WinZip 8.0 - Messagebox

by Ignatz of stoicForce


Introduction

Hi,
First of all I want to remind you not to do any illegal things. If you do so it's your fault and I don't take any responsibility for any mad illegal thing you might do. Cracking software to use it beyond trial restrictions is theft and a crime. This text is just for educational purposes. But if you want to use the knowledge provided here for stealing or other illegal things then don't continue reading.
thanks
Ignatz


Needful things

Winzip 8.0
Regmon
RegEdit
WinDasm 32
Hiew
Sice

Find them at your local download section.

Looking for information

First of all we want to know as much as possible about our target. Therefore we start the registry monitor and check what interesting registry entries we find. We soon come across these two:
HKCU\Software\Nico Mak Computing\Winzip
and here
HKCU\Software\Nico Mak Computing\Winzip\Winini\Name
HKCU\Software\Nico Mak Computing\Winzip\Winini\Serial
This is just what we had in mind. The protection seems to be based on a usual name/serial combination stored in the registry. Now all we have to find out is how the two values are used in the register-evaluation process. Therefore it is useful to enter a fake name and a creative serial. Then let's fire up Sice and set the GetDlgItemTextA breakpoint. As we click on OK we break into Sice and press F5 so the program can read the second dialog item text. Now we want to step through the code and write down every interesting location (till we get to the nag), so we can examine it in the dead listing.
See what I found to be interesting:

:00407AA3 lea eax, dword ptr [ebp+FFFFFEC0] ~serial stored here
:00407AA9 push esi                          ~means easy sniff
:00407AAA push eax
:00407AAB call 004692D0                     ~checking call
:00407AB0 add esp, 00000010
:00407AB3 neg eax
:00407AB5 sbb eax, eax
:00407AB7 inc eax
:00407AB8 mov dword ptr [00489FDC], eax
:00407ABD jne 00407B27                      ~deciding jump
:00407AC0 lea eax, dword ptr [ebp+FFFFFEC0] ~will be replaced by a call

You will soon find out that this jump has to be taken in order to avoid the nag and look registered. To patch this program you'd just have to make sure that the jump is always taken (or just enter the serial). But I don't want to show you how to patch it this way, rather how to make a nice messagebox improvement using some free space in the program itself to display the correct serial. The nice thing about it is that we don't have to write our own keygen.

Messagebox enhancement

As you can see you always get a messagebox at the end of an unsuccessful registration try. We could now use this box for displaying the serial, but I want you to learn more, like adding API calls and stuff into an existing exe file. This will surely be useful if you want to write your own unpack routine for a packed program or other stuff.
This is what we are going to do:
1) find unused space in the exe
2) prepare a title and the serial for the messagebox
3) display the package
4) return to the normal program
Now for the work. Finding free space is always quite easy since C++ and Delphi, like other bloated linkers, produce a lot of useless code.

Messagebox addon

The free space is easy to find. Just scroll down a long way and you will find a section with all zeros. I decided to take this place for my message:
:0052BFDE
Now we have to find the perfect place to take over control and display the messagebox. I replaced the code just after the deciding jump, since that way the serial won't be displayed if you are registered.

:00407AB8 mov dword ptr [00489FDC], eax
:00407ABD jne 00407B27                      ~deciding jump
:00407ABF lea eax, dword ptr [ebp+FFFFFEC0] ~code to replace

I made it a call to the new code and a ret back to the program, but you can also make two jumps instead: one to the new code and one back to the program. Now let's have a look at what the code would look like in a high level language:

MessageBox(0, Key, "Your serial: ", MB_OK);

For asm we will first have a look at the API reference:

int MessageBox(
    HWND    hWnd,       // handle of owner window
    LPCTSTR lpText,     // address of text in message box
    LPCTSTR lpCaption,  // address of title of message box
    UINT    uType       // style of message box
);

This means the following to us: we have to push 4 values, the messagebox parameters, on the stack in the following order: uType first, then lpCaption, lpText, and hWnd last. MB_OK is 0, so we push a zero first. The hWnd is not interesting for us, therefore we also push a zero at the end. The address of the serial is [ebp+FFFFFEC0] and the lpCaption will be provided by ourselves; we just have to write it into the file, let's say at position 52C001. So it would now look like this in asm:

push 0       ; uType = MB_OK
push 52C001  ; Caption
sub ebp, 140 ; ebp+FFFFFEC0=ebp-140
push ebp     ; serial
add ebp, 140 ; restore value
push 0       ; hWnd

The last thing we now have to worry about is to execute the instruction we replaced by making the call to our code section, and then do a ret. This is all we have to do. Take a look at the rest:

lea eax, [ebp+FFFFFEC0]
ret

Done, that's all. So let's fire up Hiew and do the necessary adjustments.

Finishing

Let's get going. Go to the position at 52C001 (file offset 120001) and enter a string for the caption of the messagebox, like "here's your serial". Be sure to end the caption with 00, which marks the end of the string. Now go to this position: 0052BFDE (file offset 11FFDE); here we will put our new code. All we still need to know is where the messagebox resides. Therefore go to Win32Dasm and search for the string "messagebox". You will soon find something like this:

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:0040D54F FF1510744700            Call dword ptr [00477410]

Now we also know how to call the messagebox, so let's enter the code in Hiew. You can take a look at my stuff from my Hiew. That looks quite good already; all that's now left to do is to change the lea after the jne to a call to our routine so the thing is not ignored. We can do this easily:
call 12BFDE (+ base[400000] = 52BFDE)
and also one nop at the end, since the call instruction is one byte shorter than the lea instruction.
snapshot
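From the defender's side, the edit described in this section leaves a simple trace in the file: bytes written into a section's zero-filled slack, the region past a section's VirtualSize but inside its file-aligned SizeOfRawData, which is exactly the kind of "free space" chosen above. The following is an added example, not part of the original tutorial and not WinZip's code: it parses PE32 section headers, reports every run of non-zero bytes in that slack, and translates each hit from file offset to virtual address (the same offset-to-VA relation used above with the 400000 base). The sample image is constructed inside the code; header field offsets are the standard IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 and IMAGE_SECTION_HEADER layouts. It assumes a PE32 image (not PE32+) whose linker left the slack zero.

```python
"""Detect bytes written into PE32 section slack (constructed example, not WinZip's code)."""
import struct
from dataclasses import dataclass

FILE_ALIGN = 0x200      # file alignment used by the constructed sample image
IMAGE_BASE = 0x400000   # typical 32-bit image base; VA = base + section RVA + offset into section


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int


def parse_sections(pe: bytes):
    """Return (image_base, [Section, ...]) from an in-memory PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:               # Magic: 0x10B = PE32
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]          # ImageBase (PE32 layout)
    table = opt + size_of_optional                                   # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append(Section(name, vsize, vaddr, rsize, rptr))
    return image_base, sections


def find_slack_writes(pe: bytes):
    """Report runs of non-zero bytes in each section's raw slack.

    Slack is the file region between the end of the section's in-use data
    (VirtualSize) and the end of its file-aligned block (SizeOfRawData).
    A linker leaves it zero-filled, so anything non-zero there was written
    after link time.  Each finding carries the file offset and the VA the
    bytes map to, for cross-reference with a disassembly.
    """
    image_base, sections = parse_sections(pe)
    findings = []
    for s in sections:
        start = s.raw_pointer + s.virtual_size
        end = min(s.raw_pointer + s.raw_size, len(pe))
        run_start = None
        for off in range(start, end + 1):      # one past the end closes an open run
            in_run = off < end and pe[off] != 0
            if in_run and run_start is None:
                run_start = off
            elif not in_run and run_start is not None:
                findings.append({
                    "section": s.name,
                    "file_offset": run_start,
                    "length": off - run_start,
                    "virtual_address": image_base + s.virtual_address
                                       + (run_start - s.raw_pointer),
                })
                run_start = None
    return findings


def build_sample_pe(spec):
    """Build a minimal PE32 file image for the demo (constructed, not a real program).

    spec: list of (name, virtual_size, raw_bytes); raw_bytes is the whole
    file-aligned block of the section, so len(raw_bytes) is SizeOfRawData.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                          # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic = PE32
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    headers = dos + b"PE\0\0" + coff + opt
    raw_ptr, vaddr, bodies = FILE_ALIGN, 0x1000, b""
    for name, vsize, raw in spec:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               vsize, vaddr, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        vaddr += 0x1000
        bodies += raw
    assert len(headers) <= FILE_ALIGN
    return bytes(headers.ljust(FILE_ALIGN, b"\0") + bodies)


# Constructed sample: .text uses 0x100 of a 0x200 raw block, .data 0x80 of 0x200; slack is zero.
CLEAN = build_sample_pe([
    (".text", 0x100, b"\x90" * 0x100 + bytes(0x100)),
    (".data", 0x80, b"A" * 0x80 + bytes(0x180)),
])

# Constructed tampered copy: a 16-byte marker written 0x40 into the .text slack (file offset 0x340).
CAVE_OFFSET = FILE_ALIGN + 0x100 + 0x40
_patched = bytearray(CLEAN)
_patched[CAVE_OFFSET:CAVE_OFFSET + 16] = b"added after link"
PATCHED = bytes(_patched)

if __name__ == "__main__":
    print("clean:", find_slack_writes(CLEAN))
    for hit in find_slack_writes(PATCHED):
        print("patched: %s file offset 0x%X (%d bytes) -> VA 0x%X"
              % (hit["section"], hit["file_offset"], hit["length"], hit["virtual_address"]))
```

Some toolchains fill code padding with non-zero bytes, so a hit is an indicator rather than proof; in practice compare the report against a known-good copy of the same version (or simply hash both files). A call from .text whose target lands inside a reported slack run is the other half of the same indicator.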

Last words

That's it. This method will work very often if you are able to sniff the serial. Memorize it, since now you're really doing some changes to the program, not just a simple nop-out or stuff.
Enjoy,
yours truly,

                  Ignatz



© 1999-2010 by the stoicForce