00402235  6AFF		push FFFFFFFF
:00402237  6A00		push 00000000

* Possible Reference to "The user name....."

:00402239  6888000000	push 00000088  
:0040223E  E8ED560200	call 00427930  - display bad message

Let's see where this is getting called from. Look up a few lines and you'll
see:

:00402209  8B4660	mov eax, dword ptr [esi+60] - The number you entered
:0040220C  8B4E5C	mov ecx, dword ptr [esi+5c] - The name you entered
:0040220F  50		push eax
:00402210  51		push ecx
:00402211  8BCF		mov ecx, edi
:00402213  E878170000	call 00403990	- Call the registration check routine
:00402218  85C0		test eax, eax	- If eax  != 0, you're good
:0040221A  7419		je 00402235

As with the previous HEdit, it does the same thing. How do we fix this?
Simple.

The main registration routine is exactly the same as in the previous version.
All we have to do is search for the block of code that checks what you entered
versus what the number should be. Lucky for us, x861 has already provided it
for us. Here's the code:

* Referenced by Jump at Address:004039ED(C)

:004039F1  3B84240C010000 cmp eax, dword ptr [esp+0000010C] - What you entered
vs the 							      "correct" number
:004039F8  7513		  jne 00403A0D - You're gone
:004039FA  85C0		  test eax, eax
:004039FC  740F		  je 00403A0D  - You're good
:004039FE  B801000000     mov eax, 00000001	
:00403A03  5B		  pop ebx
:00403A04  81C400010000   add esp, 00000100
:00403A0A  C20800	  ret 0008

* Referenced by Jump at Address 004039F8(C), :004039FC(C)

:00403A0D  33C0		  xor eax, eax
:00403A0F  5B		  pop ebx
:00403A10  81C400010000   add esp, 00000100
:00403A16  C20800	  ret 0008

What happened in HEdit 2.0 also happens here. If you're number isn't
"correct," the jump to xor eax, eax is executed and you're done. If it does
match, 1 gets put into eax and you're registered. So we can change the jne to
nop. Here's the crack:

At Offset 0x00002DF8
Change 75 13
To     90 90

Once changed, you can use any name and registration number you want.

HEdit 2.1.11 can be downloaded from http://www.yurisw.com/hedit/download.htm.

Hope you enjoyed this easy crack. Thanks to x861 for his previous essay.
Hopefully you'll see more of my essays in the future. I'll aim for something a
little more difficult next time.

itzMagik1
(c) itzMagik1 1998. All rights reversed
(c) x86 1997. All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

Back to project 1 (tools of the trade)
homepage links red anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_fravia+
Is reverse engineering legal?