WinZIP 8.1 (2002 version!)  

By +Jonathan

2002-8-19

 

Web: http://www.winzip.com  or www.download.com (that is my favourite web site, since it has many trial-version programs.)

Price: $30

Protection: a simple demo box with a name/serial check (this serial-based protection is too~~ easy to crack ^_^)

 

This is what you see when you open the so-called WinZip registration dialog:

 

 Can you believe your eyes? There is almost NO change from their old protection; it is still the same old way. Mmmmmm.... Now, WinZip company, listen up~~ If you REALLY do not want such a STUPID protection scheme, you had better e-mail me back. Remember, WinZip company, I want $100 U.S. Aaaa!! WinZip company, are you still reading? Concentrate, OK?

 

Now type a name and a fake code as above (I used +Jonathan and 12345678)~~~ This is what you see:

Wonderful, let us load it into W32Dasm and search the string data references for "Incomplete or incorrect". You will land here:

 

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:

|:0040BD1B(C), :0040BD24(C), :0040BD2D(C)

 

:0040BD7C E8C3020000           call 0040C044

 

* Possible Reference to String Resource ID=00654: "Incomplete or incorrect information"

                                 

:0040BD81 688E020000              push 0000028E

:0040BD86 E841470500              call 004604CC

 

Now close W32Dasm, since the rest is very obvious, right? Press Ctrl+D to call up SoftICE (our powerful debugger).

First let us get SoftICE to break inside WinZip (an address breakpoint only sticks when we are in WinZip's context). Simply type:

Bpx GetWindowTextW

then press OK in the register dialog; SoftICE pops up when WinZip reads your input. Now do a "BC *" to clear that breakpoint, and type:

BPX 0040BD1B

Yes, we set a breakpoint on the first conditional jump that W32Dasm listed as referencing the error message. Run (F-5), press OK in the dialog again, and this is what you see:

 

001B:0040BD1B  745F                JZ        0040BD7C                (NO JUMP) *we start here*

001B:0040BD1D  803DBCC74C0000      CMP       BYTE PTR [004CC7BC],00  *Did you enter anything?*

001B:0040BD24  7456                JZ        0040BD7C                *No? Beggar off*

001B:0040BD26  E831F9FFFF          CALL      0040B65C                *Main checking routine*

001B:0040BD2B  84C0                TEST      AL,AL                   *Finally test the flag*

001B:0040BD2D  744D                JZ        0040BD7C                *AL == 0 jumps to the error; AL != 0 (1) means registered!!*

 

Therefore let us step into (F-8) the CALL 0040B65C.

 

001B:0040B65C  55                                        PUSH      EBP

001B:0040B65D  8BEC                                  MOV       EBP,ESP

001B:0040B65F  81EC0C020000                SUB       ESP,0000020C

001B:0040B665  8065FF00                           AND       BYTE PTR [EBP-01],00

001B:0040B669  803D90C74C0000      CMP       BYTE PTR [004CC790],00  *Did you enter anything? (checks the buffer at 004CC790)*

001B:0040B670  53                  PUSH      EBX

001B:0040B671  56                  PUSH      ESI

001B:0040B672  57                  PUSH      EDI

001B:0040B673  0F84FB000000        JZ        0040B774                *empty? Beggar off*

 

Now there are many more instructions below, but they are ALL uninteresting (I mean nothing special), since the routine just keeps validating our name: checks like whether the name length is ≥ 200, and so on.....

 

Here it gets interesting, since it loads our code (12345678, remember?) and checks the code length :)

 

001B:0040B78E  50                  PUSH      EAX              *EAX == 9E760EC1 (the real serial)*

001B:0040B78F  E8CC790800          CALL      00493160         *returns the length of the code in EAX*

001B:0040B794  BE2C010000          MOV       ESI,0000012C     *ESI == 12C (300 in decimal)*

001B:0040B799  83C40C              ADD       ESP,0C           *stack clean-up for the three arguments of the call*

001B:0040B79C  3BC6                CMP       EAX,ESI          *is the length below 300 (decimal)?*

001B:0040B79E  720A                JB        0040B7AA         *jump if below; we jump since EAX == 8*

001B:0040B7A0  6A39                PUSH      39               *only reached when the length is 300 or more*

001B:0040B7A2  57                  PUSH      EDI

001B:0040B7A3  E8C2F50000          CALL      0041AD6A

001B:0040B7A8  59                  POP       ECX              *clean up the two arguments pushed above*

001B:0040B7A9  59                  POP       ECX

001B:0040B7AA  BFBCC74C00          MOV       EDI,004CC7BC     *EDI -> our code, 12345678*

001B:0040B7AF  8D85BCFEFFFF        LEA       EAX,[EBP-0144]   *EAX -> the real serial, 9E760EC1*

…………………………………………………………………………………………………………..

…………………………………………………………………………………………………………..

 

You DO NOT need to keep tracing (it hurts your eyes): at this point the program has loaded both the real serial number and our fake one, and what follows only compares the two and sets the flag. So the outcome is:

 

·       Name:  +Jonathan 

·       Serial Number:  9E760EC1
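As an added illustration (my own example code, not WinZip's and not the author's), here is the structure the trace reveals, written in C: a check that renders the real serial into a stack buffer and compares it with the typed code, next to the shape a vendor would use so that no keygen can be lifted from the binary. The name hash (FNV-1a) and the tiny RSA parameters are invented placeholders; the real derivation behind 9E760EC1 is not known from this tutorial and is not reproduced here. The second pattern goes beyond what the page shows, to make the point of why the first one falls to a single `dd EAX`.

```c
/* Added example, not WinZip's code and not from the tutorial: two registration
 * checks with the shape of the routine traced above, plus the vendor side that
 * issues serials.  The name hash and RSA parameters are invented placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CODE_LEN 300   /* the 0x12C limit the trace compares against */

/* Hypothetical name hash (FNV-1a); stands in for the routine the text skips. */
static uint32_t name_hash(const char *name)
{
    uint32_t h = 0x811C9DC5u;
    for (; *name; name++) { h ^= (unsigned char)*name; h *= 0x01000193u; }
    return h;
}

/* Top-of-routine checks: empty buffer -> "beggar off" (CMP BYTE PTR [buf],00 /
 * JZ), then the length compare against 300 (CMP EAX,ESI / JB). */
static int inputs_ok(const char *name, const char *code)
{
    if (name[0] == '\0' || code[0] == '\0') return 0;
    return strlen(code) < MAX_CODE_LEN;
}

/* Pattern 1, symmetric, as in the trace.  The real serial is the name hash as
 * 8 hex digits; this function IS the keygen, and it ships inside the binary. */
void make_serial(const char *name, char out[9])
{
    snprintf(out, 9, "%08X", (unsigned)name_hash(name));
}

/* Returns 1 (AL != 0) when registered.  The expected serial is rendered into a
 * stack buffer (the [EBP-0144] buffer) right before the compare, so a debugger
 * stopped there reads it with one `d` command. */
int check_weak(const char *name, const char *code)
{
    char expected[9];
    if (!inputs_ok(name, code)) return 0;
    make_serial(name, expected);           /* the secret now sits in memory */
    return strcmp(expected, code) == 0;    /* followed by TEST AL,AL / JZ */
}

/* Pattern 2, asymmetric: the binary can verify serials but not produce them.
 * Toy RSA with a 32-bit modulus shows the structure only; it is not secure.
 * Only N and E are compiled into the client. */
#define RSA_P 65521u
#define RSA_Q 65537u
#define RSA_N ((uint64_t)RSA_P * RSA_Q)    /* 4294049777, fits in 32 bits */
#define RSA_E 17u

static uint64_t modexp(uint64_t b, uint64_t e, uint64_t n)
{
    uint64_t r = 1;
    for (b %= n; e; e >>= 1) { if (e & 1) r = r * b % n; b = b * b % n; }
    return r;
}

/* a^-1 mod m by the extended Euclidean algorithm; gcd(a, m) must be 1. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m), q, tmp;
    while (nr) {
        q = r / nr;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Vendor side (never shipped): serial = H(name)^d mod N, printed as hex. */
void vendor_issue(const char *name, char out[9])
{
    uint64_t d = modinv(RSA_E, (uint64_t)(RSA_P - 1) * (RSA_Q - 1));
    snprintf(out, 9, "%08X", (unsigned)modexp(name_hash(name) % RSA_N, d, RSA_N));
}

/* Client side: accept iff serial^E mod N == H(name) mod N.  At the compare,
 * memory holds only H(name) and the typed code; neither is a valid serial,
 * and no keygen can be lifted from this code without factoring N. */
int check_signed(const char *name, const char *code)
{
    uint64_t s;
    if (!inputs_ok(name, code)) return 0;
    if (strlen(code) != 8 || strspn(code, "0123456789abcdefABCDEF") != 8)
        return 0;                          /* must be exactly 8 hex digits */
    s = strtoull(code, NULL, 16);
    if (s >= RSA_N) return 0;
    return modexp(s, RSA_E, RSA_N) == name_hash(name) % RSA_N;
}

int main(void)
{
    char weak[9], sig[9];
    make_serial("+Jonathan", weak);
    vendor_issue("+Jonathan", sig);
    printf("weak  : %s -> %d\n", weak, check_weak("+Jonathan", weak));
    printf("signed: %s -> %d\n", sig, check_signed("+Jonathan", sig));
    return 0;
}
```

In check_weak the real serial exists as plain text at the compare, which is exactly what the `d EAX` at 0040B7AF showed. In check_signed the compare sees only H(name) and the typed code; the conditional jump after it can still be patched, but the binary holds no secret that produces serials, so serial fishing with the debugger yields nothing. A 32-bit modulus is factorable in milliseconds and is used here only to keep the arithmetic in plain integers.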

 

 

 If you want to register your name, please do the following:

 

Use the same steps I showed you today, but once you have broken into WinZip in SoftICE (via GetWindowTextW), you can simply do BPX 40B7AF, run it (F-5), and when SoftICE pops up step over that one LEA (F-10) and then do dd EAX straight away^_^ (BPX stops before the instruction at 40B7AF executes, so EAX only points at the real serial after that single step.)

 

If you have really learned the method above, you should be able to find the serial number for any name, for instance:

 

·       Name:  Fuck Your WinZip

·       Serial Number:  3FF02B67