HOW TO CRACK ELCOM ADVANCED ZIP PASSWORD RECOVERY 3.0 FINAL
                          http://www.elcomsoft.com/prs.html




by +DzA kRAker
              
You will need: the awesome Liu Tao Tao's TRW2000, "the chinese power"
               win32dasm (needed for the second method)
               knowledge of how to code a memory patcher (call it a trainer if you want :)



Azpr from Elcom will help you retrieve lost passwords from encrypted zip archives
(by brute force, of course).
The unregistered version of Azpr is pretty much useless: some (very important) features
are disabled, so it only handles short passwords. Who encrypts a zip with a 5-character
password? Not too many of you, I think.
The anti-cracker protections: 1. anti-debugging (int 03, meltice, ?)
                              2. ASProtect (one of the PE sections is named .aspr, so the
                                 exe is probably packed/encrypted with it). This is also why the
                                 patch at the end is a memory patch: the bytes on disk are packed,
                                 so the jumps can only be changed once the ASProtect stub has
                                 unpacked the real code in memory.

For the debugger check we use TRW2000 (faults=off), which should work fine...
Press Register; you will be prompted for a key. Enter your favourite dummy registration
code. Now pop into TRW2000 with ctrl+n and put a breakpoint on hmemcpy (bpx hmemcpy,
just like in SoftICE). Press OK, TRW2000 pops up... press F12 several times until TRW2000
exits and azpr's registration window does some kind of useless resizing (to impress the
crackers, I think...). After the "resizing" is done (2-3 seconds), TRW2000 pops up again...
press F12 several times until you land in azpr.exe. Now you should see a RET, which
kicks you back to kernel; F12 again, another RET, back to kernel; F12 again until you are in azpr.exe. Now start
tracing with F10 and you should soon see:
4130B3 CALL 00412BF0 --- we must trace into here.
4130B8 TEST EAX,EAX  (the boolean result of the check)
4130BA JZ   004130DC (if zero was returned, jump to "incorrect registration code")
If we simply make the JZ at 4130BA a JNZ, "thank you for registering" will appear,
but you are still unregistered (the call at 4130B3 is not the only place this check is used, see below)...
Let's trace into the call at 4130B3 (press T in TRW2000)...
press F10 until you see this:
412C13 CDQ
412C14 IDIV EDI
412C16 TEST EAX,EAX
412C18 JNZ 00412C07 (if not zero, this kicks you back to 4130B8 with 0 returned)
So, make that JNZ a JZ. The serial number check is far too complicated, so I think the best
method is patching. And the serial check continues... press F10 until you see this:
412C51 CALL 0041F760
412C56 TEST EAX,EAX
412C58 JNZ 00412C07 (kick the guy)
Reverse that jump too... continue tracing with F10... until you see another conditional jump at
412C86, reverse it... continue until you find the next one (and the last one)
at 412C93, reverse it... tracing with F10, the code returns to 4130B8, but this time it returns 1
and the proggie jumps to "thank you for registering"... and it's really registered!
This means that the piece of code we reversed is called by other check(s) too... but since we
reversed it, it always returns 1... so your memory patcher should patch azpr.exe like
this (each patch flips only the low bit of the Jcc opcode, 74/75 or 0F 84/0F 85, and leaves
the jump displacement alone):
412C18 74 ED (was 75 ED)
412C58 74 AD (was 75 AD)
412C86 0F 85 (was 0F 84)
412C93 74 6C (was 75 6C)
Check the "was" bytes before writing: if they don't match, you are either looking at a
different build or the code has not been unpacked yet, and writing anyway would only
corrupt whatever happens to be there.
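As an added example (not the tutorial's own code, and nothing from Elcom), here is a small Python patcher that carries the four flips above with the verify-before-write rule built in. It assumes the four addresses are virtual addresses in the running, already unpacked azpr.exe; the demo image it builds is a constructed stand-in for that memory, and the `patch_process` part is my own ctypes wrapper around OpenProcess/ReadProcessMemory/WriteProcessMemory that only runs on Windows with a pid you supply.

```python
"""Memory patcher for the four Jcc flips listed above.

Added example, not the tutorial's own code. Assumes the four addresses are
virtual addresses in the running (already unpacked) azpr.exe, that the Win32
part is run on Windows with enough rights to open the process, and that the
demo image built here is a constructed stand-in for the real process memory.
"""
import ctypes
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    va: int        # virtual address of the first byte to change
    expect: bytes  # bytes that must be there before anything is written
    new: bytes     # replacement bytes, same length


# The four conditional jumps from the tutorial. Jcc opcodes keep the
# condition in the low bit (74 JZ / 75 JNZ, 0F 84 JZ near / 0F 85 JNZ near),
# so each patch flips one bit and leaves the displacement byte untouched.
PATCHES = (
    Patch(0x412C18, b"\x75\xED", b"\x74\xED"),
    Patch(0x412C58, b"\x75\xAD", b"\x74\xAD"),
    Patch(0x412C86, b"\x0F\x84", b"\x0F\x85"),
    Patch(0x412C93, b"\x75\x6C", b"\x74\x6C"),
)


def apply_patches(image: bytearray, image_va: int, patches=PATCHES) -> int:
    """Patch a byte image whose first byte lives at virtual address image_va.

    All patches are verified against their expected bytes before any write,
    so a different build, or an image the ASProtect stub has not unpacked yet,
    aborts with the image untouched instead of ending up half patched.
    Returns the number of bytes written.
    """
    for p in patches:
        if len(p.expect) != len(p.new):
            raise ValueError(f"patch at {p.va:#x} changes the code length")
        off = p.va - image_va
        if off < 0 or off + len(p.expect) > len(image):
            raise ValueError(f"{p.va:#x} lies outside the image")
        found = bytes(image[off:off + len(p.expect)])
        if found != p.expect:
            raise ValueError(
                f"unexpected bytes at {p.va:#x}: {found.hex()} != {p.expect.hex()}")
    written = 0
    for p in patches:
        off = p.va - image_va
        image[off:off + len(p.new)] = p.new
        written += len(p.new)
    return written


def build_demo_image(image_va: int = 0x412C00, size: int = 0x100) -> bytearray:
    """Constructed stand-in for the unpacked code page: zero-filled except for
    the original jump bytes at the four addresses (assumed layout)."""
    image = bytearray(size)
    for p in PATCHES:
        off = p.va - image_va
        image[off:off + len(p.expect)] = p.expect
    return image


def patch_process(pid: int, patches=PATCHES) -> int:
    """Apply the patches to a live process through the Win32 API.

    Only meaningful on Windows; run it once the registration dialog is up,
    i.e. after the protector has unpacked the code. Same verify-then-write
    rule as apply_patches: read every span first, write only if all match.
    """
    if sys.platform != "win32":
        raise OSError("live patching needs the Win32 API")
    k32 = ctypes.windll.kernel32
    access = 0x0008 | 0x0010 | 0x0020  # VM_OPERATION | VM_READ | VM_WRITE
    handle = k32.OpenProcess(access, False, pid)
    if not handle:
        raise ctypes.WinError()
    try:
        n = ctypes.c_size_t()
        for p in patches:
            buf = ctypes.create_string_buffer(len(p.expect))
            if not k32.ReadProcessMemory(handle, ctypes.c_void_p(p.va), buf,
                                         len(p.expect), ctypes.byref(n)):
                raise ctypes.WinError()
            if buf.raw != p.expect:
                raise ValueError(f"unexpected bytes at {p.va:#x}: {buf.raw.hex()}")
        written = 0
        for p in patches:
            if not k32.WriteProcessMemory(handle, ctypes.c_void_p(p.va), p.new,
                                          len(p.new), ctypes.byref(n)):
                raise ctypes.WinError()
            written += n.value
        return written
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__":
    img = build_demo_image()
    print("patched", apply_patches(img, 0x412C00), "bytes")
    for p in PATCHES:
        off = p.va - 0x412C00
        print(f"{p.va:06X} {img[off:off + 2].hex(' ')}")
```

Running the file on its own exercises the constructed image; on the real target you would call `patch_process(pid)` from the trainer after the registration window is visible. The two-pass check is the point: a mismatch (still packed, wrong version, already patched) leaves every byte alone, which is what you want from a patcher that writes into a live process.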
Note: you can reverse all of Elcom's Advanced xxxxx Recovery programs with this method :)
I expected stronger protection from those programmers (experts in cryptology)... maybe in the next versions
they will show us some tricks.