July 1998
"RoboHelp Express V6.010"
( 'Reviving a time limited program'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: robosetup.exe
Program Type: The Best WinHelp Creator!
Program Location: Here
Program Size: 16 MB 
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
 Softice V3.2
Hex Workshop32 or any other Hex Editor
Rating
Easy ( X )  Medium ( X  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
RoboHelp Express V6.010
( 'Reviving a time-limited program'  )
Written by The Sandman
 
 
 
Introduction
 
The author says about RoboHelp Express :

"Help-to-HTML allows you to create Microsoft HTML Help, WebHelp, Windows CE Help, Netscape NetHelp 1.0, Netscape NetHelp 2.0, and Web Sites (for Intranet or Internet use) quickly and easily from any Help file. Just follow the Wizard screens and select your preferences – it’s that easy! Help-to-HTML creates all the files you need.

Key features

· Automatically creates Microsoft HTML Help, Windows CE Help, Netscape NetHelp 1.0, Netscape NetHelp 2.0, and Web sites, either from a RoboHELP Help project or from any standard Windows HLP file.

· Creates a Help table of contents and index (if supported in the final HTML format).

· Supports HTML Help popup windows.

· Creates standard HTML Help features such as navigation buttons, frames, related topics, splash screens and more.

· Supports long filenames and traditional DOS short filenames.

· Transforms each Help Topic into an HTML page.

· Creates HTML filenames using Help topic titles.

· Converts each bitmap into a GIF image file (Web graphic). Maintains the same graphic names after conversion (*.GIF filenames match their former *.BMP filenames).

· Transforms SHED graphics into Web hotspot GIFs with corresponding map files.

· Supports CSIM, the most widely-used image map format.

· Converts any standard WinHelp 3 or WinHelp 4 HLP file.

· Windows Help file source code is not required.

· Converts Windows Help files created with any Help authoring tool."
 
About this protection system
 
This program does not have any facility to allow the User to Register this software; although it's a fully working, non-crippled program it will expire after 30 days.

So, from our point of view we must attack the program from two points:-

1. To disable the 30 day expire limit
2. To make the program 'think' it's been registered and not always assume it's a Shareware program.
 
The Essay 
     
While this program is, by any standards, quite large to download (16 MB) it's well worth the time you spend downloading it. Instead of using Microsoft Word to create .RTF files you use HTML files instead to create your Help file.. So it's possible to create an enhanced help file of your whole web site and send it off to your friends!

Rather than hand you this program on a plate I will explain to you how to crack this program so that:

1. There is no time limit on its use - it will run forever..:)
2. It loads and behaves exactly as though it's a fully registered version.

but I will leave it to you to work out how to get its 'About Screen' to display your name/handle and company name instead of showing a now non-working 30 day trial notice. It's the only way you'll learn how to crack. As I've already said, I've done about 99% of the *crack* for you, now you finish it off..

Tip:  The program expects to fetch your name/handle and company name from the System Registry, so you need to find out what entries *would* be placed in there had the program been registered properly, so that the program can then find your name/handle and company name to show who the program is registered to.
 

TASK ONE - Make the program 'think' it's been registered..

Our first task is to create a 'Dead Listing' of Robohtml.exe using W32Dasm; it's a large program so it might take a few minutes to disassemble..  Once you've done this take a look at the program's String Data Resources.. We want to home in on 'Shareware' related error messages, and more to the point, those that reference the 'Serial No'. Don't forget, since the program does not allow you to enter a serial number, any references to a serial number must be to do with the default 30-day serial number that the program uses.

String Resource ID=00758:
"Your RoboHELP HTML Edition serial number registry entry is invalid or missing"

OK, you've probably seen two similar messages to the one above, but only one refers to the HTML Edition of RoboHelp; this is the one we shall examine more closely..  Right, double click on this String Reference and you should now see this code snippet..
 
* Referenced by a (C)onditional Jump at Address: :0048C5A5(C)
 
:0048C7A6 8B4DF0            mov ecx, dword ptr [ebp-10]
:0048C7A9 6AFF              push FFFFFFFF
:0048C7AB 6A00              push 00000000
:0048C7AD 83B99001000000    cmp dword ptr [ecx+00000190], 00000000
:0048C7B4 7407              je 0048C7BD
 
* Possible Reference to String Resource ID=00767: "Your RoboHELP serial number registry entry is invalid or missing."
 
:0048C7B6 68FF020000         push 000002FF
:0048C7BB EB05               jmp 0048C7C2
 
* Possible Reference to String Resource ID=00758: "Your RoboHELP HTML Edition serial number registry entry is invalid or missing."
 
:0048C7BD 68F6020000         push 000002F6

As *crackers* we must learn to gather all the information we can from our dead listings if we are to have any chance of understanding how the protection system within our target program operates..

When I saw the above code snippet I came to the following conclusions:-

1. When/if the program gets to this code snippet it has only one of two choices to make, based on whether the memory location pointed to by ecx+00000190 holds a value of 0 or 1.

2. If ecx+00000190 = 0 then the program is unregistered but a problem was found when it tried to access the serial number, so display the message "Your RoboHELP serial number registry entry is invalid or missing."

3. If ecx+00000190 = 1 then the program is registered but a problem was found when it tried to access the serial number, so display the message "Your RoboHELP HTML Edition serial number registry entry is invalid or missing."

4. This code snippet was called from another part of the program at memory location :0048C5A5
 
Can you see the subtle differences in the wording of both messages?
 
You're probably asking yourself how I know that the ecx+00000190 instruction refers to the registration status of the program.  All I can say is that once you've *cracked* a number of programs you get a 'feeling' about how certain programs operate and how they need to use some sort of 'flag' to tell the program how to react to certain conditions depending on whether they are registered or not.. In the above code snippet the program is checking a memory location to see which message to display, depending on whether it has been registered or not..

At this point I needed to check my theory that what ecx+00000190 was pointing to was in fact the actual memory location where the program stores its registered/unregistered status. Before we exit our dead listing we need to find another location within the program that uses this ecx+00000190 to check on the program's status, so that we can have Softice break on it.. The reason we need to do this is that unless we deliberately delete the shareware 30 day trial serial number from our System Registry this code snippet won't get executed, hence why we must find another location within the program to have Softice break on..

Scroll up to the top of your Dead listing then search for:  83b99001000000
This is the hex code of our cmp dword ptr [ecx+00000190], 00000000 instruction.

W32Dasm should now show you this new code snippet:-
 
:0048C433 E828F70000           Call 0049BB60
:0048C438 8B4DF0               mov ecx, dword ptr [ebp-10]
:0048C43B C745FC00000000       mov [ebp-04], 00000000
:0048C442 83B99001000000       cmp dword ptr [ecx+00000190], 00000000
:0048C449 7407                 je 0048C452
 
OK, we now have a 'breakpoint' for Softice to use, so save off your 'Dead Listing' and fire up RoboHelp..

Select 'Cancel' to the prompt to select a new help file project..

At this point we need to 'break' into the program's actual code. I was able to do this by:-
 

1.  Select the menu option 'Tools' then 'Options..' from within RoboHelp.
2.  Press Ctrl-D to fire up Softice.
3.  Type bpx getwindowtexta
4.  Type x to leave Softice.
5.  Select the 'General' Tab option.
6.  Softice now breaks...
7.  Press the 'F11' key  THREE TIMES followed by the 'F10' key 15 TIMES
8.  We should now be in RoboHelp's code..
9.  Type u 48C442
10. Type bc *
11. Type bpm ecx+00000190

*Please note *

What we are doing here is telling Softice to break EVERY TIME the program attempts to read or write any value to this memory location.  If you think about it, the program has to first make sure this memory location is empty before it can use it.

This is often known as the Initialization part of the program and is common in ALL programs regardless of what they are..  Then, after it has checked for a valid serial number, it records the result in the memory location pointed to by the ecx+00000190 instruction.

12. type x to leave Softice.

At this point Softice will keep breaking, just ignore these breaks for now by pressing x each time to let the program continue on.

13. Now Exit RoboHelp. Keep pressing x each time softice breaks until Robohelp has properly finished.

14. NOW restart RoboHelp again..

15. Softice now breaks at XXXXXXXX:48A98D

:0048A958 E803120100              Call 0049BB60
:0048A95D C645FC13                mov [ebp-04], 13
:0048A961 899E40030000            mov dword ptr [esi+00000340], ebx
:0048A967 899E44030000            mov dword ptr [esi+00000344], ebx
:0048A96D 899E48030000            mov dword ptr [esi+00000348], ebx
:0048A973 C706D8E94900            mov dword ptr [esi], 0049E9D8
:0048A979 8BC6                    mov eax, esi
:0048A97B 889EC0010000            mov byte ptr [esi+000001C0], bl
:0048A981 889E24020000            mov byte ptr [esi+00000224], bl
:0048A987 899E90010000            mov dword ptr [esi+00000190], ebx
:0048A98D C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:0048A994 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:0048A997 5E                      pop esi
:0048A998 64890D00000000          mov dword ptr fs:[00000000], ecx
:0048A99F 5B                      pop ebx
:0048A9A0 8BE5                    mov esp, ebp
:0048A9A2 5D                      pop ebp
:0048A9A3 C3                      ret
 
OK, this is our first Softice break in RoboHelp and an important one.  Can you see that the program is 'initializing' many locations with a value of '0'? Check the value stored in the ebx register, it's showing EBX = 00000000. If you press the 'F4' key you'll see that the RoboHelp splash screen hasn't yet been displayed, a good indicator that this is where the program initializes all its variables before it uses them. Press 'F4' to display the Softice screen again.

At this point type x to exit Softice so that RoboHelp can continue on..

Softice breaks again... BINGO!
 
:0049088F E808B30000              Call 0049BB9C
:00490894 8B8694010000            mov eax, dword ptr [esi+00000194]
:0049089A A802                    test al, 02
:0049089C 7510                    jne 004908AE
:0049089E 85C0                    test eax, eax
:004908A0 740C                    je 004908AE
:004908A2 C7869001000000000000    mov dword ptr [esi+00000190], 00000000
:004908AC EB0A                    jmp 004908B8
:004908AE C7869001000001000000    mov dword ptr [esi+00000190], 00000001

This is a VERY important piece of code, it's here that the program decides whether it's been 'registered' or not.  It's here that it places a value of '0' = not registered or a value of '1' = Registered  into the memory location pointed to by esi+00000190.

Can you see that je 004908AE instruction? If we turn it into a jmp 004908AE then regardless of the result of the test eax,eax it will ALWAYS proceed to place a value of '1' in our program status memory location, which tells the rest of the program to behave as though it's been registered!

Lets test this right now before doing anything else..

Type r eip=4908AE

We're telling Softice to let the program continue on as though our serial number was found to be valid.. It wasn't really but we can simulate this by making the program start off as though it was!.

Now type x to exit Softice, then keep typing x until RoboHelp displays a message telling you that your serial number is invalid; it will then exit back to Windows. This is perfectly OK, we're going to fix that in just a second.. Hey, while you were pressing x to exit Softice did you notice that the program displayed a DIFFERENT splash screen!.. That's the one displayed on the REGISTERED version of RoboHelp Express! We're getting close..
 
 
 
TASK TWO - Disabling the Invalid Serial No check.
 
We're almost there.. Just to quickly recap on what we've done so far.. We have located where the program decides to either run as a registered program or run as a Shareware program with a 30 day time limit.  Now, somewhere later on from this the program does a second check on our serial number and it's here we must also patch...

This part is dead easy, just follow these instructions..

1. Start up RoboHelp..
2. Softice breaks for the first time.. Just type x
3. Softice breaks again for the second time.
4. Type r eip=4908AE
5. Now keep pressing x UNTIL you get here.

:0048C433 E828F70000              Call 0049BB60
:0048C438 8B4DF0                  mov ecx, dword ptr [ebp-10]
:0048C43B C745FC00000000          mov [ebp-04], 00000000
:0048C442 83B99001000000          cmp dword ptr [ecx+00000190], 00000000
:0048C449 7407                    je 0048C452 'SOFTICE BREAKS HERE!
:0048C44B 68F3020000              push 000002F3
:0048C450 EB05                    jmp 0048C457

Right, when you get here the program has just checked to see if it's been *registered*; it has, but from this point onwards it will perform another check on our 'nonexistent' serial number, which we can't allow.. So after much testing I found that if we change the je 0048C452 instruction that we're currently sitting on to jmp 48C75E then this will disable the whole serial checking routine, as well as the routines that deal with the 30 day time limit.

6. So, at this point type r eip=48C75E
7. Type bd * then type x to let the program run as normal.

Now we have a fully working RoboHelp program, you can change the computer's date and it will still run as normal..:)

Job Done.
 
The 'Crack' 
 
In order to make the changes to our target program permanent we need to patch this program in two places..
 
Load up robohtml.exe into your favorite Hex-Editor ( I prefer hexWorkshop-32) but just about any will do..
 
SEARCH FOR THE FOLLOWING BYTES : A802751085C0740C
REPLACE WITH HIGHLIGHTED BYTES : A802751085C0EB0C
 
Then..
 
SEARCH FOR THE FOLLOWING BYTES : 000000740768F302
REPLACE WITH HIGHLIGHTED BYTES : 000000E910030000
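As an added example (not part of the original essay), the Python below decodes the two branch encodings quoted above and classifies a binary image as untouched or patched, the integrity check a defender would run to recognise a modified copy; it also shows why the rel32 displacement 00000310 at 0048C449 lands on 0048C75E, as TASK TWO states. The byte sequences and addresses are exactly the ones quoted in the essay; the two sample images are constructed, not real file contents.

```python
"""Added example, not from the essay: decode the branch encodings at the two
patch sites quoted above and tell a pristine image from a tampered one."""
import struct

# Per site: original bytes, patched bytes (both as quoted in the essay),
# offset of the branch opcode within the sequence, virtual address of that branch.
SITES = {
    "registered_flag": (bytes.fromhex("A802751085C0740C"),   # ... je 004908AE
                        bytes.fromhex("A802751085C0EB0C"),   # ... jmp 004908AE
                        6, 0x004908A0),
    "serial_check":    (bytes.fromhex("000000740768F302"),   # ... je 0048C452 ...
                        bytes.fromhex("000000E910030000"),   # ... jmp 0048C75E
                        3, 0x0048C449),
}

def decode_branch(code, va):
    """Decode a short jcc/jmp (opcodes 70-7F, EB: 8-bit displacement) or a near
    jmp (E9: 32-bit displacement) starting at code[0] and located at virtual
    address va. The displacement is relative to the *next* instruction, which
    is why E9 10030000 at 0048C449 reaches 0048C449 + 5 + 0x310 = 0048C75E."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:
        disp = struct.unpack("<b", code[1:2])[0]
        return ("jmp" if op == 0xEB else "jcc", va + 2 + disp)
    if op == 0xE9:
        disp = struct.unpack("<i", code[1:5])[0]
        return ("jmp", va + 5 + disp)
    raise ValueError("not a relative branch: %#04x" % op)

def classify(image):
    """Report each site as 'original', 'tampered' or 'absent', plus the decoded
    branch and its target, so an integrity check can flag a modified copy."""
    report = {}
    for name, (orig, patched, off, va) in SITES.items():
        if orig in image:
            report[name] = ("original",) + decode_branch(orig[off:], va)
        elif patched in image:
            report[name] = ("tampered",) + decode_branch(patched[off:], va)
        else:
            report[name] = ("absent", None, None)
    return report

# Constructed sample images (not real file contents): filler around each site.
PRISTINE = b"\x90" * 16 + SITES["registered_flag"][0] + b"\xcc" * 8 + SITES["serial_check"][0]
CRACKED = b"\x90" * 16 + SITES["registered_flag"][1] + b"\xcc" * 8 + SITES["serial_check"][1]

if __name__ == "__main__":
    for label, img in (("pristine", PRISTINE), ("cracked", CRACKED)):
        for site, (status, mnem, target) in classify(img).items():
            where = f"{mnem} -> {target:#010x}" if mnem else ""
            print(f"{label:8} {site:16} {status:9} {where}")
```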
 
Final Notes 
 
Notice how, once we found the 'Shareware String' "Your RoboHELP HTML Edition serial number registry entry is invalid or missing", we followed up the cmp dword ptr [ecx+00000190], 00000000 instruction that was used by the program to determine whether or not the program was registered and then, using bpm on this memory location, we quickly found the two areas to patch in order to make this program run as though it was fully registered..

Anyone who writes an essay on how to make the program display your name/handle and company name instead of the 30-day trial limit etc will have their essay attached to this one.. Who's going to be first I wonder?...
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.


 
 
 


Essay by:          The Sandman
Page Created: 11th July 1998