WinZIP 8.1 (2002 version!)
By +Jonathan
2002-8-19
Web: http://www.winzip.com or www.download.com (that is my favorite web site since there are many software trial versions.)
Price: $30
Protection: a stupid demo box (this serial-based protection is too~~ easy to crack ^_^)
This is what you see when you open the so-called WinZip register:
Can you believe your eyes? There is almost NO change from its protection, even the old way they protect. Mmmmmm. Now WinZip company listen up~~ If you REALLY do not want to make such a STUPID protection scheme, you better e-mail me back. Remember WinZip company, I want $100 U.S. Aaaa!! WinZip company are you still reading? Concentrate OK?
Now type as above please~~~ This is what you see:
Wonderful, let us load it into W32Dasm and search for "Incomplete or incorrect" in the string data. You will land here:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040BD1B(C), :0040BD24(C), :0040BD2D(C)
:0040BD7C E8C3020000    call 0040C044
* Possible Reference to String Resource ID=00654: "Incomplete or incorrect information"
:0040BD81 688E020000    push 0000028E
:0040BD86 E841470500    call 004604CC
Now close W32Dasm since it is very obvious, right? Ctrl + D calls SOFT-ICE (our powerful debugger).
First let us load it. Simply type:
Bpx GetWindowTextW
And then do a BC* in order to clear the breakpoint. Now please type:
BPX 0040BD1B
Yes, we breakpoint on the referenced conditional jump. This is what you see:
001B:0040BD1B 745F            JZ 0040BD7C                 (NO JUMP) *we start here*
001B:0040BD1D 803DBCC74C0000  CMP BYTE PTR [004CC7BC],00  *Do you enter anything?*
001B:0040BD24 7456            JZ 0040BD7C                 *No? Beggar off*
001B:0040BD26 E831F9FFFF      CALL 0040B65C               *Main checking routine*
001B:0040BD2B 84C0            TEST AL,AL
001B:0040BD2D 744D            JZ 0040BD7C                 *If the
Therefore let us step into (F7) the CALL 0040B65C.
001B:0040B65C 55              PUSH EBP
001B:0040B65D 8BEC            MOV EBP,ESP
001B:0040B65F 81EC0C020000    SUB ESP,0000020C
001B:0040B665 8065FF00        AND BYTE PTR [EBP-01],00
001B:0040B669 803D90C74C0000  CMP BYTE PTR [004CC790],00  ~~~*Do you enter any serial number?*~~~
001B:0040B670 53              PUSH EBX
001B:0040B671 56              PUSH ESI
001B:0040B672 57              PUSH EDI
001B:0040B673 0F84FB000000    JZ 0040B774                 *beggar off*
Now there are many more instructions below, but they are ALL garbage (I mean nothing special) since it keeps checking our name, like whether the length of the name is ≥ 200 and so on...
Here it is kind of interesting since it loads our code (12345678, remember?) and compares the code length:
001B:0040B78E 50              PUSH EAX            * EAX == 9E760EC1 *
001B:0040B78F E8CC790800      CALL 00493160       *get the length of your code (saved in EAX)*
001B:0040B794 BE2C010000      MOV ESI,0000012C    * ESI == 12C (300 in decimal)*
001B:0040B799 83C40C          ADD ESP,0C          *Change to HEX*
001B:0040B79C 3BC6            CMP EAX,ESI         *Is your length below 300 in decimal?*
001B:0040B79E 720A            JB 0040B7AA         *Jump if below; we jump since EAX==8*
001B:0040B7A0 6A39            PUSH 39
001B:0040B7A2 57              PUSH EDI
001B:0040B7A3 E8C2F50000      CALL 0041AD6A
001B:0040B7A8 59              POP ECX             *pop the name*
001B:0040B7A9 59              POP ECX
001B:0040B7AA BFBCC74C00      MOV EDI,004CC7BC    *EDI == 12345678 *
001B:0040B7AF 8D85BCFEFFFF    LEA EAX,[EBP-0144]  *EAX == 9E760EC1 *
...
You DO NOT need to keep tracing (it hurts your eyes) since the program has loaded both the real Serial Number and the fake Serial Number. The following code compares whether they are the same and also moves the flag. So the outcome would be:
· Name: +Jonathan
· Serial Number: 9E760EC1
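The weakness this walkthrough relies on is a design one: the client derives the real serial from the name and then compares it with the typed code, so the real value sits in memory at the compare. As an added illustration (a constructed toy, not WinZip's scheme and not the author's code), here is that pattern beside a verifier-only design in which the client embeds just a public key and a serial is a signature over the name, so the check never holds anything that can produce serials. The RSA parameters and the "toy-client-secret" string are constructed for the example and far too small for real use; a design like this only removes the leak at the compare and does nothing about patching the branch that follows it.

```python
"""Two serial-check designs side by side (constructed toy, not WinZip's scheme)."""
import hashlib

# ---- Weak design: the client derives the expected serial from the name ----
# The derivation ships inside the client, so the real serial is materialised
# in memory right before the compare (exactly what a debugger reads there).
def weak_expected_serial(name: str) -> str:
    raw = hashlib.sha256(b"toy-client-secret|" + name.encode()).digest()
    return raw[:4].hex().upper()           # 8 hex digits, like 9E760EC1 above

def weak_check(name: str, serial: str) -> bool:
    expected = weak_expected_serial(name)  # leak point: real serial in a local
    return serial.strip().upper() == expected

# ---- Hardened design: the client embeds only a public key ----------------
# Toy RSA parameters, constructed for illustration; far too small for real use.
P, Q = 1000003, 1000033                    # both prime
N = P * Q
E = 65537                                  # public exponent, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent: vendor side only

def name_digest(name: str) -> int:
    # Map the name to an integer below N so textbook RSA applies to it.
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def vendor_issue_serial(name: str) -> str:
    # Runs on the vendor's key server, the only place D exists.
    return format(pow(name_digest(name), D, N), "X")

def client_verify(name: str, serial: str) -> bool:
    # Only E and N are present here: nothing in this function can produce a
    # serial, so stopping a debugger inside it yields nothing reusable.
    try:
        sig = int(serial.strip(), 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == name_digest(name)

if __name__ == "__main__":
    who = "+Jonathan"
    print("weak:", weak_check(who, weak_expected_serial(who)))
    issued = vendor_issue_serial(who)
    print("hardened:", client_verify(who, issued), client_verify("other", issued))
```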
If you want to register your name, please do the following:
Use the same steps as I taught you today, but after you load WinZip (via GetWindowText) into SoftICE, you can simply do BPX 40B7AF, run it (F5), and do a dd EAX immediately when SI pops up ^_^
If you really learned the above method, you should be able to find out any Serial Number, for instance:
· Name: Fuck Your WinZip
· Serial Number: 3FF02B67