-->Tutorial number 1<--

Name    : WinZip
Version : 8.0
Target  : Winzip32.exe
Tools   : SoftICE, brain
Cracker : KlimaX v2000
Get it at: http://www.winzip.com

==>DISCLAIMER<==
For educational purposes ONLY! I hold NO responsibility for the misuse of this material!

This is my very first tutorial, so there'll probably be a couple of hundred other (easier) ways to crack this program, but bear with me :)

Alright, enough chit-chat, let's get down and dirty!

1. Open WinZip and press "Enter Registration Code".

2. Enter:
   Name  : KlimaX v2000
   Reg.# : 12345
   Hit OK. Damn... "Incomplete or Incorrect information". Well come on man, let's fix this damn bug!

3. Press Ctrl+D to get into SoftICE and set a breakpoint on GetDlgItemTextA, the USER32 call the dialog uses to read its text fields:
   bpx GetDlgItemTextA
   Press F5 to return to WinZip.

4. Now press OK again and SoftICE pops up. The dialog has two text fields (1. Name and 2. Reg.#), so the breakpoint fires twice: the first hit reads the Name field. Press F5 once to get past it; on the second hit (the Reg.# field) press F11 to return to the caller of GetDlgItemTextA.

5. Now you should see this, but before you touch anything, notice EAX=00000005 in the register window at the top of SoftICE. GetDlgItemTextA returns the number of characters it copied, and 5 is exactly the number of digits in our code:

00407F8F CALL [USER32!GETDLGITEMTEXTA]
00407F95 PUSH ESI                     <== You should be here
00407F96 CALL 0043F89A
00407F9B PUSH ESI
00407F9C CALL 0043F8C3
00407FA1 CMP BYTE PTR [0048CD78],00
00407FA8 POP ECX
00407FA9 POP ECX
00407FAA JZ 00408005
00407FAC CMP BYTE PTR [0048CDA4],00
00407FB3 JZ 00408005
00407FB5 CALL 004079D5                <== F8 here
00407FBA TEST EAX,EAX
00407FBC JZ 00408005
00407FBE PUSH EDI
etc.

   The CALL at 00407FB5 is the routine that checks the registration info: if it returns zero (TEST EAX,EAX / JZ), WinZip jumps to 00408005 and you get the "Incomplete or Incorrect" box. The two CMP BYTE PTR checks before it just bail out to the same place when either field was left empty.

6. Press F10 until you reach 00407FB5, then press F8 to trace into the call. Now you should see this:

004079D2 RET 0004
004079D5 PUSH EBP                     <== You should end up here
004079D6 MOV EBP,ESP
004079D8 SUB ESP,00000208
004079DE PUSH EBX
004079DF PUSH ESI
004079E0 XOR ESI,ESI
004079E2 CMP BYTE PTR [0048CD78],00
004079E9 PUSH EDI

7. Heavy stuff man!! Now press F10 about 58 times, and after a while of pressing you should be here:

00407A91 LEA EAX,[EBP-0140]
00407A97 PUSH EAX
00407A98 PUSH EDI
00407A99 CALL 00407B47
00407A9E MOV ESI,0048CDA4
00407AA3 LEA EAX,[EBP-0140]
00407AA9 PUSH ESI
00407AAA PUSH EAX                     <== d eax
00407AAB CALL 004692D0
00407AB0 ADD ESP,10

When standing at 00407AAA, type d esi and you'll see our nasty invented code (12345) sitting at 0048CDA4; we don't want that silly code, right? Now type d eax: EAX points to the local buffer at [EBP-0140] that the call at 00407A99 just filled in, and there it is, the real, original, unrememberable code right in front of you. Both pointers are pushed for the call at 004692D0, which does the compare, so the correct code has to be sitting in memory right before it. Cool huh!!

Name  : KlimaX v2000
Reg.# : Go see for yourself :) hehe

Remember to type BC * (clear all breakpoints) before leaving SoftICE, then try out your cool code.

=>LAST WORDS:
If you have any comments on this tut, feel free to mail me at KlimaX_v2000@mail.com

_ _ _ _ _ _ _ _

Special thanks to tKC for releasing those great tuts, keep on making 'em! They are the BEST!!!!!
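Why "d eax" works, and what would stop it: the check traced above derives the expected code from the name and then compares it with what you typed, so the valid code has to be sitting in a buffer right before the compare. The C program below is an added illustration and is not WinZip's code; the page does not show WinZip's real derivation, so the djb2-style hash, the XOR constant and the tiny RSA keypair are all invented placeholders. check_derived() reproduces the fishable pattern, and check_signed() sits beside it as the scheme that defeats serial fishing: the product holds only a public key, so nothing it computes before the compare is a code it would accept.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not WinZip code. All constants are invented
   placeholders; the RSA keypair is far too small to be secure (real
   products use 2048-bit RSA or 256-bit ECDSA for this). */
#define RSA_N 3233u    /* 61 * 53 */
#define RSA_E 17u      /* public exponent: shipped inside the product    */
#define RSA_D 2753u    /* private exponent: stays in the vendor's keygen */

/* Reduce the name to a number below RSA_N (hypothetical derivation). */
static uint32_t name_hash(const char *name)
{
    uint32_t h = 5381u;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = h * 33u + *p;               /* wraps mod 2^32 on purpose */
    return h % RSA_N;
}

/* Square-and-multiply; operands stay below 2^12, so uint64 never overflows. */
static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint64_t r = 1, b = base % mod;
    while (exp) {
        if (exp & 1) r = (r * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return (uint32_t)r;
}

/* The pattern the tutorial exploits: the expected code is built from the
   name into a caller-supplied buffer (cf. [EBP-0140]) and then strcmp'd
   against the typed code. Whoever stops on the compare can read the buffer. */
int check_derived(const char *name, const char *entered, char *expected, size_t cap)
{
    snprintf(expected, cap, "%u", (unsigned)(name_hash(name) ^ 0xA5A5u)); /* toy formula */
    return strcmp(expected, entered) == 0;
}

/* Vendor side only: the registration code is an RSA signature of the name
   hash. This needs RSA_D and would never ship in the product. */
uint32_t keygen_sign(const char *name)
{
    return modpow(name_hash(name), RSA_D, RSA_N);
}

/* Signature check as shipped: holds only (RSA_E, RSA_N). Right before the
   compare, memory holds the name hash and sig^E mod N; a valid code is the
   hash raised to RSA_D, which the product cannot compute, so nothing to fish. */
int check_signed(const char *name, const char *entered)
{
    char *end;
    unsigned long sig = strtoul(entered, &end, 10);
    if (end == entered || *end != '\0' || sig >= RSA_N)
        return 0;                       /* not a number, or out of range */
    return modpow((uint32_t)sig, RSA_E, RSA_N) == name_hash(name);
}

int main(void)
{
    const char *name = "KlimaX v2000";
    char fished[32], again[32], code[32];

    /* 1. Wrong code typed; the buffer now holds the code that would pass. */
    check_derived(name, "12345", fished, sizeof fished);
    printf("d eax  -> %s\n", fished);
    printf("fished -> %s\n",
           check_derived(name, fished, again, sizeof again) ? "accepted" : "rejected");

    /* 2. Signature scheme: only the keygen can mint a code for this name. */
    snprintf(code, sizeof code, "%u", (unsigned)keygen_sign(name));
    printf("keygen -> %s accepted=%d\n", code, check_signed(name, code));
    printf("12345  -> accepted=%d\n", check_signed(name, "12345"));
    return 0;
}
```

Build with any C99 compiler (for example cc -o fish fish.c) and run it: the first two lines show the derived code being read out of the buffer and then accepted, the last two show that with the signature scheme only the keygen-minted code passes. The lesson for the defender is not "hide the compare better" but "don't give the binary what it needs to compute a valid code".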