|
How to crack HoTMetaL Pro 4 Evaluation |
Programmers | |
 |
|
|
| fra_00E1 980204 Fallen 1100 PC XX | when I ran the program everything worked fine until I tried to create a new document or load an existing HTML document. It would THEN give me a message about a corrupted rules file Bravo Hotmetal... that's the right way... only, s'il vous plaît, may be a little better implemented next time. Enjoy! |
|
I'm still new to cracking, and this is my first attempt at an essay, so
forgive me if I seem a little bad at it. I have cracked numerous DOS and
Windows programs, a lot of them I was able to locate a password in memory,
and I've done a few Nag screen/Time Trial schemes also.
This one however, I found very interesting, and fun!
PART 1:
When you first run HoTMetaL Pro you will see a message box saying
something about file date inconsistencies, after this there will be
a Dialog Box that will not allow you to close it for an agonizing
amount of time. Then it will run the program.
Well, first lets find out where this NAG screen comes from.
Once the OK button became enabled I popped into S-ICE and checked
the window handle list.
I placed a breakpoint on that handle for the message wm_destroy:
BMSG Handle_you_ll_get_on_your_own_machine WM_DESTROY
Now get back out of S-ICE and hit the OK button.
You should pop into S-ICE somewhere in USER, if I remember right, now
disable the breakpoints and press F12 a few times until you end up
in a DLL that the name begins with EFY???? where the four question
marks represent four numbers. This is where our protection scheme
lies, but don't get excited, it's not that simple.
The first time I tried to crack this, I removed the call to this
DLL and eliminated the Time Protection, Nag Screen and a MessageBox
that pops up about file date inconsistencies all at once.
However, when I ran the program everything worked fine until I
tried to create a new document or load an existing HTML document.
It would then give me a message about a corrupted rules file.
So back to the cracking board.
If you search your hard drive for a matching DLL you will find that it
exists in the system temp directory, usually C:\WINDOWS\TEMP, and that
the four numbers at the end change every time you run the program.
Hmmm... this could be a problem, nah not really.
I came to the obvious conclusion that this DLL was created by HMPRO4.EXE
every time the program was run. Now to figure out how to alter the code
it writes. For this I used BoundsChecker to find out how it creates the
file. I tried using SmartCheck at first but for some reason it would
crash every time I tried to run it in SmartCheck, so I used BoundsChecker.
I loaded it up in BoundsChecker and watched for the function CreateFile.
I'm not going to get specific about BoundsChecker, but I found the portion
of code where it created the DLL and looked above that for the ReadFile
function.
I found that it loaded it's information from a file named ASDFLKJH.IUY this
is disguised to look like a temporary file, but it's not.
After examining this file you will see that this file is the DLL in an
encrypted format.
So our problem lies here. How do we decrypt it, crack it, and re-encrypt
it. No need, a simpler way exists.
The method I used of locating these functions in SoftICE may seem
lengthy, but I wasn't having any luck using the addresses I retrieved
from BoundsChecker.
The first thing I did was set a breakpoint on LoadLibrary. I could see
from my BoundsChecker listing that this was the first DLL that HMPRO4.EXE
loads so of course we need to break on the first LoadLibrary and look at
the code above it to see what we need.
This is what I ended up with:
:00422A37 push 006309C8 - This address holds the name of the DLL to load
* Reference To: KERNEL32.LoadLibraryA, Ord:0021h
|
:00422A3C Call dword ptr cs:[0065032C] - and of course this loads it.
If you look up from this segment of code you will see this:
* StringData Ref from Data Obj ->"asdflkjh.iuy" - This is the name
of the encrypted DLL.
|
:00422A0F mov edx, 005D537C - The address of the encrypted DLL filename.
... - Unimportant code. - Removed
:00422A27 call 004227E8 - This call is shown below, it creates the
new DLL file.
The call from above ^.
:004227E8 - Code to open the encrypted DLL,
read it into memory and then
close the handle.
:004228CE call 00411520 - This call decrypts the file!
This is what we need to eliminate for this crack.
Code to write the
un-encrypted DLL to a file. - Removed
The point of the above section of the essay is to allow us to work with
an unencrypted protection DLL. How? you may ask! Well, here's how we do it:
1. Run HoTMetaL Pro and let the Dialog Box pop up.
2. Make a copy of the efy????.dll file from you windows\temp directory
and place it in your HoTMetal Pro directory.
3. Rename it to the encrypted DLL file name, ASDFLKJH.IUY
4. Now patch HMPRO4.EXE at address 004228CE to eliminate the call that
decrypts the DLL. You choose your own method.
Well, I believe the point of this is self evident.
We can now crack the file ASDFLKJH.IUY as a DLL and patch it accordingly.
Since all of the protection scheme (ie. The messagebox about file date
inconsistencies, Nag screen, and time protection) exist in ASDFLKJH.IUY,
that will be the target of the remainder of this essay.
Part 2
The remainder of this crack is very simple.
My first trip through, I patched the file ASDFLKJH.IUY in two places,
once to eliminate the message box and Dialog Box, and another
to eliminate the time protection.
However, writing of this essay, I found that if you apply the following
patch, it eliminates both.
If you patch the time check call with this code:
:01D91BC6 XOR EAX,EAX
:01D91BC8 RET
It will prevent the program from exiting after March 1, 1998 and will
also eliminate the messagebox and DialogBox Nag screens.
homepage
links
search_forms
+ORC
students' essays
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_fravia+
Is reverse engineering legal?