May 1998
"Hot Chilly V2.5"
( An Open and shut case )
Win Code Reversing
by The Sandman 
Code Reversing For Beginners 
Program Details
Program Name:
Program Type: Homepage Tool - Java Applets
Program Location: Here or  Here
Program Size: 893K 
Tools Used:
Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
Hot Chilli V.2.5
( An open and shut case  )
Written by The Sandman
The author(s) of this utility can be found at:
This utility will help you insert a number of Java classes into the web page of your choice.  Special FX available are:

LED Scroll
Super Scroll
Fading Scroll
Status Scroll
Cool Button
Pulldown Menu

Once installed you have just six uses from it before the program disables itself.
About this protection system
Registration is via the initial Nag Screen shown each time you run the program.  Click on the 'Register Now!' button where you are then asked to enter:

User RegKey:
RegKey          :

When first run the program creates a number of entries in the system registry file, the one of interest to us is hidden deep within the registry file itself, and even uninstalling the product won't remove this entry. Notice that this entry has no identifiable features to it that could be associated with Hot Chilli, this is a common feature of many programs today, to hide the 'expire/counter' information so you won't be able to find it, he he, have they never heard of Regmon??. If you still haven't got Regmon then GET IT NOW!.

Here's that hidden entry within the Registry File:-

One entry created:

workTime1        "6"  <=====This is the countdown value

The program 'reads' the value for workTime1 then decreases this value by one until it reaches 1, where the program will then only let you access the 'Registration Screen'.
The Essay 
After running this program for the first time I was quite impressed with the whole layout of the program so expected to have a hard time cracking it, hehehe, I worry too much..:)
OK, first things first, run up W32Dasm and lets see a 'Dead Listing' of this program, we want to try and work out how best to crack this program.  Newbies often wonder how 'experienced' crackers decied on what method to use to crack a program, well the answer is they DON'T, the program itself does the choosing for them!. The 'experienced' cracker only looks at the clues given to him from observing the target program running and then from the results of his assortment of tools available to him. Then, and only then can he deiced on the best approach of attack.

You wouldn't go about 'patching' a program so it always 'registers' itself when you type in a fake Regkey if the program uses just one Regkey hard coded into the program itself, you could but why would you want to do this?. Like-wise, why spend your time de-coding the Registration Key routine if a simple Nop (90h) can bypass the whole process. (There are of course, those rare times when Nop'ng is not always the best way to crack a program).
Right, we now have a 'Dead Listing' of Hot Chilli, what next.. Let's check out the program's String Data references, an excellent source of tasty clues..

Excuse the long listing but there is a very good reason for this..:)

String Resource ID=00001: "Untitled"
String Resource ID=00002: "OK to overwrite %s"
String Resource ID=65535: "Floating point overflow"
"                 "
"    ("
"  Delay="
"  Flash="
"  Starting Action={"
" Finish="
" Start="
" Style="
" VALUE=""
" VALUE="<"
" VALUE="<5><Color=#000000><left>Please "
" VALUE="<5><Color=#000000><left>This "
" VALUE="UNREGISTERED version of "
""  ( FONT="
""  (Color="
"" VALUE=""
"" VALUE=""
"" value=""
"" VALUE="">"
"" VALUE="TimesRoman,PLAIN,12">"
"" VALUE="Unregistered version "
"}  )"
"<!Copyright 1997, Hot Chilli, "
"<HTML><HEAD><TITLE>Hot Chilli "
"<HTML><TITLE>Hot Chili Applet "
"<PARAM NAME="BackColor" value=""
"<param name="bgcolor" value=""
"<PARAM NAME="bgColor" VALUE="black">"
"<PARAM NAME="BorderColor" value=""
"<PARAM NAME="BorderWidth" value=""
"<param name="changefactor" value=""
"<PARAM NAME="font"
"<PARAM NAME="LEDSize" value=""
"<PARAM NAME="link"
"<PARAM NAME="number" VALUE=""
"<PARAM NAME="Speed" value=""
"<PARAM NAME="target" VALUE=""
"<PARAM name="Text"
"<PARAM NAME="text"
"<PARAM name="Text"
"<PARAM NAME="text"
"<param name="txtcolor" value=""
"<PARAM NAME=bgcolor VALUE="#"
"<PARAM NAME=bgcolor VALUE="getBackground()">"
"<PARAM NAME=line"
"C:\WINDOWS\winhlp32.exe "
"Delphi Component"
"Delphi Picture"
"Finishing Action={"
"Hot Chilli V2.5 -  Registered "
"Hot Chilli V2.5"
"Hot Chilli will now copy to your "
"Incorrect Key!"
"layout text"
"mmmm d, yyyy"
"Please select a browser for previewing "
"Registered Version"
"Runtime error     at 00000000"
"System\CurrentControlSet\Control\Keyboard "
"The contents of the file will "
"The evaluation period for Hot "
"You must first click the "Add" "
"You must first open a file"
"You must first open a HTML file."

If you have quickly scrolled down this window without properley looking at the above then you will have missed some huge clues to how a cracker will deiced to crack this program.  In fact, looking at the above string resource data allowed me to crack this program without even looking at the actual code W32Dasm had created for me!.

Lets first state what we know from the target program from a crackers point of view..
1. The User RegKey will accept 50 characters in total.
2. The RegKey Code will accept any number of characters, most likely consisting of alpha numeric characters.

3. We can't be certain at this point weather or not this Regkey is based on the User name or wether it is generated internally based on some sort of product serial code.

4. We can be certain that it's storing the 'Times the program has been used' Counter somewhere in the System Registry File.
Before proceeding on with this essay make a note of possible clues you can gain about the protection system used in this program from the above String Resource Data. I will wait here until you've finished...
Time passes....
OK, did your notes contain these two items?
They should have because if you had read my last essay I said that the first things I do when looking at the String Resource Data from W32Dasm is:-
1. Any sequence of alpha numeric characters that resemble a Keycode, you never know..:)

2. Locations and names of any .ini files and, more importantly, the references to any items of data that gets posted into the system registry file.
3. References to any likely 'Beggar off' or 'Thanks for buying' messages, these will help to pin point the associate routines within the program, they are like a neon signs saying 'crack me, crack me" to crackers!.
Taking the first priority, "any sequence of alpha numeric characters that resemble a keycode".

Doesn't this string reference: "1765-7654-8765" look like a registration code to you?. You would be amazed just how many programs still use hard code registration numbers within their code AND which, the programmer hasn't bothered trying to hide it!.
There's only one way to find out.. Run up Hot Chilli, enter in the User Regkey Your name or handle, then, in the RegKey Code type in this number.. 1765-7654-8765
Yep, that's right, it's the keycode the program was looking for!.  Once you've pressed the 'Register' button the program won't display any 'Thank you for purchasing this product etc' but rest assured it's been registered.. Now quite the program and re-run it, this will allow the program to update the System Registry file with the new details.

Is this the end of of this essay?.  No, we still want to learn a bit more about it so that if we come across another similar product from the authors we will know how to deal with it without wasting our time starting from scratch again..

Taking my second priority, Locations and names of any .ini files and, more importantly, the references to any items of data that gets posted into the system registry file.

We want to know about what entries in the System Registry file this program uses for it's protection system, that annoying '6 times you can use it and your out' counter.
If you now go into your your System Registry  file using C:\Windows\RegeEdit.exe and now look for the above entry's you will quickly see that at:
Now contains:-

id                          "YOUR ENTERED NAME/HANDLE"
workTime1        "1234"

What the program has done when it was registered was to insert your entered name/handle under the ID heading, then, in the variable workTime1 (which up until now had been used as a countdown) it has placed the value of "1234".

The significance of workTime1 = "1234" becomes clearer if you delete this entry key, in which case when you re-run Hot Chilly it will go back to being unregistered!.  So, if we now manually re-enter this string ourselves in the same place within the System Registry and re-run Hot Chilli again it will become fully registered again!!. Had we known before hand of this we could have simply done this in the first place and not bother with anything else..
We don't need to bother with my third and fourth priority since we've done the job we origially set out to do.  However, we could still examine the code to see other 'gems' may lurk behined the jungle of code.
Job Done.....
The 'Crack' 
None required.
Final Notes 
This was a yet another good program to *crack*, it must rate high as having one of the most useless protection systems on the web, which is a shame considering the time the author(s) have spent on this program.

Registration payment of US$29.95 sounds about right for this homepage utility, but if the author is reading this then may I suggest you at least try and hide the registration code, even using the well known XOR method would be better than none.
My thanks and gratitude goes to:

Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.

Ob Duh 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.

 Next   Return to Essay Index   Previous 

Essay by:          The Sandman
Page Created: 26th May 1998