(Windows95 registry cracking)
by Epic Lord
Courtesy of Fravia's page of
Well an interesting document from our friend EpicLord... the
reversing approach used here is so good that it will 'hold' for many
months (a terrible long time on the web)...
See? I was right! Have a look at ml_am's new
cracking of Homesite version 3, for instance!
HomeSite Secrets by: Epic Lord
Version 2.5 Pre-Release - March 9, 1997 Copyright 1997 by Nick Bradbury
This document is a kind of beginners guide for getting rid of some ugly
features of a cute nice program. The level of the essay is low enough for
any windows95 (disaster) user to grasp.
The informational value of the essay lies in the fact that it is the first
(at least I've known) one on windows95 registry cracking.
The tools which were used here can be found on the web, without any difficulty.
Homesite 2.5 seems to me (IMHO) a very nice and useful program for editing
web pages. It enables the user to edit multiple pages of a(n) homesite
concurrently. Facilitates to edit the whole web site without loosing
individual pages' information.
Both an internal and an external browser facilitates WYSWYG and the
browsers are user definable.
And so and so... A very nice program. Little bit clumsy (written in
Delphi). However, it is not freeware :-(. It has some nifty features which
force the user to register. Here comes the explanation (and solutions) of
1. Usage count
The applications counts how many times it is used. When the counter reaches
some maximum number (50 in this case), it does something unwishful :-).
After analyzing all the files, it appeared that the count was stored in the
registry. Binary comparison (open registry, export to a file and close; use
the regedit.exe, located in windows directory) of two exported registry
photographes showed that the value is in
The value userinfo takes is the ASCII representation of the usage count.
Ex: for 7 times, ASC 7 is written. Therefore, clearing the value of
"Userinfo" (by simply deleting it in the registry editor) will reset the
usage count to 2 (guess why).
Anyway, by changing the value, it will be possible to use the program
By the way, sure, by deleting the whole key (userinfo), the usage counts
will be reset to zero.
A wonderful utility called registry monitor (by Mark Russimowich & Bryce
Cogswell) can be very useful for tracing the registry calls.
The required codecrack can be pinpointed by locating RegsetvalueExA.
Beware, this is an advapi32.dll function. You must import advapi.dll to
your favorite debugger:-)
Let's have a weak crack:
:0045CB06 8B45FC mov eax, [ebp-04]
:0045CB09 50 push eax
:0045CB0A 56 push esi
:0045CB0B 6A00 push 00000000
:0045CB0D 8BC7 mov eax, edi -> here.
patch it with move eax,eax
this patch will deform the userinfo registry key.
Program is always used 1 time.
:0045CB0F E8506FFAFF call 00403A64
:0045CB14 50 push eax
:0045CB15 8B4304 mov eax, [ebx+04]
:0045CB18 50 push eax
* Reference To: advapi32.RegSetValueExA, Ord:0000h -> patched.
no more counter increase
:0045CB19 E82E8BFAFF Call 0040564C
:0045CB1E 85C0 test eax, eax
:0045CB20 7423 je 0045CB45
:0045CB22 897DF4 mov [ebp-0C], edi
The crack above is a quick and dirty one. By changing the value, we
distorted the name of the registry key (namely userinfo) and the program
does never able to read its value correctly.
However, by totally eliminating the call at 0045CB19 with nooping and
moving 0's to eax will do the same more gently. :-)
By the way, I could not pinpoint the counter cause the program always uses
2.The Nag Screen
Homesite does employ a very boring nag screen scheme. It not only appears
at the beginning, but also at the end; politely :-) reminding you to
Interestingly enough, I happened to own :-) a cracked version of UrSofts
WDasm7.0 Demo. It is a nice windows95 disassembler and not a Demo anymore.
The related documentation can be found at http://www.mygale.org/01/Fravia.
Of course I disassembled the file [Homesite.exe]. Why? because all the
string references were in it (uh! which references? such as "you may
I found nothing while analyzing the listing of the file. No menu
references, no dialog references no nothing. Just plain assembler and some
ugly jumps. Smart programmer. Used Borlands 32 bit C++ compiler instead of
ugly Micro$oft's C garbage compilers (sorry, it was Borland's Delphi, not
C++, that's why the references were indirect, errare humanum est).
Seems that the programmer (or the compiler) keeps all the necessary data in
data segment, and uses them with direct absolute addressing, when
So, there comes the Borland's Resource Workshop (a must be utility for
better code :-. Can be found at the Reverse Engineering HQ. However,
Delphi's resource compiler slightly differs from the early ones. So
couldn't get rid of the whole nag screen (was my first aim).
By the way, be careful. Analyzing the code under a debugger shows that the
nag screen is activated through a "sendmessage" event to the child window;
very difficult to trace.
3.The Registration Code
Well, here comes the cream from the crop. All the story above was just for
heating. Now the registration code comes.
Analyzing the registry calls of the program shows that it looks for a key
"Registration" under Homesite section of HKEY_CURRENT_USER;SOFTWARE. Regmon
clearly shows that the key is "NOTFOUND".
Under the key, the program also looks for two string values, a "User" and a
"Reg No" Guess why.
Well, lets create the key "Registration" and two string values under it,
namely "User" and "Reg No". Fill the value of "User" with "Epic Lord" ie.
and fire winice.
If you don't know how to edit the registry :-( use "regedit.exe" under your
The important thing is understanding the registry calls under advapi32.dll.
The standard 16 bit calls are already under kernel.dll. These are 32 bit
calls, generally ended with ExA (RegQueryValueExA, RegSetValueExA etc). The
documentation is pure and simple (can be found using any winapi help) because
the call parameters are in ASCII (ds:di) and in Integer.
With all the information, lets put an expert breakpoint with winice3 (see +ORC's
bpx RegQueryValueExa If (*edi>='User') do "dd *edi"
1. stop while executing advapi32.RegQueryValueExa
2. where the contents of EDI >= 'User'
3. and dump the contents of memory
EDI points to the name of the key and/or the name of the string value.
Therefore, after 4 breakpoints, you will land a place, where all your
information appears: your name, your false registration number (if any) and
your real registration number. This is registration key checking from win95
User : Epic Lord
Reg No: 160093435806
Just hear the echo. Thank you +ORC and people who distributes the all
necessary manuals, info and tutorials.
Epic, May 6th 97
(c) EpicLord All rights reversed
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Is reverse engineering legal?