October 1998

"CSE HTML Validator v3.01"

( Turning HTML Validator into it's Key Generator  )

Win '95/'98 PROGRAM

Win Code Reversing

 

 

by Punisher 

 

 

Cracking 4 Newbies 

 

 

Program Details

Program Name: Csesetup.exe

Program Type: HTML Validator

Program Location: http://www.htmlvalidator.com/

Program Size: 1.61 mb 

 

   

Tools Used:

Softice 3.2 - Debugger

Hacker's View 5.92 - Hex Editor

 

Rating

Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.

 


CSE HTML Validator 3.01

( Changing a program into it's own KeyGen  )

Written by Punisher

  

Introduction

 
The author(s) of this program can be found at:  http://www.htmlvalidator.com/
 
The author says:

"CSE HTML Validator is part of an HTML development environment. Before publishing HTML documents, especially documents created manually or with a 'dumb' HTML editor, you should have the documents checked for syntactical errors. HTML Validator functions as that checker, helping make sure that your documents are written in correct syntax to help ensure that they are viewed as intended in a variety of HTML browsers."
 

About this protection system

 
Registration is via selecting the 'File Register Program' menu.. Here you will be asked to enter:-

Registration    :
Registration Key    :

The program uses your name to calculate the registration key.
 

The Essay 

     

We will use the memory echo to find the valid registration key for HTML Validator. Then we will turn this target into its own key generator.
Well enough with the talk.
Install the target and have a look at the different features.
You will notice that it has the word unregistered in the title bar,
that sucks.
 
Choose File menu and select Register Program. You will be presented
with a dialogbox with two fields to enter your name and registration code.
Type in your name. I use 'Punisher'. Then type in a fake registration key. I use '3333333'.
Enter softice by pressing ctrl-d. let's set a break point on GetDlgItemTextA.
-- BPX GetDlgItemTextA
Now leave softice by pressing crtl-d. We are back in the registration dialog box. 
Press the Ok button and softice breaks on GetDlgItemtextA since there is two calls to GetdlgItemtextA to get our name and
reg key we will type x and press enter to let softice run. It will break on GetDlgItemTextA again.
Now Press F11 to get back to the caller. You will now see the following code.
Call User32!GetDlgItemTextA
lea ecx, [ebp+FFFFFE00]                           ;you land here after pressing F11 
push ecx
call 0043BA14
pop ecx
cmp eax, 05
jl 004312B9
cmp eax, 50
jge 004312B9
lea eax, [ebp+FFFFFA00]
push eax
lea edx, [ebp+FFFFFE00]                        ;your name is in edx here
push edx               ; 'd edx' to see it
call 0042F398                   ; -- this call calculates the
add esp, 00000008                 ; correct serial number.
lea ecx, [ebp+FFFFFC00]           ; your fake serial is in ecx
push ecx                                                             ; to see it 'd ecx'
lea eax, [ebp+FFFFFA00]              ; the real serial is loaded into eax
push eax; to see it 'd eax'
call 0043B998
add esp, 00000008
test eax, eax
jnz 004312B9
xor esi, esi
test esi, esi
jnz 004312D2; bad cracker bug-off jump
push 00010040
push 0045F887
push 0045F7D7
push ebx
Call USER32!MessageBoxA         ; shows accepted registration message box.
test esi, esi
je 00431306                                 ; here is where bug-off jump to.
push 00000200
push 00000000
lea eax, [ebp+FFFFFA00]
push eax
call 0043B8B8                              ; -- this call deletes the real reg key
add esp, 0000000C                    ; from memory. So we will nop it out
push 00010010                           ; 5 nops
push 0045FA12
push 0045F8AD                            ; -- this is the address of the text in the failed
push ebx                                        ; messagebox we will change that to push eax and
Call USER32!MessageBoxA      ; nop the rest of bytes. 4 nops.
After coming back from the call to GetDlgItemTextA we land at 
lea ecx, [EBP+FFFFFE00]
trace through the code using F10 until you get to
lea edx, [EBP+FFFFFA00]
Your name is loaded into edx. to see your name dump the memory by typing "d edx" and pressing enter. you will see your name.
Now trace using F10 to the next call which is
call 0042F398 
This call calculates the serial number for the name entered. and  stores it in ecx.
Trace using F10 to 
lea ecx, [EBP+FFFFFC00]
Now dump the ecx you will see you fake serial number. 
Trace using F10 again to 
lea eax, [EBP+FFFFFA00]
Here the real serial number is loaded into eax.
Type "d eax" to get the real serial number.
You can now disable your breakpoint by type bd *  and exit softice by pressing x and enter the real serial for your name and the program
will be registered. or you can continue and change the program into a key generator.


KEYGEN


Trace with F10 to 
Test esi, esi
JNZ 004312D2
this is where  the program test to see whether the serial number is correct or not if it is correct it does not jump and continues to 
execute the instructions after the jump which sets up the message telling you your registration is accepted.
If the test fails then the program jumps to 
Test esi, esi           E8CFA50000
We will replace it (using a hex editor) with
9090909090
We trace using F10 to this piece of code
push 00010010
push 0045FA12
push 0045F8AD
push ebx
call User!MessageBoxA
The messagebox function takes four parameters, these are push on the stack before the function is call. 
The third push is the address of the text to be displayed in the 
messagebox. We will replace this push with push eax which contains the address of the real serial number. 
The third push is five bytes and push eax is only one byte so we will have to nop the next four bytes after push eax.
The code for  push 0045F8AD is 
68ADF84500
We will replace this with
5090909090
You must now take down the codes for the to search for and those 
to replace them with. get out of softice. (ctrl-d)
 
Now use your hex editor to do the rest. I use hiew.
 
Open up Htmlval30.exe in hiew592
 
1. Press F4 then F3 to get code view.
2. Press F7 and enter E8CFA50000. Then press enter to search.
3. When Hiew finds it press F3 to edit and Enter 9090909090.
4. Now Press F9 to save.
Now do steps 1 to 4 with the other to codes.
search for 68ADF84500 replace it with 5090909090
 
Now whenever you run HTML Validator and choose the 'File Register Program' item it will bring up a dialog box with the correct Reg Key / Serial Number for the name you entered.
Well isn't that nice.


I will like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.


You should buy this program if you intend to use it longer than the
evaluation period.


  TUTORIALS ENTER>Final Notes