Reverse Code Regineering For Beginners *BakeHead Editor V1.30* (For Educational Use Only)

Remember This: It is easy to destroy but hard to create. Software authors work hard to give us good quality software so support shareware. If your intension is of pirating this software then stop reading..... and delete this file immediately. It's better you look for it in some WAREZ sites.

About The Program: Bakehead is the Headcase Face Editor which allows the user to create their own Headcase Face files from scanned or drawn images for use with the Headcase Player.

About Protection Scheme: The Program has a nag-screen at start-up. You can get to the registration box through HELP menu. After successfully registering this software, it stores the password in "config.dat" file located in your "\Program Files\Red Ted\Bakehead Editor\" directory. The password will be unique in each machine, because while downloading; each copy of BakeHead Editor is given a specific registration number and the password in based on it.

First Approach: In the first approach, we are gonna hunt for the Password. So let's go hunting. Run the program, at first it shows "This is an unregistered version..." Click OK. Go to registration box through Help and click "Register Bakehead.." Try entering fake password and click OK. What..? no error message. This program tries to smart...umm. Fire up softice and set BPX GetWindowTextA. Press F5 and again type fake password. Let's say 12345 and click OK. Softice breaks, press F11 and F8, 30 times. Now you should be at following codes.

Work done. I think you got it, didn't you? End Of First Approach

Second Approach: In the second approach, we're gonna enter a fake password and then make the program register itself by changing our fake password in the valid password. Sounds interesting? OK. Let's get the job done. I think, I have told you that the program store the valid password in "config.dat" after successfully registering it. That means where should we have to look next? That's right "\config.dat". Dead list the program and click on "\config.dat" now you should see following codes:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405753(U)
|
:0040575C B952319B3B              mov ecx, 3B9B3152
:00405761 250A38EB08              and eax, 08EB380A
:00405766 2BCA                    sub ecx, edx
:00405768 D1E9                    shr ecx, 1
:0040576A 8D54080D                lea edx, dword ptr [eax+ecx+0D]
:0040576E 8B44240C                mov eax, dword ptr [esp+0C]; In EAX, our fake password is being copied. We don't want that to happen but instead we want real password to be copied. So, what should we do next? That's right! Since we know that EDX holds the real password, we're gonna change it to " mov eax, edx. After changing this the real password will be copied to EAX and in the next "cmp"; the real password will be compared with the real password and there in no chance that "JNE" will fail. Also after that, the real password will be copied to "\config.dat" file and we're gonna have a fully functional program.
:00405772 3BC2                    cmp eax, edx    ;You know what's here. don't you?
:00405774 754D                    jne 004057C3
:00405776 A3CCDC4400              mov dword ptr [0044DCCC], eax

* Possible StringData Ref from Data Obj ->"\config.dat"

Open a HexEditor and search for 8B44240C at offset: 00004B6Eh

Look what happens when you do the above patch.

:0040576E 8BC2                    mov eax, edx ;Move the real password in to EAX.
:00405770 90                      nop    ;Do nothing.
:00405771 90                      nop    ;Do nothing.
:00405772 3BC2                    cmp eax, edx ;Compare real password with real ~                                              ;password.
:00405774 754D                    jne 004057C3 ;Jump is not equal. It'll not jump.
:00405776 A3CCDC4400              mov dword ptr [0044DCCC], eax ;Save real password ~                                                              ;in "config.dat" file

* Possible StringData Ref from Data Obj ->"\config.dat"

Making this change in the program, the program will accept any password that you enter and changes it in to the real one.

End Of Second Approach

[NOTE: There is one more way of making this program work as a fully functional software by enabling the crippled "Save As.." function. But it is target to a hardworking newbie. You have to do lots of rough patching and it's not a clean crack though. The solution is by meRlin. If you are a hardworking newbie then email me, I'll send it to you.]

About Us: We are newly born Cracking Group. Cracking is our Hobby and we take it as a Challenge. That's why, we don't limit ourselves to only one approach. We crack software in every possible way it can be or that we are aware of. If our intensions were of cracking software and using it for free, we never had wasted our precious time on cracking it by applying different approaches. Now, this doesn't mean that those who crack using only one approach use software illegally or their intensions are evil. Don't get us wrong guys....:-)). We don't distribute cracks and serials, so don't ask for it. Comments are welcome.

How You Can Help Us: We are knowledge hungry people, so if you see anything interesting while surfing the net next time do let us know. The information can be related to anything such as: hacking, cracking, mp3, books, etc. Of course.. it should be FREE as our tutorials are. Don't e-mail us telling about "Get Paid To Surf" or other such types of "Referral" programs. If by any means, we registered to those types of referral program we'll not include your name as a "Referrer." BTW, we hate spammers.

Our Goal: To spread knowledge and help newbie in "Reverse Code Engineering" by providing Tutorials. :-).

Crackers: blacksword, (D)ragon, gkaizer, Jim Charble, meRlin, nachtigall, pepperman, pupp6969, +Viper+

That's all for now. We'll be back with our 2nd project as soon as possible. Till then..... Have Fun!