There is a crack, a crack in everything. That's how the light gets in.
The authors of WinHacker say:
"New features in WinHacker V2.0 include:
WinHacker 95 is a utility that you can use to configure the hidden Windows 95 and Windows NT 4.0 settings. WinHacker 95 is THE Windows Shell Management Tool. Many of the settings that change the way Windows 95 works and feels are hidden in the overwhelming registry, or in configuration files. WinHacker 95 gives you an easy way to configure those settings through the GUI (graphical user interface)!"
[WinHacker 95 2.0]
Data=21111
;This value changes every time you run WinHacker!
Several keys and entries are created in your System Registry file, but the one that will interest everyone is this one, located at:
HKEY_LOCAL_MACHINE\Software\Wedge Software\WinHacker 95
Data = 26 bytes of information relating to the trial period, linked to the entry in win.ini.
On successful registration this entry grows considerably. Any attempts to 'hack' this will be picked up by WinHacker.
WinHacker requires you to type in a valid serial number, which is case sensitive and based on your user Name/Handle. You are automatically sent to the 'Registration Screen' each time the program is run as Shareware. You are given 20 days to evaluate this program.
Surprisingly, the program seems to try to hide the location where it stores the valid serial number during its checks on your entered serial number. However, I found one instruction that, for a fraction of a second, points to this valid serial number, so here's how I found it...
Start up WinHacker, enter your name, company name (if applicable) and a serial number of some kind; it doesn't really matter what you type.
Example, I used:
Name: The Sandman
Company name: -
Serial No: 7777777
Now fire up Softice by pressing the Ctrl & D keys together.
Now type bpx getwindowtexta then x to leave Softice.
Now click on the 'Register...' button; Softice will now break at the start of the system function getwindowtexta. Just press the 'F11' key once, then press the 'F10' key 7 times to return back into WinHacker's code.
We should now see this code snippet in Softice...
:00418479 E8FCBD0000   call 0042427A
:0041847E 8D8600020000 lea eax, dword ptr [esi+00000200] ;We land here
:00418484 50           push eax
:00418485 55           push ebp
:00418486 57           push edi
OK, now we should keep pressing the F10 key UNTIL you get to the end of this routine, which has the Ret 0004 assembly instruction. While doing this I stopped on every assembly instruction that altered any of the PC's flags and typed d followed by a register name, for example d eax or d ebx or d edi etc. This can tell us a great deal about the routine we're in, by knowing what information is being handled by the system registers. If you're sniffing out serial numbers then this is what you must do.
:004184E6 5F     pop edi
:004184E7 5E     pop esi
:004184E8 5D     pop ebp
:004184E9 5B     pop ebx
:004184EA C20400 ret 0004 ;End of routine
When you arrive at the Ret 0004 instruction press 'F10' once; this will now take you into MFC42.DLL, which we don't really need to check, so now press the 'F10' key 7 times so that we once again return back into WinHacker's code, and to the routine that handles the decision whether to display the 'Beggar of cracker' message or the 'Thank you for buying bla bla bla' message, depending of course on our entered serial number.
:0041850C 8D4DD8       lea ecx, dword ptr [ebp-28] ;We land here
:0041850F E8E9060000   call 00418BFD
:00418514 33DB         xor ebx, ebx
:00418516 683C034400   push 0044033C ;="WinHacker 95 2.0"
:0041851B 8D4DD8       lea ecx, dword ptr [ebp-28]
:0041851E 895DFC       mov dword ptr [ebp-04], ebx
:00418521 E848BD0000   call 0042426E
:00418526 FFB600020000 push dword ptr [esi+00000200]
:0041852C 8D4DDC       lea ecx, dword ptr [ebp-24]
......
......
Code continues here...
:00418574 8B3D44524400 mov edi, dword ptr [00445244]
:0041857A C645FC03     mov [ebp-04], 03
:0041857E FF75EC       push [ebp-14]
:00418581 FFD7         call edi ;Generate a valid serial # then check the serial entered by the user.
:00418583 F7D8         neg eax
:00418585 1BC0         sbb eax, eax
:00418587 59           pop ecx ;This pops off the location where the real serial no is stored..
:00418588 40           inc eax ;If you now type d ecx you will now see your real serial #! In my case the serial no was: ec1-1657e2
:00418589 59           pop ecx ;erase valid serial
:0041858A 84C0         test al, al
:0041858C 7448         je 004185D6 ;invalid serial? then jump
I've cut out a section of code so that I can show you the location where we can see the valid serial number based on the name you typed in, and also where the program verifies your entered serial number. If you *try* to patch that je 004185D6 instruction so that it is nop'd out, then the program still won't get registered, since during the checking of the serial numbers the program has already been told whether or not the serial number was valid, so nop'ing out the je instruction won't change this in any way.
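The three instructions after call edi (neg eax / sbb eax, eax / inc eax) are a standard compiler idiom that turns the routine's return value into a 0-or-1 flag, which test al, al / je then branches on. The C emulation below is an added example, not code from this essay or from WinHacker; it tracks the carry flag explicitly to show that the je is taken exactly when the routine behind call edi returned nonzero, and its compare_serial routine and strings are constructed stand-ins, not the program's own check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulates the sequence that follows `call edi` in the listing above:
 *     neg eax        ; CF = (eax != 0), eax = -eax
 *     sbb eax, eax   ; eax = eax - eax - CF  -> 0 or 0xFFFFFFFF
 *     inc eax        ; 0xFFFFFFFF -> 0, 0 -> 1
 * Returns the value left in EAX, with the carry flag tracked explicitly. */
uint32_t neg_sbb_inc(uint32_t eax)
{
    uint32_t cf = (eax != 0);   /* NEG sets CF when its operand is nonzero */
    eax = 0u - eax;             /* NEG: two's-complement negate (mod 2^32) */
    eax = 0u - cf;              /* SBB eax,eax: eax-eax is 0, so result is -CF */
    eax = eax + 1;              /* INC: CF=1 gives 0, CF=0 gives 1 */
    return eax;
}

/* test al, al / je: the jump to the "invalid" path is taken when AL == 0. */
int je_taken(uint32_t eax)
{
    return (eax & 0xFFu) == 0;
}

/* Hypothetical stand-in for the routine behind `call edi`: a strcmp-style
 * comparison returning 0 only on a match. The real routine also generates
 * the serial from the name; this one just compares two constructed strings. */
int compare_serial(const char *entered, const char *expected)
{
    return strcmp(entered, expected);
}

/* 1 if execution falls through the je (serial accepted), 0 if it jumps. */
int serial_accepted(const char *entered, const char *expected)
{
    uint32_t eax = (uint32_t)compare_serial(entered, expected);
    return !je_taken(neg_sbb_inc(eax));
}

int main(void)
{
    printf("eax=0 -> %u, eax=0xFFFFFFFF -> %u\n",
           neg_sbb_inc(0), neg_sbb_inc(0xFFFFFFFFu));
    printf("match accepted: %d, mismatch accepted: %d\n",
           serial_accepted("abc-123", "abc-123"),   /* constructed */
           serial_accepted("7777777", "abc-123"));  /* constructed */
    return 0;
}
```

Because neg/sbb/inc collapses any nonzero return into 0, the branch only ever sees "matched" or "did not match", which is why the essay's note that the result was already decided before the je holds.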
Job Done.
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers and losers...
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.