Reverse Code Engineering - WinPatch v1.2
Cracking A Patcher!
Author: Volatility

Please Read The Disclaimer Before Continuing.

Target WinPatch v1.2  - (wpatch12.exe) - 1,297,344 bytes
Location N/A - Got It From A Friend, Couldn't Find It On A Net Search
Protection(s) Nags/User Name/Serial Number
Tools Needed Soft-Ice (Any Version)
Level (X) Beginner (X) Intermediate ( ) Advanced ( ) Expert

Kind of ironic huh?  Cracking a patcher.  Maybe if I get some free time, I'll patch this patcher and then make a patcher with this patcher to patch your patcher!  *sigh* dry humor... anyway, finding your correct serial number is kind of a bitch in this prog, because it goes through TONS of checks, tests, compares and jumps before you can finally find it.  Nonetheless, I'll try to make this as painless as possible.

Prepare To Crack:

Run the program (winpatch.exe).  The first thing you'll see is an ugly nag screen... click "Continue".  The next thing you'll see is ANOTHER ugly nag screen... click "AGREE".  Now you'll be at a screen with two funky lookin' dudes on it.  Click on the "About" button, then click the "Register" button.  Your registration screen should look like this:

WinPatch Registration Screen

Three fields must be entered.. a name, a registration code, and an organization.  Anything over two fields can become difficult to crack.  As you'll see, this one isn't exactly the easiest.

To find our correct Registration ID, we'll need to set a breakpoint in Soft-Ice.  Two of the most common breakpoints for 32 bit programs are "GetWindowTextA", "GetDlgItemTextA", and if all else fails "HmemCpy".  To Save you time, the function we need to breakpoint on is GetWindowTextA.

Making The Crack:

Enter in some test data ("Cracked By Volatility [ID]", "272727" and "Immortal Descendants" for mine) then press Cntrl+D to enter Soft-Ice.  Set a breakpoint on GetWindowTextA (BPX GETWINDOWTEXTA).  Press Cntrl+D again to return to the program, and click on "Ok".  Soft-Ice pops up.  Press F11 once to get into the function, and you should be here:
0137:00434906   FF15C8E34300       CALL        [USER32!GetWindowTextA]
0137:0043490C   8B4D10             MOV         ECX,[EBP+10]
0137:0043490F   6AFF               PUSH        FF
0137:00434911   E8EFB3FFFF         CALL        0042FD05
0137:00434916   EB0B               JMP         00434923
0137:00434918   8B4510             MOV         EAX,[EBP+10]
0137:0043491B   FF30               PUSH        DWORD PTR [EAX]
0137:0043491D   56                 PUSH        ESI

Now, the following is going to be a VERY condensed and VERY brief explanation of how to find your correct serial number.  It took me a long time to find it, so make sure you look at the code ALL the way through, so you understand where and how your data is being manipulated and stored.

Step through the code using the F10 key, and look for a compare (TEST, CMP) and/or a jump (JNE, JE, JNZ,  JZ etc).  You won't find any, but you can display some of the information you entered in by displaying various registers and memory locations in this routine.  After pressing F10 13 times, you'll see the text on the line above the command window has turned from WINPATCH!text to USER!text.  This isn't where we want to be, so press F10 (14 times) until you see WINPATCH!text on the line again.

The routine you're in now will look almost identical to the first one, and you can display registers and memory locations here as well to see some of the information you entered in.  Again, there's no compare or jump in this routine, and WINPATCH!text will be replaced by USER!text after pressing F10 13 times.  Press F10 (14 times again) until you see WINPATCH!text on the line.

Now you'll be at the beginning of the routine you need to be in.  This is a VERY long routine which manipulates, compares and jumps many times.  All through this routine, you can check different registers and memory locations to see the information you entered.  About halfway from the beginning, to where we'll find our code, you'll see a long line of the following functions which manipulate our serial number:
0137:00413014   8A4802          MOV BL,[EAX+04]
0137:00413017   8A4003          MOV AL,[EAX+03]
0137:0041301A   884C2412        MOV [ESP+12],CL
0137:0041301E   8B4D00          MOV ECX,[EBP+00]
0137:00413021   88442413        MOV [ESP+13],AL
0137:00413025   8B41F8          MOV EAX,[ECX-08]

After locating the above code, you need to look for the FINAL compare and jump, where we can find our correct serial number.  As I mentioned earlier, this program does LOTS of jumps and compares, and it took me a long time to find the location I wanted.  But, as always, to save you time, you'll find the place you need to be at the following code:
0137:004130E9   E8B8930000      CALL 0041C4A6
0137:004130EE   83C408          ADD  ESP,08
0137:004130F1   85C0            TEST EAX,EAX
0137:004130F3   7560            JNZ  00413155
0137:004130F5   8D542414        LEA  EDX,[ESP+14]
0137:004130F9   8BCF            MOV  ECX,EDI
0137:004130FB   52              PUSH EDX
0137:004130FC   E80CCA0100      CALL 0042FB0D

To find our correct serial number in the above code, step through the line "CALL            0041C4A6" so that the line "ADD             ESP,08" is highlighted.  Now display the EDX register by typing:  d EDX.  In order to see your serial number, you'll need  to scroll the memory window down a bit by pressing Alt plus the down arrow key.  My serial number was L&D-0611-53809846.

Of Interest:

Since this crack is *fairly* simple, and I didn't go into a whole lot of detail about cracking the program, here  are a few interesting things you may want to investigate further on your own using a disassembler, and poking around in Soft-Ice:

1.  The  serial number begins with one of three prefixes - UIS-WWENT, UIS-2200, or L&D-0611 and are referred to as "PIN numbers" - find out where, how and why.

2.  You can view as your serial number is calculated within the code in Soft-Ice, find where... write a key generator!

3.  These guys are obviously scared of Phrozen Crew (infamous cracking group) - If you enter the word "Phroz" in ANY part of your user name or organization, you can't register!  Find where, and how you can fix this!

*** Disclaimer ***

This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine.

If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool!

It Is Illegal To Continue To Use Cracked/Patched Software.

Copyright © 1998 Volatility And The Immortal Descendants.  All Rights Reserved.