July 1998
"WinHacker V2"
( 'A Simple Protection System sniffed out'  )
Win Code Reversing
by The Sandman 
Code Reversing For Beginners 
Program Details
Program Name: wh95v2b3.exe
Program Type: Win '95 utility
Program Location: Here
Program Size: 1.1 MB 
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
WinHacker V2
( 'A Simple Protection System Sniffed Out'  )
Written by The Sandman

The authors of WinHacker say:-
"New features in WinHacker V2.0 include:

WinHacker 95 is a utility that you can use to configure the hidden Windows 95 and Windows NT 4.0 settings. WinHacker 95 is THE
 Windows Shell Management Tool.

Many of the settings that change the way Windows 95 works and feels are hidden in the overwhelming registry, or in configuration files. WinHacker 95 gives you an easy way to configure those settings through the GUI (graphical user interface)!"
About this protection system
On Installation the program places this entry in your C:\Windows\Winhacker.ini

[WinHacker 95 2.0]
Data=21111              ;This value changes every time you run WinHacker!

Several keys and entries are created in your System Registry file, but the one that will interest everyone is this one, located at:

HKEY_LOCAL_MACHINE\Software\Wedge Software\WinHacker 95
Data = 26 bytes of information relating to trial period and is linked to the entry in win.ini
On successful registration this entry grows considerably. Any attempts to 'hack' this will be picked up by WinHacker.
WinHacker requires you to type in a valid serial number which is case sensitive and based on your user Name/Handle. You are automatically sent to the 'Registration Screen' each time the program is run as Shareware. You are given 20 days to evaluate this program.
The Essay 
Since this program is protected in different ways (CRC checking and double checks on the data entry in your system registry file), it's much easier in this case to sniff out the memory echo of the original serial number used by the program to verify the one entered by the User.

Surprisingly, the program seems to try and hide the location of where it stores the valid serial number during its checks on your entered serial number; however, I found one instruction that, for a fraction of a second, points to this valid serial number, so here's how I found it...

Start up WinHacker, enter your name, company name (if applicable) and a serial number of some kind, doesn't really matter what you type:-

Example: I used:-

Name         : The Sandman
Company name : -
Serial No    : 7777777

Now fire up Softice by pressing the Ctrl & D keys together.

Now type bpx getwindowtexta then x to leave Softice.

Now click on the 'Register...' button; Softice will now break at the start of the system function getwindowtexta. Just press the 'F11' key once, then press the 'F10' key 7 times to return back into WinHacker's code.

We should now see this code snippet in Softice...
:00418479 E8FCBD0000       Call 0042427A
:0041847E 8D8600020000     lea eax, dword ptr [esi+00000200];We Land here
:00418484 50               push eax
:00418485 55               push ebp
:00418486 57               push edi

OK, now we should keep pressing the F10 key UNTIL you get to the end of this routine, which has the Ret 0004 assembly instruction. While doing this I stopped on every assembly instruction that altered any of the processor's flags and typed d followed by a register name. Example: d eax or d ebx or d edi etc. This can tell us a great deal about the routine we're in by knowing what information is being handled by the system registers. If you're sniffing out serial numbers then this is what you must do.
:004184E6 5F                      pop edi
:004184E7 5E                      pop esi
:004184E8 5D                      pop ebp
:004184E9 5B                      pop ebx
:004184EA C20400                  ret 0004 ;End of routine

When you arrive at the Ret 0004 instruction press the 'F10' key once; this will now take you into MFC42.DLL, which we don't really need to check, so now press the 'F10' key 7 times so that we once again return back into WinHacker's code and to the routine that handles the decision whether to display the 'Beggar of cracker message' or the 'Thank you for buying bla bla bla message', depending of course on our entered serial number.

:0041850C 8D4DD8                  lea ecx, dword ptr [ebp-28];We land here
:0041850F E8E9060000              call 00418BFD
:00418514 33DB                    xor ebx, ebx
:00418516 683C034400              push 0044033C ;="WinHacker 95 2.0"
:0041851B 8D4DD8                  lea ecx, dword ptr [ebp-28]
:0041851E 895DFC                  mov dword ptr [ebp-04], ebx
:00418521 E848BD0000              Call 0042426E
:00418526 FFB600020000            push dword ptr [esi+00000200]
:0041852C 8D4DDC                  lea ecx, dword ptr [ebp-24]
Code Continues here...
:00418574 8B3D44524400            mov edi, dword ptr [00445244]
:0041857A C645FC03                mov [ebp-04], 03
:0041857E FF75EC                  push [ebp-14]
:00418581 FFD7                    call edi ;Generate a valid serial # then
                                           ;check the serial entered by the
:00418583 F7D8                    neg eax
:00418585 1BC0                    sbb eax, eax
:00418587 59                      pop ecx ;This pop's of the location of
                                          ;of where the real serial no is
:00418588 40                      inc eax ;If you now type d ecx you will
                                          ;now see your real serial #!
                                          ;in my case the serial no was:
:00418589 59                      pop ecx ;erase valid serial
:0041858A 84C0                    test al, al
:0041858C 7448                    je 004185D6 ;invalid serial? then jump

I've cut out a section of code so that I can show you the location where we can see the valid serial number based on the name you typed in, and also where the program verifies your entered serial number. If you *try* to patch that je 004185D6 instruction so that it is NOP'd out, the program still won't get registered, since during the checking of the serial numbers the program has already been told whether or not the serial number was valid, so NOP'ing out the je instruction won't change this in any way.
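The weakness the essay exploits is a design one: the program derives the valid serial from the name on the customer's own machine and hands it, in plaintext, to a compare routine, so a register necessarily points at it for a moment. The following C is an added example, not WinHacker's code or its algorithm: derive_serial is a constructed toy derivation, the FNV-1a digest stands in for a real hash, and the function names are assumptions for the demo. It puts the observable pattern (validate_weak) beside a version that digests and wipes the derived serial before comparing (validate_hardened). The caveat a defender should take from it is that the hardened variant only narrows the window; as long as the derivation ships inside the binary it can be stepped through under a debugger, and the only real fix is a scheme in which the client holds nothing that can produce a serial, such as verifying a signature over the name with an embedded public key.

```c
/* Added example (not WinHacker's code): why a client-side serial check that
   materializes the reference serial is observable, and what narrows the window. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_LEN 9  /* 8 hex digits + NUL */

/* Constructed toy derivation, an assumption for this demo only; it is NOT the
   scheme WinHacker uses. Any function of this kind, once it ships inside the
   binary, can be single-stepped exactly as the essay describes. */
void derive_serial(const char *name, char out[SERIAL_LEN]) {
    uint32_t h = 5381;
    for (const char *p = name; *p; p++)
        h = h * 33u + (unsigned char)*p;
    snprintf(out, SERIAL_LEN, "%08X", h);   /* case-sensitive, like the essay's serial */
}

/* Weak pattern: the valid serial sits in a plain buffer and is passed to a
   library compare, so at the call a register points straight at it (the
   "memory echo" the essay reads with 'd ecx'). */
int validate_weak(const char *name, const char *entered) {
    char expected[SERIAL_LEN];
    derive_serial(name, expected);
    return strcmp(expected, entered) == 0;   /* expected[] is left behind on the stack */
}

/* Wipe that the optimizer may not elide. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Toy 64-bit FNV-1a; stands in for a real digest (assumption for the demo). */
static uint64_t digest(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Constant-time equality on fixed-width digests: no early exit to observe. */
static int ct_equal(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(1 - (d & 1));   /* 1 when every bit of a ^ b was zero */
}

/* Narrowed pattern: the derived serial is digested and wiped at once, and the
   comparison runs on digests, so no register points at the plaintext valid
   serial during the compare. The derivation still exists in the binary, so
   this only shrinks the window; it is not a fix. */
int validate_hardened(const char *name, const char *entered) {
    char expected[SERIAL_LEN];
    derive_serial(name, expected);
    uint64_t want = digest(expected);
    secure_zero(expected, sizeof expected);
    uint64_t got = digest(entered);
    int ok = ct_equal(want, got);
    secure_zero(&want, sizeof want);
    secure_zero(&got, sizeof got);
    return ok;
}

/* Both validators must agree: accept the derived serial, reject "7777777"
   (the placeholder the essay types in, which can never match 8 hex digits). */
int roundtrip(const char *name) {
    char good[SERIAL_LEN];
    derive_serial(name, good);
    int ok = validate_weak(name, good) && validate_hardened(name, good)
          && !validate_weak(name, "7777777") && !validate_hardened(name, "7777777");
    secure_zero(good, sizeof good);
    return ok;
}

int main(void) {
    printf("weak and hardened validators agree: %s\n",
           roundtrip("The Sandman") ? "yes" : "no");
    return 0;
}
```

Both validators accept exactly the same serials, which is the point: the hardening changes what is visible in memory during the check, not what is accepted, and a reviewer should treat any validator that can compute the serial as something the customer can compute too.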
Job Done.
The Crack 
None required.
Final Notes 
Was this as easy to *crack* as I've explained above? Well, yes it was. So long as you always check what the registers are doing and what information they are handling, you can almost always sniff out the serial number from a program of this type.

My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ob Duh 
Do I really have to remind you all that buying, and NOT stealing, the software you use will encourage these software houses to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers and losers...
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.


Essay by:          The Sandman
Page Created: 5th July 1998