Make your own free website on Tripod.com
Homepage of ANURAG JAiN
 
Cracking Winzip
By THE SANDMAN
 
This program is as easily *cracked* because it still relies on a simple serial number to be entered into it in order to register it.

On initial startup of Winzip you are given the chance to register Winzip via the 'Enter Registration Code' button.

You will be asked for:

Name
Registration #

On successful registration the program stores the following User info into:-

HKEY\Current_User\Software\Nico Mak Computing\Winzip\WinIni
 
Name                    "The Sandman"
SN                         "B5241530"
Win32_version  "6.3-7.0"
 

Having found by chance, this full beta release of WinZip V7 I immediately set about *cracking* it without first making a 'Dead Listing' of it's code, which, in the end I didn't really need anyway.

Lets begin..

Start up WinZip, it will display a pretty nag screen reminding us to register Winzip.. Click on the  'Enter Registration Code' button.

Type in your user Name/Handle then enter a sequence of random numbers..

For this example I chose:

The Sandman
7777777

After trying to get Softice to break on bpx messageboxa when WinZip displayed the 'Beggar off cracker message' I then decided to use my next favorite Softice breakpoint:-

Press Ctrl-D then type: bpx getdlgitemtexta then type x to leave Softice.

Lets now get WinZip to check our User details...Press the 'OK' button on the Registration Screen.

Softice now breaks at the start of the system function getdlgitemtexta function, so all we need do here is press the 'F11' key once, this brings us nicely back into WinZip's code.
 
We should now see the following snippet of code:-
 
* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
 
:004079F3 FF1518444600            Call dword ptr [00464418]
:004079F9 57                      push edi ;We land here
:004079FA E8BDFD0100              call 004277BC
:004079FF 59                      pop ecx
:00407A00 57                      push edi
:00407A01 E8DFFD0100              call 004277E5
:00407A06 59                      pop ecx
:00407A07 BED8964700              mov esi, 004796D8
:00407A0C 6A0B                    push 0000000B
:00407A0E 56                      push esi
:00407A0F 68810C0000              push 00000C81
:00407A14 53                      push ebx
:00407A15 FF1518444600            Call dword ptr [00464418]
:00407A1B 56                      push esi
:00407A1C E89BFD0100              call 004277BC
:00407A21 59                      pop ecx
:00407A22 56                      push esi
:00407A23 E8BDFD0100              call 004277E5
:00407A28 803DA896470000          cmp byte ptr [004796A8], 00;Serial empty?
:00407A2F 59                      pop ecx
:00407A30 744F                    je 00407A81 ;Yes?, then display error
:00407A32 803DD896470000          cmp byte ptr [004796D8], 00 ;Name empty?
:00407A39 7446                    je 00407A81 ;Yes? then display error
:00407A3B E809FBFFFF              call 00407549 ;Create Serial No's
:00407A40 85C0                    test eax, eax
:00407A42 743D                    je 00407A81 ;Jump if wrong serial No

Press the 'F10' key UNTILL you get to: 00407A3B  Call 00407549

This call instruction is where we must follow if we are to discover where the real serial is stored in memory once the program has created it for us..

Press the 'T' key once your at memory offset 00407549 and this will take us directly into the section of code that we wish to examine further..  This is the code we shall see on arrival...

* Referenced by a CALL at Addresses:
|:0040108C   , :00401228   , :00407A3B   , :0042AEDB
|
:00407549 55                push ebp                   ;Save ebp
:0040754A 8BEC              mov ebp, esp               ;ebp=esp
:0040754C 81EC08020000      sub esp, 00000208          ;ebp=ebp-0208h
:00407552 53                push ebx                   ;save ebx
:00407553 56                push esi                   ;save esi
:00407554 33F6              xor esi, esi               ;zero esi
:00407556 803DA896470000    cmp byte ptr [004796A8], 00 ;Blank name?
:0040755D 57                push edi                   ;save edi
:0040755E 0F84A1000000      je 00407605                ;yes?,then jmp
:00407564 8D45EC            lea eax, dword ptr [ebp-14];
:00407567 50                push eax                   ;save eax
:00407568 6880B44600        push 0046B480
:0040756D E850A2FFFF        call 004017C2
:00407572 59                pop ecx
:00407573 8D85F8FDFFFF      lea eax, dword ptr [ebp+FFFFFDF8]
:00407579 59                pop ecx            ;Reference to "MuradMeraly"?
:0040757A BFA8964700        mov edi, 004796A8  ;User Name (2nd copy)
:0040757F 50                push eax           ;save eax
:00407580 57                push edi           ;save edi
:00407581 E8AB020000        call 00407831
:00407586 59                pop ecx
:00407587 8D85F8FDFFFF      lea eax, dword ptr [ebp+FFFFFDF8]
:0040758D 59                pop ecx            ;get user name (2nd copy)
:0040758E 50                push eax           ;save eax
:0040758F 8D45EC            lea eax, dword ptr [ebp-14] ;="MuradMeraly"
:00407592 50                push eax           ;Save eax
:00407593 E818C80400        call 00453DB0
:00407598 59                pop ecx            ;Reference to "MuradMerley"
:00407599 59                pop ecx            ;User name (2nd Copy)
:0040759A 6A01              push 00000001
:0040759C 85C0              test eax, eax
:0040759E 5B                pop ebx
:0040759F 7502              jne 004075A3       ;jump if our serial wrong
:004075A1 8BF3              mov esi, ebx
:004075A3 8D45EC            lea eax, dword ptr [ebp-14] ;;="MuradMerly
:004075A6 50                push eax           ;save eax
:004075A7 6890B44600        push 0046B490
:004075AC E811A2FFFF        call 004017C2
:004075B1 59                pop ecx
:004075B2 8D45EC            lea eax, dword ptr [ebp-14]
:004075B5 59                pop ecx
:004075B6 50                push eax
:004075B7 57                push edi           ;Save User Name
:004075B8 E8F3C70400        call 00453DB0
:004075BD 59                pop ecx
:004075BE 85C0              test eax, eax
:004075C0 59                pop ecx
:004075C1 750C              jne 004075CF

* Reference To: KERNEL32.GetTickCount, Ord:0145h
 
:004075C3 FF15CC414600      Call dword ptr [004641CC]
:004075C9 84C3              test bl, al
:004075CB 7402              je 004075CF
:004075CD 8BF3              mov esi, ebx
:004075CF 6A14              push 00000014 ;"Save Winzip settings"
:004075D1 8D45EC            lea eax, dword ptr [ebp-14]
:004075D4 6A00              push 00000000
:004075D6 50                push eax
:004075D7 E8D4AF0400        call 004525B0
:004075DC 83C40C            add esp, 0000000C
:004075DF 8D85F8FDFFFF      lea eax, dword ptr [ebp+FFFFFDF8]
:004075E5 68C8000000        push 000000C8
:004075EA 6A00              push 00000000
:004075EC 50                push eax
:004075ED E8BEAF0400        call 004525B0
:004075F2 83C40C            add esp, 0000000C
:004075F5 85F6              test esi, esi
:004075F7 7413              je 0040760C
:004075F9 E82D060000        call 00407C2B
:004075FE 83253470470000    and dword ptr [00477034], 00000000
:00407605 33C0              xor eax, eax
:00407607 E9B3000000        jmp 004076BF
:0040760C 8D85C0FEFFFF      lea eax, dword ptr [ebp+FFFFFEC0]
:00407612 50                push eax
:00407613 57                push edi
:00407614 E8AB000000        call 004076C4 ;Generate 1st valid serial #
:00407619 59                pop ecx
:0040761A BED8964700        mov esi, 004796D8 ;esi=your serial no
:0040761F 59                pop ecx           ;ecx=1st valid serial No
:00407620 8D85C0FEFFFF      lea eax, dword ptr [ebp+FFFFFEC0]
:00407626 56                push esi          ;Save Your Serial #
:00407627 50                push eax          ;Save real Serial #
:00407628 E883C70400        call 00453DB0     ;compare serial's
:0040762D F7D8              neg eax
:0040762F 1BC0              sbb eax, eax
:00407631 59                pop ecx
:00407632 40                inc eax           
:00407633 59                pop ecx           ;Your serial No
:00407634 A334704700        mov dword ptr [00477034], eax ;Save the Reg
                                                          ;status
                                                          ;0=Shareware
                                                          ;1=registered
:00407639 7569              jne 004076A4
:0040763B 8D85C0FEFFFF      lea eax, dword ptr [ebp+FFFFFEC0]
:00407641 50                push eax          ;Save 1st serial no
:00407642 57                push edi          ;save our user name
:00407643 E820010000        call 00407768     ;Create 2nd valid serial #!
:00407648 59                pop ecx           ;ecx=2nd valid serial #
:00407649 8D85C0FEFFFF      lea eax, dword ptr [ebp+FFFFFEC0]
------------- Snip Snip ----

As you can see, we have the choice of two valid serial numbers from this code snippet, either of them will do the job of registering this program.
 
Job Done.

FINAL NOTES
Anyone who has Winzip V7 Beta installed will no doubt soon find an annoying nag screen screen pop-up each time t7hey use Winzip, even though they may have this program registered.
 
The reason for this nag screen?. To inform you that the your version of  Winzip is rather 'old' and that you should download the 'latest' version from their web site.. Hmmm Sounds like a quick patch to your System Registry file is needed to prevent this from happening again..

If you open up your System Registry file using RegEdit and go to this key:
 
          HKEY_CURRENT_USER\Software\Nico Mak Computing
 
Now you'll notice several sub-keys, the one we're interested in is:
 
          HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\rrs
 

There are THREE keys in here:-

          Date  <--Install date

          Days <--No of days before Winzip becomes out-of-date.
 

          CHANGE the value for date to: 08/16/98
          CHANGE the value for days to: 99999
 
Now when ever you use Winzip it will have virtually unlimited No of 'uses' before it displays that nag message again, by which time you'll have an even newer version to play around with.
 

This article was written by THE SANDMAN
                                                                                                    
  Favorites Links:
Google | Indian Magic | India Station | Infosyssec.org | Indiatimes | CoolGoose | Sify | Cricketnext
To troubleshoot and discuss PC problems, download latest Pics and videos. Discuss TV programs and others,
visit: http://personal.aceboard.com/