New 2 Cracking
~~~~~~~~~~~~~~

Tutorial Type  : Tutorial
Tutorial Topic : How To Get A Valid Serial When We Have No LStrCmp
Utilities      : W32Dasm / Debugger (I'll use the W32Dasm debugger) / WinZip 8.1 Beta
Music          : Lite Music, Bob Marley (again??) or some quiet music
Written by     : ParaBytes
Date           : Nov. 16th, 2001.
Remarks        : This tutorial assumes you have basic ASM knowledge; if you need the basic tutorials, come to me (the place to find me is at the bottom).
                 (You can get WinZip 8.1 Beta at www.WinZip.com > Download)

Ok, let's light up the fuse, what? err... *KA---BOOM* yeah. Let's start, where? In the beginning... ;)

When I met DeaL he asked me to help him crack WinZip 8.1 Beta. All WinZip versions from 6.xx to 8.xx use the same algo, so the key will be the same... but when I tried to crack this WinZip I didn't make it, because I used no tut. But when I helped DeaL I came up with a great idea! If the algo is:

    push name
    push serial
    call checkReg
    test al,al
    jz badboy!

let's get into checkReg, go to its end, and perform a backtrace 'till the place where al becomes 0 or 1.. So I said, it's f*****g useful! All the other tuts tell ya like: "run SoftICE, bpx GetDlgItemTextA, press F10 xx times, trace here, do that, d eax, what do you see?" I hate those things! The approach of "WHY PATCH WHEN SERIAL IS FISHY" is good, but hey, to crack you need the method, not the serial!! So, here I am writing this essay... waiting to finish, eating my pizza (mum is baking one! yumm!)

Ok, let's get to the exercise! Light up a ciggy (if you smoke..), open the CD player / MP3 player and put on your music.. Open WinZip, enter a name (ParaBytes / N2C Staff) and a fake code (3133705), click Register, write down the error message "Incomplete or incorrect information". Close WinZip, fire up W32Dasm, open winzip.exe, wait... sing some with your music, finished? Not yet... ohh? what? yeah.. finished!

Let's open the String Data References and seek the error message (String Resource ID=00654 "Incomplete.."). Click on it; we are at the place where the string is used. Click again (making sure the error message is used only one time). Good! Only used one time.. Now we scroll up a few lines and see the jump references, which say what offset has a jump to here and what kind of jump it is (conditional, like je/jg/etc, or unconditional, like jmp/jmp/jmp ;]). So we see 3 jumps, all marked (C)onditional... hmm... We are logical people, so we check the jumps starting from the last one, because when we check the last one we have the biggest chance of getting to the algo.. So, go to location 0040BDA8 - je 0040BDF7 - seeing that, we know that if we get a number<>0 it's a good thing, because we don't go to the badboy's place... Scroll up 2 lines and we see:

    0040BDA1 E831F9FFFF     call 0040B6D7
    0040BDA6 84C0           test al,al
    0040BDA8 744D           je 0040BDF7

So, at the end of this call we get a number in al; if it's 0 we get the badboy, else we get the goodboy! Let's execute the call (stand on it, the line is yellow, press the right arrow >). We are at the start; check a few lines up in the tutorial, we need the END of this procedure, so let's find the ret offset! Weeeeeeee aaaaaaarreeeeeee ssssssssccccrrrrrrrrooolllllllliiiiiiiiinnnnnnnngggggggg!! Phew! It's ended! Here we are:

    0040B8EF C3             ret

So, it's the end. Let's start the backtrace; now, backtracing is tracing the code backward.. hmmm...

    0040B8E3 A00DC04C00     mov al, byte ptr [004CC00D]

Here is where al is changed; now let's find what changes that memory address! Continue the backtrace..

    0040B8CD 80250DC04C0000 and byte ptr [004CC00D], 00

That means the byte at that address is ANDed with 0, which means it becomes 0! But we need the place where it's not 0! Keep on backtracing:

    0040B8C0 85C0           test eax,eax
    0040B8C2 7509           jne 0040B8CD
    0040B8C4 C6050DC04C0001 mov byte ptr [004CC00D], 01
    0040B8CB EB07           jmp 0040B8D4

That means that if eax=0 we get the badboy, else we get the goodboy!!! But wait a sec!!!!! Above the

    0040B8CD 80250DC04C0000 and byte ptr [004CC00D], 00

we see 2 conditional jumps; that was the first one (0040B8C2 7509 jne 0040B8CD), so where is the other? Go to the address it says (0040B8A8). Hmmm... scroll up some, we see again test eax,eax, but there is a call (the add esp,0000000C is to recalibrate the stack). So.. let's debug: break before the call and see what we are doing there! Fire up the debugger (Ctrl+L), run a couple of times; when WinZip is running, let's go to the offset just before the call offset:

    0040B89D 57             push edi

Enter the name you wish (ParaBytes / N2C Staff) and a fake serial, click Register, mmm... pizza :)~~ yeah, we smell pizza, but let's get back, we are very close to the end... Ok, we stopped; we see in the code window the offset with *BP near it, so we are there... Let's check what we pushed to the call: hmm yeah, push 00000004, we don't care; push eax; push edi. Let's check what is in edi (click on edi in the data window) - well, it's our badboy! Let's check eax - well... I see my serial, on 2 lines. Copy it in order: 57250127 (top line, and then the 2nd line). So we have a serial, let's see? Yeah! Match!! Good! Hooray! We are great crackers! We did it! We fished a serial! And learned a technique! Hooray!!!

Yeah, now calm down! Let's review what we got: when we have a call that takes our name/serial and returns 0/1, we should go to the end of the procedure and check where and why the number we get is 0/1, and how to get the other one. Good? Use it, enjoy it..

Now the best part - Ending Greetings:
~~~~~~~~~~~

DeaL, for making me write this tutorial
Anvile, for spell-checking my essays, here is a misstek for you.
Invoker, GinGer, PhANt0m, d4d0, ChibiHime, Anvile (again :)), the N2C Staff, all the ppl who come to #New2Cracking, we appreciate your support.
iNSiGHT crew, phrozen crew, c.i.a, all crackers, UnPacking Gods, thanks for many many things...
Bob Marley (yeah...), thanks for the great music!!!
Borland, thanks for Delphi.
tKC, THe-SAiNT, BuL-LeT, Bengaly, GodsJiva, comrade, all the people who read this / publish this tutorial.
ASTAGA, you are THE TTM ;)
All the people I forgot, or who made me like it... love ya all!

Contact Me:
~~~~~~~~~~~~

eMail : Lewsers@Hotmail.com
IRC   : EFNet > #New2Cracking Here! ;p

ParaBytes / Lewsers Inc.
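An added example, not part of the tutorial and not WinZip's code, looking at the "let's review what we got" lesson from the other side of the table: the reason a valid serial could simply be read out of eax is that the registration check computed the expected serial from the name and then compared the two, so the correct value had to exist in memory. The contrasting design below makes the serial a signature over the name that the product can only verify, never produce, because the private exponent is not shipped. All names (derive_serial, check_reg_weak, issue_serial, check_reg_signed) and the RSA parameters (p=61, q=53, so n=3233, e=17, d=2753) are constructed for illustration; the parameters are the textbook toy size and are not secure.

```python
import hashlib
import hmac

# --- The pattern the tutorial exploits: the program can derive the valid serial itself ---

def derive_serial(name: str) -> str:
    """Constructed toy generator standing in for any keygen logic that ships inside the binary."""
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**8).zfill(8)

def check_reg_weak(name: str, serial: str) -> bool:
    """Computes the expected serial, then compares: the valid serial is materialized in memory."""
    expected = derive_serial(name)   # this value is what sits in a register/on the stack at the compare
    # constant-time compare avoids timing leaks, but does nothing about the value being present
    return hmac.compare_digest(expected, serial)

# --- Hardened pattern: the serial is a signature over the name; the binary holds only the public key ---

# Constructed toy RSA parameters (textbook example, NOT secure): n = 61 * 53, phi = 3120
PUBLIC_N, PUBLIC_E = 3233, 17
_VENDOR_D = 2753   # private exponent: stays with the vendor, never shipped in the product

def _name_digest(name: str) -> int:
    """Hash the name and reduce it into the RSA modulus (assumed scheme for this toy)."""
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big") % PUBLIC_N

def issue_serial(name: str) -> str:
    """Vendor-side only: needs the private exponent, so this function is absent from the product."""
    return str(pow(_name_digest(name), _VENDOR_D, PUBLIC_N))

def check_reg_signed(name: str, serial: str) -> bool:
    """Product-side check: verifies a serial with the public exponent; cannot produce one."""
    if not serial.isdigit():
        return False
    sig = int(serial)
    if not 0 <= sig < PUBLIC_N:
        return False
    # No expected serial is ever computed here; only the hash of the name and a public-key operation.
    return pow(sig, PUBLIC_E, PUBLIC_N) == _name_digest(name)

if __name__ == "__main__":
    name = "ParaBytes / N2C Staff"
    print("weak check accepts generator output:", check_reg_weak(name, derive_serial(name)))
    issued = issue_serial(name)          # done by the vendor, off the customer's machine
    print("signed check accepts issued serial:", check_reg_signed(name, issued))
    print("signed check rejects the fake code:", check_reg_signed(name, "3133705"))
```

The point of the contrast is which functions the shipped binary contains: the weak design carries derive_serial, so the backtrace in the tutorial ends at a fully formed serial; the signed design carries only check_reg_signed and the public parameters, so the same backtrace ends at a hash of the name and nothing else. Neither design changes the single boolean that the caller tests with test al,al, which is why the tutorial's "why patch" question still applies; signing addresses serial recovery, not patching.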