WinZip 7.0
Written by RiceBoy

Tools required: NuMega SoftICE v3.2
Target: Download at http://www.winzip.com
*Make sure there are 4 screens on your SoftICE

Essay

Hey, word up y'alls, sorry if this essay ain't that good, cuz you know this is my first essay, so if I left out somethin' I'm sorry, but like I'll just explore and u'll learn. Cuz WinZip is a useful tool, but damn the protection sucks. So good luck!!!

Step 1: Run WinZip and type in:
name: *anything you want*
reg.nr: *anything you want*

Step 2: Start SoftICE (CTRL-D) and set a breakpoint on GetDlgItemTextA, or you can also use hmemcpy (it doesn't matter which).

Step 3: Exit SoftICE (CTRL-D), return to winzip32.exe and click on "OK" (under the registration info). BOOM!!!! SoftICE appears. Don't worry, there's no problem; remember when you set your breakpoint? Well, the breakpoint that you set is being activated.

Step 4: Press 'F11' and you'll see this.....

:00408014 FF150C844600   Call dword ptr [0046840C]
:0040801A 53             push ebx                    ;We are here
:0040801B E879160200     call 00429699
:00408020 59             pop ecx                     ;ECX = Name
:00408021 53             push ebx
:00408022 E89B160200     call 004296C2
:00408027 59             pop ecx
:00408028 BE58D94700     mov esi, 0047D958
:0040802D 6A0B           push 0000000B
:0040802F 56             push esi
:00408030 68810C0000     push 00000C81
:00408035 57             push edi
:00408036 FF150C844600   Call dword ptr [0046840C]
:0040803C 56             push esi
:0040803D E857160200     call 00429699
:00408042 59             pop ecx                     ;ECX = fake serial
:00408043 56             push esi
:00408044 E879160200     call 004296C2
:00408049 803D28D9470000 cmp byte ptr [0047D928], 00 ;Check length of name
:00408050 59             pop ecx                     ;ECX = Serial you typed in
:00408051 745F           je 004080B2                 ;If 0 then display error
:00408053 803D58D9470000 cmp byte ptr [0047D958], 00 ;Check length of serial
:0040805A 7456           je 004080B2                 ;If 0 then display error
:0040805C E8EAFAFFFF     call 00407B4B               ;CREATE and compare serials
:00408061 85C0           test eax, eax               ;EAX 0 = Wrong serial, EAX 1 = Good serial
:00408063 744D           je 004080B2                 ;If wrong serial display error
:00408065 53             push ebx
:00408066 BBB80C4700     mov ebx, 00470CB8

Step 5: Type "bc *" so that it will disable the breakpoints.

Step 6: Trace down with 'F10' until you get to

:0040805C E8EAFAFFFF     call 00407B4B

Then step into the call (F8).

Reminder: stepping into this call is about the most important thing you do, so if you screw up then you have to do it all over again.

Step 9: Then you should see this... (*If you just cruise down using F10 you should be able to see the REAL serial number on the screen.)

:00407B4B 55             push ebp
:00407B4C 8BEC           mov ebp, esp
:00407B4E 81EC08020000   sub esp, 00000208
:00407B54 53             push ebx
:00407B55 56             push esi
:00407B56 33F6           xor esi, esi                ;ESI = 0
:00407B58 803D28D9470000 cmp byte ptr [0047D928], 00 ;Check length of name
:00407B5F 57             push edi
:00407B60 0F84A1000000   je 00407C07                 ;If 0 then display error
:00407B66 8D45EC         lea eax, dword ptr [ebp-14] ;Memory location for next string
:00407B69 50             push eax
:00407B6A 6860F44600     push 0046F460
:00407B6F E84F9CFFFF     call 004017C3               ;Save "MuradMeraly" to EAX
:00407B74 59             pop ecx
:00407B75 8D85F8FDFFFF   lea eax, dword ptr [ebp+FFFFFDF8] ;Memory location for next string
:00407B7B 59             pop ecx                     ;ECX = "MuradMeraly"
:00407B7C BF28D94700     mov edi, 0047D928           ;EDI = Name
:00407B81 50             push eax
:00407B82 57             push edi
:00407B83 E8A9020000     call 00407E31               ;Make second copy of name
:00407B88 59             pop ecx
:00407B89 8D85F8FDFFFF   lea eax, dword ptr [ebp+FFFFFDF8]
:00407B8F 59             pop ecx                     ;ECX = Second copy of name
:00407B90 50             push eax
:00407B91 8D45EC         lea eax, dword ptr [ebp-14] ;EAX = "MuradMeraly"
:00407B94 50             push eax
:00407B95 E866FD0400     call 00457900               ;Compare "MuradMeraly" and second copy of name
:00407B9A 59             pop ecx                     ;If they are the same then EAX = 0, else EAX = 1
:00407B9B 59             pop ecx
:00407B9C 6A01           push 00000001
:00407B9E 85C0           test eax, eax               ;Check EAX
:00407BA0 5B             pop ebx
:00407BA1 7502           jne 00407BA5                ;If EAX = 0 then ESI = 1
:00407BA3 8BF3           mov esi, ebx
:00407BA5 8D45EC         lea eax, dword ptr [ebp-14]
:00407BA8 50             push eax
:00407BA9 6870F44600     push 0046F470
:00407BAE E8109CFFFF     call 004017C3
:00407BB3 59             pop ecx
:00407BB4 8D45EC         lea eax, dword ptr [ebp-14]
:00407BB7 59             pop ecx
:00407BB8 50             push eax
:00407BB9 57             push edi
:00407BBA E841FD0400     call 00457900
:00407BBF 59             pop ecx
:00407BC0 85C0           test eax, eax
:00407BC2 59             pop ecx
:00407BC3 750C           jne 00407BD1
:00407BC5 FF15C4814600   Call dword ptr [004681C4]
:00407BCB 84C3           test bl, al
:00407BCD 7402           je 00407BD1
:00407BCF 8BF3           mov esi, ebx
:00407BD1 6A14           push 00000014
:00407BD3 8D45EC         lea eax, dword ptr [ebp-14]
:00407BD6 6A00           push 00000000
:00407BD8 50             push eax
:00407BD9 E872E50400     call 00456150
:00407BDE 83C40C         add esp, 0000000C
:00407BE1 8D85F8FDFFFF   lea eax, dword ptr [ebp+FFFFFDF8]
:00407BE7 68C8000000     push 000000C8
:00407BEC 6A00           push 00000000
:00407BEE 50             push eax
:00407BEF E85CE50400     call 00456150
:00407BF4 83C40C         add esp, 0000000C
:00407BF7 85F6           test esi, esi               ;Check ESI
:00407BF9 7413           je 00407C0E                 ;If ESI = 0 then skip next few lines
:00407BFB E89C060000     call 0040829C
:00407C00 83257CB0470000 and dword ptr [0047B07C], 00000000
:00407C07 33C0           xor eax, eax                ;EAX = 0
:00407C09 E9B3000000     jmp 00407CC1                ;Jump to end of the routine

*HERE'S THE MOST IMPORTANT PART OF THE CODE

:00407C0E 8D85C0FEFFFF   lea eax, dword ptr [ebp+FFFFFEC0] ;Memory location for first serial
:00407C14 50             push eax
:00407C15 57             push edi
:00407C16 E8AB000000     call 00407CC6               ;Generate first serial
:00407C1B 59             pop ecx
:00407C1C BE58D94700     mov esi, 0047D958
:00407C21 59             pop ecx                     ;ECX = First serial
(*Type "D ECX" here to see the first valid serial number, when you are on :00407C21 59 pop ecx)
:00407C22 8D85C0FEFFFF   lea eax, dword ptr [ebp+FFFFFEC0]
:00407C28 56             push esi
:00407C29 50             push eax
:00407C2A E8D1FC0400     call 00457900               ;Compare first serial with *fake* serial
:00407C2F F7D8           neg eax
:00407C31 1BC0           sbb eax, eax
:00407C33 59             pop ecx
:00407C34 40             inc eax
:00407C35 59             pop ecx
:00407C36 A37CB04700     mov dword ptr [0047B07C], eax ;Save registration result into memory,
:00407C3B 7569           jne 00407CA6                ;1 = Good serial, 0 = Bad serial
:00407C3D 8D85C0FEFFFF   lea eax, dword ptr [ebp+FFFFFEC0] ;Memory location for second serial
:00407C43 50             push eax
:00407C44 57             push edi
:00407C45 E820010000     call 00407D6A               ;Generate second serial
:00407C4A 59             pop ecx
:00407C4B 8D85C0FEFFFF   lea eax, dword ptr [ebp+FFFFFEC0]
:00407C51 59             pop ecx                     ;ECX = Second serial
:00407C52 56             push esi
:00407C53 50             push eax
:00407C54 E8A7FC0400     call 00457900               ;Compare second serial with *fake* serial
:00407C59 F7D8           neg eax
:00407C5B 1BC0           sbb eax, eax
:00407C5D 59             pop ecx
:00407C5E 40             inc eax
:00407C5F 59             pop ecx
:00407C60 A37CB04700     mov dword ptr [0047B07C], eax ;Save registration result into memory,
:00407C65 753F           jne 00407CA6                ;1 = Good serial, 0 = Bad serial
(*Type "d ecx" to see the second valid serial, when you are on :00407C51 59 pop ecx)

Step 10: Once you have the REAL serial number, you can use any one of them to register WinZip.

Final Words: I think the best way to learn something is just to explore. I have left the steps kind of open ended for a reason; it's so simple you can't screw up, hahahaha. But seriously, you would learn more about what the function is and the stuff if you try typing what you see, like "d eax" or "d edx", stuff like that, and see what comes out.

Warning: The information in this essay is for educational purposes only!
*It is illegal to crack/modify programs that you do not own.

Important: I'll take no responsibility for how you use the info in this essay. I am not responsible for what might happen to you or your computer! You may use this information at your own risk!!

PLEASE BUY THE SOFTWARE!!!!!!!!!!!!!!!!!!!!!!!!!!!!

"Until next time, take care of yourself, and each other"

"Got Rice?"
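Why the routine at 00407B4B is so easy to read out of memory is worth spelling out for anyone writing a registration check. The code below is an added example and not part of the essay or of WinZip; the serial derivation, the function names and the tiny RSA demo primes are all hypothetical. check_weak mirrors the structure the listing shows (generate a valid serial into a buffer, strcmp it against the typed one, return 1 or 0), and the "trace" list records exactly what "d ecx" would show at the compare. check_signed shows the design that avoids the problem: the client holds only a public key, so no valid serial is ever computed inside the program being debugged.

```python
import hashlib

# --- weak pattern, mirroring the structure of call 00407B4B ---------------
# A hypothetical serial derivation standing in for "call 00407CC6" and
# "call 00407D6A"; the real WinZip functions are not known from the essay.
def _toy_serial(name: str, variant: int) -> str:
    digest = hashlib.sha256(f"{variant}:{name}".encode()).hexdigest()
    return digest[:8].upper()

def check_weak(name: str, typed: str, trace: list) -> int:
    """Generate each valid serial in memory, then compare (like strcmp at 00457900).
    `trace` records what a debugger would see in ECX just before each compare."""
    if not name or not typed:              # the two length checks at 00408049/00408053
        return 0
    for variant in (1, 2):                 # first serial, then second serial
        expected = _toy_serial(name, variant)
        trace.append(expected)             # <- this is what "d ecx" reveals
        if expected == typed:
            return 1                       # 1 = good serial (stored at 0047B07C)
    return 0

# --- hardened pattern: textbook RSA signature check -----------------------
# The client embeds only the public key (_N, _E); the valid serial for a name
# is a signature made with the private exponent _D, which the client never
# holds, so dumping ECX at the compare cannot reveal an unknown valid serial.
# Tiny demo primes: NOT secure, for illustration only.
_P, _Q = 1000003, 1000033
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))    # vendor-side secret, never shipped

def _name_digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:4], "big") % _N

def vendor_issue_serial(name: str) -> str:
    """Runs on the vendor's key server only (uses _D)."""
    return format(pow(_name_digest(name), _D, _N), "x").upper()

def check_signed(name: str, typed: str) -> int:
    """Client-side check: only _N and _E are needed; nothing valid is generated."""
    try:
        sig = int(typed, 16)
    except ValueError:
        return 0
    return 1 if 0 < sig < _N and pow(sig, _E, _N) == _name_digest(name) else 0
```

A real product would use a proper signature scheme and key size rather than these demo primes; the structural point is that the valid serial is produced by the vendor, not by the program under the debugger.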