HexDecCharEditor 1.02
by zouzouni
 
zouzouni's cracking gallery
 
 
This tutorial is made for newbies

 

Cracking HexDecCharEditor 1.02


Introduction

HexDecCharEditor is a hex editor with a lot of functions and as the File Analyzer identifies,it 's compiled by Borland Delphi 3.0

Tools required

Softice 3.25

Target's location

Here 502KB , or at the developers site http://beyersdorf.com

Authors words

The HexDecCharEditor is more than a common hex-editor for programmers who want to view, modify, search, compare and analyze binary files. Due to the possibility to set, save and search for colored marks the HexDecCharEditor is especially suited to analyze file formats. It can be switched between hexadecimal and decimal output and input. At the same time the bytes are displayed as characters. Of course it is also possible to enter the bytes as characters from the keyboard. The HexDecCharEditor offers a lot of easy to use options for the search for and replacement of sequences of hexadecimal or decimal byte-values and characters. Several jump-functions are implemented. Data can be loaded directly from the clipboard. This makes the HexDecCharEditor the perfect tool for analyzing clipboard-formats. Obvious to mention that hex-dumps can be printed with and without marks.

Essay

This program is a 30 days time limited program and needs a name and key to become a registered software. So press the register button and enter name PIRATE COPY and key 12345 .Press OK ,a message will appear telling us that the name and key cannot be accepted together .Lets try again ,write the name and the key but before pressing OK enter softice and set a breakpoint type "bpx hmemcpy" and "x"or F5 to leave softice ,press OK and you are again into softice.Press "bd*" (breakpoint disable, * means all of them) or bd 00 (because our breakpoint is the 00.If you press "bl" you will see all the breakpoints) and press F12 so you will start jumping into the code in your computer's memory. After pressing "F12" seven times you will be at the code of HEXDECCHAREDITOR and now you have to search for the calculation-comparison code of the good name-key which will usually be a Call followed by a Test and after that a Jump to the bad or good registration message. Press "F10" so you will step into the code of the HEXDECCHAREDITOR.If you press "F10" for about 22 time you will find this code


:0043584F 8B83DC010000            mov eax, dword ptr [ebx+000001DC]
:00435855 E8EEC2FFFF          (1) call 00431B48
:0043585A 84C0                (2) test al, al
:0043585C 7432                (3) je 00435890

You see the (1) Call where the calculation-comparison is done, the (2) test between the flags and the (3) jump to the bad message if al=0 .Firstly I think of testing if this is really the place I'm looking for so I place one or two breakpoints by double clicking at the call.Then I change the (3) je from JUMP into NO JUMP by writing "r fl z" (reverse flag zero) and I'm pressing "F10" several times ,the message that I'm registered is appearing .Cool I'm in the right place.
I'm restarting the program , entering name and key .Softice will break where I had put tha breakpoint before.
Lets take a look into that Call by pressing "F10"


:00431B48 55                      push ebp
:00431B49 8BEC                    mov ebp, esp
:00431B4B 83C4E0                  add esp, FFFFFFE0
:00431B4E 53                      push ebx
:00431B4F 56                      push esi
:00431B50 57                      push edi
:00431B51 33DB                    xor ebx, ebx
:00431B53 895DE4                  mov dword ptr [ebp-1C], ebx     here our serial is entering
:00431B56 895DE0                  mov dword ptr [ebp-20], ebx
:00431B59 895DF0                  mov dword ptr [ebp-10], ebx
:00431B5C 894DF8                  mov dword ptr [ebp-08], ecx
:00431B5F 8955FC                  mov dword ptr [ebp-04], edx
:00431B62 8BD8                    mov ebx, eax
:00431B64 8B45FC                  mov eax, dword ptr [ebp-04]
:00431B67 E8DC1BFDFF              call 00403748
:00431B6C 8B45F8                  mov eax, dword ptr [ebp-08]
:00431B6F E8D41BFDFF              call 00403748
:00431B74 8B4508                  mov eax, dword ptr [ebp+08]
:00431B77 E8CC1BFDFF              call 00403748
:00431B7C 33C0                    xor eax, eax
:00431B7E 55                      push ebp
:00431B7F 68631D4300              push 00431D63
:00431B84 64FF30                  push dword ptr fs:[eax]
:00431B87 648920                  mov dword ptr fs:[eax], esp
:00431B8A C645F700                mov [ebp-09], 00
:00431B8E 33C0                    xor eax, eax
:00431B90 55                      push ebp
:00431B91 68211D4300              push 00431D21
:00431B96 64FF30                  push dword ptr fs:[eax]
:00431B99 648920                  mov dword ptr fs:[eax], esp
:00431B9C 8D55E4                  lea edx, dword ptr [ebp-1C]          doing maths
:00431B9F 8B45F8                  mov eax, dword ptr [ebp-08]
:00431BA2 E8653DFDFF              call 0040590C
:00431BA7 8B55E4                  mov edx, dword ptr [ebp-1C]
:00431BAA 8D45F8                  lea eax, dword ptr [ebp-08]
:00431BAD E80219FDFF              call 004034B4
:00431BB2 8D55E4                  lea edx, dword ptr [ebp-1C]
:00431BB5 8B4508                  mov eax, dword ptr [ebp+08]
:00431BB8 E84F3DFDFF              call 0040590C
:00431BBD 8B55E4                  mov edx, dword ptr [ebp-1C]
:00431BC0 8D4508                  lea eax, dword ptr [ebp+08]
:00431BC3 E8EC18FDFF              call 004034B4
:00431BC8 8B55F8                  mov edx, dword ptr [ebp-08]
:00431BCB 8BC3                    mov eax, ebx
:00431BCD E886FEFFFF              call 00431A58
:00431BD2 8BF0                    mov esi, eax
:00431BD4 8B4508                  mov eax, dword ptr [ebp+08]
:00431BD7 E8EC3EFDFF              call 00405AC8
:00431BDC 3BF0               (4)  cmp esi, eax    here is comparing our code with the real code
:00431BDE 0F8533010000            jne 00431D17                  in case that we change this into je the program will acept our code as corect
:00431BE4 8B45F8                  mov eax, dword ptr [ebp-08]
:00431BE7 E8A819FDFF              call 00403594
:00431BEC 83F80A                  cmp eax, 0000000A    here is checking if your name has more than 10(=0A) letters
:00431BEF 0F8C22010000            jl 00431D17          if no bye bye cracker
:00431BF5 B201                    mov dl, 01
:00431BF7 B8E8F74200              mov eax, 0042F7E8
:00431BFC E89BDCFFFF              call 0042F89C
:00431C01 8945E8                  mov dword ptr [ebp-18], eax
:00431C04 33C0                    xor eax, eax

So when you are at (4) [cmp esi, eax ]  (=comparing eax with esi)  press "?EAX" to see the value of eax at hex and decimal which is is the serial we entered 12345 .Then write "?ESI" which is the correct key. Two values will be created in the registry (use regedit.exe to check) at [HKEY_LOCAL_MACHINE\Software\Beyersdorf\HexDecCharEditor] Name and Key

Final words

I would characterize this protection scheme weak as you can clearly see the real serial number at the comparison routine while it should have been hidden.

Oh Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

 

| main |

ptr [edi], cl