Welcome to Cracking Tutorial #60!

Hiya guys, ah finally, the first cracking tutorial of the year 2000! As you can see, here's a new version *again* and I hope you like this one! :) And today, as a bonus, I give you 7 tutors, #58-64! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools. (I use these tools and I assume you'll use them too, but that doesn't mean you'll need all of them for every example; just have them handy for the examples in this tutorial!)

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6
Windows Commander v4.03 (I use it because it makes multitasking easier)
Delphi, VB, C++, or TASM to code a keygen or a patch.

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://protools.cjb.net or http://w3.to/protools, or ask any cracker to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

pR0GRAM    : BVS Solitaire Collection v2.3.1
pROTECTION : ID Code
cRACK tYPE : CorrECT c0DE
uRL        : http://www.bvssolitaire.com
t00lZ      : SoftICE v3.24 (SoftICE v4.0 is better!)
AuthOr     : RaSCaL / CiA
TuT0riaL   : No. 1

iNTRO
-----

Well, this is my first tut, so don't expect much from it. However, I will do my best to make it understandable. Please excuse my grammatical errors; this is not too much to ask! OK, let's CRACK.

About the protection
--------------------

This little game is shareware. We all know what that means. So, go to the Help menu and click on Register... You will notice that it asks for an ID. SoftICE fits this situation pERfECTlY.

Get started
-----------

Enter a dummy code (I used 1234567). Fire up SoftICE (CTRL+D) and BPX on HMEMCPY, since I guess that this one is coded in Delphi. Click OK. BOOM! SoftICE breaks! Press F12 for a looooooong time.
Till you get here:

004A77D0  mov eax, dword ptr [004B1854]
004A77D5  mov eax, dword ptr [eax]
004A77D7  call 0042DF58
004A77DC  cmp byte ptr [ebp-05], 00
004A77E0  je 004A785B
004A77E2  mov eax, dword ptr [004AFF68]
004A77E7  call 00476D68                  <-- BPX here!
004A77EC  test al, al
004A77EE  je 004A7832

After executing the instruction at 004A77E2, do a "d eax" in SoftICE. HeeeeYY, what's that! We have l0CaTed our dummy code. The instructions that follow tell us that the code is probably checked inside the call at 004A77E7: the call returns a flag in AL that is tested right after it. So, press F8. You will land here:

:00476D68 55              push ebp
:00476D69 8BEC            mov ebp, esp
:00476D6B 81C4ECFBFFFF    add esp, FFFFFBEC
:00476D71 33D2            xor edx, edx
:00476D73 8995ECFBFFFF    mov dword ptr [ebp+FFFFFBEC], edx
:00476D79 8955F8          mov dword ptr [ebp-08], edx
:00476D7C 8945F0          mov dword ptr [ebp-10], eax
:00476D7F 8B45F0          mov eax, dword ptr [ebp-10]
:00476D82 E809D0F8FF      call 00403D90
:00476D87 33C0            xor eax, eax
:00476D89 55              push ebp
:00476D8A 681E734700      push 0047731E
:00476D8F 64FF30          push dword ptr fs:[eax]
:00476D92 648920          mov dword ptr fs:[eax], esp
:00476D95 C645FF00        mov [ebp-01], 00
:00476D99 8D45F8          lea eax, dword ptr [ebp-08]
:00476D9C 8B1568FF4A00    mov edx, dword ptr [004AFF68]
:00476DA2 E851CCF8FF      call 004039F8
:00476DA7 8B45F8          mov eax, dword ptr [ebp-08]
:00476DAA E82DCEF8FF      call 00403BDC        <---- hmmm
:00476DAF 83F811          cmp eax, 00000011    <---- ?
:00476DB2 0F8C3D050000    jl 004772F5
:00476DB8 8D45F8          lea eax, dword ptr [ebp-08]
:00476DBB E8ECCFF8FF      call 00403DAC

Step a little bit until you reach 00476DAA. When you execute this call, notice that the EAX register changes. Guess what? It's the length of our code (for me eax=00000007). After that it compares it with 11h. (Do a "? 11" in SoftICE and you will see that the decimal value of 11h is 17!) The jl takes the failure path whenever the length is less than 17, and the string compare further down is against a 17-character constant, so our code must have exactly 17 chars. CTRL+D to quit SoftICE. Of course you will get this nasty message box saying "Sorry, but your registration number is invalid"; click OK. Go to the Register section and enter a 17-character code.
Click OK. SoftICE will break on hmemcpy. Press F5 and it will break on 004A77E7, where you set a breakpoint, didn't you? Trace into the call until 00476DB2. Now it will not jump as it did before, because we entered a code of the correct length. So it continues with the following:

:00476DB8 8D45F8          lea eax, dword ptr [ebp-08]            ;
:00476DBB E8ECCFF8FF      call 00403DAC                          ;
:00476DC0 83C004          add eax, 00000004                      ;
:00476DC3 8D95F1FEFFFF    lea edx, dword ptr [ebp+FFFFFEF1]      ;
:00476DC9 B903000000      mov ecx, 00000003                      ; We are not
:00476DCE E8C5B9F8FF      call 00402798                          ; interested
:00476DD3 C685F0FEFFFF03  mov byte ptr [ebp+FFFFFEF0], 03        ; in these
:00476DDA 8D85F0FEFFFF    lea eax, dword ptr [ebp+FFFFFEF0]      ; instructions
:00476DE0 BA2C734700      mov edx, 0047732C                      ; (he,he..)
:00476DE5 33C9            xor ecx, ecx                           ;
:00476DE7 8A08            mov cl, byte ptr [eax]                 ;
:00476DE9 41              inc ecx                                ;
:00476DEA E899BCF8FF      call 00402A88                          ;
:00476DEF 0F8400050000    je 004772F5                            ;
:00476DF5 8D45F8          lea eax, dword ptr [ebp-08]
:00476DF8 E8AFCFF8FF      call 00403DAC
:00476DFD 8B55F8          mov edx, dword ptr [ebp-08]            ; edx points to our code
:00476E00 0FB612          movzx edx, byte ptr [edx]              ; fetch the 1st char
:00476E03 83C203          add edx, 00000003                      ; and add 0x3
:00476E06 8810            mov byte ptr [eax], dl                 ; store it back
:00476E08 8D45F8          lea eax, dword ptr [ebp-08]
:00476E0B E89CCFF8FF      call 00403DAC
:00476E10 8B55F8          mov edx, dword ptr [ebp-08]            ; edx points to our code
:00476E13 0FB65201        movzx edx, byte ptr [edx+01]           ; get the 2nd char
:00476E17 83C204          add edx, 00000004                      ; add 0x4 to it
:00476E1A 885001          mov byte ptr [eax+01], dl              ; and store it back
:00476E1D 8D45F8          lea eax, dword ptr [ebp-08]
:00476E20 E887CFF8FF      call 00403DAC
:00476E25 8B55F8          mov edx, dword ptr [ebp-08]            ; continues the same way..
:00476E28 0FB65202        movzx edx, byte ptr [edx+02]
:00476E2C 83C205          add edx, 00000005                      ; add 0x5 to the 3rd char

(The block marked "not interested" copies three characters of the code, starting at the 5th, into a short string and compares them with a constant at 0047732C; a match also goes to the failure path at 004772F5.)
:00476E2F 885002          mov byte ptr [eax+02], dl
:00476E32 8D45F8          lea eax, dword ptr [ebp-08]
:00476E35 E872CFF8FF      call 00403DAC
:00476E3A 8B55F8          mov edx, dword ptr [ebp-08]
:00476E3D 0FB65203        movzx edx, byte ptr [edx+03]
:00476E41 83C209          add edx, 00000009                      ; add 0x9 to the 4th char
:00476E44 885003          mov byte ptr [eax+03], dl
:00476E47 8D45F8          lea eax, dword ptr [ebp-08]
:00476E4A E85DCFF8FF      call 00403DAC
:00476E4F 8B55F8          mov edx, dword ptr [ebp-08]
:00476E52 0FB65204        movzx edx, byte ptr [edx+04]
:00476E56 83C206          add edx, 00000006                      ; add 0x6 to the 5th char
:00476E59 885004          mov byte ptr [eax+04], dl
:00476E5C 8D45F8          lea eax, dword ptr [ebp-08]
:00476E5F E848CFF8FF      call 00403DAC
:00476E64 8B55F8          mov edx, dword ptr [ebp-08]
:00476E67 0FB65205        movzx edx, byte ptr [edx+05]
:00476E6B 83C20D          add edx, 0000000D                      ; add 0x0D to the 6th char
:00476E6E 885005          mov byte ptr [eax+05], dl
:00476E71 8D45F8          lea eax, dword ptr [ebp-08]
:00476E74 E833CFF8FF      call 00403DAC
:00476E79 8B55F8          mov edx, dword ptr [ebp-08]
:00476E7C 0FB65206        movzx edx, byte ptr [edx+06]
:00476E80 83C20C          add edx, 0000000C                      ; add 0xC to the 7th char
:00476E83 885006          mov byte ptr [eax+06], dl
:00476E86 8D45F8          lea eax, dword ptr [ebp-08]
:00476E89 E81ECFF8FF      call 00403DAC
:00476E8E 8B55F8          mov edx, dword ptr [ebp-08]
:00476E91 0FB65207        movzx edx, byte ptr [edx+07]
:00476E95 83C202          add edx, 00000002                      ; add 0x2 to the 8th char
:00476E98 885007          mov byte ptr [eax+07], dl
:00476E9B 8D45F8          lea eax, dword ptr [ebp-08]
:00476E9E E809CFF8FF      call 00403DAC
:00476EA3 8B55F8          mov edx, dword ptr [ebp-08]
:00476EA6 0FB65208        movzx edx, byte ptr [edx+08]
:00476EAA 42              inc edx                                ; add 0x1 to the 9th char
:00476EAB 885008          mov byte ptr [eax+08], dl
:00476EAE 8D45F8          lea eax, dword ptr [ebp-08]
:00476EB1 E8F6CEF8FF      call 00403DAC
:00476EB6 8B55F8          mov edx, dword ptr [ebp-08]
:00476EB9 0FB65209        movzx edx, byte ptr [edx+09]
:00476EBD 83C205          add edx, 00000005                      ; add 0x5 to the 10th char
:00476EC0 885009          mov byte ptr [eax+09], dl
:00476EC3 8D45F8          lea eax, dword ptr [ebp-08]
:00476EC6 E8E1CEF8FF      call 00403DAC
:00476ECB 8B55F8          mov edx, dword ptr [ebp-08]
:00476ECE 0FB6520A        movzx edx, byte ptr [edx+0A]
:00476ED2 83C203          add edx, 00000003                      ; add 0x3 to the 11th char
:00476ED5 88500A          mov byte ptr [eax+0A], dl
:00476ED8 8D45F8          lea eax, dword ptr [ebp-08]
:00476EDB E8CCCEF8FF      call 00403DAC
:00476EE0 8B55F8          mov edx, dword ptr [ebp-08]
:00476EE3 0FB6520B        movzx edx, byte ptr [edx+0B]
:00476EE7 83C208          add edx, 00000008                      ; add 0x8 to the 12th char
:00476EEA 88500B          mov byte ptr [eax+0B], dl
:00476EED 8D45F8          lea eax, dword ptr [ebp-08]
:00476EF0 E8B7CEF8FF      call 00403DAC
:00476EF5 8B55F8          mov edx, dword ptr [ebp-08]
:00476EF8 0FB6520C        movzx edx, byte ptr [edx+0C]
:00476EFC 83C202          add edx, 00000002                      ; add 0x2 to the 13th char
:00476EFF 88500C          mov byte ptr [eax+0C], dl
:00476F02 8D45F8          lea eax, dword ptr [ebp-08]
:00476F05 E8A2CEF8FF      call 00403DAC
:00476F0A 8B55F8          mov edx, dword ptr [ebp-08]
:00476F0D 0FB6520D        movzx edx, byte ptr [edx+0D]
:00476F11 83C208          add edx, 00000008                      ; add 0x8 to the 14th char
:00476F14 88500D          mov byte ptr [eax+0D], dl
:00476F17 8D45F8          lea eax, dword ptr [ebp-08]
:00476F1A E88DCEF8FF      call 00403DAC
:00476F1F 8B55F8          mov edx, dword ptr [ebp-08]
:00476F22 0FB6520E        movzx edx, byte ptr [edx+0E]
:00476F26 42              inc edx                                ; add 0x1 to the 15th char
:00476F27 88500E          mov byte ptr [eax+0E], dl
:00476F2A 8D45F8          lea eax, dword ptr [ebp-08]
:00476F2D E87ACEF8FF      call 00403DAC
:00476F32 8B55F8          mov edx, dword ptr [ebp-08]
:00476F35 0FB6520F        movzx edx, byte ptr [edx+0F]
:00476F39 83C20D          add edx, 0000000D                      ; add 0xD to the 16th char
:00476F3C 88500F          mov byte ptr [eax+0F], dl
:00476F3F 8D45F8          lea eax, dword ptr [ebp-08]
:00476F42 E865CEF8FF      call 00403DAC
:00476F47 8B55F8          mov edx, dword ptr [ebp-08]
:00476F4A 0FB65210        movzx edx, byte ptr [edx+10]
:00476F4E 83C213          add edx, 00000013                      ; add 0x13 to the 17th char
:00476F51 885010          mov byte ptr [eax+10], dl
:00476F54 8B45F8          mov eax, dword ptr [ebp-08]            ; your code
:00476F57 BA38734700      mov edx, 00477338                      ; the correct one(?)
:00476F5C E88BCDF8FF      call 00403CEC                          ; do the compare
:00476F61 0F848E030000    je 004772F5                            ; jump if equal

WH00000000W, quite a L00T of code here! It encrypts your code and compares it with an encrypted one. When you reach 00476F54 do a "d eax" and you will see your code, but in its encrypted form! So the next instruction should load the correct one, right? After executing the next instruction as well, do a "d edx" and you will see this: EWL66DA/M>7@/>6ED (without the quotes). Let's decrypt that, eh?

tHE eNCrYPTi0n / dECRYPTiON rOUTiNE
-----------------------------------

Actually, this encryption routine is a veeeeery simple one! It just adds a fixed value to each character of your code (the add/inc instructions above, one per position). So the only thing you have to do is to subtract these values from the encrypted correct code! We have:

Ascii   Hex1     Hex2   Hex3   Ascii
-----   ----     ----   ----   -----
  E   =  45  -    3   =  42  =   B
  W   =  57  -    4   =  53  =   S
  L   =  4C  -    5   =  47  =   G
  6   =  36  -    9   =  2D  =   -
  6   =  36  -    6   =  30  =   0
  D   =  44  -   0D   =  37  =   7
  A   =  41  -    C   =  35  =   5
  /   =  2F  -    2   =  2D  =   -
  M   =  4D  -    1   =  4C  =   L
  >   =  3E  -    5   =  39  =   9
  7   =  37  -    3   =  34  =   4
  @   =  40  -    8   =  38  =   8
  /   =  2F  -    2   =  2D  =   -
  >   =  3E  -    8   =  36  =   6
  6   =  36  -    1   =  35  =   5
  E   =  45  -    D   =  38  =   8
  D   =  44  -   13   =  31  =   1

I hope you understand this. From the above we get this code: BSG-075-L948-6581

Enter this one in the registration dialog. Click OK. Ooohhhh, what's this?? It does not accept this code! Probably we missed something. Hmmmm. Let's take another look at the asm code above. !@#$%^^&&%@#!@):((,... Ye$! Take a look at 00476DB2. If the code length is not 17, it jumps to 004772F5. Now look at address 00476F61. If the codes match, it jumps to the same location as before, i.e. to the failure path. Guess what? I think they have blacklisted this code! Let's continue with the asm.
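Before going on with the listing, here is the transform and its inverse as a script. This is an added example, not the tutorial author's keygen and not code from BVS Solitaire: the per-position constants are the ones read off the add/inc instructions above, the blacklisted string and the addresses in the comments come from the listing, and the handling of codes longer than 17 characters is an inference from the fact that every compare is against a 17-character constant. It generalizes the hand-made table: any string the program compares the transformed code against can be fed to decode() to recover the code that produces it.

```python
"""Per-position add/subtract transform of the BVS Solitaire v2.3.1 ID code.

Added example (not code from the program or from the tutorial author).
The program adds a fixed constant to each of the 17 bytes of the entered
code (00476E03 .. 00476F4E) and then compares the result with constant
strings.  A per-position addition is undone by a per-position subtraction.
"""

# Constants in code order, read off the listing:
# 00476E03 +3, 00476E17 +4, 00476E2C +5, 00476E41 +9, 00476E56 +6,
# 00476E6B +0xD, 00476E80 +0xC, 00476E95 +2, 00476EAA +1, 00476EBD +5,
# 00476ED2 +3, 00476EE7 +8, 00476EFC +2, 00476F11 +8, 00476F26 +1,
# 00476F39 +0xD, 00476F4E +0x13
DELTAS = [0x3, 0x4, 0x5, 0x9, 0x6, 0xD, 0xC, 0x2, 0x1,
          0x5, 0x3, 0x8, 0x2, 0x8, 0x1, 0xD, 0x13]
CODE_LEN = len(DELTAS)            # cmp eax, 00000011 at 00476DAF -> 17

# String at 00477338 that the transformed code is compared with at 00476F5C.
# The je at 00476F61 goes to the failure path, so a match REJECTS the code.
BLACKLISTED = "EWL66DA/M>7@/>6ED"


def encode(code: str) -> str:
    """The program's transform: byte i += DELTAS[i], truncated to 8 bits
    (only DL is stored back by `mov byte ptr [eax+i], dl`)."""
    if len(code) != CODE_LEN:
        raise ValueError(f"code must be exactly {CODE_LEN} characters")
    return "".join(chr((ord(c) + d) & 0xFF) for c, d in zip(code, DELTAS))


def decode(encoded: str) -> str:
    """Inverse transform: byte i -= DELTAS[i].  Feed it any constant the
    program compares the transformed code with to get the matching code."""
    if len(encoded) != CODE_LEN:
        raise ValueError(f"encoded string must be exactly {CODE_LEN} characters")
    return "".join(chr((ord(c) - d) & 0xFF) for c, d in zip(encoded, DELTAS))


def check_code(code: str) -> str:
    """Mirror the checks visible in the listing, in program order."""
    if len(code) < CODE_LEN:                 # cmp eax, 11h / jl 004772F5
        return "rejected: shorter than 17 characters"
    if len(code) > CODE_LEN:                 # inference: every compare is
        return "rejected: longer than 17 characters"   # against a 17-char constant
    if encode(code) == BLACKLISTED:          # call 00403CEC / je 004772F5
        return "rejected: blacklisted"
    return "passed the visible checks"


if __name__ == "__main__":
    print("blacklisted code :", decode(BLACKLISTED))
    print("check            :", check_code(decode(BLACKLISTED)))
```

Running it prints the same BSG-075-L948-6581 the table gives, and confirms that this code takes the je at 00476F61.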
:00476F67 C745F401000000  mov [ebp-0C], 00000001
:00476F6E 8B45F8          mov eax, dword ptr [ebp-08]            ; eax = your code
:00476F71 8B55F4          mov edx, dword ptr [ebp-0C]
:00476F74 8B149568FF4A00  mov edx, dword ptr [4*edx+004AFF68]    ; edx = other code
:00476F7B E86CCDF8FF      call 00403CEC
:00476F80 751C            jne 00476F9E
:00476F82 8B45F8          mov eax, dword ptr [ebp-08]
:00476F85 BA38734700      mov edx, 00477338
:00476F8A E85DCDF8FF      call 00403CEC
:00476F8F 0F8460030000    je 004772F5
:00476F95 C645FF01        mov [ebp-01], 01
:00476F99 E957030000      jmp 004772F5
:00476F9E 8B45F4          mov eax, dword ptr [ebp-0C]
:00476FA1 8D04852C2B4B00  lea eax, dword ptr [4*eax+004B2B2C]
:00476FA8 8B55F4          mov edx, dword ptr [ebp-0C]
:00476FAB 8B149568FF4A00  mov edx, dword ptr [4*edx+004AFF68]

Some other stuff follows ... we stop here:

:0047724B E848B5F8FF      call 00402798
:00477250 8B45F8          mov eax, dword ptr [ebp-08]            ; eax contains your code
:00477253 8B55F4          mov edx, dword ptr [ebp-0C]
:00477256 8B14952C2B4B00  mov edx, dword ptr [4*edx+004B2B2C]    ; edx = encrypted
:0047725D E88ACAF8FF      call 00403CEC                          ; do the comparison
:00477262 7509            jne 0047726D                           ; jump if not equal
:00477264 C645FF01        mov [ebp-01], 01
:00477268 E988000000      jmp 004772F5

Take a look at 00477250. Do a "d eax" and you will see your code in the data window. Two instructions later do a "d edx" and you will see this: VVM6:=

Register again and enter: SSG-251-4721-K231

Click OK. "Thank you for registering BVS Solitaire collection. All solitaires are now unlocked"!?!?!?! cOnGRaDZ! Another one cracked! Ehhhm, but I can tell you that this code is NoT the only working one. Take a look back at 004772E8. Guess what? There may be 0xD1=209 working c0des! I am not interested in finding them all because I don't have time for that. bUT you, my friend, who may be a newbie, can do it, if you are not as busy(?) as I am! (hehe..)

cOnCLUsi0N
----------

I hope you learned something from this. Any suggestions/critics/questions are welcome. My email is RaSCaL_CiA@Email.com. Look out for my next tutor soon!
(- hopefully)

gREETS gOEs tO:
---------------

tKC, BuLLeT, Northp0le, FeNOreZ, Yo_oY, COKiNE, CiRuS, all CiA members and yOU! (for reading this)

written by RaSCaL [CiA '99]
30/12/1999

PART 2
~~~~~~

How to crack Winamp 2.2x

Hoho, here we are. My first tutorial, with a prog that is too easy to crack. To begin, turn the resolution to 1024x768 for better reading, and then you need one and only one tool: Soft-Ice v3.23 or above. Well, let's start. Load the prog and go to Shareware and Registration Info. Insert a random name and serial, e.g. Mits and 123456. You see that the OK button is not activated. What's this? Don't worry. Just press Ctrl+D to pop up SoftICE and type bpx getdlgitemtexta. If it says 'Symbol not defined', then open the winice.dat file with Notepad and remove all the semicolons (;) from the EXP lines, save the changes and restart your computer. OK, you put the bpx and you want to crack it. Don't worry. Press the Backspace button, and SoftICE will pop up. Press F11 to go to the caller. There you'll see the following code:

:0040225F push 00
:00402261 push 00
:00402263 push ebx
:00402264 push edi
:00402265 Call [USER32!GetDlgItemInt]
:0040226B mov esi, eax
:0040226D lea eax, dword ptr [ebp-80]
:00402270 push eax                     ; d eax and you see your name. Don't give a shit.
:00402271 call 004271B1
:00402276 cmp eax, esi                 ; Stop here
:00402278 pop ecx
:00402279 jne 00402285

GetDlgItemInt reads the serial you typed as a number into ESI, and the call at 00402271 gets the name buffer and computes the serial that belongs to that name, so at 00402276 EAX holds the correct serial and ESI the one you entered. OK, OK, don't swear. You see the 00402276 address? Stop there and you'll see the EAX register turn blue. Do a "d eax" and you'll see nothing useful, because EAX is a number, not a pointer. Type "? eax" and you'll see a number, 43944939 in our case. GetDlgItemInt parses the text as a decimal number, so use the decimal value that "? eax" shows. Now clear the bpx with "bc *", clear the wrong code and enter the 43944939. Hehe, now the OK button is activated; press it and you are registered! Bravo! You did it! In a next tutorial, if I decide to write one, I'll show you how to make a key generator for WinAmp, because it's simple enough.
For any questions you can reach me on EF-Net #cracking and #cracking4newbies, or on GR-NET in #cracking (that's mine, hehe) with the nick iNFRA. My e-mail is dmitspan@usa.net. I salute you now.

Written by: Mitsaras NukerR

PART 3
~~~~~~

How to crack Quick Editor 6.0

Hello my newbie friends, here I am again, just to show you how to crack this great video processing program. Although it's a good prog, it's too easy to crack. In a minute, you'll be registered. Before starting, for your convenience, turn the resolution to 1024x768. OK, let's start. There are 2 ways to crack this prog, with SoftICE and with W32Dasm. I suggest the first one, version 3.23 and above. It's the simpler and faster way. First of all you must make sure that 32-bit breakpoints are enabled. This is done by removing all the semicolons (;) from the EXP lines of the winice.dat file and rebooting your computer for them to take effect. Now start the program and press OK in the window that appears. We don't want that, right? So we will banish it. Now go to Help->Register and put in a user name and a serial number. I used Mitsaras and 12345. Don't press OK. Press Ctrl+D to get into SoftICE, set a bpx on GetDlgItemTextA (bpx GetDlgItemTextA) and press Ctrl+D again to get out. Everything is ready to crack that damn prog. Now press the OK button and SoftICE will pop up with EAX holding 6, the length of our name. The check of our serial code is in the same routine, so don't press anything. You'll see some of the following code:

:00402EE2 Call [USER32!GetDlgItemTextA]
:00402EE8 mov ebx, eax
:00402EEA cmp bx, 06        ; Compares the length of our name with 6.
:00402EEE jl 00402F76       ; If your name is less than 6 characters, type "a" and then "jg 00402F76", Enter, and then Enter again.
:00402EF4 cmp di, 0A
:00402EF8 jl 00402F76
:00402EFA cmp bx, si
:00402EFD jle 00402F28
:00402EFF lea edi, dword ptr [esp+18]
:00402F03 mov dl, byte ptr [edi]
:00402F05 push edx
:00402F06 call 004193D0
:00402F0B mov ecx, esi
:00402F0D add esp, 04
:00402F10 imul ecx, eax
:00402F13 mov eax, dword ptr [esp+14]
:00402F17 add eax, ecx
:00402F19 inc esi
:00402F1A inc edi
:00402F1B cmp si, bx
:00402F1E mov dword ptr [esp+14], eax
:00402F22 jl 00402F03       ; Type "a", then "jg 00402F03", and press Enter twice.
:00402F24 mov edi, dword ptr [esp+30]
:00402F28 cmp di, word ptr [esp+14]
:00402F2D jnz 00402F47      ; Type "a", then "jz 00402F47", and press Enter twice.
:00402F2F push 01
:00402F31 push ebp          ; Press Ctrl+D to get out. Now you are registered. Haha.

Don't believe me? Go to Help and you'll see the Register option grayed out. Thanks. See ya in a next tutorial. For any questions you can reach me on EF-Net #cracking and #cracking4newbies, or on GR-NET in #cracking (that's mine, hehe) with the nick iNFRA. My e-mail is dmitspan@usa.net. Goodbye my friends.

Written by: Mitsaras NukerR

PART 4
~~~~~~

How to crack using HMEMCPY

Hello again, here I am with a new tutorial. It seems I've become a writer. Well, today we'll talk about cracking using HMEMCPY in SoftICE. That automatically means you must have version 3.23 or above, regardless of whether 32-bit breakpoints are enabled. As an example I will use PSplit '97, a useful little program with which you can split large files onto diskettes, just like ARJ; do you remember it? Before starting, turn your resolution up to 1024x768 for your convenience. As you can confirm yourself (even if it's a waste of time), none of the usual breakpoints work here, so we have to break on HMEMCPY. First of all, we load the prog and press About and Register. Put in a user name and a random registration key (I put Mits and 12345) and, before pressing OK, pop up SoftICE with Ctrl+D, type bpx hmemcpy and Ctrl+D again to get out.
Now press the OK button. You'll land in a useless routine. Press the F5 key 6 times, then the F12 key 7 times and finally F10 21 times, until you reach the following code:

:004421FB mov eax, dword ptr [ebp-10]
:004421FE mov edx, dword ptr [ebp-0C]       ; d eax and see your false regcode
:00442201 call 004036C8                     ; Stop here and type d edx (guess what).
:00442206 jnz 004422C5                      ; Jump to unregistered if not zero.

* Possible StringData Ref from Code Obj ->"PSplit 2.0 Registred to "
:0044220C mov edx, 0044234C
:00442211 lea eax, dword ptr [ebp+FFFFFEEC]
:00442217 call 004034D8

As you can see, at 00442201 the EDX register turns blue, so you type "d edx" and see a number in the data window, 1774-PS-4229 in our case. Write down that number, clear the bpx by typing "bc *" and press Ctrl+D to leave SoftICE. It will say wrong code, but try again: in the Registration key box enter the number you wrote down from EDX, and you are Registered.

Note 1: Changing the jnz to jz at 00442206 has no lasting effect, because the prog checks every time whether the entered code is true or false, so you'd better follow all these steps to be sure you have the real regkey.

Note 2: I haven't found out yet (better said, I haven't bothered with it) what the meaning of so many breaks on hmemcpy is, even if there aren't any other breakpoints available. I guess this is made to confuse and make it harder for the newbie cracker to find where the real code is being generated.

Here we are again, at the end. I think we'll meet again soon enough. I continue my cracking practice all the time. As for keymakers, in the distant or not so distant future. For any questions you can reach me on EF-Net #cracking and #cracking4newbies, or on GR-NET in #cracking (that's mine, hehe) with the nick iNFRA. My e-mail is dmitspan@usa.net. Bye my friends!

Written by: Mitsaras NukerR

PART 5
~~~~~~

How to find two serial numbers in WinZip 7.0 SR-1

Well, well, here we are again.
The tutorial on WinZip 7.0 has been written lots of times, but I haven't seen any of them describing all the solutions together, and I'll show you a second place where a second registration number is generated. Before we continue, for your convenience turn to 1024x768 to enjoy this tut, and have a glass of Sambuca (I prefer Molinari) and some peanuts. Next I shall remind you to use SoftICE v3.23+ and W32Dasm (see "How to make WinZip accept any code!" below). First you must check that 32-bit bpx are enabled. This is done by removing the semicolons (;) from the EXP lines in the winice.dat file. OK, now we are ready. Load WinZip, press Enter Registration Code and put in a random Name and Registration number. For example I'll use Mits and 12345. Don't press OK. Press Ctrl+D to pop up SoftICE and type bpx GetDlgItemTextA (the A suffix is the ANSI variant of the function). Press Ctrl+D again to leave. Now press the OK button. You'll see SoftICE pop up due to a call to GetDlgItemTextA. You'll see in the EAX register the number 4. This is the length of our name and doesn't concern us. Press F5 one time and you'll see the value 5 in EAX. Here we are. This routine reads our registration number. You'll see the following code:

:00408036 Call [USER32!GetDlgItemTextA]
:0040803C push esi
:0040803D call 00429699
:00408042 pop ecx
:00408043 push esi
:00408044 call 004296C2
:00408049 cmp byte ptr [0047D928], 00     <= type d edx and see the false reg
:00408050 pop ecx
:00408051 jz 004080B2
:00408053 cmp byte ptr [0047D958], 00
:0040805A jz 004080B2
:0040805C call 00407B4B                   <= STOP HERE
:00408061 test eax, eax
:00408063 jz 004080B2
:00408065 push ebx

We're near the bitch serial. You stopped at 0040805C? OK.

First registration number

Now trace into the call by pressing F8, and then press F10 68 times. When you reach 00407C22 LEA EAX,[EBP-0140] you'll see the ECX register turn blue. This means it changed, so type "d ecx" and you'll see a number, which in our case is D8EC02AA. This is generally the right registration code, and it differs by name.
Now clear the bpx by typing "bc *" and press Ctrl+D. You'll see the invalid message box, but don't give a shit. Press Enter Registration Code again and fill in Mits and D8EC02AA. Hehe, it's registered now and forever.

Second registration number

I truly don't know, and it doesn't bother me, why WinZip generates two registration numbers. Anyway, let's find where it is, but first you have to unregister WinZip, so as to play with the second way.

Unregistering WinZip: Open regedit by going to Start->Run->regedit, open the key HKEY_CURRENT_USER\SOFTWARE\Nico Mak Computing\WinZip\WinIni and delete the Name and SN entries (regedit writes the change immediately; F5 just refreshes the view).

Now follow the same steps as in the first way and trace into the call you stopped at before (:0040805C call 00407B4B) by pressing F8, and then press F10 exactly 85 times. You'll reach the address 00407C51 pop ecx, and the EAX register will turn blue. So type "d eax" and you'll see another number in the data window. Type "bc *" and press Ctrl+D to leave SoftICE, ignore the error message and enter the number you saw in the regcode box. Registered again.

How to make WinZip accept any code!

Yes, you can make WinZip accept any code. First of all make two copies of the winzip32.exe file: one for backup and the other with the extension .w32 for disassembling. Now open W32Dasm and disassemble the winzip32.w32 file. Remember the call 00407B4B? Go to Goto->Goto Code Location, type 0040805C and you'll see the line :0040805C call 00407B4B. Trace into the call by pressing the right arrow key and scroll down till you see:

:00407CB4 E897E40400      call 00456150
:00407CB9 A17CB04700      mov eax, dword ptr [0047B07C]   <= Here's the bitch
:00407CBE 83C40C          add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407C09(U)
|
:00407CC1 5F              pop edi
:00407CC2 5E              pop esi
:00407CC3 5B              pop ebx
:00407CC4 C9              leave
:00407CC5 C3              ret

You see that mov eax, dword ptr [0047B07C]?
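The patch that the next paragraph walks through by hand in HIEW (mov eax, dword ptr [0047B07C] at 00407CB9 replaced by mov eax, 00000001), done from a script instead. This is an added example, not WinZip's code and not the tutorial author's; it assumes nothing beyond the bytes shown in the W32Dasm listing. Rather than trusting the file offset 70B9 that the tutorial reports for its build, it searches for the instruction by its byte pattern (the original 5 bytes plus the 3 bytes of the add esp that follows), refuses to write unless that pattern occurs exactly once and the bytes at the site are the expected ones, and keeps a backup. Both encodings (A1 imm32 and B8 imm32) are 5 bytes long, so nothing after the patch site moves. The "image" used for the self-test is a constructed byte buffer, not a real winzip32.exe.

```python
"""Scripted version of the HIEW patch from Part 5 (added example, not code
from WinZip or from the tutorial author):

    00407CB9  A1 7C B0 47 00   mov eax, dword ptr [0047B07C]
becomes
    00407CB9  B8 01 00 00 00   mov eax, 00000001

so the check routine always returns 1 in EAX.
"""
import shutil
from pathlib import Path

ORIG = bytes.fromhex("A17CB04700")     # mov eax, dword ptr [0047B07C]
NEXT = bytes.fromhex("83C40C")         # add esp, 0000000C (the instruction after it)
NEW = bytes.fromhex("B801000000")      # mov eax, 00000001
assert len(ORIG) == len(NEW)           # like-for-like: nothing after the site shifts

TUTORIAL_OFFSET = 0x70B9               # file offset the tutorial reports for its build


def find_unique(data: bytes, pattern: bytes) -> int:
    """Offset of the single occurrence of pattern; error on zero or several."""
    first = data.find(pattern)
    if first < 0:
        raise ValueError("pattern not found: different build, or already patched?")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError("pattern is not unique; refusing to guess which site to patch")
    return first


def patch_bytes(data: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Replace expected with replacement at offset after verifying both."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must have the same length as the original")
    if data[offset:offset + len(expected)] != expected:
        raise ValueError(f"bytes at offset {offset:#x} are not the expected instruction")
    return data[:offset] + replacement + data[offset + len(expected):]


def apply_winzip_patch(data: bytes) -> bytes:
    """Locate mov eax,[0047B07C] by its byte pattern and turn it into mov eax,1."""
    offset = find_unique(data, ORIG + NEXT)
    return patch_bytes(data, offset, ORIG, NEW)


def patch_file(path: str) -> int:
    """Patch a file in place, keeping a .bak copy; returns the patched offset."""
    src = Path(path)
    shutil.copy2(src, src.with_suffix(src.suffix + ".bak"))
    data = src.read_bytes()
    offset = find_unique(data, ORIG + NEXT)
    src.write_bytes(patch_bytes(data, offset, ORIG, NEW))
    return offset


def build_sample_image() -> bytes:
    """Constructed stand-in for winzip32.exe: zero filler up to the tutorial's
    offset, then the patch site and the epilogue from the listing."""
    epilogue = bytes.fromhex("5F5E5BC9C3")   # pop edi / pop esi / pop ebx / leave / ret
    return b"\x00" * TUTORIAL_OFFSET + ORIG + NEXT + epilogue


if __name__ == "__main__":
    import sys
    print("patched at file offset", hex(patch_file(sys.argv[1])))
```

Run it as `python patch_winzip.py winzip32.exe` on a copy of the real binary; on a build where the pattern is absent or occurs twice it stops without writing, which is exactly the case the tutorial warns about when it says the offset may differ.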
The dword at 0047B07C holds the result of the serial check: 0 means the serial is invalid, 1 means it is correct. It is loaded into EAX as the return value of the routine (the pops, leave and ret follow right after). We always want a correct serial, so we change the instruction to mov eax,1. Place the cursor on the line at 00407CB9 and write down the offset value you see in the status bar at the bottom of W32Dasm, without the h. In our case the offset is 70B9, but remember, it may differ from one WinZip build to another. Now open HIEW and open the winzip32.exe file. Press F4 and choose Decode mode, press F5 to enter the offset and press Enter. Now press F3 to enter edit mode and F2 to open the assembler. In the window that pops up, delete the [00047B07C] and replace it with 1, so that afterwards it looks like this:

.00407CB9: B801000000    mov eax,000000001

After you make the change, assemble it with Enter, leave the assembler with Esc, press F9 to save the change, and then Esc to quit. Run WinZip now and enter any name and serial. Registered forever.

Note: WinZip makes a check at program start to see whether our registration number is correct, but it's in the same routine, so we'll always be OK, as we have made the routine return the right value. Thank God there's no other routine to make things more complicated for you newbies.

Thanks for reading this tut and I hope I'll write another one some day in the future. For any questions you can reach me on EF-Net #cracking and #cracking4newbies, or on GR-NET in #cracking (that's mine, hehe) with the nick iNFRA. My e-mail is dmitspan@usa.net. Bye my friends.

Written by: Mitsaras Nuker R

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #61, coming soon! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
tKC for the Interface.
DnNuke for the Splash Logo.
RaSCaL for providing a tut in this version.
Mitsaras Nuker for providing 4 tuts in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

*** 80 chars per line in textfile please!
*** And all the tutors can be found at http://www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 10 January 2000

Cracking Tutorial #60 is dedicated to Mandy.