Tutor    : Ordoc Data
Wrote    : January 3, 1999 (Started working on it late December but never finished hehe)
Editor   : An NFO Viewer (wordwrap) *Notepad is fine if u don't wanna see the neat ASCII Art :)*
Who      : Beginner to Intermediate
Greets   : Harlem, WLW, #cracking4newbies (ytc_ specially for helping me with this.)
Target   : GodeZip v2.0 (c) DegSoft (ftp://ftp.simtel.net/pub/simtelnet/win95/compress/godzipv2.zip)
Size     : 320kb
Rev Date : 12/10/98

Welcome to my second tutorial, it will be a bit more in depth than my first. This programmer must have been on crack as you will see in a sec. Also this is a weird protection because the reg code compare loop isn't inside a call.

First run GodeZip. Now you're saying "wtf? there's no Help/About". Like I said the programmer is on crack. Click the upper left icon of GodeZip. Go to "About". Then another box will pop up, click the ".click." button to register. Enter your license number and your corresponding code (they both have to be 7 digits [I used 1234567 and 7654321]). Now before you click OK, Ctrl-D into SoftICE and set a breakpoint on GetDlgItemTextA (bpx GetDlgItemTextA). Ctrl-D back to the program. Click OK. Like magic you're back in SoftICE. Hit Ctrl-D again since there are two dialog boxes for input and the second one is the one we are interested in. You need to be in GodeZip!Code, are you? YES!
Hit F11 to get into the code. Now you should see something like:

:004022B1 803D1113430044   cmp byte ptr [00431311], 44   ; Check to see if Reg Code starts with D
:004022B8 0F94C0           sete al
:004022BB 0FB6D0           movzx edx, al
:004022BE 803D0813430047   cmp byte ptr [00431308], 47   ; Check to see if License # starts with G
:004022C5 0F94C0           sete al
:004022C8 25FF000000       and eax, 000000FF
:004022CD 21C2             and edx, eax
:004022CF 0FBE0D17134300   movsx ecx, byte ptr [00431317]
:004022D6 0FBE0509134300   movsx eax, byte ptr [00431309]

Ok, first off, those two cmp's look suspicious. Let's display the pointers (ptr):

D 431311

Well well, look at that, it's our Reg Code (Corresponding Code). At the end of that cmp there is a 44, which is hex for 'D'. So that means our reg code needs to start with a 'D'. Next display the second ptr:

D 431308

It is our license number. At the end of that cmp there is a 47, which is hex for 'G'. So that means our License # needs to start with a 'G'.

So far we have found two very important things in the code at the beginning: the License # must start with 'G' and the Reg Code must start with a 'D'. So clear your breakpoints and re-enter your code (G1234567 and D7654321).

For the next part I will only explain the important parts of the code since there is quite a lot ;) Hit F10 to step through the code (about 7 times) till you get to:

:004022CF 0FBE0D17134300   movsx ecx, byte ptr [00431317]   ; move a character from your reg code into ecx
:004022D6 0FBE0509134300   movsx eax, byte ptr [00431309]   ; move a character from your license # into eax
:004022DD 83C01E           add eax, 0000001E                ; add 1E to the current value in eax

If you display 431317 (D 431317) you will see your bogus registration number. Look at the first character on the line where u displayed 431317. In my case it was '2'. So remember that and step past add eax, 1E. Now do ? EAX. You will get a letter. In my case the letter was 'O'. So substitute 'O' for '2' in your reg code. Mine is now 76543O1.
Continue stepping to:

:004022EC 0FBE0D16134300   movsx ecx, byte ptr [00431316]
:004022F3 0FBE050A134300   movsx eax, byte ptr [0043130A]
:004022FA 83C017           add eax, 00000017

Now repeat the above steps using the new ptr [00431316]: get the character of the reg code it is using, step past the add eax, 17 and do ? eax to get the letter that replaces that character in your code. Keep doing this process until you reach:

:00402398 85D0             test eax, edx
:0040239A 7434             je 004023D0

Then clear your breakpoints and enter your code. Mine was DKRHTIOE. Congratulations on cracking this WinZip clone. Now delete it and never use it again because it is so lame!!

This program is very easy to write a keygen for, so go ahead and try it :). Below I have listed the whole code that's important for generating your correct reg code to help u with a keygen. Each triple reads one byte of the reg code (buffer at 431311) and one byte of the license # (buffer at 431308), and adds a constant to the license byte:

:004022CF 0FBE0D17134300   movsx ecx, byte ptr [00431317]
:004022D6 0FBE0509134300   movsx eax, byte ptr [00431309]
:004022DD 83C01E           add eax, 0000001E

:004022EC 0FBE0D16134300   movsx ecx, byte ptr [00431316]
:004022F3 0FBE050A134300   movsx eax, byte ptr [0043130A]
:004022FA 83C017           add eax, 00000017

:00402309 0FBE0D13134300   movsx ecx, byte ptr [00431313]
:00402310 0FBE050B134300   movsx eax, byte ptr [0043130B]
:00402317 83C01F           add eax, 0000001F

:00402326 0FBE0D18134300   movsx ecx, byte ptr [00431318]
:0040232D 0FBE050C134300   movsx eax, byte ptr [0043130C]
:00402334 83C011           add eax, 00000011

:00402343 0FBE0D14134300   movsx ecx, byte ptr [00431314]
:0040234A 0FBE050D134300   movsx eax, byte ptr [0043130D]
:00402351 83C013           add eax, 00000013

:00402360 0FBE0D12134300   movsx ecx, byte ptr [00431312]
:00402367 0FBE050E134300   movsx eax, byte ptr [0043130E]
:0040236E 83C015           add eax, 00000015

:0040237D 0FBE0D15134300   movsx ecx, byte ptr [00431315]
:00402384 0FBE050F134300   movsx eax, byte ptr [0043130F]
:0040238B 83C01D           add eax, 0000001D

If you have any questions etc. look for me in #cracking4newbies. Look for more tutorials from Harlem soon.
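Added editor's example, not part of the tutorial and not DegSoft's code: a defender's model of the check in the listing above, written to show why it falls to single-stepping. The buffer offsets and constants are read straight off the movsx/add triples (code buffer at 431311, license buffer at 431308); the compare of ecx against eax after each add, and the AND-ing of every result into the edx flag tested at 00402398, are assumed, since those instructions are elided in the listing. Beside it is a contrasting check that derives the code with a keyed MAC; the function names, the secret and the sample values are all constructed for the example.

```python
"""Weak constant-offset registration check vs. a keyed derivation (added example)."""
import hashlib
import hmac

# (code index, license index, constant) for each movsx/movsx/add triple in the
# listing. Indexes are relative to the code buffer (431311) and the license
# buffer (431308), so 431317 is code[6] and 431309 is license[1].
WEAK_MAPPING = [
    (6, 1, 0x1E),  # 431317 vs 431309 + 1E
    (5, 2, 0x17),  # 431316 vs 43130A + 17
    (2, 3, 0x1F),  # 431313 vs 43130B + 1F
    (7, 4, 0x11),  # 431318 vs 43130C + 11
    (3, 5, 0x13),  # 431314 vs 43130D + 13
    (1, 6, 0x15),  # 431312 vs 43130E + 15
    (4, 7, 0x1D),  # 431315 vs 43130F + 1D
]


def weak_check(license_no: str, code: str) -> bool:
    """Model of the shipped check: fixed first bytes plus constant offsets.

    Every byte of the expected code is a pure function of the license number
    and of constants sitting in the binary, with no secret anywhere. That is
    why the tutorial can recover the code by stepping past each `add` and
    reading eax: the program computes the answer in plain view and then
    compares it with what was typed.
    """
    if len(license_no) != 8 or len(code) != 8:
        return False
    # cmp byte ptr [00431308], 47 ('G') and cmp byte ptr [00431311], 44 ('D')
    if license_no[0] != "G" or code[0] != "D":
        return False
    result = True
    for code_idx, lic_idx, const in WEAK_MAPPING:
        # movsx ecx, code[i]; movsx eax, license[j]; add eax, const; compare (assumed)
        expected = (ord(license_no[lic_idx]) + const) & 0xFF
        result &= ord(code[code_idx]) == expected
    return result  # the AND of all partial results, like edx at 00402398


def issue_code(license_no: str, secret: bytes) -> str:
    """Vendor-side derivation: the code is an HMAC over the license number.

    The rule for turning a license number into a code now depends on
    `secret`, so a debugger on the client side sees only the final compare
    for one license, not a mapping that applies to every license.
    """
    digest = hmac.new(secret, license_no.encode("ascii"), hashlib.sha256)
    return digest.hexdigest()[:16].upper()


def hardened_check(license_no: str, code: str, secret: bytes) -> bool:
    """Verification with the same secret, e.g. during online activation.

    The secret must stay on the vendor's side: embedded in the client it is
    just one more constant to read out of the binary, exactly like the 1E,
    17, 1F ... above. For purely offline validation the usual answer is a
    signed license checked with an embedded public key (not shown here).
    """
    expected = issue_code(license_no, secret)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Values from the tutorial: license G1234567 with the author's final code.
    print("weak  G1234567 / DKRHTIOE:", weak_check("G1234567", "DKRHTIOE"))
    print("weak  G1234567 / D7654321:", weak_check("G1234567", "D7654321"))
    demo_secret = b"constructed-demo-secret-not-a-real-key"
    issued = issue_code("G1234567", demo_secret)
    print("hardened, issued code:    ", hardened_check("G1234567", issued, demo_secret))
    print("hardened, other license:  ", hardened_check("G1234568", issued, demo_secret))
```

The point of the contrast is not the hash: both checks end in one compare of two 8-character strings, and a patch of the conditional jump at 0040239A defeats either. What changes is that the weak scheme leaks its whole rule through the constants next to the compare, while the keyed one leaks nothing reusable, which is what "don't compute the secret on the client" means in practice.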