|
This program is as easily *cracked* because it
still relies on a simple serial number to be entered into it in order to
register it.
On initial startup of Winzip you are given
the chance to register Winzip via the 'Enter Registration Code'
button.
You will be asked for:
Name
Registration #
On successful registration the program
stores the following User info into:-
HKEY\Current_User\Software\Nico Mak
Computing\Winzip\WinIni
Name "The Sandman"
SN "B5241530"
Win32_version "6.3-7.0"
Having found by chance, this full beta
release of WinZip V7 I immediately set about *cracking* it without first
making a 'Dead Listing' of it's code, which, in the end I didn't really need
anyway.
Lets begin..
Start up WinZip, it will display a pretty
nag screen reminding us to register Winzip.. Click on
the 'Enter Registration Code' button.
Type in your user Name/Handle then enter a
sequence of random numbers..
For this example I chose:
The Sandman
7777777
After trying to get Softice to break on bpx
messageboxa when WinZip displayed the 'Beggar off cracker message' I then
decided to use my next favorite Softice breakpoint:-
Press Ctrl-D then type: bpx
getdlgitemtexta then type x to leave Softice.
Lets now get WinZip to check our User
details...Press the 'OK' button on the Registration Screen.
Softice now breaks at the start of the system function getdlgitemtexta
function, so all we need do here is press the 'F11' key once,
this brings us nicely back into WinZip's code.
We should now see the following snippet of code:-
* Reference To:
USER32.GetDlgItemTextA, Ord:00F5h
:004079F3 FF1518444600
Call dword ptr [00464418]
:004079F9 57
push edi ;We land here
:004079FA E8BDFD0100
call 004277BC
:004079FF 59
pop ecx
:00407A00 57
push edi
:00407A01 E8DFFD0100
call 004277E5
:00407A06 59
pop ecx
:00407A07 BED8964700
mov esi, 004796D8
:00407A0C 6A0B
push 0000000B
:00407A0E 56
push esi
:00407A0F 68810C0000
push 00000C81
:00407A14 53
push ebx
:00407A15 FF1518444600
Call dword ptr [00464418]
:00407A1B 56
push esi
:00407A1C E89BFD0100
call 004277BC
:00407A21 59
pop ecx
:00407A22 56
push esi
:00407A23 E8BDFD0100
call 004277E5
:00407A28 803DA896470000
cmp byte ptr [004796A8], 00;Serial empty?
:00407A2F 59
pop ecx
:00407A30 744F
je 00407A81 ;Yes?, then display error
:00407A32 803DD896470000
cmp byte ptr [004796D8], 00 ;Name empty?
:00407A39 7446
je 00407A81 ;Yes? then display error
:00407A3B E809FBFFFF
call 00407549 ;Create Serial No's
:00407A40 85C0
test eax, eax
:00407A42 743D
je 00407A81 ;Jump if wrong serial No
Press the 'F10' key UNTILL you
get to: 00407A3B Call 00407549
This call instruction is where we must
follow if we are to discover where the real serial is stored in memory once
the program has created it for us..
Press the 'T' key once your at memory offset
00407549 and this will take us directly into the section of code that we
wish to examine further.. This is the code we shall see on arrival...
* Referenced by a CALL at
Addresses:
|:0040108C , :00401228 ,
:00407A3B , :0042AEDB
|
:00407549 55 push
ebp ;Save ebp
:0040754A 8BEC mov
ebp, esp ;ebp=esp
:0040754C 81EC08020000 sub
esp, 00000208 ;ebp=ebp-0208h
:00407552 53 push
ebx ;save ebx
:00407553 56 push
esi ;save esi
:00407554 33F6 xor
esi, esi ;zero esi
:00407556 803DA896470000 cmp
byte ptr [004796A8], 00 ;Blank name?
:0040755D 57 push
edi ;save edi
:0040755E 0F84A1000000 je
00407605 ;yes?,then jmp
:00407564 8D45EC lea
eax, dword ptr [ebp-14];
:00407567 50 push
eax ;save eax
:00407568 6880B44600 push
0046B480
:0040756D E850A2FFFF call
004017C2
:00407572 59 pop
ecx
:00407573 8D85F8FDFFFF lea
eax, dword ptr [ebp+FFFFFDF8]
:00407579 59 pop
ecx ;Reference to "MuradMeraly"?
:0040757A BFA8964700 mov
edi, 004796A8 ;User Name (2nd copy)
:0040757F 50 push
eax ;save eax
:00407580 57 push
edi ;save edi
:00407581 E8AB020000 call
00407831
:00407586 59 pop
ecx
:00407587 8D85F8FDFFFF lea
eax, dword ptr [ebp+FFFFFDF8]
:0040758D 59 pop
ecx ;get user name (2nd copy)
:0040758E 50 push
eax ;save eax
:0040758F 8D45EC lea
eax, dword ptr [ebp-14] ;="MuradMeraly"
:00407592 50 push
eax ;Save eax
:00407593 E818C80400 call
00453DB0
:00407598 59 pop
ecx ;Reference to "MuradMerley"
:00407599 59 pop
ecx ;User name (2nd Copy)
:0040759A 6A01 push
00000001
:0040759C 85C0 test
eax, eax
:0040759E 5B pop
ebx
:0040759F 7502 jne
004075A3 ;jump if our serial wrong
:004075A1 8BF3 mov
esi, ebx
:004075A3 8D45EC lea
eax, dword ptr [ebp-14] ;;="MuradMerly
:004075A6 50 push
eax ;save eax
:004075A7 6890B44600 push
0046B490
:004075AC E811A2FFFF call
004017C2
:004075B1 59 pop
ecx
:004075B2 8D45EC lea
eax, dword ptr [ebp-14]
:004075B5 59 pop
ecx
:004075B6 50 push
eax
:004075B7 57 push
edi ;Save User Name
:004075B8 E8F3C70400 call
00453DB0
:004075BD 59 pop
ecx
:004075BE 85C0 test
eax, eax
:004075C0 59 pop
ecx
:004075C1 750C jne
004075CF
* Reference To:
KERNEL32.GetTickCount, Ord:0145h
:004075C3 FF15CC414600 Call
dword ptr [004641CC]
:004075C9 84C3 test
bl, al
:004075CB 7402 je
004075CF
:004075CD 8BF3 mov
esi, ebx
:004075CF 6A14 push
00000014 ;"Save Winzip settings"
:004075D1 8D45EC lea
eax, dword ptr [ebp-14]
:004075D4 6A00 push
00000000
:004075D6 50 push
eax
:004075D7 E8D4AF0400 call
004525B0
:004075DC 83C40C add
esp, 0000000C
:004075DF 8D85F8FDFFFF lea
eax, dword ptr [ebp+FFFFFDF8]
:004075E5 68C8000000 push
000000C8
:004075EA 6A00 push
00000000
:004075EC 50 push
eax
:004075ED E8BEAF0400 call
004525B0
:004075F2 83C40C add
esp, 0000000C
:004075F5 85F6 test
esi, esi
:004075F7 7413 je
0040760C
:004075F9 E82D060000 call
00407C2B
:004075FE 83253470470000 and
dword ptr [00477034], 00000000
:00407605 33C0 xor
eax, eax
:00407607 E9B3000000 jmp
004076BF
:0040760C 8D85C0FEFFFF lea
eax, dword ptr [ebp+FFFFFEC0]
:00407612 50 push
eax
:00407613 57 push
edi
:00407614 E8AB000000 call
004076C4 ;Generate 1st valid serial #
:00407619 59 pop
ecx
:0040761A BED8964700 mov
esi, 004796D8 ;esi=your serial no
:0040761F 59 pop
ecx ;ecx=1st valid serial No
:00407620 8D85C0FEFFFF lea
eax, dword ptr [ebp+FFFFFEC0]
:00407626 56 push
esi ;Save Your Serial #
:00407627 50 push
eax ;Save real Serial #
:00407628 E883C70400 call
00453DB0 ;compare serial's
:0040762D F7D8 neg
eax
:0040762F 1BC0 sbb
eax, eax
:00407631 59 pop
ecx
:00407632 40 inc
eax
:00407633 59 pop
ecx ;Your serial No
:00407634 A334704700 mov
dword ptr [00477034], eax ;Save the Reg
;status
;0=Shareware
;1=registered
:00407639 7569 jne
004076A4
:0040763B 8D85C0FEFFFF lea
eax, dword ptr [ebp+FFFFFEC0]
:00407641 50 push
eax ;Save 1st serial no
:00407642 57 push
edi ;save our user name
:00407643 E820010000 call
00407768 ;Create 2nd valid serial #!
:00407648 59 pop
ecx ;ecx=2nd valid serial #
:00407649 8D85C0FEFFFF lea
eax, dword ptr [ebp+FFFFFEC0]
------------- Snip Snip ----
As you can see, we have the choice of two
valid serial numbers from this code snippet, either of them will do the job
of registering this program.
Job Done. |