Win Image is a nice Win'95 32-bit utility that will create disk images of almost any kind of disk media you have, so you could copy 1.4 MB floppy disks and transfer then to the new 1.72 MB DMF format if you so wish.
 
 

About this protection system

 
Registration is via selecting the 'Option' menu then choosing the 'Register' option.
 

Your asked to enter:

Your Name
Registration Code

before registration begins.

The way the program is setup you have a choice of two registration codes, one will let you use the Standard interface, the other will let you use both the Standard and Professional interface which includes the Batch Wizard facility.

The actual registration key is based on the User Name you enter and wether you wish to use either the Standard or Professional interface ( remember, their are a possible two registration keys generated from your User Name ).
 
This program is not compacted or encrypted in anyway.
 
 

The Essay

     
On installing then running this program I was greeted with an expiration notice, the program had expired on the 1st September 1997 but thankfully it still lets you use it for a further 30 days..:)
 
Our first task before anything else is to disable this time-check, which guessing would be based on reading the pc's internal clock.  Rather than trying to get Softice to break on the various system functions that relate to the system clock I choose to get Softice to break on the message box that displays the 'Expiration notice'.

Start up Softice, type in BPX messageboxA

MessageboxA is a Win'95 system function that runs in the 32-bit environment, had Win Image been a 16-bit utility then I would then have to use the Messagebox (without the 'A') function instead.

Type X to leave Softice and now start up Win Image pro.

Wham, Softice breaks at the start of the MessageboxA routine, from here press F12 once then answer Yes to the 'Expire notice' then 'OK' to the Nag Screen that now pops up.

We should see the following snippet of code in Softice.

* Reference To: KERNEL32.GetSystemTime, Ord:0135h
 
:0042FA46 FF15F8E74300       Call dword ptr [0043E7F8]
:0042FA4C 66817DE4CD07       cmp word ptr [ebp-1C], 07CD ;year =1997?

:0042FA52 7709               ja 0042FA5D ;Oh dear,our Time-limit is up
                                         ;if the year is greater than 1997
                                         ;so show 'Expire Notice'

:0042FA54 7520               jne 0042FA76 ;If year is less or equal to 1997
                                          ;then don't bother checking for
                                          ;the month, just continue on with
                                          ;with the program itself.

:0042FA56 66837DE609         cmp word ptr [ebp-1A], 0009 ;Month=9 (Sept)?
:0042FA5B 7219               jb 0042FA76  ;Yes? then Jump to 0042Fa76.

* Referenced by a (C)onditional Jump at Address: 0042FA52(C)
* Our routine that deals with displaying the 'Expire Notice'.*
|
:0042FA5D 6A24               push 00000024
:0042FA5F 53                 push ebx
:0042FA60 6830964300         push 00439630 ===>Msg "This copy has expired."
:0042FA65 57                 push edi
:0042FA66 FF1510E94300       Call dword ptr [0043E910] ;USER32.MessageBoxA
:0042FA6C 83F807             cmp eax, 00000007 ;We land here
:0042FA6F 7505               jne 0042FA76
:0042FA71 83C8FF             or eax, FFFFFFFF
:0042FA74 EB23               jmp 0042FA99
 

Right, looking at the code we can see that we must have arrived at this messagebox routine from one of TWO ways. (There might be other's but since this is called ONLY at the start of the program, it would not make any sense to show this message during the running of the program ).  So we can assume that what we're looking at is the only place where this kind of decision takes place.

The first way this routine gets called is from:-
 
:0042FA54 7520               jne 0042FA76

Where if the comparison that checks what year we're currently in is Greater than 1997, then display 'Expire Notice'.

The second way is if the year is 1997 but the month is not September then instead of jumping to location 0043FA99 at line:-

:0042FA74 EB23               jmp 0042FA99

It will simply proceed onto our 'Expire Notice' routine.
 

We can 'fix' routine this by simply changing line:-

:0042FA52 7709               ja 0042FA5D

TO

:0042FA52 EB22               jmp 0042FA76

That would then make the program always ignore the 'Expire Notice' checks and proceed on with the program itself.  Since this is an UN-Condition Jump the program will never get past this line to check for the month etc so we don't have to do any more patching to this routine.

OK, now to finish off this program.. Having experimented with this program, using different cracking methods to achieve the outcome I wanted I can tell you that the best method found was to simple sniff out the generated Registration Keys ( there are two remember ) and use them to register the program with.  My attempt to patch the program seemed to result in the program 'forgetting' to remember my User Name and Registration key when I re-ran it, so the patch only worked so long as the program was running after it had been 'registered'.
 
Let's sniff out those two registration keys by 'backtracking our steps through the program...
 
Run up Win Image pro, select Yes to the 'Expire Notice' message, then OK to the Nag screen. Go into the Registration Screen via Options then Registration.
 
Type in the User Name you wish to use, then enter a few numbers of your choice.
 
Press Ctrl-D to enter Softice and type BPX MessageboxA then x to leave.
 
At this point simple press the OK button and lets see what happens next.. Wham, Softice breaks at the start of the messageboxA routine, from here press F11 once then answer OK to the 'Invalid Registration Key' dialog box that appears on our screen which again Softice breaks and we're now in the actual Win Image Code.
 

Well, as you can see this routine branches out from here in one place, namely to the routine we just left that delt with the displaying of our 'Invalid Registration' dialog box and since there are no conditional jumps or comparing instructions to be found here we know that this is not where the program decides wether our entered registration key is correct or not so we need backtrack further into the program.

From here press the F10 key 4 times so that we now land in this routine:-
 
 

Hmm, it's looking better but as you can see (feel), we're at the stage in the program where it has already processed our invalid registration and because it was the wrong one we were sent here where the 'begger off' message is first created.

Look at the above code and where we've just landed, notice that if we proceed five more steps we hit a JMP instruction which is not what we want if we wish to find out where this routine was called from.  Had there been a RET instruction instead of the JMP instruction then we would have had a good chance in returning to the routine that first placed us here.

There are of course, times when a program can manipulate the stack that holds the address of where the program execution begins after executing a routine, in which case we would not always return back to the original calling routine, but in this example this is not the case.
 
OK, so where do we go?.  A good bet is to examine the code above and below this routine, looking for a condition or unconditional jump to the START of the routine we're currently stuck in.   In our this case if we look above this routine you will see a Jump Not Equal instruction at:
 
:00429097 752C                    jne 004290C5
 
Bingo!, this looks very promising, so just to be sure we will place a break point at the START of this new routine but first lets clear any/all other Softice breakpoints first by typing:-

BC *
 
Then type:-

 BPX 42902C
 
Then type:-
 
x to exit Softice

I have chosen to set a breakpoint at the beginning of this new routine rather than on the actual line that jump's to present routine we're in because  I feel it's the right thing to do.
 
Run the Win Image Registration screen again, type in Your Handle & a few numbers again then press the OK button.

Wham, we're in Softice and right where we want to be.
 
                                  
:0042902C 8B358CEA4300         mov esi,dword ptr [USER32.GetDlgItemTextA]
:00429032 BB98C84300           mov ebx, 0043C898 
:00429037 6801010000           push 00000101
:0042903C 53                   push ebx
:0042903D 6816080000           push 00000816
:00429042 FF7508               push [ebp+08]
:00429045 FFD6                 call esi
:00429047 BF90C44300           mov edi, 0043C490
:0042904C 6A7F                 push 0000007F
:0042904E 57                   push edi
:0042904F 6817080000           push 00000817
:00429054 FF7508               push [ebp+08]
:00429057 FFD6                 call esi
:00429059 6870C84300           push 0043C870
:0042905E 57                   push edi
:0042905F 53                   push ebx
:00429060 E8D03C0000           call 0042CD35
:00429065 8B0D70C84300         mov ecx, dword ptr [0043C870]
:0042906B 33D2                 xor edx, edx
:0042906D 83C40C               add esp, 0000000C
:00429070 3BC2                 cmp eax, edx
:00429072 A358C64300           mov dword ptr [0043C658], eax
:00429077 7406                 je 0042907F
:00429079 890D34C84300         mov dword ptr [0043C834], ecx 
:0042907F 391534C84300         cmp dword ptr [0043C834], edx
:00429085 890DC4CA4300         mov dword ptr [0043CAC4], ecx
:0042908B 7505                 jne 00429092
:0042908D A3C4CA4300           mov dword ptr [0043CAC4], eax 
:00429092 6A01                 push 00000001
:00429094 3BC2                 cmp eax, edx
:00429096 5E                   pop esi
:00429097 752C                 jne 004290C5   ; Good Guy Jump!
:00429099 6800200000           push 00002000  ; Else 'Beggar off'
:0042909E 682D040000           push 0000042D
                                   
:004290A3 682B040000           push 0000042B ;=>"Registering information
                                             ;  is invalid"

:004290A8 89353CC74300         mov dword ptr [0043C73C], esi
:004290AE FF7508               push [ebp+08]
:004290B1 893594C84300         mov dword ptr [0043C894], esi
:004290B7 881590C44300         mov byte ptr [0043C490], dl
:004290BD 881598C84300         mov byte ptr [0043C898], dl
:004290C3 EB1E                 jmp 004290E3
 
Looking at the above we can see a *possible* patch of the code at line:-
 
:00429097 752C                 jne 004290C5   ; Good Guy Jump!
 
But if you change this so that it always jumps to the routine that handles valid registration keys you will find it does not work. It will still say 'Invalid Registration Key'. OK, after some more work you will find that at line:-

:0042908B 7505                 jne 00429092

would also have to be changed so that it too would always jump then even that wouldn't be enough.  You will find that as you follow this through there will be other places to patch before the program will accept any registration key you enter into it.  For this essay I will stick to 'sniffing' out the 'real' key(s) rather than go on a patching spree..

Right, use F10 until we get to the line:

:00429060 E8D03C0000           call 0042CD35
 
At which point we press the t ( trace into ) key which will now bring us to the main routine that creates our Registration Key.

* If you run through this routine a few times you will be able to work out the following as I did..:)

:0042CD35 55                      push ebp     ; == Save Mem loc 68F1d4
:0042CD36 8BEC                    mov ebp, esp ; == New Mem Loc 68F1B4
:0042CD38 81EC00020000            sub esp, 00000200 ; Subtract 200h from
                                                    ; 68F1B4 = 68EFB4
                                      ;Memory Location for our REAL RegKey!

:0042CD3E 56                      push esi
:0042CD3F 8B7510                  mov esi, dword ptr [ebp+10]
:0042CD42 85F6                    test esi, esi

:0042CD44 57                      push edi      ;Mem Loc of our fake Regkey
                                                ; at 0157:43c490

------------------ Snip ---------------- Snip -------------
 
 
At this point if you type: d 68efb4 then place  your cursor on the ret instruction at line
 
:0042CE75 C3                      ret
 
then type: here you will see in your softice code window the registration No for the user name you just typed in!
 
Job Done.....
 

The 'Crack'

 
None required..:)
 
But we must 'fix' the expired time limit on the program by simply loading the program (Wima_vp4.exe) into a Hex Editor then performing a search on:-

SEARCH FOR  : 66817DE4CD077709 then
REPLACE WITH: 6817DE4CD077EB22
                          |--|  <--Change these two bytes only.
 

Final Notes

 
This crack has been quite lengthy and could have been speeded up considerably if we had used the 'dead Listing' method, however, unless we can read Assembler well, we would have struggled on de-coding the logic behind the registration key generation.
 
In this case I believe, it was better to spend our time sniffing the real registration key than spending our time patching the code so that it would accept any registration key.

My thanks and gratitude goes to:

Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.

 

Ob Duh

 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.