April  1999
"Hyper Maker v3.2"
( 'Take the long way'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Snake
 
 
Code Reversing For Beginners 
 
 
 
 
Program Details
Program Name: hm30.zip
Program Type: Website Compiler 
Program Location: Here 
Program Size: 2.8mb 
 
 
     
Tools Used:
 Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
 
 
Rating
Easy (X)  Medium (X)  Hard (  )  Pro (  )
 
 

Hyper Maker v3.2
( 'Take the long way'  )
Written by The Snake
  
Introduction
 
The author of  Hyper Maker v3.2 says :
 
    "targets:

    Easy conversion of websites to compiled publications for
    off-line distribution.
    Generation of hypertext and multimedia publications.
    Some relevant features:
    Compressed & Encrypted Multipage publications in a unique file,
    without size limitation.
    Full Word Search in all publication pages (some pages can be
    excluded if necessary).
    Keyword Search (defined with META TAG).
    Access to the compiled publication can be restricted to certain
    pages. To obtain complete access to the whole publication a
    registration code should be entered."
    and more...
 
About this protection system
 
I've rated this essay easy/medium. The reason is that when I opened the dead listing in W32Dasm, I did not find any of the 'flags' that usually lead us straight to the place where our work starts. The 'flags' are the good/bad cracker text messages that we can normally locate in the String Data References.
The method I used here is nothing more than reversing the code step by step from the point where I first
bpx into it, until the protection routine is found.
If you're really new to the world of cracking, I recommend not starting with this one.
I'll show how to get to the 'target' part just by breaking into the code and single-stepping
the instructions until we reach the part of the code that builds the real reg-key
and compares it against the one we typed.

We can find the registration screen at the main menu.

The program keeps its settings in the directory it runs from, in a file called

hypermaker.ini, which includes these two entries:

User=
RegCode=
 
The Essay 
 
Run hm30.exe and go into Registration/Hyper Maker Key. Fill in the User Name and
Registration Key. Don't change the secret key.
Before you click "OK", press Ctrl+D to fire up Softice.
This program doesn't use the two bpx's I usually use, GetWindowTextA or GetDlgItemTextA, so we are going to use the hmemcpy function instead. hmemcpy is a 16-bit KERNEL export, but on Win'95 the text of an edit control is copied through it no matter which 32-bit API the program calls, which is why it catches what the other breakpoints miss. Type "bpx hmemcpy", then
"x" to leave. Click "OK" and SI breaks. The part that interests us comes after the third time hmemcpy is called, so press "x" twice more, and at the third break press F12 (return to caller) 7 times to get back to where that last hmemcpy was called from. The count of 7 is what it takes for this version; if it lands you somewhere else, watch the code window until you see the listing below. We should now be at this part of the code:

 
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042D3EE(C), :0042D3FB(U), :0042D404(C), :0042D411(C)
|
:0042D418 8BD3              mov edx, ebx
:0042D41A 8BC6              mov eax, esi
:0042D41C E8AFA3FEFF        call 004177D0      ; last hmemcpy

:0042D421 5E                pop esi            ; we land here !
:0042D422 5B                pop ebx
:0042D423 C3                ret
:0042D424 53                push ebx

From here there are a few 'ret' instructions that we want to pass, so press F10 (step over)
21 times, until we get here:

:004A42EF E89814F7FF        call 0041578C               ; we land here !
:004A42F4 8B55F4            mov edx, dword ptr [ebp-0C] ; user name
:004A42F7 8BC3              mov eax, ebx
:004A42F9 59                pop ecx                     ; fake key
:004A42FA E809FCFFFF        call 004A3F08         ; here is the part we want
:004A42FF 33D2              xor edx, edx
:004A4301 A124C64A00        mov eax, dword ptr [004AC624]
 

When we reach the call at location 004A42FA, press F8 to step into it.
Inside it we have the checks for whether name/key are empty:

* Referenced by a CALL at Address:
|:004A42FA
|
:004A3F08 55                push ebp
:004A3F09 8BEC              mov ebp, esp
:004A3F0B 81C4E4FDFFFF      add esp, FFFFFDE4

 ---  snip snip  ---

:004A3F2B 8B45FC            mov eax, dword ptr [ebp-04] ; name
:004A3F2E E879FAF5FF        call 004039AC               ; name empty ?
:004A3F33 8B45F8            mov eax, dword ptr [ebp-08] ; key
:004A3F36 E871FAF5FF        call 004039AC               ; key empty ?
:004A3F3B 8B4508            mov eax, dword ptr [ebp+08] ; secret key
:004A3F3E E869FAF5FF        call 004039AC               ; secret key empty?
:004A3F43 33C0              xor eax, eax

Further down we also have the length checks on what was entered:

:004A407A E879F7F5FF        call 004037F8      ; eax = length of name
:004A407F 83F803            cmp eax, 00000003  ; name at least 3 chars ?
:004A4082 0F8C32010000      jl 004A41BA        ; no, jump (reject)
:004A4088 8B45F8            mov eax, dword ptr [ebp-08]
:004A408B E868F7F5FF        call 004037F8      ; eax = length of key
:004A4090 83F80C            cmp eax, 0000000C  ; key exactly 12 chars ?
:004A4093 0F8521010000      jne 004A41BA       ; no, jump (reject)

But the section we want now is at location 004A414E, so type "bd *" to disable
the breakpoints, set a new one by typing "bpx 4a414E", and press x.
Softice will break here:

:004A414E 8D45E8            lea eax, dword ptr [ebp-18] ; we land here !
:004A4151 E84EF6F5FF        call 004037A4            ; create real key
:004A4156 8B45E8            mov eax, dword ptr [ebp-18] ; eax=real key !!!
:004A4159 8B55F8            mov edx, dword ptr [ebp-08]  ; edx=fake key
:004A415C E8A7F7F5FF        call 00403908                              ; check keys
:004A4161 7557              jne 004A41BA           ; jump if fake key

We now break at location 004A414E.
If you press F10 three times and type "d eax", you'll see something that looks like a registration
key. Press F10 once more and type "d edx", and you'll see the fake key you entered.
Before we check whether this is the key we're looking for, let's see how this protection routine
compares the two. At location 004A415C, press F8 to step into the call.
The code is here:

:00403908 53                push ebx
:00403909 56                push esi
:0040390A 57                push edi
:0040390B 89C6              mov esi, eax  ; real code
:0040390D 89D7              mov edi, edx  ; fake key
:0040390F 39D0              cmp eax, edx  ; both addresses equal ?
:00403911 0F848F000000      je 004039A6   ; if yes,jump
:00403917 85F6              test esi, esi ; esi=0 ?
:00403919 7468              je 00403983   ; if yes,jump
:0040391B 85FF              test edi, edi ; edi=0 ?
:0040391D 746B              je 0040398A   ; if yes,jump
:0040391F 8B46FC            mov eax, dword ptr [esi-04]; eax=length real
:00403922 8B57FC            mov edx, dword ptr [edi-04]; edx=length fake
:00403925 29D0              sub eax, edx ; eax = length real - length fake
:00403927 7702              ja 0040392B ; unsigned: jump if real is longer (keep edx = length fake)
:00403929 01C2              add edx, eax ; else edx = length real; either way edx = the shorter length

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403927(C)
|
:0040392B 52              push edx    ; save the shorter length
:0040392C C1EA02          shr edx, 02 ; edx = number of dwords to compare
:0040392F 7426            je 00403957 ; fewer than 4 bytes: skip the dword loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040394D(C)
|
:00403931 8B0E            mov ecx, dword ptr [esi] ; ecx=4 bytes of real
:00403933 8B1F            mov ebx, dword ptr [edi] ; ebx=4 bytes of fake
:00403935 39D9            cmp ecx, ebx        ; is the 4 bytes equal ?
:00403937 7558            jne 00403991        ; jump if not
:00403939 4A              dec edx             ; edx = edx - 1  
:0040393A 7415            je 00403951         ; jump if edx=0
:0040393C 8B4E04          mov ecx, dword ptr [esi+04]; next 4 bytes of real
:0040393F 8B5F04          mov ebx, dword ptr [edi+04]; next 4 bytes of fake
:00403942 39D9            cmp ecx, ebx        ; is this 4 bytes equal ?
:00403944 754B            jne 00403991        ; jump if not
:00403946 83C608          add esi, 00000008   ; adjust esi (+8 bytes)
:00403949 83C708          add edi, 00000008   ; adjust edi (+8 bytes)
:0040394C 4A              dec edx             ; edx = edx - 1
:0040394D 75E2            jne 00403931        ; edx<>0, more dwords: loop again
:0040394F EB06            jmp 00403957

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040393A(C)
|
:00403951 83C604            add esi, 00000004 ; step past the last compared dword (real)
:00403954 83C704            add edi, 00000004 ; step past the last compared dword (fake)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040392F(C), :0040394F(U)
|
:00403957 5A                pop edx  ; edx = the shorter length again
:00403958 83E203            and edx, 00000003 ; leftover bytes = length mod 4
:0040395B 7422              je 0040397F ; none left: byte compare done, jump

After this the 1-3 leftover bytes are compared one at a time (not listed here), and the result
comes back to the caller at location 004A4161. There the flags from the compare decide: if the key
you typed differs from the real one, jump to the 'beggar off' (bad cracker) message.
 

:004A4156 8B45E8            mov eax, dword ptr [ebp-18] ; eax=real key !!!
:004A4159 8B55F8            mov edx, dword ptr [ebp-08]  ; edx=fake key
:004A415C E8A7F7F5FF        call 00403908                              ; check keys
:004A4161 7557              jne 004A41BA     ; last check: jump if fake key
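To make the control flow of the two routines above concrete, here is a C model of them, added for this essay (it is not Hyper Maker's code). It reconstructs the string compare at 00403908 and the checks at 004A3F08 from the listings; lstr_new, lstr_len, check_registration, demo and the sample key values are my own names and constructed data; the real-key derivation at 004037A4 is not shown in the essay, so the model takes the real key as an input; and the snipped paths of the compare (NULL operands, the leftover bytes, the final length test) are assumed to behave like an ordinary lexicographic compare.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Borland-style long string: char pointer with the 32-bit length stored
 * at [p-4] (the [esi-04]/[edi-04] loads in the listing). NULL = empty.
 * lstr_new/lstr_free/lstr_len are helpers for this example only. */
static char *lstr_new(const char *s)
{
    uint32_t n = (uint32_t)strlen(s);
    char *buf = malloc(4 + n + 1);
    if (!buf) abort();
    memcpy(buf, &n, 4);          /* length in front of the characters */
    memcpy(buf + 4, s, n + 1);   /* data, NUL-terminated */
    return buf + 4;
}

static void lstr_free(char *p) { if (p) free(p - 4); }

static uint32_t lstr_len(const char *p)
{
    uint32_t n;
    if (!p) return 0;
    memcpy(&n, p - 4, 4);
    return n;
}

/* The routine at 00403908: walk both strings a dword at a time over the
 * shorter length, then the (length mod 4) leftover bytes.  Returns 0 when
 * the strings are equal; the caller at 004A4161 tests only for equality.
 * Assumption: the paths the essay snips (NULL operand, leftover bytes,
 * final length comparison) behave like a plain lexicographic compare. */
int lstr_cmp(const char *s1, const char *s2)
{
    if (s1 == s2) return 0;                          /* 0040390F: same pointer */
    uint32_t len1 = lstr_len(s1), len2 = lstr_len(s2);
    if (!s1 || !s2) return (int)len1 - (int)len2;    /* 00403917/0040391B */

    uint32_t n = len1 < len2 ? len1 : len2;          /* 00403925-00403929 */
    uint32_t i = 0;
    for (uint32_t dwords = n >> 2; dwords; dwords--, i += 4) {   /* 0040392C */
        uint32_t a, b;
        memcpy(&a, s1 + i, 4);
        memcpy(&b, s2 + i, 4);
        if (a != b)                                  /* 00403935: bail on first mismatch */
            return memcmp(s1 + i, s2 + i, 4);
    }
    for (uint32_t tail = n & 3; tail; tail--, i++)   /* 00403958: leftover bytes */
        if (s1[i] != s2[i])
            return (unsigned char)s1[i] - (unsigned char)s2[i];
    return (int)len1 - (int)len2;                    /* common prefix equal: longer wins */
}

enum reg_result { REG_EMPTY, REG_NAME_TOO_SHORT, REG_BAD_KEY_LENGTH,
                  REG_WRONG_KEY, REG_OK };

/* The checks at 004A3F08 in the order the listing shows them.  real_key
 * stands for whatever 004037A4 derives from the name; the essay does not
 * show that derivation, so this model takes it as a parameter. */
enum reg_result check_registration(const char *name, const char *key,
                                   const char *secret, const char *real_key)
{
    if (!lstr_len(name) || !lstr_len(key) || !lstr_len(secret))
        return REG_EMPTY;                            /* 004A3F2B-004A3F3E */
    if (lstr_len(name) < 3)  return REG_NAME_TOO_SHORT;     /* 004A407F: jl  */
    if (lstr_len(key) != 12) return REG_BAD_KEY_LENGTH;     /* 004A4090: jne */
    if (lstr_cmp(real_key, key) != 0) return REG_WRONG_KEY; /* 004A415C/004A4161 */
    return REG_OK;
}

/* Constructed sample run: the key values are made up for this example. */
int demo(void)
{
    char *name     = lstr_new("The Snake");
    char *secret   = lstr_new("secret");
    char *real     = lstr_new("ABCD-1234-XY");   /* 12 chars, as 004A4090 demands */
    char *typed    = lstr_new("ABCD-1234-XZ");   /* differs only in the last byte */
    char *typed_ok = lstr_new("ABCD-1234-XY");   /* same text, separate buffer */
    int wrong = check_registration(name, typed,    secret, real) == REG_WRONG_KEY;
    int right = check_registration(name, typed_ok, secret, real) == REG_OK;
    lstr_free(name); lstr_free(secret); lstr_free(real);
    lstr_free(typed); lstr_free(typed_ok);
    return wrong && right;
}

int main(void)
{
    int ok = demo();
    printf("model behaves as the listing says: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point the listing makes, and the model keeps, is that the check is a plain memory compare between a key the program has already built and the key you typed: once the real key exists in memory next to the compare, "d eax" at 004A4156 reads it out, and no patch is needed.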

Now type the key in the registration window and press "OK". Oops, we get a
message that "Hyper Maker will be closed". Where did we go wrong???
Fire up HM30 again and check the Help/About menu...... IT IS REGISTERED TO THE NAME WE ENTERED !!!

 
The Patches 
  
Nothing is needed.
 

REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like
this utility and want to keep using it, support the author and pay for it.
 
 
 
Final Notes
 
In the archive we downloaded there is a file called hmview32.exe. This is the demo
version of the Hyper Maker publication viewer. It also needs to be registered. Its protection routine is like
that of hm30, but it uses the same registration key regardless of what name you use.
BUT this key does not look like the keys we usually see...
HINT - do you remember Eternal Bliss crackme #1 ???
Its settings are kept in \windows in a file called hmviewer.ini.

My thanks and gratitude goes to:-
 
The Sandman for everything he is doing for us newbies.
 
Rhayader for helping me with Reverse Code Engineering and useful tips
 




Essay by:            The Snake
Page Created: 24th April 1999