How to crack HTMLedPro32 2.0d
Destroy them to make them work
student
Not Assigned
2 February 1998
by Edi
 
Courtesy of Fravia's page of reverse engineering
slightly edited
by Fravia+
An interesting essay about code-hardwired property values. Edi's "Constructive Destruction Cracking" is a sound cracker's attitude: when in doubt, just modify the code of your target and see what happens... it's actually funny to note how seldom crackers 'put their hands' inside the spinning code of a target... ok, most of the time everything explodes, so what? If you feel the code a little, such destructive cracking methods can yield very interesting and high results... besides: how are you supposed to learn all the different parameter values without just feeding some of them to the spinning code?
Blow targets to pieces! Enjoy!
There is a crack, a crack in everything. That's how the light gets in.
Rating
(x)Beginner (x)Intermediate ( )Advanced ( )Expert

An interesting essay in order to see how a not-easy-to-discover protection scheme can easily be bypassed.

How to crack HTMLedPro32 2.0d
Destroy them to make them work
Written by Edi


Introduction
Ever thought about modifying a program to tell you where its protection scheme
is? Maybe, but did you think about causing an error message and bypassing a whole
portion of code (in which you could store your own routines, IF YOU COULD :)? It's
not difficult, and I think this method will be applicable to many other programs.


Tools required
W32Dasm (disassembler), HIEW (hex editor), and a debugger for the bpx on MessageBoxA used below.

Target's URL/FTP
ftp://ftp.cybersmith.net/pub/ist/htx32_2d.exe

Essay

Start it...
Licenced to:
Evaluation version. Evaluation period is over.

Ok, let's disassemble it with wdasm and search for 'evaluation'.
We find:
1.) 460899: "Evaluation version, [x] days left in the evaluation period."
2.) 4608F9: "Evaluation version, [x] days left in the EXTENDED evaluation period."
3.) 460959: "Evaluation version. EXTENDED evaluation period is over."
4.) 46098B: "Evaluation version. Evaluation period is over."
5.) 4609C0:  Name, Company, Serial#

So there must be a check with at least five different branches, which means
we should look for a jump table:
1.) Evaluation period
2.) EXTENDED evaluation period
3.) EXTENDED evaluation period over
4.) Evaluation period over
5.) Registered

Search for 460899 (or scroll up :-) and you'll see this code:

:0046085C E83B65FEFF              call 00446D9C ; Look if registered/extended/whatever
:00460861 8BF8                    mov edi, eax
:00460863 A120AA4A00              mov eax, dword ptr [004AAA20]
:00460868 8BB090030000            mov esi, dword ptr [eax+00000390]
:0046086E 8B465C                  mov eax, dword ptr [esi+5C] ;
:00460871 83F805                  cmp eax, 5    ; 5=registered?
:00460874 0F87D2010000            ja 00460A4C   ; Don't nag the user, let him go
:0046087A FF248581084600          jmp dword ptr [4*eax+00460881] ; This should be clear:
                                                                  ; it's the TABLE JUMP

The_table:
:00460881 4C0A4600                DWORD 00460A4C ; don't show anything?
:00460885 BD094600                DWORD 004609BD ; show name, company, ...
:00460889 99084600                DWORD 00460899 ; Evaluation version with some days left
:0046088D F9084600                DWORD 004608F9 ; EXTENDED Evaluation version, days left
:00460891 8B094600                DWORD 0046098B ; Evaluation period over
:00460895 59094600                DWORD 00460959 ; EXTENDED Evaluation period over
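To make the table jump concrete, here is an added Python example (mine, not code from the essay or from HTMLed Pro) that takes the six raw DWORDs exactly as W32Dasm prints them at 00460881, decodes them as little-endian pointers, and emulates the cmp/ja/jmp sequence above for a given value of eax. The message labels are the ones the essay attaches to each target; everything else is constructed.

```python
import struct

# Constructed from the W32Dasm listing quoted in the essay: the six raw DWORDs
# stored at 00460881 (little-endian, as the listing prints them) and the
# messages the essay matches to each target address.
TABLE_BASE = 0x00460881
TABLE_BYTES = bytes.fromhex(
    "4C0A4600"   # 00460A4C
    "BD094600"   # 004609BD
    "99084600"   # 00460899
    "F9084600"   # 004608F9
    "8B094600"   # 0046098B
    "59094600"   # 00460959
)
OUTSIDE_TABLE = 0x00460A4C   # target of the 'ja' that guards the table

LABELS = {
    0x00460A4C: "don't show anything",
    0x004609BD: "show Name, Company, Serial#",
    0x00460899: "Evaluation version, [x] days left in the evaluation period.",
    0x004608F9: "Evaluation version, [x] days left in the EXTENDED evaluation period.",
    0x0046098B: "Evaluation version. Evaluation period is over.",
    0x00460959: "Evaluation version. EXTENDED evaluation period is over.",
}


def decode_table(raw=TABLE_BYTES, base=TABLE_BASE):
    """Return [(slot_address, target_address), ...] for a table of 4-byte
    little-endian pointers, i.e. what W32Dasm shows as 'DWORD 00460A4C'."""
    return [(base + 4 * i, struct.unpack_from("<I", raw, 4 * i)[0])
            for i in range(len(raw) // 4)]


def dispatch(eax, table=None):
    """Emulate the three instructions at 00460871..0046087A:
         cmp eax, 5
         ja  00460A4C
         jmp dword ptr [4*eax+00460881]
    'ja' is an unsigned compare, so the guard admits exactly the indices
    0..5 (six slots); anything else, negative values included, skips the table."""
    if table is None:
        table = decode_table()
    eax &= 0xFFFFFFFF          # 32-bit register semantics
    if eax > 5:                # the bounds check: table has six entries
        return OUTSIDE_TABLE
    return table[eax][1]


def describe(eax):
    """Map a state value to the message the essay lists for its target."""
    return LABELS[dispatch(eax)]


if __name__ == "__main__":
    for slot, target in decode_table():
        print(f"{slot:08X}: DWORD {target:08X} ; {LABELS[target]}")
    for state in (0, 1, 4, 5, 6, -1):
        print(f"eax={state:>2}: -> {dispatch(state):08X} {describe(state)}")
```

Running it prints the decoded table and the target for a few states. Two things are worth noticing: the table has six slots, so `cmp eax,5 / ja` is the bounds check that keeps the indexed jump in range (ja is an unsigned compare, so a negative eax also lands on 00460A4C), and state 4 is the slot whose message matches the "Evaluation period is over" nag the essay sees at start-up.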

Now, scroll up again until you see this:

* Referenced by a Jump at Address:0046079A(C)
:00460801 55                      push ebp

* Possible StringData Ref from Code Obj ->"HTMLed Pro32"
:00460823 BA840A4600              mov edx, 00460A84

* Possible StringData Ref from Code Obj ->"Version 2.0d"
:00460833 BA9C0A4600              mov edx, 00460A9C

This is where the whole thing starts: the program shows its version
number and information about when it expires.
The code is called from 46079A, so have a look at that, too:

:00460793 6F                      outsd			"ormCreate"
:00460794 726D                    jb 00460803
:00460796 43                      inc ebx
:00460797 7265                    jb 004607FE
:00460799 61                      popad
:0046079A 7465                    je 00460801
:0046079C 1500280E46              adc eax, 460E2800
:004607A1 000E                    add byte ptr [esi], cl
:004607A3 52                      push edx
:004607A4 656742                  inc edx
:004607A7 7574                    jne 0046081D          "uttonClick[HT]TAbo"
:004607A9 746F                    je 0046081A
:004607AB 6E                      outsb
:004607AC 43                      inc ebx
:004607AD 6C                      insb
:004607AE 69636B09544162          imul esp, dword ptr [ebx+6B], 62415409  
:004607B5 6F                      outsd

So THIS looks really weird! outsd? popad? imul esp, whatever?
I don't think this code ever gets executed, do you?
Let's look at it in HIEW: aha! At 460792 you'll see
"FormCreate".
In fact what you have here are some CODE-HARDWIRED property values: the
disassembler has turned the ASCII bytes of names such as "FormCreate" (and
the "uttonClick...TAbo" fragment visible in the listing) into nonsense instructions.
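To see what W32Dasm actually disassembled here, the following added Python (mine, not from the essay or from HTMLed Pro) takes the opcode bytes exactly as the listing prints them for 00460793..004607B5 and looks at them the way HIEW does, as data: it renders the ASCII column, scans for length-prefixed names, and decodes the four bytes right after "ormCreate" as a little-endian pointer. Reading this layout as Delphi's published-method table (name strings next to handler addresses) is my inference from the VCL-style names, not something the essay states; the bytes before 00460793, where "FormCreate" begins, are not on the page and are not used.

```python
import struct

# Constructed from the listing above: the opcode bytes W32Dasm printed for
# 00460793..004607B5, joined in order. Only what the listing shows is used.
CODE_BASE = 0x00460793
CODE_BYTES = bytes.fromhex(
    "6F" "726D" "43" "7265" "61" "7465" "1500280E46" "000E"
    "52" "656742" "7574" "746F" "6E" "43" "6C" "69636B09544162" "6F"
)

# Characters allowed in a method or class name: [A-Za-z0-9_]
IDENT_BYTES = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")


def ascii_view(data=CODE_BYTES):
    """The ASCII column a hex editor such as HIEW shows: printable bytes
    as themselves, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def find_shortstrings(data=CODE_BYTES, base=CODE_BASE, max_len=64):
    """Greedy left-to-right scan for Pascal-style length-prefixed names
    (a length byte n followed by n identifier characters), the layout
    Delphi uses for published method and class names (an inference from
    the VCL-style names here, not something the essay states).
    Returns [(address_of_length_byte, name, truncated_by_end_of_listing)]."""
    found, i = [], 0
    while i < len(data):
        n = data[i]
        if 1 <= n <= max_len:
            body = data[i + 1:i + 1 + n]
            if body and all(b in IDENT_BYTES for b in body):
                found.append((base + i, body.decode("ascii"), len(body) < n))
                i += 1 + len(body)
                continue
        i += 1
    return found


def dword_at(addr, data=CODE_BYTES, base=CODE_BASE):
    """Little-endian DWORD at an address inside the listing, e.g. the four
    bytes 28 0E 46 00 at 0046079E, right after "ormCreate": they decode to
    0x00460E28, a pointer into the same module (a handler address), not code."""
    return struct.unpack_from("<I", data, addr - base)[0]


if __name__ == "__main__":
    print(ascii_view())
    for addr, name, cut in find_shortstrings():
        note = " (cut off by end of listing)" if cut else ""
        print(f"{addr:08X}: length-prefixed name {name!r}{note}")
    print(f"{0x0046079E:08X}: DWORD {dword_at(0x0046079E):08X}")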

Let's have some Constructive Destruction Cracking.
Hm... replace the ASCII characters
      "FormCreate"
 with "CreateTHIS" :-)
Now start the target and you'll see:
"Error reading AboutBox.OnCreate: Invalid property value."
Funny, isn't it? :-)
Press OK and HTMLed Pro32 2.0d works anyway.
But I don't like this error box, so let's set a bpx on MessageBoxA
in order to get rid of it.
Trace a little bit around and you'll come to this call:

:00425D86 A128A64A00              mov eax, dword ptr [004AA628]
:00425D8B E8481E0000              call 00427BD8 ; <---- causes the messagebox
:00425D90 E89FD6FDFF              call 00403434

Replace it with
:0042518B: 50                           push   eax
:0042518C: 33C0                         xor    eax,eax
:0042518E: 48                           dec    eax
:0042518F: 58                           pop    eax
or with anything else you like to do to the dummy eax between the push and the pop;
these four instructions add up to exactly the 5 bytes of the original call, which
makes this a very useful "nopping" technique as well if you don't want to
calculate a short jump :)

Start the target... and it works!


Final Notes
What do we learn with this lesson?

1.) It isn't always necessary to find the protection scheme.
2.) Destruction can be good if it's done at the right time and place.
3.) A little introduction to jump tables.
4.) How to crack another program.
5.) Don't press Help - About in htmled :-)

And don't criticize my English, how should I learn it
perfectly in 14 years?? :-)


Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
