"Easy conversion of websites to compiled publications for off-line distribution. Generation of hypertext and multimedia publications. Some relevant features:
Compressed & Encrypted Multipage publications in a unique file, without size limitation.
Full Word Search in all publication pages (some pages can be excluded if necessary).
Keyword Search (defined with META TAG).
Access to the compiled publication can be restricted to certain pages. To obtain complete access to the whole publication a registration code should be entered."
and more...
We can find the registration screen in the main menu.
The program keeps its settings in the directory it runs from, in a file called hypermaker.ini, which includes these two entries:
User=
RegCode=
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042D3EE(C), :0042D3FB(U), :0042D404(C), :0042D411(C)
|
:0042D418 8BD3           mov edx, ebx
:0042D41A 8BC6           mov eax, esi
:0042D41C E8AFA3FEFF     call 004177D0               ; last hmemcpy
:0042D421 5E             pop esi                     ; we land here !
:0042D422 5B             pop ebx
:0042D423 C3             ret
:0042D424 53             push ebx
From here there are a few 'ret' instructions that we want to step over, so press F10 21 times until we arrive here:
:004A42EF E89814F7FF     call 0041578C               ; we land here !
:004A42F4 8B55F4         mov edx, dword ptr [ebp-0C] ; user name
:004A42F7 8BC3           mov eax, ebx
:004A42F9 59             pop ecx                     ; fake key
:004A42FA E809FCFFFF     call 004A3F08               ; here is the part we want
:004A42FF 33D2           xor edx, edx
:004A4301 A124C64A00     mov eax, dword ptr [004AC624]
When we reach the call at location 004A42FA, press F8 to step into it. Inside, it checks whether the name and key are empty:
* Referenced by a CALL at Address:
|:004A42FA
|
:004A3F08 55             push ebp
:004A3F09 8BEC           mov ebp, esp
:004A3F0B 81C4E4FDFFFF   add esp, FFFFFDE4
--- snip snip ---
:004A3F2B 8B45FC         mov eax, dword ptr [ebp-04] ; name
:004A3F2E E879FAF5FF     call 004039AC               ; name empty ?
:004A3F33 8B45F8         mov eax, dword ptr [ebp-08] ; key
:004A3F36 E871FAF5FF     call 004039AC               ; key empty ?
:004A3F3B 8B4508         mov eax, dword ptr [ebp+08] ; secret key
:004A3F3E E869FAF5FF     call 004039AC               ; secret key empty ?
:004A3F43 33C0           xor eax, eax
The same routine also checks the length of the name and key that were entered:
:004A407A E879F7F5FF     call 004037F8
:004A407F 83F803         cmp eax, 00000003           ; length name = 3 ?
:004A4082 0F8C32010000   jl 004A41BA                 ; jump if length name < 3
:004A4088 8B45F8         mov eax, dword ptr [ebp-08]
:004A408B E868F7F5FF     call 004037F8
:004A4090 83F80C         cmp eax, 0000000C           ; length key = 12 ?
:004A4093 0F8521010000   jne 004A41BA                ; no, jump
But the section we want now is at location 004A414E, so type 'bd *' to disable the breakpoints, create a new one by typing 'bpx 4a414E', and press x. SoftICE will break here:
:004A414E 8D45E8         lea eax, dword ptr [ebp-18] ; we land here !
:004A4151 E84EF6F5FF     call 004037A4               ; create real key
:004A4156 8B45E8         mov eax, dword ptr [ebp-18] ; eax=real key !!!
:004A4159 8B55F8         mov edx, dword ptr [ebp-08] ; edx=fake key
:004A415C E8A7F7F5FF     call 00403908               ; check keys
:004A4161 7557           jne 004A41BA                ; jump if fake key
We now break at location 004A414E. If you press F10 three times and type 'd eax', you will see something that looks like a registration key. Press F10 once more and type 'd edx' to see the fake key you entered.
Before we check whether this is the key we are looking for, let's see how this protection routine checks for the right key. At location 004A415C, press F8 to step into the call. The code is here:
:00403908 53             push ebx
:00403909 56             push esi
:0040390A 57             push edi
:0040390B 89C6           mov esi, eax                ; real code
:0040390D 89D7           mov edi, edx                ; fake key
:0040390F 39D0           cmp eax, edx                ; both addresses equal ?
:00403911 0F848F000000   je 004039A6                 ; if yes, jump
:00403917 85F6           test esi, esi               ; esi=0 ?
:00403919 7468           je 00403983                 ; if yes, jump
:0040391B 85FF           test edi, edi               ; edi=0 ?
:0040391D 746B           je 0040398A                 ; if yes, jump
:0040391F 8B46FC         mov eax, dword ptr [esi-04] ; eax=length real
:00403922 8B57FC         mov edx, dword ptr [edi-04] ; edx=length fake
:00403925 29D0           sub eax, edx                ; eax = eax - edx
:00403927 7702           ja 0040392B                 ; if eax > 0, jump (real > fake)
:00403929 01C2           add edx, eax                ; edx=length real (the shorter one)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403927(C)
|
:0040392B 52             push edx                    ; save the shorter length
:0040392C C1EA02         shr edx, 02                 ; edx=how many times to loop
:0040392F 7426           je 00403957                 ; jump if edx=0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040394D(C)
|
:00403931 8B0E           mov ecx, dword ptr [esi]    ; ecx=4 bytes of real
:00403933 8B1F           mov ebx, dword ptr [edi]    ; ebx=4 bytes of fake
:00403935 39D9           cmp ecx, ebx                ; are the 4 bytes equal ?
:00403937 7558           jne 00403991                ; jump if not
:00403939 4A             dec edx                     ; edx = edx - 1
:0040393A 7415           je 00403951                 ; jump if edx=0
:0040393C 8B4E04         mov ecx, dword ptr [esi+04] ; next 4 bytes of real
:0040393F 8B5F04         mov ebx, dword ptr [edi+04] ; next 4 bytes of fake
:00403942 39D9           cmp ecx, ebx                ; are these 4 bytes equal ?
:00403944 754B           jne 00403991                ; jump if not
:00403946 83C608         add esi, 00000008           ; adjust esi (+8 bytes)
:00403949 83C708         add edi, 00000008           ; adjust edi (+8 bytes)
:0040394C 4A             dec edx                     ; edx = edx - 1
:0040394D 75E2           jne 00403931                ; if edx<>0, next loop
:0040394F EB06           jmp 00403957

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040393A(C)
|
:00403951 83C604         add esi, 00000004           ; adjust esi (end real)
:00403954 83C704         add edi, 00000004           ; adjust edi (end fake)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040392F(C), :0040394F(U)
|
:00403957 5A             pop edx                     ; edx=the shorter length saved above
:00403958 83E203         and edx, 00000003           ; remaining bytes (0..3)
:0040395B 7422           je 0040397F                 ; if edx=0, end of check, jump
From here there is one more check: when we return from the call, at location 004A4161, a wrong key jumps to the "beggar of cracker" message.
:004A4156 8B45E8         mov eax, dword ptr [ebp-18] ; eax=real key !!!
:004A4159 8B55F8         mov edx, dword ptr [ebp-08] ; edx=fake key
:004A415C E8A7F7F5FF     call 00403908               ; check keys
:004A4161 7557           jne 004A41BA                ; last check: jump if fake key
Now type the key in the registration window and press 'OK'. Oops, we get a message that "Hyper Maker will be closed". Where did we go wrong???
Fire up HM30 again and check the Help/About menu...... IT IS REGISTERED TO THE NAME WE ENTERED!!!
REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
My thanks and gratitude go to:
The Sandman, for all that he is doing for us newbies.
Rhayader, for helping me with Reverse Code Engineering and useful tips.