Results 1 to 6 of 6

Thread: PE Explorer reversing

  1. #1

    PE Explorer reversing

    I'm trying to find the serial checking algorithm in the program "PE Explorer" by HeavenTools, but seem to be having a hard time. I've DeDe'd the executable, which is in Delphi 3 format (from running PEID on it) and I've got a IDA and WDASM89 listing.

    Now, upon select "About" from the help menu, it seems to call a routine at 42CA94 to check if the program is registered or not, and if not, puts up a nag box before the About box. If the program has expired, the nag box changes to a "Buy Info" and "Quit Program" box. This box seems to be created by a routine at 42FB50.

    I notice that choosing the registration option and entering bad data doesn't give any clues like "Invalid serial code", but simply calls the same routine as the about box routine calls. Now considering I can't find any code in the registration form for checking or generating any kind of hash or serial, I can only assume it's done each time from 42CA94.

    However, even running it through the debugger in W32DASM and through SoftICE, I fail to see any of my text that I previously entered into the registration box in any of the routines prior to the nag-box appearing.

    Has anyone got some ideas on more how this program works? I'm not interested in a crack or keygen, but more about where in the program the actual checking algorithm is, so I can create a keygen for it. I can patch the program to be registered, but I'd rather not, and generate a valid serial without modifying the original code.

  2. #2
    I haven't looked at this prog but sometimes the data you enter is not checked at all but stored in a file or in the registry. When the program is run the file (or registry) is read and the check for validity is carried out before the program loads.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    There is a tut about this on exetools forum is you can access it
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    ExeTools seems dead at the minute

    However, I've found the algorithm, created a valid name/serial pair and tried it on PEX. It registers in that name, but still says it's an evaluation copy! I gone through the code with w32dasm in debug mode, and it seems to pass on all the jumps, then writes out an encrypted file called "pexdata.rdat", which I have figured out the encryption for and can decrypt and create my own "pexdata.rdat" which it accepts, but it still says I have X days left, even though the about box says "Licensed To: myregname".

    Due to the obvious an unique XORing on the username, I have found the place where it rechecks the serial on startup, but it seems to pass the checks, so I'm a bit puzzled at the moment.

    Will keep looking however. Thanks for the replies.

  5. #5

    Nice :>

    Hi squidge,

    I worked on 1.60 long time ago... yeah found out about the key file n the encryption there but as u have discovered, the program still refused to reg... In the end i still had to resovle to patching the damn program... LOTS of patches cos it has so many hidden checks...

    i did looked at their website n found out that in order to buy the program, users have to download some files from them so i guessed that the download file will also make patches to the program so that it is registered n there is no way to use a key file or serial number to register the program but that was purely my guess... u can investigate further, i believe that my information might even be outdated but ah well... i remember spending a significant time on this nice proggy :>>... brought back some good memory...


  6. #6
    Thanks for the info m8, I took another look at it last night and wrote a keygen anyway, so I could check different versions of names (eg, with/without spaces, etc) without tracing the exe for the correct serial every time. They all showed the name in the about box, but didn't reg the program. Sigh.

    Also wrote a file reader for the pexdata.rdat file to just see if there was any secret values in there I didn't know about, but after decrypting, all that is stored is the username with the first 16 bytes XOR'd with specific values, and the serial number stored as two 32-bit values.

    Tracing through the program I couldn't find anything else about the way the registration worked, so In the end I gave in and patched it.

    If anyone wants my "keygen" or pexdata.rdat decryption routines, then just ask and I'll email you the sources. I wrote them in C++ Builder 5.

Similar Threads

  1. CFF Explorer
    By Daniel Pistelli in forum Tools of Our Trade (TOT) Messageboard
    Replies: 5
    Last Post: June 12th, 2008, 17:14
  2. DisasMSIL and CFF Explorer
    By Daniel Pistelli in forum Blogs Forum
    Replies: 8
    Last Post: May 2nd, 2008, 05:20
  3. Explorer Suite III (CFF Explorer VII)
    By Daniel Pistelli in forum Blogs Forum
    Replies: 7
    Last Post: January 25th, 2008, 05:57
  4. CFF Explorer IV
    By Ntoskrnl in forum Tools of Our Trade (TOT) Messageboard
    Replies: 6
    Last Post: March 6th, 2006, 07:42
  5. CFF Explorer III
    By Ntoskrnl in forum Tools of Our Trade (TOT) Messageboard
    Replies: 2
    Last Post: December 6th, 2005, 07:35


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts