Hello babes, I'm back with a new tutorial, with Winzip again, but now version 8 beta(3046). Now turn your resolution to 1024x768 for your convenience and start reading. But first you should check if you have SoftIce 3.25 and above installed with 32 breakpoints enabled. This can be done by removing the semicolons(;) from the EXP in winice.dat file.

        Ok, now we are ready. Load WinZip, press Enter registration code and put a random Name and Registration number. For example I'll use Mits and 12345.Don't press ok. Press Ctrl+D to pop up Softice and type bpx GetDlgItemTextA(A means 32 bit program).Press again Ctrl+d to leave.

    Now press the OK button. You'll see the SoftIce popping up due to a call to getdlgitemtexta. You'll see in the EAX register the number for. This is the length of our name and doesn't care us. Press F5 one time and you'll see in the EAX the value 5.Here we are. This routine reads our registration number. You'll see the following code:

:00407FDB FF1524744700     Call [USER32!GetDlgItemTextA]

:00407FE1 56                           push esi
:00407FE2 E866730300           call 0043F34D
:00407FE7 56                           push esi
:00407FE8 E889730300           call 0043F376
:00407FED 803D28CF480000 cmp byte ptr [0048CF28], 00
:00407FF4 59                           pop ecx
:00407FF5 59                           pop ecx
:00407FF6 7459                       je 00408051
:00407FF8 803D54CF480000 cmp byte ptr [0048CF54], 00
:00407FFF 7450                       je 00408051
:00408001 E81BAFFFF           call 00407A21  <- STOP HERE
:00408006 85C0                       test eax, eax
:00408008 7447                        je 00408051    <- Jump if not good

We're near the bitch serial. You stopped at 00408001 ?OK.

First registration number

Now trace into by pressing F8,and then press F10 58 times.When you reach 00407AF5 push esi you'll see above 00407AEF LEA EAX,[EBP-0140] the EAX register being blue. This means it changes, so type d eax and you'll see a number, which in our case is D8EC02AA,and generally is the right registration code and differs by name.

Now clear the bpx by typing bc * and press Ctrl+D. You'll see the invalid message box, but don't give a shit. Press Enter Registration Code again and fill in Mits and D8EC02AA.Hehe,it's registered now and forever.

           Second registration number

I truly don’t know and doesn’t bother me why WinZip generates two registration numbers. Anyway, let’s find where it is, but firstly you shall unregister WinZip, so as to play with the second way.

Unregistering WinZip: Open regedit by going to Start->Run->regedit and open the key HKEY_CURRENT_USER\SOFTWARE\Nico Mak Computing\WinZip\WinIni and delete the Name and SN entries and press F5 once to save changes.

Now, follow the same steps as in the first way and trace into the call you stopped before(:00408001 CALL 00407A21) by pressing F8 and then press F10 exactly 72 times. You’ll reach the address 00407B1E push esi you'll see above the 00407B18  LEA EAX,[EBP-0140] and the EAX register will be blue. So type d eax and you’ll see in the data window an other number. Type  bc * and press Ctrl+D to leave Soft Ice, ignore the error message and enter in the regcode box the number you saw. Registered again.

How to make WinZip accept any code!

Yes, you can make WinZip accept any code. First of all you make two copies of the winzip32.exe file. The one for backup and the other with extension .w32 for disassembling. Now open W32Dasm and disassemble the winzip32.w32 file. Remember the call 00407A21 ? Go to Goto-> Goto Code Location and type 00408001 and you’ll see the line :00408001 CC int 03 .Well, that's a program's trick so as we can't see the call. Nevermind, there is another way. Run Winzip again and try to register. When you are in the 00408001 E81BAFFFF           call 00407A21 trace into the call and then keep pressing F10 till you see.

:00407B81 E8FAF50500 call 00467180
:00407B86 A18CA14800 mov eax, [0048A18C] <= Too bad! 
:00407B8B 83C40C         add esp, 0C
:00407B8E 5F                   pop edi
:00407B8F 5E                   pop esi
:00407B90 5B                   pop ebx
:00407B91 C9                   leave
:00407B92 C3                   ret

Ok, now we know where to go. Return to W32Dasm and Goto 00407B86 and note the offset, it's 7B86 Now open the winzip32.exe with Hiew and in Decode Mode press F5 and enter 7B86 and change the A18CA14800 to A186A14800 and press F9 for update and <ESC> to exit. Now run winzip and enter random name and serial. Registered!

Note: Winzip makes a check in the beginning of the program to see if our registration number is correct, but it’s in the same routine, so we’ll be always ok, as we have made the program to return the right value. Thank God there’s not another routine for things to be more complicated for you newbies.

Thanks for reading this tut and I hope I'll write another some day in the future. For any questions you can reach me on EF-Net #cracking and #cracking4newbies, or on GR-NET in #cracking (that’s mine,hehe) with the nick iNFRA .

My e-mail is dmitspan@usa.net

Bye my friends.