//**cracking tut by alpine**//
//*****and******//
//**the immortal descendants**//
#4 05.1999

hello and welcome to a new adventure....

Target today is PowerZip with its lazy protection scheme. For experienced crackers this protection scheme wouldn't cause a lot of trouble, therefore this essay is for beginners.

what we need:
pzip          //download it from www.cnet.com or www.powerzip.lco.net
softice
wdasm or pc_offset to get the opcodes.
hex editor of your choice.

let's fetz (g.l.)

Regarding our target, we can find a box to register the program when we click on about/register. Probably you have noticed the time trial protection, but I'm not cracking it today, because using the program longer than 30 days has no effect.

Now enter a name and a fake serial; I used alpine and 1234565. Press register and you get a messagebox telling you to f**k off. Click on okay and then enter softice. Set a breakpoint on hmemcpy.
//i almost always use hmemcpy, because it works for nearly every target//

Exit softice and press register; you will be kicked back to softice. Now you have to press f12 till you reach the main exe file. By pressing f12 once again you will be in a windows dll, therefore press f12 once again and you will find yourself back in the main exe. Now we are close to our protection scheme. What I do to find the compare routine is to press f10 till I get the annoying messagebox telling me: wrong serial. You did it? You wrote down the call which triggered the messagebox?
Ok, then set a bpx on hmemcpy again and trace till you are at the following address, marked with *1:

:0041211D E830020100   Call 00422352
:00412122 3D14513035   cmp eax, 35305114               *1
:00412127 7507         jne 00412130
:00412129 B81E513035   mov eax, 3530511E
:0041212E EB0C         jmp 0041213C
:00412130 3D8883FF1F   cmp eax, 1FFF8388
:00412135 7505         jne 0041213C
:00412137 B89283FF1F   mov eax, 1FFF8392
:0041213C 8B4F64       mov ecx, dword ptr [edi+64]     *2
:0041213F 81F914513035 cmp ecx, 35305114               *3
:00412145 741C         je 00412163
:00412147 81F98883FF1F cmp ecx, 1FFF8388               *4
:0041214D 7414         je 00412163
:0041214F 3BC8         cmp ecx, eax                    *5
:00412151 7410         je 00412163
:00412153 6A00         push 00000000
:00412155 6A10         push 00000010
:00412157 686C274300   push 0043276C                   *6
:0041215C E861F90000   Call 00421AC2                   *7

Now what happens?:

*2 our fake serial number is moved to ecx.
*3 our number is compared to a real "static" serial number.
*4 the same as above.
*5 it is compared to eax. In eax the real serial number, generated from our name, is stored.

Now you will say: by typing d ecx I can't see my serial. Try to do a ? ecx and you will get your fake serial. Since our number is compared to two serial numbers which are always the same (*3, *4), you will have to do the same to see those two serials. For example at *3 do a ? 35305114 and you will get one right serial. At *5 do a ? eax and you will get the real serial based upon our name.

That's it.....

alpine
alpine@gmx.at

thanks to the immortal descendants
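The weakness at *1, *3 and *4 is that the valid serial is an immediate operand of the cmp, and at *5 it sits in a register, so a breakpoint on the compare reads it out. As an added example (not the tutorial's or PowerZip's code), here is a check in that shape next to a form that compares a digest of the entered serial instead, so the valid value never appears as an operand or in a register; the constants, function names and the choice of FNV-1a are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the immediates at *1, *3 and *4. */
#define WEAK_STATIC_SERIAL 0x11223344u

/* Shape of the listing: cmp reg, imm32 / jne. The valid serial is an operand
 * of the compare, so it can be read from the disassembly or from a register. */
int weak_check(uint32_t entered)
{
    return entered == WEAK_STATIC_SERIAL;
}

/* FNV-1a, 32-bit: non-cryptographic, used only to keep the example short.
 * A shipping product would use SHA-256 or verify a signature over the name. */
uint32_t fnv1a32(const void *data, size_t len)
{
    const unsigned char *p = (const unsigned char *)data;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* No early exit, so the count of matching bytes is not visible as timing. */
int ct_equal(const void *a, const void *b, size_t len)
{
    const unsigned char *x = (const unsigned char *)a, *y = (const unsigned char *)b;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= x[i] ^ y[i];
    return diff == 0;
}

/* Run once by the vendor, offline; only the digest ships in the binary. */
uint32_t provision_serial_digest(uint32_t valid_serial)
{
    return fnv1a32(&valid_serial, sizeof valid_serial);
}

/* Hardened form: digests are compared, so no immediate or register holds the
 * valid serial at the compare. The branch can still be patched; code integrity
 * is a separate problem this example does not address. */
int hardened_check(uint32_t entered, uint32_t shipped_digest)
{
    uint32_t h = fnv1a32(&entered, sizeof entered);
    return ct_equal(&h, &shipped_digest, sizeof h);
}
```

With a 32-bit serial the whole space is brute-forceable either way; the point of the digest form is only that the ? eax / ? imm trick from the essay no longer hands over the valid value.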