

WINZIP & THE PROTECTION ROUTINE.

by : OCHE SATRIANI

http://WWW.WINZIP.COM

Hi ... Welcome to my THIRD tutorial,
Well, this TUT won't make you a GREAT CRACKER, but maybe it can add to your basic knowledge of CRACKING. You don't need to know CALCULUS or related stuff to understand my explanation, just some MARLBORO and SOFTICE. Very easy, isn't it? Of course you need some BRAINS too, BUDDY!

But if you really really wanna be a GREAT GREAT CRACKER then remember what JAMES LABRIE told you: 'I was told there's a miracle for each day that I try' [taken from METROPOLIS part 1].

There are two ways (maybe more) to register this PrOGGIe: the first is by PATCHING it, the second is to FIND the real SERIAL#. What we're gonna do is find the REAL SN#, so light up your MARLBORO, sit down nicely and ENJOY it [OK].

NO MORE BULLSHIT, LET'S START CRACKING !

OK .... go to the REGISTRATION AREA and fill it in like this:

'OCHE SATRIANI' as name and '5150' as registration number:

[ Make sure your SOFT_ICE is LOADED; IF NOT, REBOOT your PC! ]

Then Ctrl-D to break into SOFT_ICE and set a BREAKPOINT: type BPX GETDLGITEMTEXTA.
Ctrl-D again to go back to WINZIP; now you're allowed to click the OK button
....... then, as everybody knows, we will land in SOFT_ICE and see something like this:

BREAK DUE TO BPX USER32!GETDLGITEMTEXTA

Press F5 and you will get another BREAKPOINT (remember there are two fields, the first for the NAME and the second for the CODE; what we are looking for is something
F@CKING with our CODE, that's why we press it again) ........... then F11 to get to the CALLER:

:00408036 FF150C844600 Call dword ptr [0046840C] ---> CALL USER32!GETDLGITEMTEXTA
:0040803C 56 push esi
:0040803D E857160200 call 00429699
:00408042 59 pop ecx
:00408043 56 push esi
:00408044 E879160200 call 004296C2
:00408049 803D28D9470000 cmp byte ptr [0047D928], 00
:00408050 59 pop ecx
:00408051 745F je 004080B2
:00408053 803D58D9470000 cmp byte ptr [0047D958], 00
:0040805A 7456 je 004080B2
:0040805C E8EAFAFFFF call 00407B4B
:00408061 85C0 test eax, eax
:00408063 744D je 004080B2
:00408065 53 push ebx

First it saves our CODE (PUSH ESI), does some checking and then the COMPARISON, so if we entered NOTHING you'll see something like the PICTURE above! The je 004080B2 is a BAD JUMP.
The interesting part is the call 00407B4B, coz that's the last CALL and this is almost the HEART of the protection, so find out what happens inside the CALL with F8.

:00407B4B 55 push ebp
:00407B4C 8BEC mov ebp, esp
:00407B4E 81EC08020000 sub esp, 00000208
:00407B54 53 push ebx ---> Save our NAME
:00407B55 56 push esi ---> Save our CODE
:00407B56 33F6 xor esi, esi
:00407B58 803D28D9470000 cmp byte ptr [0047D928], 00 -------> another checking
:00407B5F 57 push edi
:00407B60 0F84A1000000 je 00407C07


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B60(C)
|
:00407C07 33C0 xor eax, eax ---> zero eax that mean make a bad flag
:00407C09 E9B3000000 jmp 00407CC1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407C09(U)
|
:00407CC1 5F pop edi
:00407CC2 5E pop esi
:00407CC3 5B pop ebx
:00407CC4 C9 leave
:00407CC5 C3 ret ---> RETURN from the CALL (:0040805C call 00407B4B)

I guess that is very easy to understand: if we didn't enter our NAME then EAX is zeroed and
we go back from the CALL; after that there is a TEST EAX, EAX at line 00408061, and of course with EAX = 0
we jump to the BAD GUY.

Let's continue,
Trace along with F10 till you see something like this:

:00407C0E 8D85C0FEFFFF lea eax, dword ptr [ebp+FFFFFEC0]
:00407C14 50 push eax
:00407C15 57 push edi ---> Save our NAME
:00407C16 E8AB000000 call 00407CC6
:00407C1B 59 pop ecx
:00407C1C BE58D94700 mov esi, 0047D958 ---> ESI will contain our CODE
:00407C21 59 pop ecx
:00407C22 8D85C0FEFFFF lea eax, dword ptr [ebp+FFFFFEC0] ---> Check it yourself
:00407C28 56 push esi
:00407C29 50 push eax
:00407C2A E8D1FC0400 call 00457900 ---> ?????????????????????

OK, we have found the GOLD;
The instruction lea eax, dword ptr [ebp+FFFFFEC0] at line 00407C22 stores the address of the real SERIAL NUMBER in EAX; you can see the SN# with
D EAX. But how can you be so sure about that? What about the CALL 00457900:

:00457900 55 some junks here
...
:00457906 8B750C mov esi, dword ptr [ebp+0C] ESI = our CODE
:00457909 8B7D08 mov edi, dword ptr [ebp+08] EDI = REAL SERIAL NUMBER
:0045790C 8D05A0154800 lea eax, dword ptr [004815A0]
:00457912 83780800 cmp dword ptr [eax+08], 00000000
:00457916 753B jne 00457953
:00457918 B0FF mov al, FF
:0045791A 8BC0 mov eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00457928(C), :00457948(C)
|
:0045791C 0AC0 or al, al
:0045791E 742E je 0045794E
:00457920 8A06 mov al, byte ptr [esi] ---> al = our first CODE
:00457922 46 inc esi ---> prepare the next char to compare
:00457923 8A27 mov ah, byte ptr [edi] ---> ah = first char in the REAL SERIAL
:00457925 47 inc edi ---> prepare the next char to compare
:00457926 38C4 cmp ah, al ---> THE COMPARISON ...
:00457928 74F2 je 0045791C ---> If EQUAL then do some checking with the next char.

The OR AL, AL instruction only checks our CODE byte: if there is no more char to be compared (the terminator was reached) it jumps to the desired place, i.e. the COMPARING job is DONE and we get out; otherwise it compares the next char.
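A C model of that byte loop, added here as an illustration and not WinZip's own code: serial_compare follows the or al,al / cmp ah,al sequence above, and serial_check_digest shows the defender-side alternative where the program keeps only a digest of the valid code instead of building the plaintext serial in memory for a debugger to dump. Function names, the sample code '5150' and the use of FNV-1a as a stand-in digest are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the loop at 0045791C..00457928 (added example, not WinZip code).
 * code = what the user typed (ESI), real = the serial the program built (EDI).
 * Returns 1 when every byte matches, including the terminating NUL. */
int serial_compare(const char *code, const char *real)
{
    unsigned char al = 0xFF;                    /* mov al, FF : force a first pass */
    for (;;) {
        if (al == 0)                            /* or al, al ; je 0045794E */
            return 1;                           /* both strings ended together */
        al = (unsigned char)*code++;            /* mov al, [esi] ; inc esi */
        unsigned char ah = (unsigned char)*real++; /* mov ah, [edi] ; inc edi */
        if (ah != al)                           /* cmp ah, al ; je 0045791C */
            return 0;                           /* first mismatch ends the check */
    }
}

/* FNV-1a, 32-bit: a stand-in digest (assumption: a real build would use a
 * cryptographic hash). Only this value has to live in the binary. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Hardened form: compare a digest of the typed code with a stored digest.
 * Assumption: the expected digest is stored, not derived by first computing
 * the serial, so the real SN# is never sitting in memory for "D EAX". */
int serial_check_digest(const char *code, uint32_t expected_digest)
{
    return fnv1a32(code) == expected_digest;
}

int main(void)
{
    uint32_t stored = fnv1a32("5150");          /* constructed sample serial */
    printf("plain  : %d %d\n", serial_compare("5150", "5150"), serial_compare("515", "5150"));
    printf("digest : %d %d\n", serial_check_digest("5150", stored), serial_check_digest("5151", stored));
    return 0;
}
```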

Did you understand this piece of SHIT ....? I hope you did. BYE!

 

VOL. 3

SURABAJA, 21 Dec 1998

OE'97 ITS 4397100xxx
OCHE SATRIANI
OBLEK

oche_satriani@start.com.au
oblek@start.com.au

Thanks to :