November 1998

"Zip98 v2.2"

(Serial Number fishing)

Win '95/'98 PROGRAM

Win Code Reversing

 

 

by Punisher 

 

 

Cracking 4 Newbies 

 

 

Program Details

Program Name: Zip98.exe

Program Type: Zip File Utility

Program Location: http://www.Rocketdownload.com/

Program Size: 508kb 

 

Tools Used:

Soft-Ice -- Debugger

 

Rating

Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.

 


Zip98 v2.2

( Fishing a Serial Number)

Written by Punisher

  

Introduction

 
The author(s) of this program can be found at:  http://www.Zip98.base.org/
 
The author says:

" ZIP98 is 100% compatible with the latest Zip file format. Regular and multi-disk 
Zip files created by ZIP98 can be used by WinZip, PKZip 2.04g, and vice-versa. "

 

About this protection system

 

Registration is via the startup nag screen. You will have to enter info for three fields. They are :-

Name :

Company :

Password :

This protection scheme uses a hardcoded serial number which is compared with our entered password. The real regcode is alphanumeric (numbers + letters)

Install Zip 98 and run it. At startup you will be presented with a nag screen asking you to register the program. The screen also has three edit boxes for Name, Company and Password.

Enter Your name, Your company and a fake password.

Go into softice using ctrl-d. Set a breakpoint on GetwindowTextA. eg:-

>> BPX GetWindowTextA

Leave Softice by pressing ctrl-d and press the OK button on the nag screen. Softice will break at getwindowtexta. Type x and press enter to run the program. Softice breaks again in getwindowtexta. Press F11 to get back to the caller. You will be in Zip98 Code.

Do a search for your fake password. eg:-

>> s 0 lffffffff '12121212'

Set a breakpoint on that memory range. eg:-

>> bpr xxxx:XXXXXXXX xxxx:XXXXXXXXX + 8 RW

Now hit x and softice will break in kernel. You will see this code:

REPZ MOVSD         ; copies our fake password to es:edi
POP ECX
AND ECX, 03
REPZ MOVSB

This code copies our fake serial to the addres that es:edi points to. Now Let's Set a breakpoint range on es:edi so that if the program uses this copy of our fake password softice will break.

>> BPR es:edi es:edi + 8 rw

Do a "d es:edi" after stepping past REPZ MOVSD using F10 and you will see your fake password.

Now type x and press enter to run. Softice will break again in Zip98 code. You will see this piece of code.

REPZ SCASB        ; you land here in Zip98
NOT ECX
SUB EDI, ECX
 

Now single step using F10 until you get to this piece of code.

LEA EAX, [ESP+18]   ; fake code is loaded in eax
MOV EDX, [0048C7F8] ; real code is loaded in edx
MOV CL, [EAX]
CMP CL, [EDX]
JNZ 00487C81

After stepping past MOV EDX, [0048C7F8] dump the meory address there and you will see the correct password. Write it down and press x. The You have entered an invalid password dialogbox will appear click on OK and then enter the correct password in the password edit box and the program will be registered.

When the program is registered, it makes an entry in named {uTnLpLs8SI} in the Registry. This it checks everytime the program is run. If you delete this entry the program will beunregistered again.

Well That's about it for Zip98.

 


I will like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.


You should buy this program if you intend to use it longer than the evaluation period.

  Index p;