HOW TO CRACK EVERY PROGRAM THAT USES THE MSVCRT._mbscmp FUNCTION
TARGET : WINHACKER v2.02 http://www.winhacker.com/
The first time you load WINHACKER it will ask you to fill in the registration, so let's fill it in with +OCHE SATRIANI as NAME, EROTOMANIA as COMPANY and 5150 as the SN#. If you click the register button a stupid message saying 'INVALID SERIAL NUMBER .........' will pop up. Now it's very easy to continue, because we already have the stupid string, which is very useful for W32DASM. Go to String Data References and double click that stupid message! What now.......? You must find the conditional jump to the stupid message; in my case it is at offset 0041858C, and right before the jump there's a CALL into msvcrt.dll. The protection uses the MSVCRT function to compare the REAL SN# with the wrong SN#, so once we have located the protection routine it's very easy to find the REAL SN#, because this mbscmp function always receives the address of the REAL SN# as a parameter, and if we dump memory at that address we will find the REAL SN#. Very quick, isn't it!

* Reference To: MSVCRT._mbscmp, Ord:0154h
:00418574 8B3D44524400   mov edi, dword ptr [00445244]   -----> mbscmp func address
:0041857A C645FC03       mov [ebp-04], 03
:0041857E FF75EC         push [ebp-14]                   -----> SAVE THE REAL SN# ADDRESS
:00418581 FFD7           call edi                        -----> CALL _mbscmp
:00418583 F7D8           neg eax
:00418585 1BC0           sbb eax, eax
:00418587 59             pop ecx
:00418588 40             inc eax
:00418589 59             pop ecx
:0041858A 84C0           test al, al
:0041858C 7448           je 004185D6                     -------> JUMP to Invalid Serial Number!
Inside, the mbscmp function looks like this:

Exported fn(): _mbscmp - Ord:0155h
:78005D66 A104030478     --------------------
:78005D6B 53             --------------------
:78005D6C 55             --------------------
:78005D6D 33ED           --------------------
:78005D6F 56             --------------------
:78005D70 3BC5           --------------------
:78005D72 57             --------------------
:78005D73 0F853E3D0000
:78005D79 8B742418       mov esi, dword ptr [esp+18]     ------> OUR CODE
:78005D7D 8B442414       mov eax, dword ptr [esp+14]     ------> REAL SN#

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:78005DA3(C)
|
:78005D81 8A10           mov dl, byte ptr [eax]          -----> REAL SN# to DL
:78005D83 8A1E           mov bl, byte ptr [esi]          -----> OUR CODE to BL
:78005D85 8ACA           mov cl, dl
:78005D87 3AD3           cmp dl, bl                      -----> compare them
:78005D89 7521           jne 78005DAC
:78005D8B 84C9           test cl, cl                     -----> FINISHED? (end of string)
:78005D8D 7427           je 78005DB6                     -----> if not, point to the next char:
:78005D8F 8A5001         mov dl, byte ptr [eax+01]
:78005D92 8A5E01         mov bl, byte ptr [esi+01]
:78005D95 8ACA           mov cl, dl
:78005D97 3AD3           cmp dl, bl
:78005D99 7511           jne 78005DAC                    -----> compare them

The jne 78005DAC instruction is the jump that gets out of the CALL EDI (the mbscmp function) as soon as one character differs.
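As an added example (not code from this tutorial or from WINHACKER), here is the weak pattern the tutorial relies on, written in C beside a hardened form: the weak check hands the real serial to a library string compare, so it sits in process memory and its address is pushed as a parameter exactly as shown in the listing above, while the hardened check only ever holds a digest of the serial. The placeholder serial, the function names and the use of FNV-1a as a stand-in for a real cryptographic hash are all assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed placeholder serial; stands in for the product's real SN#. */
static const char REAL_SN[] = "5150-EXAMPLE";

/* Weak pattern (what the tutorial exploits): the real serial is a plaintext
   string in the binary and its address is pushed as an argument to a library
   compare, the role _mbscmp plays in the target above. Anyone breaking on
   the call reads the serial straight from the parameter. */
int check_serial_weak(const char *entered)
{
    return strcmp(entered, REAL_SN) == 0;
}

/* 64-bit FNV-1a. Used only so the example runs stand-alone; a shipping
   product would use a cryptographic hash, or better a signed licence blob. */
static uint64_t fnv1a64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; ++s) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Branch-free equality: the compare itself never exits early, unlike the
   byte-by-byte loop in _mbscmp above, which stops at the first mismatch. */
static int ct_equal64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)(1 - (d & 1));
}

/* Hardened pattern: the binary embeds only expected_digest (computed at
   build time), so no string compare ever receives the real serial's address
   and there is nothing to dump at the parameter. */
int check_serial_hardened(const char *entered, uint64_t expected_digest)
{
    return ct_equal64(fnv1a64(entered), expected_digest);
}

/* Build-time step, exposed here so the hardened check can be exercised. */
uint64_t serial_digest_for_build(const char *serial)
{
    return fnv1a64(serial);
}
```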
That's all guys, I hope you understood most of it, and if you find some other progs that use the MSVCRT._mbscmp function for their PROTECTION then from now on you can find the SN# in a few seconds. BYE!
OE'97 ITS 4397100xxx
oche_satriani@start.com.au
oblek@start.com.au