There is a crack, a crack in everything. That's how the light gets in.
The authors of WinHacker
"New features in WinHacker V2.0 include:
WinHacker 95 is a utility that you can use to configure the hidden Windows 95 and Windows NT 4.0 settings. WinHacker 95 is THE Windows Shell Management Tool.
Many of the settings that change the way Windows 95 works and feels are hidden in the overwhelming registry, or in configuration files. WinHacker 95 gives you an easy way to configure those settings through the GUI (graphical user interface)!"
[WinHacker 95 2.0]
Data=21111 ;This value changes every time you run WinHacker!
Several keys and entries are created in your System Registry file, but the one that will interest everyone is this one, located at:
Data = 26 bytes of information relating to the trial period, linked to the entry in win.ini
On successful registration this entry grows considerably. Any attempts to 'hack' this will be picked up by WinHacker.
WinHacker requires you to type in a valid serial number, which is case sensitive and based on your user name/handle. You are automatically sent to the 'Registration Screen' each time the program is run as shareware. You are given 20 days to evaluate this program.
Surprisingly, the program seems to try to hide the location where it stores the valid serial number during its checks on your entered serial number; however, I found one instruction that, for a fraction of a second, points to this valid serial number, so here's how I found it...
Start up WinHacker, enter your name, company name (if applicable) and a serial number of some kind; it doesn't really matter what you type:-
Example: I used:-
Company name : -
Serial No : 7777777
Now fire up Softice by pressing the Ctrl & D keys together.
Now type bpx getwindowtexta, then x to leave Softice.
Now click on the 'Register...' button; Softice will break at the start of the system function getwindowtexta. Just press the 'F11' key once, then press the 'F10' key 7 times to return to WinHacker's code.
We should now see this code snippet in Softice...
:00418479 E8FCBD0000 Call 0042427A
:0041847E 8D8600020000 lea eax, dword ptr [esi+00000200];We Land here
:00418484 50 push eax
:00418485 55 push ebp
:00418486 57 push edi
OK, now we should keep pressing the F10 key UNTIL you get to the end of this routine, which has the ret 0004 assembly instruction. While doing this I stopped on every assembly instruction that altered any of the PC's flags and typed d followed by a register name, for example d eax, d ebx or d edi. This can tell us a great deal about the routine we're in, by showing what information is being handled by the system registers. If you're sniffing out serial numbers then this is what you must
:004184E6 5F pop edi
:004184E7 5E pop esi
:004184E8 5D pop ebp
:004184E9 5B pop ebx
:004184EA C20400 ret 0004 ;End of routine
When you arrive at the ret 0004 instruction, press 'F10' once; this will take you into MFC42.DLL, which we don't really need to check, so now press the 'F10' key 7 times so that we once again return to WinHacker's code and to the routine that decides whether to display the 'Beggar of cracker message' or the 'Thank you for buying bla bla bla message', depending of course on our entered serial number.
lea ecx, dword ptr [ebp-28];We land here
:0041850F E8E9060000 call 00418BFD
:00418514 33DB xor ebx, ebx
:00418516 683C034400 push 0044033C ;="WinHacker 95 2.0"
:0041851B 8D4DD8 lea ecx, dword ptr [ebp-28]
:0041851E 895DFC mov dword ptr [ebp-04], ebx
:00418521 E848BD0000 Call 0042426E
:00418526 FFB600020000 push dword ptr [esi+00000200]
:0041852C 8D4DDC lea ecx, dword ptr [ebp-24]
Code continues here...
:00418574 8B3D44524400 mov edi, dword ptr 
:0041857A C645FC03 mov [ebp-04], 03
:0041857E FF75EC push [ebp-14]
:00418581 FFD7 call edi ;Generate a valid serial # then
;check the serial entered by the
:00418583 F7D8 neg eax
:00418585 1BC0 sbb eax, eax
:00418587 59 pop ecx ;This pops off the location
;of where the real serial no is
:00418588 40 inc eax ;If you now type d ecx you will
;now see your real serial #!
;in my case the serial no was:
:00418589 59 pop ecx ;erase valid serial
:0041858A 84C0 test al, al
:0041858C 7448 je 004185D6 ;invalid serial? then jump
I've cut out a section of code so that I can show you the location where we can see the valid serial number based on the name you typed in, and also where the program verifies your entered serial number. If you *try* to patch that je 004185D6 instruction so that it is nop'd out, the program still won't get registered: during the checking of the serial numbers the program has already been told whether or not the serial number was valid, so nop'ing out the je instruction won't change this in any way.
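The two observations above, as an added C example that is not WinHacker's code: a constructed toy serial scheme (FNV-1a based; the names, constants and the "Alice" input are assumptions) written in the "generate then compare" form the essay describes, where the valid serial necessarily sits in a buffer while the check runs, beside a "verify a property" form whose checker never builds the valid serial at all, plus the verdict flag that is set before the message branch, which is why patching that single jump leaves the program unregistered.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_LEN 8

/* 32-bit FNV-1a over the string s, continuing from hash state h.
 * The toy's mixing function (constructed; not WinHacker's algorithm). */
static uint32_t fnv1a(uint32_t h, const char *s)
{
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Design A: derive the one valid serial for this name into a buffer. */
void toy_make_serial(const char *name, char out[SERIAL_LEN + 1])
{
    snprintf(out, SERIAL_LEN + 1, "%08X", (unsigned)fnv1a(2166136261u, name));
}

/* Design A check, "generate then compare". While this runs, `expected`
 * holds the correct serial in plain memory, which is exactly what the
 * essay reads out with 'd ecx' right after the call. Wiping it afterwards
 * does not change that; it was visible during the comparison. */
int check_generate_then_compare(const char *name, const char *entered)
{
    char expected[SERIAL_LEN + 1];
    toy_make_serial(name, expected);
    int ok = strcmp(expected, entered) == 0;
    memset(expected, 0, sizeof expected);
    return ok;
}

/* Design B check, "verify a property". The checker never builds the valid
 * serial: it hashes name and typed serial together and tests a property
 * that only vendor-issued serials satisfy, so no register or buffer ever
 * points at the answer. (A shipping product would verify a public-key
 * signature over the name here; the 16-bit property is a stand-in that
 * keeps the example self-contained.) */
int check_property(const char *name, const char *entered)
{
    if (strlen(entered) != SERIAL_LEN)
        return 0;
    uint32_t h = fnv1a(2166136261u, name);
    h = fnv1a(h, ":");
    h = fnv1a(h, entered);
    return (h & 0xFFFFu) == 0;
}

/* Vendor-side issuer for design B (not shipped with the product): search
 * for a serial that satisfies the property. Returns 1 and fills out on
 * success, 0 if the search cap is reached. */
int toy_vendor_issue(const char *name, char out[SERIAL_LEN + 1])
{
    for (uint32_t k = 1; k < 0x01000000u; k++) {
        snprintf(out, SERIAL_LEN + 1, "%08X", (unsigned)k);
        if (check_property(name, out))
            return 1;
    }
    out[0] = '\0';
    return 0;
}

/* The verdict is recorded here, before any UI code runs. The 'je' that
 * later picks the message only reads this flag, which is why NOPing that
 * jump alone leaves the program unregistered. */
struct license_state { int registered; };

void run_registration(struct license_state *st, const char *name, const char *entered)
{
    st->registered = check_property(name, entered);
}

const char *registration_message(const struct license_state *st)
{
    return st->registered ? "Thank you for registering" : "Unregistered copy";
}

int main(void)
{
    char a[SERIAL_LEN + 1], b[SERIAL_LEN + 1];
    struct license_state st;

    toy_make_serial("Alice", a);
    printf("design A: %s -> %d\n", a, check_generate_then_compare("Alice", a));
    toy_vendor_issue("Alice", b);
    printf("design B: %s -> %d\n", b, check_property("Alice", b));
    run_registration(&st, "Alice", "7777777");
    printf("%s\n", registration_message(&st));
    return 0;
}
```

Design B still has a generator, but it lives with the vendor, not in the binary; the only thing the shipped checker can leak under a debugger is a hash value and a yes/no. The property check is deliberately weak so the issuer can brute-force it in a few thousand tries; real products use a signature over the name for the same "verify without generating" effect.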
My thanks and gratitude go to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers and losers...
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.