Cracking 4 Newbies
Lesson 2: Serial fishing on Winzip 7.0
In this second lesson I'll show you how to do a basic serial fish. To keep it easy we'll use Winzip 7.0: its protection is simple (lame, even), which is exactly what makes it good to learn from. :) It was the first program I cracked on my own, and it cost me less than 5 minutes.
Serial fishing is done in a debugger, in this case SoftICE. Launch an unregistered copy of Winzip and click "Enter registration code". Fill in your name and a serial of your choice (I always use 121212). When you press the "OK" button, Winzip reads your name and your serial, computes the real serial from the name, and compares your serial against the real one.
So what we are looking for is the place where the real serial is computed. Follow me :)
Pop up SoftICE (CTRL-D), type "bpx getdlgitemtexta" and press Enter. This sets a breakpoint on GetDlgItemTextA, the Win32 API a dialog uses to read the text out of an edit field, which is how Winzip gets your name and serial out of the registration box. Close SoftICE (CTRL-D) and click the OK button... SoftICE pops! :) You are now inside GetDlgItemTextA. Press F12 (P RET) to run to the end of the function and return to its caller: now you are in Winzip's own code. Type "bc *" and Enter to clear all breakpoints, then step through the code with F10 until you see something like this:

:00408049 803D28D9470000          cmp byte ptr [0047D928], 00   [-> first byte of a string buffer; empty?]
:00408050 59                      pop ecx
:00408051 745F                    je 004080B2                   [-> empty: skip the check]
:00408053 803D58D9470000          cmp byte ptr [0047D958], 00   [-> second string buffer; empty?]
:0040805A 7456                    je 004080B2
:0040805C E8EAFAFFFF              call 00407B4B                 [-> this call computes the real serial]
:00408061 85C0                    test eax, eax                 [-> result of the check]
:00408063 744D                    je 004080B2                   [-> taken when eax == 0; same target as the two empty-buffer checks]

Note that in many programs the routine that computes the real serial is immediately followed by a TEST or CMP and a conditional jump. That pattern (call, test/cmp, jcc) is what you scan for when tracing. Here the third je goes to the same address, 004080B2, as the two jumps that are taken when a field is empty, so 004080B2 is most likely the "not registered" path.
Okay, when you're on the "call 00407B4B", press F8 to trace into the call. Trace a bit through the code until you see this:

:00407C0E 8D85C0FEFFFF            lea eax, dword ptr [ebp+FFFFFEC0]   [-> eax = address of a local buffer at ebp-140]
:00407C14 50                      push eax                            [-> pass the buffer...]
:00407C15 57                      push edi                            [-> ...and edi]
:00407C16 E8AB000000              call 00407CC6                       [<- writes the real serial into that buffer]
:00407C1B 59                      pop ecx
:00407C1C BE58D94700              mov esi, 0047D958                   [-> the second buffer tested in the first listing]
:00407C21 59                      pop ecx
:00407C22 8D85C0FEFFFF            lea eax, dword ptr [ebp+FFFFFEC0]   [-> eax = address of the buffer again]

Trace to the second "lea eax, dword ptr [ebp+FFFFFEC0]" (at 00407C22), execute it with F10 and type "d eax" (dump memory at the address held in eax). The valid registration number for your name is sitting in the data window! Congratulations, you cracked your first program. :) (esi is loaded with 0047D958, one of the two buffers checked for emptiness in the first listing, so the comparison of that buffer against the freshly computed serial presumably follows right after.)
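As an added example (not part of the Blackbird's tutorial), the following Python re-derives, from the raw bytes in the two listings above, the addresses SoftICE printed and the destination of every je and call. Relative branches are the one thing you constantly recompute while reading such a listing: a je rel8 or call rel32 is relative to the address of the next instruction, and FFFFFEC0 in the lea is simply -140 hex. The decoder handles only the opcodes that occur in the two listings; the byte strings are constructed by copying the hex column.

```python
"""Tiny x86-32 decoder for the handful of opcodes in the two SoftICE listings.

Added example, not the tutorial's own code: it re-derives the addresses and
branch/call targets SoftICE printed from the raw bytes shown in the listings.
"""
import struct

# Constructed input: the hex column of the two listings above, copied verbatim.
LISTING_1 = (0x00408049, bytes.fromhex(
    "803D28D9470000" "59" "745F" "803D58D9470000" "7456" "E8EAFAFFFF" "85C0" "744D"))
LISTING_2 = (0x00407C0E, bytes.fromhex(
    "8D85C0FEFFFF" "50" "57" "E8AB000000" "59" "BE58D94700" "59" "8D85C0FEFFFF"))


def s8(b: int) -> int:
    """Sign-extend one byte (a rel8 displacement)."""
    return b - 0x100 if b & 0x80 else b


def decode_one(addr: int, code: bytes, pos: int):
    """Decode the instruction at code[pos]; return (length, mnemonic, target_or_None)."""
    op = code[pos]
    if op == 0x80 and code[pos + 1] == 0x3D:           # cmp byte ptr [disp32], imm8
        disp = struct.unpack_from("<I", code, pos + 2)[0]
        imm = code[pos + 6]
        return 7, f"cmp byte ptr [{disp:08X}], {imm:02X}", None
    if op == 0x59:                                       # pop ecx
        return 1, "pop ecx", None
    if op == 0x74:                                       # je rel8 (relative to next instruction)
        target = (addr + 2 + s8(code[pos + 1])) & 0xFFFFFFFF
        return 2, f"je {target:08X}", target
    if op == 0xE8:                                       # call rel32 (relative to next instruction)
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF
        return 5, f"call {target:08X}", target
    if op == 0x85 and code[pos + 1] == 0xC0:             # test eax, eax
        return 2, "test eax, eax", None
    if op == 0x8D and code[pos + 1] == 0x85:             # lea eax, [ebp+disp32]
        disp = struct.unpack_from("<i", code, pos + 2)[0]
        return 6, f"lea eax, [ebp{disp:+#x}]", disp
    if op == 0x50:                                       # push eax
        return 1, "push eax", None
    if op == 0x57:                                       # push edi
        return 1, "push edi", None
    if op == 0xBE:                                       # mov esi, imm32
        imm = struct.unpack_from("<I", code, pos + 1)[0]
        return 5, f"mov esi, {imm:08X}", imm
    raise ValueError(f"unhandled opcode {op:02X} at {addr:08X}")


def disassemble(base: int, code: bytes):
    """Return [(address, hex bytes, mnemonic, target)] for the whole byte string."""
    out, addr, pos = [], base, 0
    while pos < len(code):
        length, text, target = decode_one(addr, code, pos)
        out.append((addr, code[pos:pos + length].hex().upper(), text, target))
        addr += length
        pos += length
    return out


def targets(base: int, code: bytes) -> dict:
    """Map the address of each je/call to the destination it transfers control to."""
    return {a: t for a, _, text, t in disassemble(base, code)
            if text.startswith(("je", "call"))}


if __name__ == "__main__":
    for base, code in (LISTING_1, LISTING_2):
        for addr, raw, text, _ in disassemble(base, code):
            print(f":{addr:08X} {raw:<24}{text}")
        print()
```

Running it reproduces the two listings line for line; in particular all three je instructions of the first listing resolve to 004080B2 and the E8 at 0040805C resolves to 00407B4B, confirming that the offsets SoftICE shows are already absolute.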

Cracking 4 Newbies by the Blackbird © 1999