Capture Professiona 3.16d for Win95

Hi,
  I'm gald to hear that the Hacker Club is comming back !
  Below are some information about Capture Professiona 3.16d


Name:           ANONYMOUS
COMPANY:        SELF
S/N:            C6-CH5-396-TGE

**** note ****  
After enter the s/n, if you found "a.bat" file under "c:\", you must delete
it. <-- correct ? I don't know !

Tools used: SoftIce, W32dsm89
Where to found the tools ? 
Answer: go to http://cracking.home.ml.org/ to found more information.



Craking Method:
  After disassembly the file, serach the following string,

    "The information that you entered "
    "is not correct.  Would you like "
    "to run Capture Professional as "
    "a demo?"
  
  Observe the disassembled code above, you found many call to "lstrcmpA",
    Here are the description of lstrcmp:
    -----------------------------------
        The lstrcmp function compares two character strings. The comparison is
case sensitive. 

        int lstrcmp(

                LPCTSTR  lpString1,     // address of first string 
                LPCTSTR  lpString2      // address of second string 
        );      
        Parameters
        ==========
                lpString1: Points to the first null-terminated string to be compared. 

                lpString2: Points to the second null-terminated string to be compared. 
        
        Return Value:
        =============
          If the function succeeds and the string pointed to by lpString1 is less 
          than the string pointed to by lpString2, the return value is
negative; 
          if the string pointed to by lpString1 is greater than the string
pointed
          to by lpString2, it is positive. If the strings are equal, the
return value is zero. 
  
  I think it may use this function to compare S/N, so we set a breakpoint to
  "lstrcmpA" inside softice. I found that it first compare the "NAME" with
NULL string,
  The second call is to compare the first field of S/N entered to "C6", the
third call is to 
  compare the fourth field to the correct password. I also found that the
correct fourth field
  is calculated from the 2nd, 3nd filed of S/N entered( maybe from
UserName, and Company 
  information entred also). After get the correct S/N, run the application
again, it exit 
  abnormally.( becuse I patch it before found the correct S/N). I don't
understand why ? 
  I think maybe the S/N is not correct, I try to calculated once more, but
the S/N is correct.
  
  So I use boundschecker to found out why it terminated abnormally, I found
it call 
  "WinExec" API, the parameter is "C:\A.BAT", the content inside is 
        "Deltree /Y c:\the installed directory"
   (I use Windows NT, so the directory will not deleted (why ?), if you use
Windows 95, 
    it will be deleted)

  I found out that you must delete the "A.BAT" after you enter the correct
S/N finally.

  **** If you patch the program, it will create the "A.BAT", but if you
enter the correct S/N,
       everything is OK !
 
by Anynomous