BakeHead Editor

Reverse Code Engineering For Beginners

For Educational Use Only

Date: 16th May 2000

Project No: 1

This File Escaped From: "Learn Cracking In New Style."

Target: BakeEditor V1.30

Download From: ( (Size: 2.03MB)

Tools Used: SoftICE, W32Dasm and a HexEditor  (  

Rating: It's easy when you know how.

Remember This: It is easy to destroy but hard to create. Software authors work hard to give us good quality software so support shareware. If your intension is of pirating this software then stop reading..... and delete this file immediately. It's better you look for it in some WAREZ sites.

About The Program: Bakehead is the Headcase Face Editor which allows the user to create their own Headcase Face files from scanned or drawn images for use with the Headcase Player.

About Protection Scheme: The Program has a nag-screen at start-up. You can get to the registration box through HELP menu. After successfully registering this software, it stores the password in "config.dat" file located in your "\Program Files\Red Ted\Bakehead Editor\" directory. The password will be unique in each machine, because while downloading; each copy of BakeHead Editor is given a specific registration number and the password in based on it.

The Essay

First Approach: In the first approach, we are gonna hunt for the Password. So let's go hunting. Run the program, at first it shows "This is an unregistered version..." Click OK. Go to registration box through Help and click "Register Bakehead.." Try entering fake password and click OK. What..? no error message. This program tries to smart...umm. Fire up softice and set BPX GetWindowTextA. Press F5 and again type fake password. Let's say 12345 and click OK. Softice breaks, press F11 and F8, 30 times. Now you should be at following codes.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040130C B952319B3B              mov ecx, 3B9B3152
:00401311 250A38EB08              and eax, 08EB380A
:00401316 2BCA                    sub ecx, edx
:00401318 D1E9                    shr ecx, 1
:0040131A 8D54080D                lea edx, dword ptr [eax+ecx+0D]
:0040131E 8B86CC000000            mov eax, dword ptr [esi+000000CC]
:00401324 3BC2                    cmp eax, edx ;This is the place where the valid ~                                              ;password is compared with our fake ~                                              ;password. Do ? EAX=fake password and ~                                              ;? EDX=valid password.
:00401326 740E                    je 00401336  ;If EAX=EDX then it enables Save ~                                              ;function else continues to be a ~                                              ;shareware.
:00401328 6A00                    push 00000000
:0040132A 6A40                    push 00000040
* Possible StringData Ref from Data Obj ->"This is an unregistered version "
                                        ->"of Bakehead Editor. The SAVE feature "
                                        ->"is disabled."
    Work done. I think you got it, didn't you?                                                                                         End Of First Approach

Second Approach: In the second approach, we're gonna enter a fake password and then make the program register itself by changing our fake password in the valid password. Sounds interesting? OK. Let's get the job done. I think, I have told you that the program store the valid password in "config.dat" after successfully registering it. That means where should we have to look next? That's right "\config.dat". Dead list the program and click on "\config.dat" now you should see following codes:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040575C B952319B3B              mov ecx, 3B9B3152
:00405761 250A38EB08              and eax, 08EB380A
:00405766 2BCA                    sub ecx, edx
:00405768 D1E9                    shr ecx, 1
:0040576A 8D54080D                lea edx, dword ptr [eax+ecx+0D]
:0040576E 8B44240C                mov eax, dword ptr [esp+0C]; In EAX, our fake password is being copied. We don't want that to happen but instead we want real password to be copied. So, what should we do next? That's right! Since we know that EDX holds the real password, we're gonna change it to " mov eax, edx. After changing this the real password will be copied to EAX and in the next "cmp"; the real password will be compared with the real password and there in no chance that "JNE" will fail. Also after that, the real password will be copied to "\config.dat" file and we're gonna have a fully functional program.
:00405772 3BC2                    cmp eax, edx    ;You know what's here. don't you?
:00405774 754D                    jne 004057C3
:00405776 A3CCDC4400              mov dword ptr [0044DCCC], eax

* Possible StringData Ref from Data Obj ->"\config.dat"

Open a HexEditor and search for 8B44240C at offset: 00004B6Eh

    Then change 8B 44 24 0C it to
                8B C2 90 90
Look what happens when you do the above patch.

:0040576E 8BC2                    mov eax, edx ;Move the real password in to EAX.
:00405770 90                      nop    ;Do nothing.
:00405771 90                      nop    ;Do nothing.
:00405772 3BC2                    cmp eax, edx ;Compare real password with real ~                                              ;password.
:00405774 754D                    jne 004057C3 ;Jump is not equal. It'll not jump.
:00405776 A3CCDC4400              mov dword ptr [0044DCCC], eax ;Save real password ~                                                              ;in "config.dat" file

* Possible StringData Ref from Data Obj ->"\config.dat"

   Making this change in the program, the program will accept any password that you enter and changes it in to the real one. 

End Of Second Approach

[NOTE: There is one more way of making this program work as a fully functional software by enabling the crippled "Save As.." function. But it is target to a hardworking newbie. You have to do lots of rough patching and it's not a clean crack though. The solution is by meRlin. If you are a hardworking newbie then email me, I'll send it to you.]

About Us: We are newly born Cracking Group. Cracking is our Hobby and we take it as a Challenge. That's why, we don't limit ourselves to only one approach. We crack software in every possible way it can be or that we are aware of. If our intensions were of cracking software and using it for free, we never had wasted our precious time on cracking it by applying different approaches. Now, this doesn't mean that those who crack using only one approach use software illegally or their intensions are evil. Don't get us wrong guys....:-)). We don't distribute cracks and serials, so don't ask for it. Comments are welcome. 

How You Can Help Us: We are knowledge hungry people, so if you see anything interesting while surfing the net next time do let us know. The information can be related to anything such as: hacking, cracking, mp3, books, etc. Of course.. it should be FREE as our tutorials are. Don't e-mail us telling about "Get Paid To Surf" or other such types of "Referral" programs. If by any means, we registered to those types of referral program we'll not include your name as a "Referrer." BTW, we hate spammers. 

Our Goal: To spread knowledge and help newbie in "Reverse Code Engineering" by providing Tutorials. :-).


Founder/Tutorial: e-nigma

Crackers: blacksword, (D)ragon, gkaizer, Jim Charble, meRlin, nachtigall, pepperman, pupp6969, +Viper+

Contact Us:

Solutions By:

Second Approach: nachtigall

All the solutions were modified and checked by e-nigma. It works 99.99%.

If any problem. Feel free to ask. :-))


Our Thanks And Gratitude Goes To:- 

+Sandman for all his Great Tutorials and Magnificent Newbie Forum.

The Snake For hosting this file on his Website.

And all the people out there in "+Sandman Newbie Cracking Forum"

That's all for now. We'll be back with our 2nd project as soon as possible. Till then..... Have Fun!

2000 "Learn Cracking In New Style." All Rights Reserved.