Basic Cracking Articles
Cracking Tutorial:

WinHacker 95 v2.0

Target : WinHacker 95 v2.0
Tools  : SoftIce v4.05, Hex Workshop v4.10

Well, after reading my section about MFC applications, what better way to continue than by attempting a program that uses MFC. Upon starting the target a huge dialog box pops up advising that only 20 days are permitted for evaluation. There is, however, a registration option asking for name, company and serial #. As it turns out, this program calculates an individual key from those two fields, but unfortunately the serial # is left in a register after a function call, which makes it easy to locate.

A disassembly listing reveals that mfc42.dll and msvcrt.dll are being used; note also that wh95.dll is imported (this is a non-standard dll supplied by the program author, and authors sometimes hide serial # routines in such dlls). A quick look at the string references (stringRef's) yields these details.

* Reference To: MFC42.MFC42:NoName0335, Ord:021ch

:0041933C E8E5D40000 CALL 00426826

* Possible StringData Ref from Data Obj -> "Invalid Serial Number!"

So we can see where bad numbers end up, but I couldn't actually find anything nearby that really looked like the good-guy code, so when you start cracking this you know only that the program must avoid 0041933C. Let's set a breakpoint on our standard functions just to see what happens. In this instance GetWindowTextA works well; most of the time you will not be so fortunate and will have to use Hmemcpy.
So, 3 boxes need to be read into memory. Perform the necessary actions in SoftIce and you should see this:

CALL [User32!GetWindowTextA]
MOV ECX,[EBP+10]
PUSH FF

This code actually turns out to be in mfc42!text+....., so you need to step around 5-6 instructions until you find yourself in wh95.exe. Remember your tactics and stay calm as you step: you will briefly go back into mfc42 again during the stepping process, but eventually you will reach the following.

CALL EDI          ; the last function before the test/jz sequence to the bad serial #
NEG EAX
SBB EAX,EAX
POP ECX           ; pop ECX off the stack (the good serial # is now in ECX)
INC EAX           ; increment EAX
POP ECX
TEST AL,AL        ; test AL for 0
JZ 00419333       ; jump if AL=0

Now trace into the CALL EDI with F8 and you will find this fragment. It looks as if the code was actually calculated in a previous function call; this function compares certain values of your serial # with the correct code.

MOV ESI,[EBP+18]  ; ESI holds the number you entered
MOV EAX,[EBP+14]  ; EAX holds the good serial #

For interest, you may like to investigate the earlier function calls and see if you can work out how the serial # is calculated. I've written an addendum here because this crack is really just "find the serial # and run". The functions you step through seem to work like this:

In mfc42.dll the call at 5F4028B8 leaves the serial # you entered in ECX. Then, in the WinHacker executable, the call to 0042682C is made 3 times; it seems to set up the strings pushed as parameters to the message box (time-trial etc.). The function at 00426820 is then called twice; it just checks whether you actually entered something in the Name & Company dialogs. The calculation routine is at 004193CD and tracing it is painful: it calls at least 5 other functions and is a misery to work out. It seems to work on the basis that "if the desert's big enough you'll never find what you are looking for", so skip over it and save yourself the hassle.

The final call before the call EDX compare is at 004268F2; you can trace this one and find the correct serial # as well, as it is placed in EAX. If you are going to make a general-purpose crack, it is much easier to push the good serial # as a parameter to the error message in call 00424CB4 than to work out the key generator. The code itself gets written to a file, wh95.dat, in the Windows directory.
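The design flaw this tutorial leans on is general: the product computes the correct serial itself and compares it against what the user typed, so the good value is sitting in a buffer or register at the compare, and the derivation that ships in the binary is all anyone needs to mint serials. The following C example is added here and is not WinHacker's code; its name/company mixing (FNV-1a) and its RSA parameters (p=61, q=53, so n=3233, e=17, d=2753) are toy values chosen so the numbers fit on the page. It shows that weak pattern next to a signature-based check, where the program never computes the expected serial and holds only the public half of the key.

```c
/* Added example (not WinHacker's code).  Two registration-check designs:
 * the pattern this tutorial breaks, and a signature-based alternative.
 * The serial derivation and the RSA parameters are toy values chosen so
 * the arithmetic is readable; they are not any product's real scheme. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a product's name/company mixing: FNV-1a over "name|company". */
static uint32_t mix_name_company(const char *name, const char *company)
{
    uint32_t h = 2166136261u;
    const char *parts[3] = { name, "|", company };
    for (int i = 0; i < 3; i++)
        for (const char *p = parts[i]; *p; p++) {
            h ^= (uint8_t)*p;
            h *= 16777619u;
        }
    return h;
}

/* Pattern 1: the product computes the good serial and compares it to the
 * input.  At the strcmp the correct value sits in good[] and in whatever
 * registers the compare uses, which is exactly what the tutorial reads off
 * with SoftIce; and because the derivation ships in the binary, the
 * product contains everything needed to produce a serial for any name. */
int check_weak(const char *name, const char *company, const char *entered)
{
    char good[16];
    snprintf(good, sizeof good, "%08X", (unsigned)mix_name_company(name, company));
    return strcmp(good, entered) == 0;
}

/* Demonstrates the point above: derive the serial the same way the product
 * does and confirm that check_weak() accepts it. */
int weak_accepts_derived_serial(const char *name, const char *company)
{
    char derived[16];
    snprintf(derived, sizeof derived, "%08X", (unsigned)mix_name_company(name, company));
    return check_weak(name, company, derived);
}

/* Pattern 2: the serial is a signature over the name/company hash.  The
 * product holds only the public key (TOY_N, TOY_E); TOY_D stays with the
 * vendor.  Textbook RSA with p=61, q=53: a 12-bit modulus is brute-forced
 * in microseconds and is used here only so the numbers fit on the page. */
#define TOY_N 3233u
#define TOY_E 17u
#define TOY_D 2753u   /* vendor-side private exponent, never shipped in the product */

static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint64_t r = 1, x = base % mod;
    while (exp) {
        if (exp & 1) r = r * x % mod;
        x = x * x % mod;
        exp >>= 1;
    }
    return (uint32_t)r;
}

/* Vendor side: issue a serial for a purchaser. */
uint32_t vendor_issue_serial(const char *name, const char *company)
{
    uint32_t h = mix_name_company(name, company) % TOY_N;
    return modpow(h, TOY_D, TOY_N);
}

/* Product side: verify the serial.  The expected serial is never computed,
 * so there is no good value to lift from a register at the compare, and the
 * verifier holds nothing that produces a serial for a different name. */
int check_signed(const char *name, const char *company, uint32_t serial)
{
    uint32_t h = mix_name_company(name, company) % TOY_N;
    return serial < TOY_N && modpow(serial, TOY_E, TOY_N) == h;
}

int main(void)
{
    /* constructed sample input */
    const char *name = "Alice Example", *company = "Constructed Ltd";
    uint32_t serial = vendor_issue_serial(name, company);
    printf("weak check accepts the derived serial: %d\n",
           weak_accepts_derived_serial(name, company));
    printf("signed serial %u verifies: %d; serial+1 verifies: %d\n", serial,
           check_signed(name, company, serial),
           check_signed(name, company, (serial + 1) % TOY_N));
    return 0;
}
```

Two caveats for anyone applying this defensively. First, a signature-based serial only closes the two avenues shown in the tutorial (reading the good value out of a register, and lifting the derivation to build a key generator); it does nothing against the other technique the tutorial ends on, flipping the conditional jump after the compare, so a real product also has to care about where and how often the result of the check is consumed. Second, the 12-bit modulus here is for illustration only; a shipping scheme uses a real signature algorithm and key sizes, and the licence it writes to disk (the equivalent of wh95.dat) should be re-verified on load rather than trusted because it exists.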
