Hex Workshop v2.54 - Tutorial

http://www.bpsoft.com - Webpage.
hw32v25.exe - (1.1Mb).

As I remarked elsewhere, one of the first things you should do as a reverse engineer is reverse your own tools. Hex Workshop is a fairly decent HEX editor, although its protection leaves a lot to be desired. Start Hex Workshop and quickly locate the registration option in the Help / About menu. Note that it asks only for a serial number and is therefore unlikely to house any tedious maths operations.

So let's enter any code. Note a small trick here: the dialog box allows a maximum of 12 characters (perhaps implying that the code is 12 characters long, but as we'll shortly find out this is not so). So set a >bpx GetWindowTextA in SoftICE and step a few instructions, or hit F12 a few times, to reach the following code:

:00426273 CALL 00439040
:00426278 ADD ESP,08                   <-- Tidy stack.
:0042627B PUSH 0047F7E8                <-- StringData Reference JN11mARQ.
:00426280 LEA EAX,[EBP-24]             <-- Code entered.
:00426283 PUSH EAX                     <-- Stack it for next function.
:00426284 CALL 0043A7F0                <-- Compare code entered with JN11mARQ.
:00426289 ADD ESP,08                   <-- Tidy stack again.
:0042628C TEST EAX,EAX                 <-- Check.
:0042628E JZ 004262A8                  <-- Jump_JN11mARQ_isn't_a_good_code.
:00426294 LEA EAX,[EBP-24]             <-- Restore code entered.
:00426297 PUSH EAX                     <-- Stack it for next function.
:00426298 CALL 004373C0                <-- Check code.
:0042629D ADD ESP,04                   <-- Stack correction again.
:004262A0 MOV DWORD PTR [EBP-14],EAX   <-- Flag.
:004262A3 JMP 004262AF                 <-- Jump.
:004262AF CMP DWORD PTR [EBP-14],00000000 <-- Compare flag for 0.
:004262B3 JZ 00426332                  <-- Jump_bad_code.

Well, this code snippet is fairly interesting. JN11mARQ is a registration code that was widely posted around the web for Hex Workshop, and in this version the programmers have gone to great lengths to ensure losers won't be using it. The function CALL 004373C0 is worthy of some discussion: trace it and note the two critical compares. The first is a string length check (8 being valid); the second checks that the first two letters of your entered code are SY (numbers are not permitted). Assuming you pass these checks, your code will be valid.

As soon as the program accepts your code, you will be asked to enter your registration details; fill them in as you please. Note also that the information is written to the file HEXWORKS.REG and that this file is only actually checked for its length (210 bytes). Take a look with a >bpx _lopen. It's actually quite common for programs to use a separate routine to check the registration, even though two functions doing the same task might seem inefficient.
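As an added example (not code from this tutorial or from Hex Workshop's author), here is a C model of the two checks the text describes, written from the side of someone auditing a licensing scheme: the routine at 004373C0 reduced to the length and prefix compares named above, and the HEXWORKS.REG test reduced to a length comparison. The function names, the constructed candidate list and the main() harness are ours; the constants 8, "SY" and 210 are the ones the text reports. The point it makes is that both routines expose their entire acceptance criteria to a tracer, because no secret or keyed computation is involved.

```c
/* Added example, not from the tutorial or from BreakPoint Software: a C model of
 * the two registration checks as the text describes them. Names are ours. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SERIAL_LEN   8      /* length the first compare insists on (from the text)    */
#define REG_FILE_LEN 210    /* byte length HEXWORKS.REG is checked for (from the text) */

/* Model of the routine at 004373C0 as described: the length must be 8 and the
 * first two characters must be the letters "SY". Nothing else is examined. */
int serial_is_valid(const char *serial)
{
    if (serial == NULL || strlen(serial) != SERIAL_LEN)
        return 0;                               /* first compare: length */
    return strncmp(serial, "SY", 2) == 0;       /* second compare: the REPZ CMPSB */
}

/* Model of the separate registration-file routine: only the file's length is
 * tested, so the details written into it are never actually verified. */
int regfile_is_valid(size_t file_length)
{
    return file_length == REG_FILE_LEN;
}

/* Count how many of a candidate list pass, to show the acceptance set is
 * "any 8 characters starting with SY" rather than one particular code. */
int count_accepted(const char *const *candidates, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += serial_is_valid(candidates[i]);
    return accepted;
}

int main(void)
{
    /* constructed inputs for the demonstration */
    const char *const candidates[] = {
        "SYCRACKZ",   /* the serial the tutorial gives            */
        "SYBBBBBB",   /* any other SY-prefixed 8-character string */
        "JN11mARQ",   /* the leaked code the program now rejects  */
        "SYSHORT",    /* 7 characters: fails the length compare   */
        "sycrackz",   /* lower case does not match the CMPSB      */
    };
    int n = (int)(sizeof candidates / sizeof candidates[0]);
    printf("%d of %d candidates accepted\n", count_accepted(candidates, n), n);
    printf("REG file of 210 bytes: %d, of 211 bytes: %d\n",
           regfile_is_valid(210), regfile_is_valid(211));
    return 0;
}
```

Run as is, two of the five constructed candidates are accepted, and the registration file passes on length alone; a licensing check worth the name would have to bind the serial to something the program cannot simply compare against a constant.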

I'll leave you to patch this program as you see fit, or just register it for your own evaluation use. If you patch, try to locate the flag-setting instruction beneath 004373C0; it looks like this:

:0043743F REPZ CMPSB    <-- Compare (E)SI:(E)DI - SY with first 2 chars of your code.
:00437441 JZ 00437448   <-- Jump_good_code (this moves our flag EAX to 1).

Serial Number: SYCRACKZ


© 1998 CrackZ. 13th June 1998.