Obtaining a valid Winzip 9.0 serial
By Enforcer

Target: Winzip 9.0
Tools used: W32Dasm, OllyDbg (http://www.grinders.withernsea.com/tools/odbg109d.rar)

Disclaimer: If you like a program then you should pay for it to help support the developer and to encourage further development. This tutorial is intended for educational purposes only.

In this beginner's tutorial I'll show you how to get a valid serial number for Winzip 9.0.

Open up Winzip and you will see the nag screen thanking you for trying out Winzip and giving you the option to register. Click Enter Registration Code, then enter any name and serial number and click OK. We get the error message "Incomplete or Incorrect information"; this is the string we will search for with W32Dasm.

Open up W32Dasm and disassemble Winzip (Winzip32.exe). When W32Dasm has finished disassembling, go to Search -> Find Text and search for "Incomplete or Incorrect information" (without the quotes). The place in the program that W32Dasm takes us to is likely to be where the "Incomplete or Incorrect information" error message is displayed. Just above it is this code:

--------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D306(C), :0040D30F(C), :0040D318(C)
--------------------------------------------------------------------------------

This shows that this area of code is jumped to from three different locations, which could mean there are three serial checks. Two of them don't have to check the serial at all: they could check the integrity of the file and just display the incorrect-serial message if the file has been altered (cracked). In fact none of them need be a serial check; some programs use decoys to waste the cracker's time. Anyway, we're just here to get the correct serial, not to completely reverse engineer Winzip. Let's take a look at the first code location which jumps to the code that displays the error message: go to code location 0040D306.
The first thing I notice is that there is a call to GetDlgItemTextA; scroll up and you will see another one. Hmm, two calls to GetDlgItemTextA and two boxes to enter information (Name and serial number). Let's look up this function in MSDN (if you don't have the CD go to http://msdn.microsoft.com).

code:
--------------------------------------------------------------------------------
UINT GetDlgItemText(
    HWND hDlg,          // handle of dialog box
    int nIDDlgItem,     // identifier of control
    LPTSTR lpString,    // address of buffer for text
    int nMaxCount       // maximum size of string
);
--------------------------------------------------------------------------------

Function arguments are pushed onto the stack in reverse order before a function is called, so in Winzip we have this:

code:
--------------------------------------------------------------------------------
:0040D2DD 6A0B           push 0000000B        ; maximum length of string (11 bytes)
:0040D2DF BEB8E04D00     mov esi, 004DE0B8
:0040D2E4 56             push esi             ; place where the serial we entered is stored
:0040D2E5 68810C0000     push 00000C81        ; the control ID
:0040D2EA 53             push ebx             ; the handle of the dialog box (not important to us)

* Reference To: USER32.GetDlgItemTextA, Ord:0113h
|
:0040D2EB FF15A0C54B00   Call dword ptr [004BC5A0]
--------------------------------------------------------------------------------

Open Winzip32.exe in OllyDbg and once it has loaded press Ctrl+G to open the Go To Expression box; in that box type 0040D2EB (the address where GetDlgItemTextA is called to get the serial we entered). Click the line just below the call to GetDlgItemTextA so that it is selected and hit F2 to place a breakpoint at that address. Now hit the play button, or go to the Debug menu and select Run; Winzip opens and displays the nag screen. Click the Enter Registration Code button. I'll enter the name Enforcer and in the Registration # box I'll just put 1212121212; you can put whatever you want.
Now hit OK, and this time instead of displaying the error message OllyDbg pops up. Notice in the Registers window on the right that esi points to "1212121212" and edi points to "Enforcer" (unless you entered a different name/serial). Select the number next to esi in the Registers window, then right-click it and select Follow in Dump; the memory dump window at the bottom changes to display the serial. In the memory dump window select the first character of the serial (in my case "1"), then right-click it and select Breakpoint -> Memory, on access. Now click the play button again; Winzip will run until it accesses the memory where the serial is stored.

Winzip is going to use the name I entered to generate a serial and then compare it to the serial we entered. We're going to take a guess that when Winzip compares the entered serial to the correct one, the addresses of both will be in registers. If you look at the registers after we hit the breakpoint you will see the serial you entered and the name you entered, but so far no correct serial, so keep pressing the play button until you see the serial. After we press it a few times we see this in the Registers window:

esi 0012EDC0 ASCII "566F0BBA"

If you entered something different in the Name box then the serial will be different. Write it down, or use Follow in Dump and then copy it to the clipboard from the memory window.

I hope you enjoyed this tutorial.
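As an added illustration (not part of the original tutorial, and not Winzip's code or algorithm), here is why the memory breakpoint above lands on a usable serial, and the pattern a developer would use instead: the weak check derives the expected serial into a buffer and compares it with the input, so the valid serial is in memory at the moment of comparison; the hashed check compares a digest issued with the licence, so no valid serial is ever generated at check time. The serial derivation and the FNV-1a hash are constructed stand-ins for the example only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Chained FNV-1a so several strings can be fed in. Illustration only: a real
 * product would use a cryptographic hash (e.g. SHA-256) here. */
static uint32_t fnv1a(uint32_t h, const char *s) {
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Constructed stand-in for "derive the serial from the name". This is NOT
 * Winzip's algorithm; it only exists to show the weak check pattern. */
void derive_serial(const char *name, char out[9]) {
    snprintf(out, 9, "%08X", (unsigned)fnv1a(2166136261u, name));
}

/* Weak pattern, the one the tutorial walks through: the expected serial is
 * written into a buffer and compared with what the user typed, so when the
 * comparison runs the valid serial sits in memory next to the input. */
int check_weak(const char *name, const char *entered) {
    char expected[9];
    derive_serial(name, expected);
    return strcmp(expected, entered) == 0;
}

/* Digest the vendor issues together with the licence (constructed scheme). */
uint32_t issue_digest(const char *name, const char *serial) {
    return fnv1a(fnv1a(fnv1a(2166136261u, name), "\x1f"), serial);
}

/* Hardened pattern: no valid serial is generated at check time. The program
 * hashes name + typed serial and compares the single-word digest with the one
 * stored in the licence record, so a memory breakpoint on the input buffer
 * only ever shows the hashing loop, never a serial that would be accepted. */
int check_hashed(const char *name, const char *entered, uint32_t stored) {
    return (issue_digest(name, entered) ^ stored) == 0;
}

int main(void) {
    char serial[9];
    derive_serial("Enforcer", serial);                 /* vendor side */
    uint32_t stored = issue_digest("Enforcer", serial); /* shipped in licence */
    printf("weak, wrong serial:   %d\n", check_weak("Enforcer", "1212121212"));
    printf("hashed, right serial: %d\n", check_hashed("Enforcer", serial, stored));
    return 0;
}
```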