Web : http://mxb.cjb.net
WinHex 9.26
Type : Multi editor
Protection : Key File - Serial No: [Flag check]
Tech : Patching
Crack : WinHex uses numerous flag checks at every step. The funny part is that
only a single flag is checked.
The byte at memory position [0x44FE8C] is used as the flag (00 ==> BAD).
The serial is computed only at start up of the program.
On application start up ...
0x448B56 JZ 0x448B5C >> GOOD
0x448B58 XOR EAX,EAX >> Clear flag
0x448B5A JMP 0x448B5E >> BAD
0x448B5C MOV AL,0x01 << SET FLAG [GOOD]
0x448B5E MOV [0x44FE8C],AL >> STORE FLAG
To Crack :
0x448B56 JMP 0x448B5C | EB 04
Offset : 0x47F56
File : winhex.exe
Another check :
0x448B2D CALL 0x42C81C
0x448B32 CMP EAX,[0x44E184]
0x448B38 JNZ 0x448B58 >> BAD
To crack : 0x448B38 NOP
0x448B39 NOP
Offset : 0x47F38 - 0x47F39
Another check :
0x43849F CALL 0x436A74
0x4384A4 CMP [EDI+0x189F],00
0x4384AB JZ 0x4384B4 >> GOOD
0x4384AD MOV [0x44FE8C],00 <<BAD
To crack :
0x4384AB JMP 0x4384B4 | EB 07
Offset : 0x378AB
How to find a serial for winhex
Consider the check ..
0x448B28 MOV EAX,[0x44E180] << First S/N
0x448B2D CALL 0x42C81C
0x448B32 CMP EAX,[0x44E184] << Fake Second S/N ;EAX = REAL Second S/N
0x448B38 JNZ 0x448B58 >> BAD
EAX = 0xFFFFFFFF if First S/N is in the wrong range
EAX = REAL Second S/N if First S/N is within the range.
We will use the program itself to produce the S/N :
When we reach 0x448B28, use the SoftICE command 'a eip' and enter the following
keygen.
0x448B28 MOV EAX,[0x44E180] << First S/N
0x448B2D CALL 0x42C81C
0x448B32 CMP EAX,-1 = 0xFFFFFFFF
0x448B34 JNZ STOP
0x448B3E INC EAX
0x448B3F MOV [0x44E180],EAX
0x448B44 JMP 0x448B28
Registration info :I Code = 444445 And II Code = 599889