December 1998

"Cracking Win-eXpose Registry"

(Finding a memory echo)

Win '95/'98 PROGRAM

Win Code Reversing



by Punisher 



Cracking 4 Newbies 



Program Details

Program Name:

Program Type: Windows Registry logger

Program Location:

Program Size: 1.12MB 

Tools Used:

Soft-Ice -- Debugger


Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.


Win-eXpose Registry v1.00

(Finding a memory echo)

Written by Punisher




The Author says:

Win-eXpose-Registry is a registry Tracing/Debugging/Monitoring SHAREWARE Windows utility which lets you examine in real time what data is stored/retrieved and where in the registry.


About this protection system


Registration is via the Help > Registration menu. You are presented with a window with six edit boxes for information. They are:

Name First, Last :

Company Name :

Address #1:

Address #2:

Serial Number :

Password :

The Password is calculated based on the serial number you enter.

Install Win-eXpose-Registry v1.00 and run it. You will be presented with a nag screen at startup asking you to register the program. This screen has a number of buttons, one of which says something like "I am still in my 30 day evaluation" or words to that effect. Click that button and you will enter the main program window.

Choose Registration from the Help menu and you will be presented with the registration dialog box. Fill in the edit fields; the only two you really need are Serial Number and Password. Enter a fake serial number and password. I used 12121212 for the serial number and ninja for the password.

Go into SoftICE by pressing Ctrl-D. Set a breakpoint on GetWindowTextA:

>>> bpx GetWindowTextA

Leave SoftICE by pressing Ctrl-D. Now click the OK button. SoftICE will break at GetWindowTextA. Press X and hit Enter five times. SoftICE breaks at GetWindowTextA each time because the dialog has to read the text from each of its edit boxes in turn.

Press F11 to get back to the caller. You will land in the code of MFC40 (the MFC runtime DLL). Continue to trace with F10 until you get into WXR95 code.

Inside WXR95 code, trace until you come to the following code. You will have to do a lot of tracing, because the program calculates the password here and a lot of looping takes place. Here is the code to look for:

0137:004024B7  push  0040A1BC
0137:004024BC  push  eax
0137:004024BD  call  [006D7B10]
0137:004024C3  add   esp, 0C
0137:004024C6  lea   eax, [ebp + FFFFFECC]   ; EAX now points to the real (calculated) password
0137:004024CC  lea   ecx, [ebp + FFFFFDCC]   ; ECX points to the password you typed
0137:004024D2  mov   dl, [eax]
0137:004024D4  cmp   dl, [ecx]               ; byte-by-byte compare
0137:004024D6  jnz   004024F2                ; first mismatch jumps out

Step through this code until you have executed LEA EAX, [EBP + FFFFFECC]. Then dump the memory EAX points to and you will see the correct password:

>>> d eax

Write down that password. Now disable all breakpoints:

>>> bd *

Press X and hit Enter to let the program run, and you will see a message box telling you that the registration was wrong and to try again. Click the OK button to get rid of this message box.

Now enter the real password and click ok and the program will be registered.
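The weakness used above is that the program computes the real password into a stack buffer, right beside the text you typed, and compares the two byte by byte with an early exit, so a single memory dump before the compare gives the secret away. As an added example (not code from the essay or from Win-eXpose-Registry), here is that pattern in C beside a check that holds only a digest at the point of comparison and wipes the plaintext first; derive_password and the digest are constructed stand-ins, since the real WXR95 routine is not on the page.

```c
#include <stddef.h>
#include <stdint.h>

#define PW_LEN 8

/* Constructed stand-in for the serial-to-password derivation; the real
 * WXR95 routine is not on the page. Yields 8 lowercase letters. */
void derive_password(const char *serial, char out[PW_LEN + 1]) {
    uint32_t h = 2166136261u;                              /* FNV-1a 32-bit */
    for (size_t i = 0; serial[i]; i++) { h ^= (unsigned char)serial[i]; h *= 16777619u; }
    for (int i = 0; i < PW_LEN; i++) out[i] = 'a' + (h >> (i * 4)) % 26;
    out[PW_LEN] = '\0';
}

/* The essay's pattern: expected password in a stack buffer (LEA EAX,[EBP+FFFFFECC])
 * beside the input, compared byte by byte with an early exit (CMP DL,[ECX] / JNZ). */
int check_weak(const char *serial, const char *entered) {
    char expected[PW_LEN + 1];
    derive_password(serial, expected);
    for (int i = 0; i <= PW_LEN; i++)
        if (expected[i] != entered[i]) return 0;          /* first mismatch exits */
    return 1;
}

/* One-way transform; FNV-1a 64-bit is a stand-in, use SHA-256 in practice. */
static uint64_t digest(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Hardened form: the plaintext secret is wiped as soon as it is digested and the
 * compare is a single word compare, so a dump at the branch shows a digest only. */
int check_hardened(const char *serial, const char *entered) {
    char expected[PW_LEN + 1];
    derive_password(serial, expected);
    uint64_t want = digest(expected);
    /* wipe through a volatile pointer so the compiler cannot drop the stores */
    for (volatile char *v = expected; v < expected + sizeof expected; v++) *v = 0;
    return digest(entered) == want;
}

/* Both checks accept the derived password and reject a wrong one (returns 1). */
int self_test(void) {
    char pw[PW_LEN + 1];
    derive_password("12121212", pw);                      /* constructed serial */
    return check_weak("12121212", pw) && check_hardened("12121212", pw)
        && !check_weak("12121212", "ninja") && !check_hardened("12121212", "ninja");
}
```

This closes the memory-echo window but not the scheme itself: a checker that can compute the password on its own can still be patched at the conditional jump, and the structural fix is a licence the program can verify but not generate.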

You should buy this program if you intend to use it longer than the evaluation period.

I would like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.