Aug 1998
"CSE HTML Validator V3 Beta 1b"
( 'A Sniff Then Register Example'  )
Win Code Reversing
by The Sandman 
Code Reversing For Beginners 
Program Details
Program Name: CSEbeta.exe
Program Type: HTML Validator
Program Location: Here 
Program Size: 1.5 Mb 
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Dissembler
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
CSE HTML Validator V3 Beta 1b
( 'A Sniff Then Register Example  '  )
Written by The Sandman
The author(s) of CSE HTML Validator  says:-
"  CSE HTML Validator (referred to here also as HTML Validator) is part of an HTML
   development environment. Before publishing HTML documents, especially documents
   created manually or with a 'dumb' HTML editor, you should have the documents checked
   for syntactical errors. HTML Validator functions as that checker, helping make sure that
   your documents are written in correct syntax to help ensure that they are viewed as
   intended in a variety of HTML browsers.

   NOTE: CSE HTML Validator cannot check for a completely syntactically correct
   document, although it can find many syntactic errors and offer useful advice and
   assistance in creating your documents.

   Checking your document for syntax cannot be done in a standard HTML browser
   because the browser is designed to only let you view HTML documents. If syntactic
   errors exist in the document being viewed, the browser attempts to display the
   document in a less predictable manner (it guesses as to how it thinks the document
   should be displayed), thus resulting in syntactic errors causing your document to be
   displayed in a variety of fashions that are likely to vary depending on the browser and
   even with the version of the browser. Sometimes, if a document has enough errors, it
   will not even display. But why worry about it when you can easily check your
   documents with HTML Validator? Simply have HTML Validator validate your documents
   prior to them being published. You may also notice that your documents display faster
   and with less problems. "
About this protection system
This program when run, displays a nag reminder informing you to register and that you can only validate 50 web pages before you must register this program.
This program uses the System Registry file to store your User Details and serial number once you've properly registered this program. These User details and others can be found here..
HKEY_Current_User\Software\AI Internet Solutions\CSE 3310 HTML Validator
Also, once the program has been registered it creates an ascii file called 'HTMLVal.Key' which is placed in the same directory as the program itself. This file does not have anything to do with the program's protection system, it's there to remind the user of his/her serial number etc and looks something like this:-
The Sandman

Do not change this file! It contains your registration information.
The 15 digit serial code is based on your User Name/Handle and is also placed in your System Registry file.
The Essay 
As far as being able to *crack* a serial type program then this must rate as one of the easiest's around.  Now ask yourself this.  What's the MAIN point in creating serial numbers especially long number ones to register programs with?.  The answer is so that the Users (you and me ) can't accidentally guess the correct serial code.  Now I've said this many times but why o why do programmers bother creating long and or complicated serial numbers for their programs when it's usually so easy to simply sniff out the *real* serial code just by following a few lines of code.

Since I cracked this program without using a Dead Listing I won't tell you to go and create one using W32Dasm but if you really want to learn more about this program it might be a good idea to create one all the same..
First things first..
Run up the program then select the 'File' menu then the 'Register..' option.
You should now be in a simple looking Registration Screen.
Fill in your Name/Handle and a fake serial number.
I used:

The Sandman

Before clicking on the 'Ok' button press 'Ctrl-D' to activate Softice then type: bpx messageboxa.  Now press  'x' to leave Softice.

Now you can click on the 'OK' button.
Softice now breaks at the start of the messageboxa system function.

Press the 'F11' key once and click on the 'OK' button to the message saying your serial code was invalid.  Softice should break here..
:00423815 68A7E04400              push 0044E0A7 ;Messagebox Title
:0042381A 6842DF4400              push 0044DF42 ;"You've entered invalid.."
:0042381F 53                      push ebx
:00423820 E848550100              Call USER32.MessageBoxA
:00423825 E979010000              jmp 004239A3 ;We return here
What I normally do here is to scroll the Softice Assembly window until I come across the first occurrence of the following assembler instructions which are nearly always very close by:-

cmp Register,Register (or test Register,Register)
Conditional Jump

The first set of these instructions I came across I discounted because it was to do with creating a messagebox:-

:004237EB 686CDE4400            push 0044DE6C ;"Thank you for registering"
:004237F0 53                    push ebx
:004237F1 E877550100            Call USER32.MessageBoxA
:004237F6 85F6                  test esi, esi
:004237F8 7430                  je 0042382A
OK, no problem, I now scrolled up a few more lines and Bingo!, I found another classic set of my favorite set of instructions here:-
:004237CF E80C960000            call 0042CDE0 ;Compare serials
                                              ;eax=ffffffff if fail
                                              ;eax=1 if correct
:004237D4 83C408                add esp, 00000008
:004237D7 85C0                  test eax, eax ;serial correct?
:004237D9 7502                  jne 004237DD ;No? then jump

If you have a dead listing close by for this program then you'll see how close all these instructions are to our original Softice breakpoint on messageboxa.
At this point I cleared all of Softice's previous breakpoints by typing: bc *
then I type: bpx 004237cf then x to leave Softice.
Now re-run the registration process again and once again Softice breaks but this time on our newly created breakpoint at: 004237cf
Press the 'F10' key once, yep that's right don't trace into this call, just step over it. Now it's interesting to monitor the state of the pc's registers after you've just skipped over a call because this can reveal quite a lot about what the call has just been doing.
So now type: D ecx and you'll see in Softice's code window the *real* serial number you need to use to register this babe!.

If you type D edx then you'll see your *fake* serial.

Now re-run this program but now use the *real* serial number you've just sniffed out.
Job Done.
The Crack
None required.

If you intend on using this program beyond it's evaluation period then please BUY IT!
Final Notes 
Surly this program is not THAT easy to *crack*!, well yes it was, so it's doesn't really matter if the programmer used a 100 digit serial number to register this program with, we can always sniff it out with relative ease.

My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ob Duh 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will be encouraged to producing even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.

 Next   Return to Essay Index   Previous 

Essay by:          The Sandman
Page Created: 14th August 1998
, dword ptr [ecx+01]     ;