"CSE HTML Validator v3.01"
( Turning HTML Validator into its Key Generator )
Win '95/'98 PROGRAM
Win Code Reversing
Cracking 4 Newbies
Program Name: Csesetup.exe
Program Type: HTML Validator
Program Location: http://www.htmlvalidator.com/
Program Size: 1.61 MB
Softice 3.2 - Debugger
Hacker's View 5.92 - Hex Editor
Easy ( X ) Medium ( ) Hard ( ) Pro ( )
There is a crack, a crack in everything. That's how the light gets in.
CSE HTML Validator 3.01
( Changing a program into its own KeyGen )
Written by Punisher
"CSE HTML Validator is part of an HTML
development environment. Before publishing HTML documents, especially
documents created manually or with a 'dumb' HTML editor, you should
have the documents checked for syntactical errors. HTML Validator
functions as that checker, helping make sure that your documents are
written in correct syntax to help ensure that they are viewed as
intended in a variety of HTML browsers."
About this protection system
The program uses your name to calculate the registration key.
We will use the memory echo to find the valid registration key for HTML Validator. Then we will turn this target into its own key generator.
Well, enough with the talk.
Install the target and have a look at the different features.
You will notice that it has the word 'unregistered' in the title bar.
Open the File menu and select Register Program. You will be presented
with a dialog box with two fields to enter your name and registration code.
Type in your name; I use 'Punisher'. Then type in a fake registration key; I use '3333333'.
Enter SoftICE by pressing Ctrl-D. Let's set a breakpoint on GetDlgItemTextA.
-- BPX GetDlgItemTextA
Now leave SoftICE by pressing Ctrl-D. We are back in the registration dialog box.
Press the OK button and SoftICE breaks on GetDlgItemTextA. Since there are two calls to GetDlgItemTextA, one to get our name and one to get our
reg key, we type x and press Enter to let SoftICE run. It will break on GetDlgItemTextA again.
Now press F11 to get back to the caller. You will see the following code.
lea ecx, [ebp+FFFFFE00]     ; you land here after pressing F11
cmp eax, 05
cmp eax, 50
lea eax, [ebp+FFFFFA00]
lea edx, [ebp+FFFFFE00]     ; your name is in edx here
push edx                    ; 'd edx' to see it
call 0042F398               ; this call calculates the
add esp, 00000008           ; correct serial number
lea ecx, [ebp+FFFFFC00]     ; your fake serial is in ecx
push ecx                    ; to see it, 'd ecx'
lea eax, [ebp+FFFFFA00]     ; the real serial is loaded into eax
push eax                    ; to see it, 'd eax'
add esp, 00000008
test eax, eax
xor esi, esi
test esi, esi
jnz 004312D2                ; bad cracker bug-off jump
call USER32!MessageBoxA     ; shows the accepted-registration message box
test esi, esi
je 00431306                 ; here is where the bug-off jump goes to
lea eax, [ebp+FFFFFA00]
call 0043B8B8               ; this call deletes the real reg key from
add esp, 0000000C           ; memory, so we will NOP it out (5 NOPs)
push 00010010
push 0045F8AD               ; this is the address of the text in the failed
push ebx                    ; message box; we will change it to push eax and
call USER32!MessageBoxA     ; NOP the rest of the bytes (4 NOPs)
After coming back from the call to GetDlgItemTextA we land at
lea ecx, [EBP+FFFFFE00]
trace through the code using F10 until you get to
lea edx, [EBP+FFFFFA00]
Your name is loaded into edx. To see it, dump the memory by typing "d edx" and pressing Enter; you will see your name.
Now trace using F10 to the next call, which is
call 0042F398
This call calculates the serial number for the name entered and stores it in ecx.
Trace using F10 to
lea ecx, [EBP+FFFFFC00]
Now dump ecx and you will see your fake serial number.
Trace using F10 again to
lea eax, [EBP+FFFFFA00]
Here the real serial number is loaded into eax.
Type "d eax" to get the real serial number.
You can now disable your breakpoint by typing bd * and exit SoftICE by pressing x. Enter the real serial for your name and the program
will be registered. Or you can continue and change the program into a key generator.
Trace with F10 to
test esi, esi
This is where the program tests whether the serial number is correct. If it is correct it does not jump, and continues to
execute the instructions after the jump, which set up the message telling you your registration is accepted.
If the test fails then the program jumps to the bug-off code, which calls 0043B8B8 to delete the real serial number from memory.
The bytes of that call (call 0043B8B8) are E8CFA50000.
We will replace them (using a hex editor) with 9090909090.
We trace using F10 to the MessageBoxA call sequence shown above (push 00010010, push 0045F8AD, push ebx, call USER32!MessageBoxA).
The MessageBox function takes four parameters; these are pushed on the stack before the function is called.
The third push is the address of the text to be displayed in the
message box. We will replace this push with push eax, which contains the address of the real serial number.
The third push is five bytes and push eax is only one byte, so we will have to NOP the next four bytes after push eax.
The code for push 0045F8AD is 68ADF84500.
We will replace this with 5090909090.
You must now take down the codes to search for and those
to replace them with. Get out of SoftICE (Ctrl-D).
Now use your hex editor to do the rest. I use Hiew.
Open up Htmlval30.exe in Hiew 5.92.
1. Press F4 then F3 to get code view.
2. Press F7 and enter E8CFA50000. Then press Enter to search.
3. When Hiew finds it, press F3 to edit and enter 9090909090.
4. Now press F9 to save.
Now do steps 1 to 4 with the other two codes:
search for 68ADF84500 and replace it with 5090909090.
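The two five-byte patches just described are exactly what a code-section integrity check is meant to catch. The C program below is an added example, not code from this tutorial or from CSE HTML Validator: it checksums a constructed stand-in for the region around the serial check and shows that both the NOPed call and the push eax substitution change the CRC-32. The bytes surrounding the two sequences from the tutorial, the function names and the choice of CRC-32 are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard CRC-32 (reflected, polynomial 0xEDB88320, init/final 0xFFFFFFFF). */
uint32_t crc32_region(const unsigned char *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
/* Returns 1 if the region still matches the checksum recorded for it. */
int code_is_intact(const unsigned char *region, size_t len, uint32_t expected) {
    return crc32_region(region, len) == expected;
}
/* Constructed stand-in for the bytes around the serial check. Only the two
   five-byte sequences E8 CF A5 00 00 (call 0043B8B8) and 68 AD F8 45 00
   (push 0045F8AD) come from the tutorial; the neighbouring bytes are
   re-encodings of the listed instructions, not a dump of the real file. */
static const unsigned char original_region[] = {
    0x8D, 0x85, 0x00, 0xFA, 0xFF, 0xFF,   /* lea eax, [ebp+FFFFFA00] */
    0xE8, 0xCF, 0xA5, 0x00, 0x00,         /* call 0043B8B8           */
    0x83, 0xC4, 0x0C,                     /* add esp, 0000000C       */
    0x68, 0x10, 0x00, 0x01, 0x00,         /* push 00010010           */
    0x68, 0xAD, 0xF8, 0x45, 0x00,         /* push 0045F8AD           */
    0x53,                                 /* push ebx                */
};
/* The same region after the two patches from the hex-editor steps. */
static const unsigned char patched_region[] = {
    0x8D, 0x85, 0x00, 0xFA, 0xFF, 0xFF,
    0x90, 0x90, 0x90, 0x90, 0x90,         /* call replaced by 5 NOPs */
    0x83, 0xC4, 0x0C,
    0x68, 0x10, 0x00, 0x01, 0x00,
    0x50, 0x90, 0x90, 0x90, 0x90,         /* push eax + 4 NOPs       */
    0x53,
};
uint32_t original_crc(void) { return crc32_region(original_region, sizeof original_region); }
uint32_t patched_crc(void)  { return crc32_region(patched_region, sizeof patched_region); }

int main(void) {
    /* A real build embeds the CRC of the pristine binary; here it is taken from original_region. */
    uint32_t expected = original_crc();
    printf("original region intact: %d\n", code_is_intact(original_region, sizeof original_region, expected));
    printf("patched region intact:  %d\n", code_is_intact(patched_region, sizeof patched_region, expected));
    return 0;
}
```

A check like this lives in the same file the patcher edits and can be NOPed out in turn, so it raises the cost rather than settling the matter; the same checksum compared against a known-good value is also how a defender tells a tampered Htmlval30.exe from a clean one.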
Now whenever you run HTML Validator and choose the 'File Register Program' item it will bring up a dialog box with the correct Reg Key / Serial Number for the name you entered.
Well, isn't that nice.
You should buy this program if you intend to use it longer than the