There is a crack, a crack in everything. That's how the light gets in.
Support for Microsoft's
CAB (cabinet) format, including most self-extracting CAB files. Sizable,
sortable, and selectable columns in the main window. The optional
attribute and CRC columns are new. Columns can be resized with the
mouse, and turned off from the Configuration | View dialog box. A print
facility to print the information listed in the main WinZip window. Zip
comment support.
On initial startup of WinZip you are given the chance to register via the 'Enter Registration Code' button.
You will be asked for:
Name
Registration #
On successful registration the program stores the following user info under this registry key:
HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni
Name
"The Sandman"
SN
"B5241530"
Win32_version "6.3-7.0"
Let's begin.
Start WinZip; it displays a nag screen reminding you to register. Click the 'Enter Registration Code' button.
Type in your user name/handle, then enter any sequence of digits as the registration number.
For this example I chose:
The Sandman
7777777
A `bpx messageboxa` breakpoint did not catch the 'beggar off, cracker' message WinZip displays for a bad code, so I fell back on my next favourite SoftICE breakpoint:
Press Ctrl-D to pop up SoftICE, type `bpx getdlgitemtexta`, then type `x` to leave SoftICE.
Now make WinZip check the details: press 'OK' on the registration dialog.
SoftICE breaks at the entry of the USER32 function GetDlgItemTextA. Press F11 once: that runs until the function returns, which lands you back in WinZip's own code on the instruction immediately after the call.
You should now see the following snippet:-
* Reference To: USER32.GetDlgItemTextA,
Ord:00F5h
:004079F3 FF1518444600
Call dword ptr [00464418] ; GetDlgItemTextA — its arguments were pushed before this snippet starts
:004079F9 57
push edi ; We land here after F11 (the return address of the call above); edi presumably holds the buffer that call just filled
:004079FA E8BDFD0100
call 004277BC ; cdecl helper applied to the string in edi (not identified here)
:004079FF 59
pop ecx ; caller cleans up the one argument
:00407A00 57
push edi
:00407A01 E8DFFD0100
call 004277E5 ; second cdecl helper on the same string (not identified here)
:00407A06 59
pop ecx
:00407A07 BED8964700
mov esi, 004796D8 ; esi = global buffer that receives the registration number (the value compared against the generated serial at 00407628 in the next listing)
:00407A0C 6A0B
push 0000000B ; nMaxCount = 11 characters including the terminator
:00407A0E 56
push esi ; lpString
:00407A0F 68810C0000
push 00000C81 ; nIDDlgItem = 0C81h (the registration-number edit control)
:00407A14 53
push ebx ; hDlg
:00407A15 FF1518444600
Call dword ptr [00464418] ; GetDlgItemTextA(hDlg, 0C81h, esi, 11) — stdcall, so no cleanup follows
:00407A1B 56
push esi
:00407A1C E89BFD0100
call 004277BC ; the same two helpers, now on the registration number
:00407A21 59
pop ecx
:00407A22 56
push esi
:00407A23 E8BDFD0100
call 004277E5
:00407A28 803DA896470000
cmp byte ptr [004796A8], 00 ; name empty? — 004796A8 is the buffer passed as the user name to 00407549 below (the essay labelled this line 'serial' and the next one 'name', the reverse of its own labels further on)
:00407A2F 59
pop ecx
:00407A30 744F
je 00407A81 ; yes → error path
:00407A32 803DD896470000
cmp byte ptr [004796D8], 00 ; registration number empty?
:00407A39 7446
je 00407A81 ; yes → error path
:00407A3B E809FBFFFF
call 00407549 ; validate: derive the expected serial(s) from the name and compare with the typed one; returns eax = 0 on failure
:00407A40 85C0
test eax, eax
:00407A42 743D
je 00407A81 ; eax == 0 → reject and show the error
Press F10 (step over) until you reach 00407A3B call 00407549.
This is the call we must follow to discover where the real serial is stored in memory once the program has generated it for us.
With the cursor on that call instruction press T (trace into) to step into 00407549; this takes you directly into the routine we want to examine. This is the code you will see on arrival:
* Referenced by a CALL at addresses: :0040108C, :00401228, :00407A3B, :0042AEDB
:00407549 55
push ebp ; standard frame: save the caller's ebp
:0040754A 8BEC
mov ebp, esp
:0040754C 81EC08020000
sub esp, 00000208 ; esp -= 208h (the essay wrote 'ebp'): locals at ebp-14h, ebp-140h and ebp-208h are used below
:00407552 53
push ebx ; preserve callee-saved registers
:00407553 56
push esi
:00407554 33F6
xor esi, esi ; esi = reject flag; stays 0 unless one of the checks below sets it to 1
:00407556 803DA896470000
cmp byte ptr [004796A8], 00 ; name buffer empty?
:0040755D 57
push edi
:0040755E 0F84A1000000
je 00407605 ; yes → return 0 (not registered)
:00407564 8D45EC
lea eax, dword ptr [ebp-14] ; 14h-byte local string buffer
:00407567 50
push eax ; destination
:00407568 6880B44600
push 0046B480 ; source: a constant in the data section (contents not visible here)
:0040756D E850A2FFFF
call 004017C2 ; decodes/copies that constant into [ebp-14h]; the author saw "MuradMeraly" appear there
:00407572 59
pop ecx ; cdecl cleanup of the two arguments
:00407573 8D85F8FDFFFF
lea eax, dword ptr [ebp+FFFFFDF8] ; = ebp-208h, a 200h-byte local buffer
:00407579 59
pop ecx
:0040757A BFA8964700
mov edi, 004796A8 ; edi = user-name buffer (the essay calls this the "2nd copy" of the name)
:0040757F 50
push eax ; dest = [ebp-208h]
:00407580 57
push edi ; src = name
:00407581 E8AB020000
call 00407831 ; derives something from the name into [ebp-208h] (routine not shown)
:00407586 59
pop ecx
:00407587 8D85F8FDFFFF
lea eax, dword ptr [ebp+FFFFFDF8]
:0040758D 59
pop ecx
:0040758E 50
push eax ; derived name
:0040758F 8D45EC
lea eax, dword ptr [ebp-14] ; = "MuradMeraly"
:00407592 50
push eax
:00407593 E818C80400
call 00453DB0 ; string compare (the same routine the real serial check uses at 00407628); eax = 0 means equal
:00407598 59
pop ecx
:00407599 59
pop ecx
:0040759A 6A01
push 00000001
:0040759C 85C0
test eax, eax ; did the derived name equal the decoded constant?
:0040759E 5B
pop ebx ; ebx = 1 (pop leaves the flags alone)
:0040759F 7502
jne 004075A3 ; different → skip. Equal → esi = 1 and the request is rejected at 004075F5 below, so this looks like a blacklist of a known name, not the serial check (the essay's "jump if our serial wrong" is misleading)
:004075A1 8BF3
mov esi, ebx ; flag: reject
:004075A3 8D45EC
lea eax, dword ptr [ebp-14] ; reuse the same local buffer for a second constant
:004075A6 50
push eax
:004075A7 6890B44600
push 0046B490 ; second constant, 10h bytes after the first
:004075AC E811A2FFFF
call 004017C2 ; decode it into [ebp-14h]
:004075B1 59
pop ecx
:004075B2 8D45EC
lea eax, dword ptr [ebp-14]
:004075B5 59
pop ecx
:004075B6 50
push eax ; decoded constant
:004075B7 57
push edi ; the raw user name this time
:004075B8 E8F3C70400
call 00453DB0 ; string compare
:004075BD 59
pop ecx
:004075BE 85C0
test eax, eax
:004075C0 59
pop ecx
:004075C1 750C
jne 004075CF ; different → skip the next block
* Reference To: KERNEL32.GetTickCount,
Ord:0145h
:004075C3 FF15CC414600
Call dword ptr [004641CC] ; name matched the second constant: eax = GetTickCount()
:004075C9 84C3
test bl, al ; bl = 1, so this tests the low bit of the tick count
:004075CB 7402
je 004075CF ; even → let it through
:004075CD 8BF3
mov esi, ebx ; odd → flag reject; roughly half the time, presumably so the blocked name looks flaky rather than blacklisted
:004075CF 6A14
push 00000014 ; the (buf, 0, 14h) argument pattern with caller cleanup looks like memset; the essay's "Save Winzip settings" label is not supported by anything visible here
:004075D1 8D45EC
lea eax, dword ptr [ebp-14]
:004075D4 6A00
push 00000000
:004075D6 50
push eax
:004075D7 E8D4AF0400
call 004525B0 ; wipe the decoded constant from the stack
:004075DC 83C40C
add esp, 0000000C ; three args
:004075DF 8D85F8FDFFFF
lea eax, dword ptr [ebp+FFFFFDF8]
:004075E5 68C8000000
push 000000C8
:004075EA 6A00
push 00000000
:004075EC 50
push eax
:004075ED E8BEAF0400
call 004525B0 ; same call on 0C8h bytes of the derived-name buffer
:004075F2 83C40C
add esp, 0000000C
:004075F5 85F6
test esi, esi ; was the request flagged above?
:004075F7 7413
je 0040760C ; not flagged → go to the real serial check
:004075F9 E82D060000
call 00407C2B ; flagged path (routine not shown)
:004075FE 83253470470000
and dword ptr [00477034], 00000000 ; registration status := 0 (shareware)
:00407605 33C0
xor eax, eax ; return 0 — also the target of the empty-name jump at 0040755E
:00407607 E9B3000000
jmp 004076BF ; to the function epilogue (outside this snippet)
:0040760C 8D85C0FEFFFF
lea eax, dword ptr [ebp+FFFFFEC0] ; = ebp-140h: output buffer for the expected serial
:00407612 50
push eax ; dest
:00407613 57
push edi ; name
:00407614 E8AB000000
call 004076C4 ; generate the 1st valid serial # from the name into [ebp-140h]
:00407619 59
pop ecx
:0040761A BED8964700
mov esi, 004796D8 ; esi = the registration number the user typed
:0040761F 59
pop ecx
:00407620 8D85C0FEFFFF
lea eax, dword ptr [ebp+FFFFFEC0] ; the serial just generated
:00407626 56
push esi ; typed serial
:00407627 50
push eax ; expected serial
:00407628 E883C70400
call 00453DB0 ; compare the two strings; eax = 0 means equal
:0040762D F7D8
neg eax ; CF = (eax != 0)
:0040762F 1BC0
sbb eax, eax ; eax = -1 if they differed, 0 if equal
:00407631 59
pop ecx
:00407632 40
inc eax ; eax = 1 if equal, 0 if different; ZF reflects this and the pop/mov below leave the flags alone
:00407633 59
pop ecx
:00407634 A334704700
mov dword ptr [00477034], eax ; registration status global: 0 = shareware, 1 = registered
:00407639 7569
jne 004076A4 ; match → registered, done (target outside this snippet)
:0040763B 8D85C0FEFFFF
lea eax, dword ptr [ebp+FFFFFEC0] ; no match: try the second scheme into the same buffer
:00407641 50
push eax ; dest
:00407642 57
push edi ; name
:00407643 E820010000
call 00407768 ; generate the 2nd valid serial # from the name
:00407648 59
pop ecx
:00407649 8D85C0FEFFFF
lea eax, dword ptr [ebp+FFFFFEC0] ; ...and compare it the same way (the rest of the listing is snipped)
------------- Snip
Snip -------
As you can see, the program derives the expected serial from the name itself (call 004076C4, and if that does not match, call 00407768) and then simply string-compares the result against what was typed, so every name has two valid serial numbers and either one will register the program. Because the generator runs inside the client, anyone who can follow those two calls can lift them into a key generator — the weakness modern licensing schemes avoid by having the client verify an asymmetric signature it cannot forge.
Job done.
If you open the Registry with RegEdit and go to this key:
HKEY_CURRENT_USER\Software\Nico Mak Computing
you will notice several sub-keys; the one we're interested in is:
HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\rrs
There are three values in here; the two that matter are:-
Date <-- install date
Days <-- number of days before the evaluation period expires
Change the value of Date to: 08/16/98
Change the value of Days to: 99999
The trial state is nothing more than these two unprotected registry values, so WinZip now has a virtually unlimited evaluation period before it shows the nag message again — by which time you will have an even newer version to play with.
My thanks and gratitude go to:-
Fravia+ for providing possibly the greatest source of reverse-engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers.
If you are looking for cracks or serial numbers on these pages you are wasting your time; search elsewhere on the Web under 'warez', 'cracks', etc.