BakeHead Editor
Reverse Code Engineering For Beginners
For Educational Use Only
Date: 16th May 2000
Project No: 1
This File Escaped From: "Learn Cracking In New Style."
Target: BakeEditor V1.30
Download From: http://www.zantech-systems.com/headcase/bh100.zip (www.redted.com) (Size: 2.03MB)
Tools Used: SoftICE, W32Dasm and a HexEditor (http://protools.cjb.net)
Rating: It's easy when you know how.
Remember This: It is easy to destroy but hard to create. Software authors work hard to give us good quality software, so support shareware. If your intention is to pirate this software then stop reading..... and delete this file immediately. You would be better off looking for it on some WAREZ site.
About The Program: Bakehead is the Headcase Face Editor which allows the user to create their own Headcase Face files from scanned or drawn images for use with the Headcase Player.
About Protection Scheme: The program shows a nag-screen at start-up. You can reach the registration box through the HELP menu. After you register successfully, the program stores the password in the "config.dat" file in your "\Program Files\Red Ted\Bakehead Editor\" directory. The password is different on each machine: while you download, each copy of BakeHead Editor is given its own registration number, and the password is derived from it.
The Essay
Second Approach: In the second approach we enter a fake password and then make the program register itself by turning our fake password into the valid one. Sounds interesting? OK, let's get the job done. As I said above, the program stores the valid password in "config.dat" after a successful registration. So where should we look next? That's right: "\config.dat". Dead-list the program in W32Dasm and click on the string reference "\config.dat". You should now see the following code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405753(U)
|
:0040575C B952319B3B              mov ecx, 3B9B3152
:00405761 250A38EB08              and eax, 08EB380A
:00405766 2BCA                    sub ecx, edx
:00405768 D1E9                    shr ecx, 1
:0040576A 8D54080D                lea edx, dword ptr [eax+ecx+0D]  ; EDX now holds the real password
:0040576E 8B44240C                mov eax, dword ptr [esp+0C]      ; EAX receives our fake password
:00405772 3BC2                    cmp eax, edx                     ; fake password vs. real password
:00405774 754D                    jne 004057C3                     ; not equal -> "bad password" path
:00405776 A3CCDC4400              mov dword ptr [0044DCCC], eax    ; the accepted value is saved here
* Possible StringData Ref from Data Obj ->"\config.dat"

Look at 0040576E. Our fake password is copied into EAX from the stack and then compared with EDX, which the "lea" just above it has filled with the real password. We don't want that to happen; we want the real password to be copied instead. So what do we do? Since EDX already holds the real password, we change the "mov eax, dword ptr [esp+0C]" into "mov eax, edx". After this change the real password is copied into EAX, the following "cmp" compares the real password with itself, and there is no way the "JNE" can be taken. The real password is then written to "config.dat" and we have a fully functional program.

One detail matters: "mov eax, dword ptr [esp+0C]" is four bytes (8B 44 24 0C) but "mov eax, edx" is only two (8B C2). The other two bytes must be filled with "nop" (90 90) so that the "cmp", the "jne" and everything after them stay at the same addresses.
Open a HexEditor, go to file offset 00004B6Eh and check that you find 8B 44 24 0C there. Replace those four bytes with 8B C2 90 90. The code now reads:

:0040576E 8BC2                    mov eax, edx                     ; move the real password into EAX
:00405770 90                      nop                              ; do nothing
:00405771 90                      nop                              ; do nothing
:00405772 3BC2                    cmp eax, edx                     ; compare real password with real password
:00405774 754D                    jne 004057C3                     ; jump if not equal; it will never jump
:00405776 A3CCDC4400              mov dword ptr [0044DCCC], eax    ; save the real password, which goes to "config.dat"
* Possible StringData Ref from Data Obj ->"\config.dat"

With this change the program accepts any password you enter and turns it into the real one.
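The patch above is easy to get wrong in a hex editor (wrong offset, wrong build, replacement of a different size). The script below is an added example, not part of the original essay or of the Bakehead software: it applies the same 8B 44 24 0C -> 8B C2 90 90 change programmatically, but only after checking that the bytes at the offset are the ones the listing shows, that the pattern is unique in the file, and that the replacement is exactly as long as the original so the "cmp" and "jne" that follow do not move. The address-to-offset delta is taken from the two numbers the essay pairs (VA 0040576E and file offset 00004B6E); the sample image it runs on is constructed here for illustration and is not the real bh100 binary.

```python
"""Apply the Second Approach patch with the checks a careful patcher makes.

Added example for this essay; offsets and bytes come from the W32Dasm listing,
the sample image is constructed below, and the target file path is a
command-line argument (an assumption of this script, not of the essay).
"""
import sys

PATCH_OFFSET = 0x4B6E                      # file offset given in the essay
ORIGINAL = bytes.fromhex("8B44240C")       # mov eax, dword ptr [esp+0C]
PATCHED = bytes.fromhex("8BC29090")        # mov eax, edx ; nop ; nop

# The essay pairs VA 0040576E with file offset 00004B6E, so the delta
# between listing addresses and file offsets in this image is 0x400C00.
VA_TO_RAW_DELTA = 0x40576E - 0x4B6E


def file_offset_from_va(va: int, delta: int = VA_TO_RAW_DELTA) -> int:
    """Map a W32Dasm virtual address to a file offset using the essay's delta."""
    return va - delta


def apply_patch(image: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a patched copy of image, refusing to write blind.

    Raises ValueError if the replacement would change the instruction size,
    if the expected bytes are not at the offset (wrong build or wrong offset),
    or if the pattern occurs more than once (the offset alone should settle it,
    but a non-unique pattern is a sign that something else is off).
    """
    if len(expected) != len(replacement):
        raise ValueError("replacement must be the same size as the original instruction")
    found = image[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"bytes at {offset:#x} are {found.hex()}, not {expected.hex()}")
    if image.count(expected) != 1:
        raise ValueError("pattern is not unique in this file; refusing to guess")
    return image[:offset] + replacement + image[offset + len(replacement):]


def build_sample_image() -> bytes:
    """Constructed stand-in for the target: zero filler, then the bytes the
    listing shows from 0040576E onwards (mov / cmp / jne / mov [0044DCCC])."""
    listed = bytes.fromhex("8B44240C" "3BC2" "754D" "A3CCDC4400")
    return b"\x00" * PATCH_OFFSET + listed + b"\x00" * 16


def patch_sample() -> bytes:
    """Patch the constructed image; the bytes after the edit must be untouched."""
    return apply_patch(build_sample_image(), PATCH_OFFSET, ORIGINAL, PATCHED)


if __name__ == "__main__":
    # Usage (assumed interface): python patch_bakehead.py <input.exe> <output.exe>
    if len(sys.argv) != 3:
        sys.exit("usage: patch_bakehead.py <input.exe> <output.exe>")
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(apply_patch(data, PATCH_OFFSET, ORIGINAL, PATCHED))
    print(f"patched {len(ORIGINAL)} bytes at offset {PATCH_OFFSET:#x}")
```

Always write to a new file and keep the original; if the "bytes at ... are not" error fires, you have a different build than the one the listing was made from and the offset must be re-derived from your own dead listing rather than forced.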
End Of Second Approach
[NOTE: There is one more way of making this program fully functional: enabling the crippled "Save As.." function. But that one is meant for a hardworking newbie. It takes a lot of rough patching and it is not a clean crack. The solution is by meRlin. If you are a hardworking newbie then email me and I'll send it to you.]
About Us: We are a newly born cracking group. Cracking is our hobby and we take it as a challenge. That's why we don't limit ourselves to only one approach: we crack software in every way we can think of. If our intention were to crack software and use it for free, we would never have spent our precious time cracking it with different approaches. This doesn't mean that those who crack using only one approach use software illegally or have evil intentions. Don't get us wrong guys....:-)). We don't distribute cracks and serials, so don't ask for them. Comments are welcome.
How You Can Help Us: We are knowledge-hungry people, so if you see anything interesting while surfing the net, let us know. The information can be about anything: hacking, cracking, mp3, books, etc. Of course.. it should be FREE, as our tutorials are. Don't e-mail us about "Get Paid To Surf" or other such "Referral" programs. If we ever register for one of those referral programs we'll not include your name as a "Referrer." BTW, we hate spammers.
Our Goal: To spread knowledge and help newbies in "Reverse Code Engineering" by providing tutorials. :-).
Members:
Founder/Tutorial: e-nigma
Crackers: blacksword, (D)ragon, gkaizer, Jim Charble, meRlin, nachtigall, pepperman, pupp6969, +Viper+
Contact Us: enigmacracker@hotmail.com
Solutions By:
Second Approach: nachtigall
All the solutions were modified and checked by e-nigma. They work 99.99%.
If you have any problem, feel free to ask. :-))
Our Thanks And Gratitude Goes To:-
+Sandman for all his Great Tutorials and Magnificent Newbie Forum.
The Snake For hosting this file on his Website.
And all the people out there in "+Sandman Newbie Cracking Forum"
That's all for now. We'll be back with our 2nd project as soon as possible. Till then..... Have Fun!
© 2000 "Learn Cracking In New Style." All Rights Reserved.