September 1998
"HTML (UN)Compress V4"
( 'Targeting The String Handling Routines'  )
Win Code Reversing
by The Sandman 
Code Reversing For Beginners 
Program Details
Program Name:
Program Type: HTML Web Page Compressor
Program Location: Here 
Program Size: 711K 
Tools Used:
 Softice V3.2 - Win'95 Debugger
Easy ( X )  Medium ( )  Hard ( )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
HTML (UN)Compress V4
( 'Targeting The String Handling Routines'  )
Written by The Sandman
  This is an 'authorized' tutorial.
The author of HTML (un)Compress  says:-
"With the HTML (Un)Compress tool, you can easily compress your HTML files resulting in shorter downloading time. Your pages will appear in exactly the same way in your browser, but they will be about 20% smaller. Afterwards, you can uncompress your files to enable editing once again. When you uncompress, the files will automatically be perfectly outlined, to make them very structured and easy editable by hand. Editing your files in a WYSIWYG editor (as FrontPage, Netscape Composer) is still possible, as well in compressed as in uncompressed form. Please do tell me what you think about this tool at the following address:

The Compress tool removes all information used for editing in the HTML file. This information is unneeded for viewing the HTML file but is simply used to make its editing a lot easier. The UnCompress function of this tool though adds this formatting information once again by using the common standards of HTML files like indents etc.

Since the author of HTML (un)Compress  has consented to this tutorial being published on my web page, all he asks in return is that we don't write any on his latest version, which is currently V4.1.  Please respect his wishes.  Thank You.
About this protection system
The protection system employed relies heavily on four key points..

1. The program itself was created in Visual Basic 5. A newbies worst nightmare.

2. Dead listings while possible, will make no sense because VB programs contain just routines to the main Visual Basic runtime library.

3. It performs five checks on the User name and looks to see if the User is trying to register this program using one of five well known handles belonging to certain cracking groups. Once satisfied that the User is not using any of these handles it will begin processing the serial number.

4. Once this program is first run it will create a 16 byte file called HTMLComp.dat and place this in your C:\Windows directory. Opening this file reveals the following information:-

"99J 99J1",535  <--Our default name is: 99J 99J1 and our default serial is 535

A quick check in the System registry file also reveals this same default name & serial number..

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\HTML (Un)Compress\Registration

Name     =The Sandman

This tells us that the software author knows that the registry entry can be tampered with so he has made sure there is always a backup copy which the program can use and which it can replace the corrupted or deleted entry with.

On successful registration, the User's details (Name & Password) are stored in the System registry file and are once again found here:-
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\HTML (Un)Compress\Registration

Name     =The Sandman

Interestingly, this is NOT the main repository for your Registration details, you can delete this entry as many times as you want, the program will keep re-creating it.  This tells us that the program must therefore be getting this information from somewhere else.

What happens is that the HTMLComp.dat also now contains the User's new registration details which the program also checks each time it is run.
The Essay 
This essay will try and show that while Visual Basic is often thought by newbies as a nightmare to crack, knowing it's weaknesses can make short work of an otherwise difficult protection system.

Visual Basic programs contain nothing but meaningless routines that then call further routines in the main VB5 Runtime library. Anyone who has tried to follow these routines will know how easily the cracker can become lost and disorientated amongst all this hideous code.

However, by studying how Visual Basic programs are structured we can find it's weak points. Unless the programmer uses third party protection systems such as encryption handling routines then he/she will have little option but to rely on the ones provided by the Visual Basic runtime library.

The simplest type of protection routine we can use is the straight forward 'compare one serial number against another', then either display "beggar off cracker' if both serials are not the same, or, to allow the program to register itself if both serials are correct.  In Visual Basic this is to some degree, all the programmer has at his disposal, so then here is where we must start our initial explorations. Considering that protection routines are vital if a program is to remain a 'sellable' product for any length of time, then why Microsoft in their wisdom made no effort to provide better string handling routines is beyond me.  I speak of experience as I used to program in VB3 & 4..

In my previous essay on cracking Minimize Magic (Essay No 59) which is a Visual Basic 4 program, I explained that thanks to Razzia, who first found the String Compare routines for VB4 programs, I developed a quick approach to cracking Minimize Magic using Softice to search for the beginning of this String Compare routine.  For those who haven't yet setup Softice to use ALT-F4 for cracking VB programs then please go and read this essay NOW!. You will not be able to follow this essay much further if you haven't made the two changes to your winice.dat file!.

The importance of setting up Softice so that we can redefine the ALT-F4 keys to search for the memory location of the String Compare routine is because this ALSO works in Visual Basic 5 programs without requiring any modifications to the original search string. An all in one tool..:)

On starting up HTML (un)Compress we are greeted with a nag screen informing us that we are now on day '0' of our 30 day evaluation period. It is here also where we are given the opportunity to register this program.

OK, lets click on the 'Password' button, a small registration box appears.

Type in your name/handle and a fake serial number..

For this example I use:

Name      = The Sandman
Password = 999999999
Before clicking on the 'OK' button lets fire up Softice by pressing the CTRL-D keys together..

Our first task is to get softice to break once we press the 'OK' button, one system function that will almost guarantee this is hmemcpy because it is used in conjunction with a whole host of other functions so it's highly likely this program will use a system function that requires this routine.

Now type: bpx hmemcpy then x to leave softice.

Now you can click on the 'OK' button..

Softice now breaks at the start of the hmemcpy function..

From here all you have to do is press the ALT-F4 keys together.

Softice reports...

Pattern found at 0030:0F00d9 ;This memory address will be different on your pc

From here type in full, the memory address Softice has just shown you.

Type: u XXXX:XXXXXX     ; Insert the address Softice gave you in here.

You should now see that you are looking at the follow section of code:

XXXX:XXXXXXXX 56             push esi
XXXX:XXXXXXXX 57             push edi
XXXX:XXXXXXXX 8B7C2410       mov edi, [esp + 10]
XXXX:XXXXXXXX 8B74240C       mov esi, [esp + 0C]
XXXX:XXXXXXXX 8B4C2414       mov ecx, [esp + 14]
XXXX:XXXXXXXX 33C0           xor eax, eax
XXXX:XXXXXXXX F366A7         repz cmpsw
XXXX:XXXXXXXX 7405           je 0F79B362
XXXX:XXXXXXXX 1BC0           sbb eax, eax
XXXX:XXXXXXXX 83D8FF         sbb eax, FFFFFFFF
XXXX:XXXXXXXX 5F             pop edi
XXXX:XXXXXXXX 5E             pop esi
XXXX:XXXXXXXX C20C00         ret 000C

The XXXX:XXXXXXXX represent a memory address where this routine was found and which, will be different on every one's computer.

From here we type:

Type: bpx XXXX:XXXXXX ; Insert the address Softice gave you in here, it should create a new softice breakpoint at the start of the above routine.

Next, you will need to type: bc 00 this will clear away our previous softice breakpoint. It has served it's purpose and is now no longer needed.

Type x to leave softice and allow HTML (un)Compress to carry on with what it was doing..

Softice now breaks again..

It has stopped on on our newly created breakpoint.

Press the F10 key just Four times so that we have executed the following lines of code:-

XXXX:XXXXXXXX 56             push esi           ;save esi register for safe keeping
XXXX:XXXXXXXX 57             push edi           ;save edi register for safe keeping 
XXXX:XXXXXXXX 8B7C2410       mov edi, [esp + 10];String to check for
XXXX:XXXXXXXX 8B74240C       mov esi, [esp + 0C];Our entered User Name.
XXXX:XXXXXXXX 8B4C2414       mov ecx, [esp + 14];We are now here..

OK, if we now type: D esi we should see our User name and if we now type: d edi we should also see what this routine is going to check our name against.

Typing: d esi will show the string r.o.m.e.o
Typing: d esi will show our User name.
If you don't see this THEN press x and then move your mouse a little. Then press the F10 key four times and repeat the above instructions.  This is because this routine is also used by many other routines in Visual Basic and you may have arrived here before the program has had chance to get round to actually checking the User names.

OK, assuming you have got this far, then you should now see around 6 names in your Softice code window.  These names are handles used by some cracking groups.  The author of HTML (un)Compress is checking to see if you are trying to register this program using a serial number they have used in the past to crack this program.

From here all we need to do is to press X then when we return back into Softice press the 'F10' key again four times and type: d edi.

keep doing this UNTIL when you type: d edi you see H.T.M.L.c.o.m.
What we are doing is cycling through the list of 'crackers' names this program checks for until we reach the last one.
For the last time press X then when we return back into Softice press the 'F10' key again four times and type: d edi

Your should now see YOUR *fake* serial number and if you type: d esi you will also see the *real* serial number which the program has created based on your User Name.

From here type: BC to clear all our Softice breakpoints followed by X to leave softice.

Re-run this program and type in the *real* serial number you have just seen and the program will now be *fully* registered.

Once this program is registered and you wish to practice on it then you must delete the file HTMLComp.dat file found in your window's directory and also delete the registration entry:-

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\HTML (Un)Compress\Registration

This will convince HTML (un)Compress that this is the first time it's being run.
 Job Done.
The Crack
None required.
Final Notes 
Because we can 'program' softice to search and find our VB routine that compares two strings against each other means we don't have to worry or be concerned about trying to trace through huge amounts of code in order to find where this type of program checks our User Name or Serial number.

My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ob Duh 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will be encouraged to producing even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.

 Next   Return to Essay Index   Previous 

Essay by:          The Sandman
Page Created: 3rd September 1998