December 1998
"RoboHelp Express V6.010"
( 'Show name/company in About screen'  )
Win '95 PROGRAM
Win Code Reversing
by The snake
Code Reversing For Beginners
RoboHelp Express V6.010
('Show name/company in About screen'  )
Written by The snake

As an addition to Sandman's essay #38 about RoboHelp Express, and because I decided to take up the challenge in his final notes ("Anyone who writes an essay on how to make the program display your name/handle and company name instead of the 30-day trial limit"), here is the way I've done this.

The Essay
If you followed Sandman's essay #38, you know by now that the program runs as
*registered*, but in the About screen it still shows the "30-day trial license".
We have to remember that it's not really registered, so the registry doesn't hold the
proper entries, and supplying them is our job here.
I'm sure that at this point you have a dead list of the prog; if not, make one. Let's search
for some words for our case: do you see the name and company strings yet?
Click twice on the name string and we see this code snippet:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048176F(C)
|
:004817D8 8D4DF0                  lea ecx, dword ptr [ebp-10]

---------   snip  snip  --------

:0048180B 8B3D404B4A00            mov edi, dword ptr [004A4B40]

* Possible StringData Ref from Data Obj ->"name"
                                  |
:00481811 6844304A00              push 004A3044
:00481816 50                      push eax
:00481817 6A02                    push 00000002
:00481819 FFD7                    call edi
:0048181B 83C410                  add esp, 00000010
:0048181E 85C0                    test eax, eax
:00481820 740C                    je 0048182E
:00481822 8B45F0                  mov eax, dword ptr [ebp-10]
:00481825 8D4E60                  lea ecx, dword ptr [esi+60]
:00481828 50                      push eax

* Reference To: MFC42.MFC42:NoName0068, Ord:1837h
                                  |
:00481829 E88CA30100              Call 0049BBBA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00481820(C)
|
:0048182E 8D45F0                  lea eax, dword ptr [ebp-10]
:00481831 8B4DE8                  mov ecx, dword ptr [ebp-18]
:00481834 50                      push eax

* Possible StringData Ref from Data Obj ->"company"
                                  |
:00481835 683C304A00              push 004A303C
:0048183A 51                      push ecx
:0048183B 6A02                    push 00000002
:0048183D FFD7                    call edi
:0048183F 83C410                  add esp, 00000010
:00481842 85C0                    test eax, eax
:00481844 740F                    je 00481855
:00481846 8B45F0                  mov eax, dword ptr [ebp-10]
:00481849 8D8EE0000000            lea ecx, dword ptr [esi+000000E0]
:0048184F 50                      push eax

Ok... This is what the program looks for in the registry, so open Regedit and go to the key:

HKCU\Software\Blue Sky Software\RoboHTML\1.00

To create the first value, click on Edit/New/String value. Call it company.
To set its data, click on Edit/Modify and put in whatever you like.
Now point again with the mouse at the "1.00" key.
To create the second value, click on Edit/New/String value. Call it name.
To set its data, click on Edit/Modify and put in whatever you like.

Ok, run the program and see what happens now. Go into Help/About...
Nothing changed!!! We need to take a closer look at the dead list:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00481752(C)
|
:0048176B 837DD4F9      cmp dword ptr [ebp-2C], FFFFFFF9
:0048176F 7467          je 004817D8  ; if equal jump to name + company !!
:00481771 8D4DF0        lea ecx, dword ptr [ebp-10] ; else, keep on to
                                                    ; the 30-day trial
:00481774 E8E7A30100    Call 0049BB60
:00481779 C645FC02      mov [ebp-04], 02
:0048177D 8B45D4        mov eax, dword ptr [ebp-2C]
:00481780 8D4DF0        lea ecx, dword ptr [ebp-10]
:00481783 50            push eax

* Possible Reference to String Resource ID=00761: "%d-day trial license"
                                 |
:00481784 68F9020000    push 000002F9
:00481789 51            push ecx

To check this, we need to 'break' into the program's actual code, with these steps:

1.  Select the menu option 'Help' from within RoboHelp.
2.  Press Ctrl-D to fire up Softice.
3.  Type bpx getwindowtexta
4.  Type x to leave Softice.
5.  Select the 'About' Tab option.
6.  Softice now breaks...
7.  Press the 'F11' key 1 TIME followed by the 'F10' key 13 TIMES.
8.  We should now be in RoboHelp's code.
9.  Type u 48176f
10. Type bc *
11. Type bpx 0048176f
12. Type x to leave Softice.

Softice now breaks at location 0048176f:

:0048176F 7467          je 004817D8     < no jump >

Type r eip=004817d8, and then type x to leave Softice. BINGO.. The name and
company we put in the registry now show up in the About screen.

Sandman, I did it!!

The 'crack'
In order to make this a permanent jump we need to patch the program.

Load robohtml.exe into a hex editor (I use HexWorkshop-32).

SEARCH FOR THE FOLLOWING BYTES : 837DD4F97467
REPLACE WITH HIGHLIGHTED BYTES : 837DD4F9EB67
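The search string above is two instructions. As an added example (not part of the essay), this C snippet decodes those six bytes from their x86 encoding to show what the dead listing displays: `83 7D D4 F9` is `cmp dword ptr [ebp-2C], FFFFFFF9` (the imm8 F9 sign-extended to 32 bits) and `74 67` / `EB 67` are `je` / `jmp` with the same rel8 displacement, so the patch changes only the branch condition while the target 004817D8 stays the same. The byte arrays and the address 0048176B are taken from the listing; the decoder handles only these two instruction forms.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the six bytes the essay searches for (the cmp at
   0048176B followed by the je at 0048176F), and the same bytes after the patch. */
static const uint8_t ORIGINAL[6] = {0x83, 0x7D, 0xD4, 0xF9, 0x74, 0x67};
static const uint8_t PATCHED[6]  = {0x83, 0x7D, 0xD4, 0xF9, 0xEB, 0x67};
static const uint32_t CMP_ADDR = 0x0048176Bu;   /* address from the dead listing */

struct cmp_ebp_imm8 { int8_t disp; int32_t imm; };

/* Decode "83 /7 ib" with a [ebp+disp8] operand: cmp dword ptr [ebp+disp8], imm8.
   The imm8 is sign-extended to 32 bits, which is why F9 is shown as FFFFFFF9. */
static int decode_cmp_ebp_imm8(const uint8_t *b, struct cmp_ebp_imm8 *out) {
    uint8_t modrm = b[1];
    if (b[0] != 0x83) return 0;             /* group-1 opcode, imm8 form      */
    if ((modrm >> 6) != 1) return 0;        /* mod=01: [base + disp8]         */
    if (((modrm >> 3) & 7) != 7) return 0;  /* /7 selects CMP                 */
    if ((modrm & 7) != 5) return 0;         /* rm=101 with mod=01: base = ebp */
    out->disp = (int8_t)b[2];               /* D4 -> -0x2C, i.e. [ebp-2C]     */
    out->imm  = (int8_t)b[3];               /* F9 -> -7                       */
    return 1;
}

/* 74 rel8 is je, EB rel8 is jmp; both are two bytes long. */
static const char *branch_mnemonic(uint8_t opcode) {
    return opcode == 0x74 ? "je" : opcode == 0xEB ? "jmp" : NULL;
}

/* rel8 is relative to the end of the branch, not its start:
   0048176F + 2 + 0x67 = 004817D8, the name/company path in the listing. */
static uint32_t branch_target(uint32_t branch_addr, const uint8_t *b) {
    return branch_addr + 2u + (uint32_t)(int32_t)(int8_t)b[1];
}

/* Print one variant in the same style as the dead listing. */
static void show(const char *label, const uint8_t *b) {
    struct cmp_ebp_imm8 c;
    if (!decode_cmp_ebp_imm8(b, &c) || !branch_mnemonic(b[4])) { puts("unrecognised bytes"); return; }
    printf("%s: %08X cmp dword ptr [ebp%c%02X], %08X\n", label, (unsigned)CMP_ADDR,
           c.disp < 0 ? '-' : '+', (unsigned)(c.disp < 0 ? -c.disp : c.disp), (unsigned)(uint32_t)c.imm);
    printf("%s: %08X %s %08X\n", label, (unsigned)(CMP_ADDR + 4), branch_mnemonic(b[4]),
           (unsigned)branch_target(CMP_ADDR + 4, b + 4));
}

int main(void) {
    show("original", ORIGINAL);   /* ... je  004817D8 */
    show("patched ", PATCHED);    /* ... jmp 004817D8 */
    return 0;
}
```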
Final Notes
This program was very big to download, but as Sandman always says, we need to think like a *cracker*. After I've done this crack, I feel that I'm on my way to start
thinking like one :).


My thanks and gratitude go to:

The Sandman for all that he is doing for us, newbies.

Rhayader for helping me with Reverse Code Engineering and
useful tips




Essay by:           The snake
Page Created: 9th December 1998