June 1998
"Winzip Self Extractor V2.1"
( 'Sniff Sniff'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: wzse21.exe
Program Type: WinZip Utility
Program Location: Here
Program Size: 587K 
 
   
Tools Used:
 Softice V3.2
 
Rating
Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Winzip Self Extractor V2.1
( 'Sniff Sniff'  )
Written by The Sandman
 
 
 
Introduction
 
The author says about Winzip Self Extractor:

"WinZip Self-Extractor is a utility program that creates native Windows self-extracting Zip files. These self-extracting Zip files are ideal for Internet file distribution because they:  (1) can contain multiple compressed files, ensuring that important files do not become separated from the rest of the package; (2) allow the receiver to use a familiar Windows interface to decompress files, without owning or knowing how to use a separate unzip utility; and (3) optionally run a "setup" or "installation" program, which may be included by the developer when the files are decompressed. "
 
About this protection system
 
Once you've clicked the 'OK' button on the initial nag screen, you can then select the 'Enter Registration Code' button to begin registering the program.
 
Organization:
Registration #:
 
On successful registration the following entries are created in a simple ASCII file called winzipse.dat, found in the same directory as the program itself.
 

 
The Essay 
     
There are many 'Key Generators' and 'Serial Numbers' on the web for this utility, so patching this program makes no sense; however, showing how & where the program handles your registration info is another matter.
 
Surprisingly, the programmers have done very little to discourage attacks from crackers; their code layout is very easy to follow, and short of having little text messages in the code saying where everything is, this program should pose no problems for even newbies to cut their teeth on.  To be honest, once I had found where you can 'sniff' out the registration code I felt a little disappointed that it was so easy to find.
 
Step 1.  Preparation.

Set aside 10 minutes from watching the TV and settle down comfortably in front of the PC; there's no rush, so take your time.  Place a music CD (I like Queen but anything will do) in the CD drive and let's rock & roll...
 
Step 2. Initialization.
 
Fire up Winzip Self Extractor and go into the Registration Screen.  Fill in the two boxes with your name/handle and any sequence of random numbers. I used:-
 
Organization  :The Sandman
Registration #:7777777
 
Step 3.  Entering the Winzip Code.
 
Before clicking on that 'Ok' button, press the 'Ctrl' AND 'D' keys together to start up Softice. Most 32-bit programs rely on 32-bit functions provided by Windows itself and Winzip is no exception.  While still in Softice type: bpx messageboxa then x to leave.
 
Step 4. Sniffing out the registration code.
 
While in Winzip, click on the 'Ok' button; Softice will break at the start of the messageboxa routine. All you need to do is press the 'F11' key once, and a Winzip message box will appear informing you that your registration was incorrect. Take a good look at that messagebox, in a short while you won't be seeing it again he he.
 
Softice now should be showing the following code:-
 
:00408F0F E8D2FCFFFF        call 00408BE6 ;Create & test Serial No
:00408F14 85C0              test eax, eax ;Results stored in eax
:00408F16 0F854E000000      jne 00408F6A  ;The 'Good Guy' Jump'

* The following three lines place a value of '0' at the beginning of our entered name and *fake* serial number.
 
:00408F1C C60510C6420000    mov byte ptr [0042C610], 00
:00408F23 A010C64200        mov al, byte ptr [0042C610]
:00408F28 A220C74200        mov byte ptr [0042C720], al
:00408F2D 6A10              push 00000010
:00408F2F 6A00              push 00000000
:00408F31 68FC120000        push 000012FC
:00408F36 E8C3D7FFFF        call 004066FE
:00408F3B 50                push eax
:00408F3C FF7508            push [ebp+08]
:00408F3F FF15E0F64200      Call dword ptr [USER32.MessageBoxA]
:00408F45 FF05F89E4200      inc dword ptr [00429EF8] ;We land here
 
As you can see, the result of the test eax,eax decides whether or not the program has been able to match your serial number with the one it created from the name/handle typed in by the User. Let's now follow where the call 00408BE6 takes us.

While still in Softice type bpx 00408BE6 then x to leave Softice. Winzip Self Extractor will once more run as normal and tell us that our serial number was invalid etc. No problem... Click the 'Ok' button to close this dialog box and then click the 'OK' button again to have Winzip check our serial number again.
 
Softice Breaks at: :00408BE6...

* Referenced by a CALL at Addresses :00408F0F
* On Entry,
* ECX register points to our *fake* serial no.
 
:00408BE6 55                      push ebp ;Save contents of ebp register.
:00408BE7 8BEC                    mov ebp, esp ;ebp now equals esp register
:00408BE9 81EC04010000            sub esp, 00000104 ;subtract 104 from esp.
:00408BEF 53                      push ebx ;save ebx register
:00408BF0 56                      push esi ;save esi register
:00408BF1 57                      push edi ;save edi register
:00408BF2 837D0800                cmp dword ptr [ebp+08], 00000000
:00408BF6 0F8405000000            je 00408C01 ;program jumps here
:00408BFC E8A0FCFFFF              call 004088A1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408BF6(C)
|
:00408C01 0FB60520C74200          movzx eax, byte ptr [0042C720];lands here
:00408C08 85C0                    test eax, eax
:00408C0A 0F8507000000            jne 00408C17 ;program jumps here
:00408C10 33C0                    xor eax, eax
:00408C12 E9C9000000              jmp 00408CE0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C0A(C)
|
:00408C17 6810C64200              push 0042C610 ;loc of our *fake* serial
:00408C1C 6820C74200              push 0042C720 ;Loc of our name/handle
:00408C21 E84A200100              call 0041AC70 ;Validate our input
:00408C26 83C408                  add esp, 00000008
:00408C29 85C0                    test eax, eax
:00408C2B 0F8507000000            jne 00408C38
:00408C31 33C0                    xor eax, eax
:00408C33 E9A8000000              jmp 00408CE0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C2B(C)
|
:00408C38 6810C64200              push 0042C610 ;loc of our *fake* serial
:00408C3D E81EA10000              call 00412D60 ;Test the serial numbers
:00408C42 83C404                  add esp, 00000004
:00408C45 85C0                    test eax, eax
:00408C47 0F8419000000            je 00408C66 ;Even if you enter the
                                              ;correct serial number the
                                              ;program ALWAYS jumps over
                                              ;the next THREE instructions!

* The next three lines, if executed, will make this babe fully registered
* without the program doing any further checks on our serial numbers!!

* If you're looking for a 'patch' then NOP'ing out the je 00408C66
* instruction above this text will allow *any* serial number to be entered
* into the program to make this fully registered. I haven't tested this
* but from the code it should work!

:00408C4D C70524C8420001000000    mov dword ptr [0042C824], 00000001
:00408C57 C70528C8420001000000    mov dword ptr [0042C828], 00000001
:00408C61 E970000000              jmp 00408CD6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C47(C)
|
:00408C66 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:00408C6C 50                      push eax
:00408C6D 6820C74200              push 0042C720 ;Get our name/handle
:00408C72 E837FDFFFF              call 004089AE ;Generate *Real* Serial No

:00408C77 6810C64200              push 0042C610 ;If you type d eax here
                                                ;then you will see the
                                                ;*REAL* serial No

:00408C7C 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:00408C82 50                      push eax
:00408C83 E8E81F0100              call 0041AC70 ;Check *both* Serial No's
:00408C88 83C408                  add esp, 00000008

:00408C8B 85C0                    test eax, eax
:00408C8D 0F850F000000            jne 00408CA2 ;Jump if invalid serial
 

* Memory location [0042C828] records the status of the program.
* If this location contains a '0' default value then this means
* the program is shareware, but if it contains a '1' then this
* means the serial no the User entered was correct and that the
* program will now run fully *reg'd*.

:00408C93 C70528C8420001000000    mov dword ptr [0042C828], 00000001
 
 

:00408C9D E90A000000              jmp 00408CAC

* Signal program is still *unregistered* by inserting a '0' into memory
* location [0042C828]

:00408CA2 C70528C8420000000000    mov dword ptr [0042C828], 00000000
:00408CAC 6804010000              push 00000104
:00408CB1 6A00                    push 00000000
:00408CB3 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:00408CB9 50                      push eax
:00408CBA E841A40000              call 00413100
:00408CBF 83C40C                  add esp, 0000000C
 
*Check if program still *unregistered*
 
:00408CC2 833D28C8420000          cmp dword ptr [0042C828], 00000000
:00408CC9 0F8507000000            jne 00408CD6 ;Jump if registered (flag non-zero)
:00408CCF C60520C7420000          mov byte ptr [0042C720], 00
:00408CD6 A128C84200              mov eax, dword ptr [0042C828];Get status
                                                              ;of program.
:00408CDB E900000000              jmp 00408CE0
:00408CE0 5F                      pop edi
:00408CE1 5E                      pop esi
:00408CE2 5B                      pop ebx
:00408CE3 C9                      leave
:00408CE4 C20400                  ret 0004 ;Return with the results in eax
 
Now isn't that interesting; we should now have a pretty good idea of the 'logic' behind this routine, and the programmer(s) seem also to have left us a little gift with an easy patch to their code.
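To make the branches above readable as one function, here is the routine's control flow rendered as a C model. This is an added illustration, not WinZip's source: the serial generator and the 00412D60 stand-in are constructed, and 0041AC70 / 00413100 are assumed to behave like strcmp / memset from the way they are called. The defensive lesson sits in one line: the expected serial is built in plaintext on the stack and string-compared inside the client, so a debugger stop (or a keygen reproducing the generator) defeats the check no matter how quickly the buffer is wiped afterwards.

```c
#include <stdio.h>
#include <string.h>

/* Globals standing in for the memory locations named in the listing. */
static char g_name[0x110];    /* [0042C720] name/handle */
static char g_serial[0x110];  /* [0042C610] entered serial */
static int  g_flag_c824;      /* [0042C824] */
static int  g_flag_c828;      /* [0042C828]: 0 = shareware, 1 = registered */

/* Constructed stand-in for the generator at 004089AE; the real algorithm is not in the essay. */
static void generate_serial(const char *name, char *out, size_t outsz) {
    unsigned long h = 5381;
    for (; *name; name++) h = h * 33 + (unsigned char)*name;
    snprintf(out, outsz, "%lu", h);
}

/* Stand-in for 00412D60: the essay notes it never succeeds for typed-in serials. */
static int special_serial_check(const char *serial) { (void)serial; return 0; }

/* Mirrors the control flow of 00408BE6; returns what the routine leaves in eax. */
int check_registration(void) {
    char expected[0x104];                          /* sub esp,104h: the stack buffer */
    if (g_name[0] == '\0') return 0;               /* 00408C01..00408C12 */
    if (strcmp(g_name, g_serial) == 0) return 0;   /* 00408C21: assumes 0041AC70 is strcmp-like */
    if (special_serial_check(g_serial)) {          /* 00408C3D..00408C61 */
        g_flag_c824 = g_flag_c828 = 1;
        return g_flag_c828;
    }
    generate_serial(g_name, expected, sizeof expected);  /* 00408C72: real serial, in plaintext */
    /* The window the essay uses: 'expected' is readable here, before the compare and the wipe. */
    g_flag_c828 = (strcmp(expected, g_serial) == 0);     /* 00408C83..00408CA2 */
    memset(expected, 0, sizeof expected);               /* 00408CBA: assumes 00413100 is memset-like */
    if (g_flag_c828 == 0) g_name[0] = '\0';              /* 00408CC2..00408CCF: clear name if unregistered */
    return g_flag_c828;                                  /* 00408CD6: eax = status */
}

/* Load the two dialog fields into the globals and run the check. */
int try_register(const char *name, const char *serial) {
    snprintf(g_name, sizeof g_name, "%s", name);
    snprintf(g_serial, sizeof g_serial, "%s", serial);
    return check_registration();
}

int main(void) {
    char real[0x104];
    printf("7777777 -> %d\n", try_register("The Sandman", "7777777"));
    generate_serial("The Sandman", real, sizeof real);   /* what 'd eax' shows, in this model */
    printf("generated -> %d\n", try_register("The Sandman", real));
    return 0;
}
```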
 
Just to recap, once you get into the above routine just keep pressing the 'F10' key until you get to this line:-
 
:00408C77 6810C64200              push 0042C610 ;If you type d eax here
                                                ;then you will see the
                                                ;*REAL* serial No

On this line just type d eax and the serial number you need to *register* this program with will magically be displayed in Softice.

Job Done.
 
The 'Crack' 
 
None required, but there is one *possible* patch you can make to the code which will then accept any serial number entered into the program.. See essay.
 
Final Notes 
 
Almost anyone can 'sniff' out the serial number in this program, so it's hardly surprising that there are so many 'Key Generators' and serial numbers out on the web for this utility.
 
As always, if you find this program useful, then please buy this program, the authors deserve every dollar for this great utility.

My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by:          The Sandman
Page Created: 21st June 1998