HOW TO CRACK ELCOM ADVANCED ZIP PASSWORD RECOVERY 3.0 FINAL
http://www.elcomsoft.com/prs.html
by +DzA kRAker

U will need:
- the awesome Liu Tao Tao's TRW2000 ("the chinese power")
- win32dasm (needed for the second method)
- knowledge on how to code a memory patcher (call it a trainer if u want :)

Azpr from Elcom will help u retrieve lost passwords from encrypted zip archives (brute force, of course). The unregistered version of Azpr is useless... some (very important) features are disabled. Who will encrypt a zip with a 5-char password? I think not too many of u.

The anti-cracker protections:
1. anti-debugging (int03, meltice, ?)
2. encrypted with aspr? - AsProtect (one of the PE sections was named .aspr)

For the debugger check we will use TRW2000 (faults=off), which should work fine...

Press Register, u will be prompted for a key. Enter your favorite dummy registration code. Now enter TRW2000 with ctrl+n and put a breakpoint on hmemcpy (bpx hmemcpy, just like in SoftICE). Press OK, TRW2000 pops... press F12 several times until TRW2000 exits... and azpr's registration window does some kind of useless resizing (to impress the crackers, I think...). After the "resizing" is done (2-3 seconds), TRW2000 pops again... press F12 several times until u land in azpr.exe. Now u should see a RET, which will kick u back to kernel; F12 again, another RET, back to kernel; F12 again until u are in azpr.exe... Now start tracing with F10 and u should soon see:

4130B3 CALL 00412BF0     (we must trace into here)
4130B8 TEST EAX,EAX      (boolean result)
4130BA JZ 004130DC       (if zero is returned, jump to "incorrect registration code")

If we simply make the JZ at 4130BA a JNZ, "thank you for registering" will appear, but u are still unregistered...

Let's trace into the call at 4130B3 (press T in TRW2000)... press F10 until u see this:

412C13 CDQ
412C13 IDIV EDI
412C16 TEST EAX,EAX
412C18 JNZ 00412C07      (if not zero, kicks u back to 4130B8 with 0 returned)

So, make that JNZ a JZ. The serial number check is far too complicated, so I think the best method is patching. And the serial check continues... press F10 until u see this:

412C51 CALL 0041F760
412C56 TEST EAX,EAX
412C58 JNZ 00412C07      (kick the guy)

Reverse that jump too... continue tracing with F10 until u see another conditional jump at 412C86, reverse it... continue until u find the next one (and the last one) at 412C93, reverse it... Tracing with F10, the code returns to 4130B8, but this time it returns 1 and the proggie jumps to "thank you for registering"... and it's really registered!

This means that the piece of code we reversed is called by other check(s)... but since we reversed it, it will always return 1... so your memory patch should patch azpr.exe like this:

412C18 74ED  (was 75,ED)
412C58 74AD  (was 75,AD)
412C86 0F85  (was 0F,84)
412C93 746C  (was 75,6C)

Note: u can reverse all Elcom's Advanced xxxxx Recovery with this method :)

I expected a stronger protection from those programmers (experts in cryptology)... maybe in the next versions they will show us some tricks.