=================================================================
TARGET: WinZip v8.0 >> get it from "http://www.download.com"
TOOLS : W32Dasm v8.9, Hiew >> get them from "http://www.crackstore.com"
=================================================================
The usual disclaimer:
I, BLUENYBBLE, CANNOT BE HELD RESPONSIBLE FOR ANY ACTIONS YOU
MAY TAKE WITH THE INFORMATION PROVIDED IN THIS TUTORIAL, NOR
CAN ANYONE WHO PROVIDED YOU WITH THIS INFORMATION, NOR ANY
GROUP I AM INVOLVED IN, BE HELD RESPONSIBLE FOR YOUR ACTIONS.
THIS FILE IS WRITTEN STRICTLY FOR EDUCATIONAL USE. IF YOU LIKE
WINZIP, BUY IT! IF YOU DECIDE TO USE THIS FILE FOR ILLEGAL
PURPOSES, STOP READING NOW! BY CONTINUING YOU AGREE TO THE
TERMS MENTIONED ABOVE!
okay then!! let's start our crack, dudes...
get yourself a big cup of hot chocolate and start downloading
the tools you need.. ready?? then let's go...
first run your unregistered WinZip and type anything into the
registration fields, e.g. name "la flamme" and code "321321".
you'll immediately get an error message, the "bad boy". the
message contains the sentence "Incomplete or incorrect
information"; write it down exactly, you'll search for it in
the next step...
browse to the WinZip main file "Winzip32.exe" and make a copy
of it "just in case you make a mistake". give the copy another
extension, e.g. "Winzip32.exx", and keep it aside for later..
launch the disassembler and load the ORIGINAL executable. now
search for the string that popped up when you tried to
register with bogus data: from the "Refs" menu select "String
Data References", and a small window listing the strings used
in the executable appears. look carefully for the error
message...
got it?? well, mine was listed as string resource "ID=00654"..
NOTE: the listed reference does not always contain the whole
message shown in the bad boy; a distinctive part of it is
enough.
double-click it and you'll be taken to the spot in the
disassembly where that string is (probably) used, i.e. the
code that shows the bad boy. you should see these lines:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040800C(C), :00408015(C), :0040801E(C)   //the three conditional references you need
| ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
:00408067 E89C020000 call 00408308
* Possible Reference to String Resource ID=00654: "Incomplete or incorrect information"
|
:0040806C 688E020000 push 0000028E
:00408071 E860690300 call 0043E9D6
:00408076 50 push eax
:00408077 53 push ebx
:00408078 6A3D push 0000003D
:0040807A E886770200 call 0042F805
:0040807F 83C410 add esp, 00000010
:00408082 FF05686C4800 inc dword ptr [00486C68]
:00408088 833D686C480003 cmp dword ptr [00486C68], 00000003
:0040808F 0F85F9000000 jne 0040818E
:00408095 6A00 push 00000000
now all you need are the addresses of the conditional jumps
that lead here...
NOTE: the "Referenced by" line is always a few lines above or
below the possible string reference, never far from it.
pick ONLY the addresses followed by (C). this version of
WinZip has three of them; they must have thought that made it
overprotected:).. write the three addresses down without the
(C).. got 'em?? great. press Shift+F12 to open the "Goto Code
Location" window and type the addresses in one by one. each
one takes you to a different place in the file; if the line
you land on is highlighted in green you're at the right
position. here's how it looks:
* Reference To: USER32.GetDlgItemTextA, Ord:0104h //an import from USER32.DLL, i.e. a Win32 API call; this is where the text you typed into the dialog fields is read.
|
:00407FF1 FF1528644700 Call dword ptr [00476428]
:00407FF7 56 push esi
:00407FF8 E8866C0300 call 0043EC83
:00407FFD 56 push esi
:00407FFE E8A96C0300 call 0043ECAC
:00408003 803DD0BD480000 cmp byte ptr [0048BDD0], 00
:0040800A 59 pop ecx
:0040800B 59 pop ecx
:0040800C 7459 je 00408067 //the conditional jump: 74 is the opcode byte, 59 the displacement.
:0040800E 803DFCBD480000 cmp byte ptr [0048BDFC], 00
:00408015 7450 je 00408067
:00408017 E81BFAFFFF call 00407A37
:0040801C 85C0 test eax, eax
:0040801E 7447 je 00408067
:00408020 57 push edi
now glance at the disassembler status bar while the line is
highlighted green; it should look similar to this:
Line: 16790 Pg 336 of 5451 Code Data @:0040800C @Offset 0000800Ch in File: Winzip32.exe
                                                        ^^^^^^^^
"@:" is the virtual address the code runs at once the file is
loaded (image base 0x400000 plus the RVA); "@Offset" is where
the same bytes sit in the file on disk, which is what Hiew
needs. in this binary the two differ only by the image base,
because the code section's virtual address happens to equal
its raw file pointer. that is NOT true of every executable, so
always take the "@Offset" value instead of just chopping the
"0040" off the address.
write down the hexadecimal offset without the trailing "h"..
repeat the same steps for the other two conditional references
to get the remaining offsets.. now you're done with the
disassembler.. don't be ungrateful: say thanks to the cool
disassembler before closing it;)...
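The "@Offset" value above comes from the PE section table: the virtual address is turned into an RVA by subtracting the image base, the section containing that RVA is found, and the RVA is rebased onto the section's raw file pointer. This is an added example, not code from the tutorial, showing that conversion in Python on a constructed, minimal PE32 header (my own stand-in, not Winzip32.exe) and showing that the equality of RVA and file offset seen above is a property of this binary's layout, not a rule.

```python
"""Added example: VA -> file offset via the PE section table.

The PE header built here is a constructed minimal stand-in, NOT
Winzip32.exe.  Section layouts are assumptions chosen to make the
point: one where .text's VirtualAddress equals its PointerToRawData
(the WinZip case) and one where it does not.
"""
import struct

PE32_MAGIC = 0x10B
OPT_HDR_SIZE = 0xE0  # size of a PE32 optional header


def build_min_pe(image_base, sections):
    """Assemble just enough of a PE32 image for the section walk:
    DOS stub with e_lfanew, 'PE\\0\\0', COFF header, optional header
    with ImageBase, then one 40-byte header per section.
    sections = [(name, VirtualSize, VirtualAddress, SizeOfRawData,
                 PointerToRawData), ...]"""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       OPT_HDR_SIZE, 0x102)             # i386, exe
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase
    secs = b"".join(
        struct.pack("<8sIIII", name.ljust(8, b"\0"), vsize, va,
                    rawsize, rawptr) + bytes(16)        # relocs etc.
        for name, vsize, va, rawsize, rawptr in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


def va_to_file_offset(pe, va):
    """Map a virtual address to the file offset of the same bytes,
    the way W32Dasm's '@Offset' and Hiew's goto do it."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    rva = va - image_base
    sec_off = opt + opt_size
    for i in range(nsec):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, sec_off + 40 * i)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:08X} is not inside any section")


# WinZip-like layout: .text at RVA 0x1000 and raw offset 0x1000,
# so VA 0x40800C lands on file offset 0x800C, as in the status bar.
PE_LIKE_WINZIP = build_min_pe(0x400000,
                              [(b".text", 0x8000, 0x1000, 0x8000, 0x1000)])
# A more usual layout: raw data packed at 0x400 while the section is
# mapped at 0x1000; here the same VA maps to 0x740C instead.
PE_PACKED = build_min_pe(0x400000,
                         [(b".text", 0x8000, 0x1000, 0x8000, 0x400)])

if __name__ == "__main__":
    for label, pe in (("winzip-like", PE_LIKE_WINZIP), ("packed", PE_PACKED)):
        print(f"{label}: VA 0040800C -> @Offset {va_to_file_offset(pe, 0x40800C):08X}h")
```

Run it and the first layout prints 0000800Ch, the second 0000740Ch; typing the address minus "0040" into Hiew would be wrong for the second file.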
now launch Hiew and open the target we've been having fun
with.. once it's loaded you'll see a dreadful mess of raw hex!!
don't worry: press F4 and select "Decode", and you get neat
columns of hex bytes with the decoded instructions beside them.
press F5 (goto) and type the first offset you got from our
faithful disassembler "you can drop the leading zeros".. Enter,
and the cursor lands on a pair of bytes, 74 59. the "74" is
what we're after: it's the opcode of a short je "why 74 is
explained in the glossary at the end".. F3 to edit, type 75
over the 74 "and watch the decoded je across change to jne"..
F9 to write the change to the file. repeat the goto-and-edit
mission for the remaining offsets. if you meet a 75 instead,
change it to 74 (a jne becomes a je). if the byte at the offset
is 0F followed by 84 or 85, that's the six-byte near form of
the same jumps and the byte to flip is the 84/85 (84 to 85, 85
to 84); the 0F stays. once all your offsets are done press F9
to save and F10 to quit Hiew...
"also don't forget to thank your Hiew:)".. now you're dying to
try your patched WinZip.. open it, type anything into the
registration fields, and... "Incomplete or incorrect
information":) "DAMN! THE BAD BOY AGAIN!! BUT I DID NOTHING
WRONG!!".. that's the point I wanted to make: failure is part
of the job every time you crack something. always remember the
rule "try and err!"...
(why it fails here: inverting a je turns every check that used
to pass into one that now jumps to the bad boy. with three
checks in a row, the good path must get past all three, and
the bad boy coming back means at least one of the inverted
jumps is now being taken on our bogus input.)
no prob, pal! you already have the offsets.. go back to Hiew
and NOP the jumps instead: write 90 in place of the 74 or 75
(or over the 0F 84 / 0F 85 pair). with the jump gone,
execution falls through every time and none of the three
checks can send you to the bad boy any more.. entering
anything in the registration fields will now be accepted..
one caveat: a short je/jne is TWO bytes, opcode plus
displacement, and the near form is six. if you overwrite only
the opcode, the displacement byte is left behind to execute as
an instruction of its own (here 59 = pop ecx, 50 = push eax
and 47 = inc edi), which clobbers the stack and registers. the
safe patch is to overwrite the whole instruction with 90s
(90 90 for the short form, six 90s for the near form). the
comparison below reflects the one-byte patch; with the
two-byte patch you'd see six differences instead of three.
to see exactly what changed between your patched version and
the safety copy, assuming you put the copy "the exx one" on
the desktop, type the following command at a DOS prompt (one
line):
FC /B C:\PROGRA~1\WINZIP\WINZIP32.EXE C:\WINDOWS\DESKTOP\WINZIP32.EXX > C:\WINDOWS\DESKTOP\COMP.TXT
a file called "comp.txt" is created on your desktop listing
the differing bytes, offset first, then the byte in the first
file and the byte in the second. it should look like this:
Comparing files C:\PROGRA~1\WINZIP\Winzip32.exe and C:\WINDOWS\DESKTOP\WINZIP32.EXX
0000800C: 74 90
00008015: 74 90
0000801E: 74 90
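The Hiew edits (je/jne inversion, then NOPing) and the FC /B check above, as an added example in Python, not code from the tutorial. It works on a constructed byte buffer that only reproduces the three short je instructions from the listing (74 59 at 800C, 74 50 at 8015, 74 47 at 801E); everything else is filler, and the file offsets are assumed to be the ones read from the W32Dasm status bar. It also handles the six-byte 0F 84 / 0F 85 near form and NOPs the whole instruction rather than just the opcode.

```python
"""Added example: the Hiew patch steps and FC /B, done in Python.

The buffer below is a constructed stand-in for the region of
Winzip32.exe around file offset 0x8000, NOT the real file.  Only the
three short `je` instructions from the W32Dasm listing are real
opcodes; the rest is filler.
"""

OFFSETS = (0x800C, 0x8015, 0x801E)          # from the status bar

SHORT_JCC = {0x74: "je", 0x75: "jne"}        # 2 bytes: opcode, rel8
NEAR_JCC = {0x84: "je", 0x85: "jne"}         # 6 bytes: 0F opcode, rel32


def build_sample() -> bytearray:
    """Constructed sample: 0xCC (int3) filler plus the three jumps."""
    buf = bytearray(b"\xCC" * 0x8100)
    buf[0x800C:0x800E] = b"\x74\x59"         # je 00408067
    buf[0x8015:0x8017] = b"\x74\x50"         # je 00408067
    buf[0x801E:0x8020] = b"\x74\x47"         # je 00408067
    return buf


def decode_jcc(buf, off):
    """Return (mnemonic, length, index_of_opcode_byte) for the je/jne
    at `off`, or raise if the bytes there are not one.  This is the
    check Hiew's Decode view gives you for free: confirm the bytes
    you are about to patch are really the jump you expect."""
    b = buf[off]
    if b in SHORT_JCC:
        return SHORT_JCC[b], 2, off
    if b == 0x0F and buf[off + 1] in NEAR_JCC:
        return NEAR_JCC[buf[off + 1]], 6, off + 1
    raise ValueError(f"no je/jne at offset {off:08X}: {b:02X}")


def invert_jcc(buf, off):
    """First attempt from the tutorial: je <-> jne.  74/75 and 84/85
    differ only in the low bit, so flip that bit of the opcode byte.
    Returns the new mnemonic."""
    _, _, op = decode_jcc(buf, off)
    buf[op] ^= 0x01
    return decode_jcc(buf, off)[0]


def nop_jcc(buf, off):
    """Second attempt: replace the WHOLE instruction with NOPs.  A
    short jcc is 2 bytes and a near one 6; NOPing only the opcode
    would leave the displacement byte (59/50/47 here) to run as
    pop ecx / push eax / inc edi.  Returns the number of bytes."""
    _, length, _ = decode_jcc(buf, off)
    buf[off:off + length] = b"\x90" * length
    return length


def fc_b(a, b):
    """FC /B equivalent: (offset, byte_in_a, byte_in_b) per difference."""
    if len(a) != len(b):
        raise ValueError("FC /B: files differ in length")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def format_fc(diffs):
    """Render like comp.txt: '0000800C: 74 90' per line."""
    return "\n".join(f"{o:08X}: {x:02X} {y:02X}" for o, x, y in diffs)


if __name__ == "__main__":
    original = build_sample()
    patched = bytearray(original)
    for off in OFFSETS:
        nop_jcc(patched, off)
    print(format_fc(fc_b(original, patched)))
```

With the full-instruction NOP, the comparison lists two bytes per jump (800C, 800D, 8015, 8016, 801E, 801F); the three-line listing above is what you get when only the opcode byte is overwritten. To run it against a real file, read it into a bytearray, verify each offset with decode_jcc first, and write the result to a copy, never the original.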
well, good luck 'till the next lesson!
## APPENDIX ##
NOTE: the information in this section comes from my own
experience, so it need not be 100% correct!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% MOST IMPORTANT ASM CODES GLOSSARY %%%
% MNEMONIC  HEX      ACTION
% je        74 xx    short jump (8-bit displacement) if equal / zero flag set
% je        0F 84    near jump (32-bit displacement) if equal; 84 is the 2nd opcode byte
% jne       75 xx    short jump if not equal / zero flag clear
% jne       0F 85    near jump if not equal
% call      E8       call a function (32-bit relative address follows)
% nop       90       no operation; one byte, so a 2-byte jump needs two of them
% add       00-05    add; 00 is "add r/m8, r8" and the next byte selects the operands
% inc       40-47    increment a 32-bit register (eax..edi)
% dec       48-4F    decrement a 32-bit register (eax..edi)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
BADBOY: the stock Windows message box the program pops up when
registration fails.
to tell a bad boy from a NAG "a dialog the program draws
itself rather than a built-in Windows box", copy this
JavaScript/HTML into a text file, change its extension to
"htm" and open it in a browser: alert() and confirm() produce
the same kind of stock box. here's the code...
//////////////////////////////////////////////////////////////////////////
<html><head><script>
function ale(){
  window.alert('alert message');     // 1st bad boy: message with an OK button
  return 0;
}
function con(){
  window.confirm('confirm message'); // 2nd bad boy: OK/Cancel question box
  return 0;
}
</script></head>
<body bgcolor="#000000">
<basefont face="Arial" color="#a6caff">
<center>those two are a sample of the most common bad boys you'll be facing.<br>
<form><input type="button" value="1st bad boy!" onclick="ale()">
<input type="button" value="2nd bad boy!" onclick="con()"></form>
another common bad boy will contain the error sign (<font face="CommonBullets" size="5">(</font>) within the message.<br>
the last type you may face would contain a question mark in a call out (?).<br><br><br><br>
<font face="Arial" size="7" color="#0000ff"><b><strong><big>!</big></strong></b><br>BlueNybble</font>
</center></body></html>
//////////////////////////////////////////////////////////////////////////
always keep in mind that there's no bug-free program except
the traditional "Hello World!" program:)
BlueNybble
Credits
Author: BlueNybble.