Newbies' first class (#1)


======================================================================
TARGET: WinZip v8.0>> get it from "http://www.download.com"
TOOLS : W32dsm v8.9, Hiew>> get them from "http://www.crackstore.com"
======================================================================

The usual disclaimer:-
I, BLUENYBBLE, CANNOT BE HELD RESPONSIBLE FOR ANY ACTIONS YOU MAY TAKE WITH
THE INFORMATION PROVIDED IN THIS TUTORIAL, NOR CAN ANYONE WHO PROVIDED YOU
WITH THIS INFORMATION OR ANY GROUP I AM INVOLVED IN BE HELD RESPONSIBLE FOR
YOUR ACTIONS. THIS FILE IS STRICTLY WRITTEN FOR EDUCATIONAL USE; IF YOU LIKE
WINZIP, BUY IT! IF YOU DO DECIDE TO USE THIS FILE FOR ILLEGAL PURPOSES, STOP
READING NOW! BY CONTINUING YOU AGREE TO THE TERMS MENTIONED ABOVE!

okay then!! let's start our crack, dudes...
get yourself a big cup of hot chocolate and start downloading the tools
needed.. ready?? then let's start...
first run your unregistered WinZip and try entering any stuff in the
registration fields, e.g. "la flamme" and "321321".. you'll immediately get
an error message, a "bad boy!".. the message will contain the sentence
"Incomplete or incorrect information"; write it down and get ready for the
next step...
browse for the WinZip main file "Winzip32.exe" and make a copy of it "just
in case you make a mistake"; give the copy any other extension, e.g.
"Winzip32.exx", and keep it aside for later use if needed.. launch your
disassembler and load the original WinZip main executable; now you'll be
searching for the string that popped up when you tried to register
illegally: from the "Refs" menu select "String Data References" and a small
window containing the many strings used in the executable will pop up; now
look up the error message carefully...
got it?? well, mine was at the address "ID=00654"..
NOTE: the reference needn't always contain the whole message shown in the
bad boy.
double click on it and you'll be taken to somewhere among the ASM code near
the possible reference for the error message; you should now be able to see
the lines:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040800C(C), :00408015(C), :0040801E(C) //the required conditional references.
| ^^^^^^^^      ^^^^^^^^      ^^^^^^^^
:00408067 E89C020000 call 00408308
* Possible Reference to String Resource ID=00654: "Incomplete or incorrect information"
|
:0040806C 688E020000 push 0000028E
:00408071 E860690300 call 0043E9D6
:00408076 50 push eax
:00408077 53 push ebx
:00408078 6A3D push 0000003D
:0040807A E886770200 call 0042F805
:0040807F 83C410 add esp, 00000010
:00408082 FF05686C4800 inc dword ptr [00486C68]
:00408088 833D686C480003 cmp dword ptr [00486C68], 00000003
:0040808F 0F85F9000000 jne 0040818E
:00408095 6A00 push 00000000
now all you want is to get the right conditional reference values...
NOTE: this line must be found somewhere above or below the possible ID
reference...
now pick ONLY the numbers followed by the (C) keyword.. well, this version
of WinZip contains three conditional references, thinking that they had over
protected it:).. write down the three conditional reference addresses
without the (C).. got 'em?? gr8, (shift+F12) opens the "go to code location"
window; type in the conditional references one by one.. each time you
should be taken to another place within the file, and if the selected line
is highlighted in green then you're hitting the right position; here's how
it looks...
* Reference To: USER32.GetDlgItemTextA, Ord:0104h //tells you this file is 32-bit software.
|
:00407FF1 FF1528644700 Call dword ptr [00476428]
:00407FF7 56 push esi
:00407FF8 E8866C0300 call 0043EC83
:00407FFD 56 push esi
:00407FFE E8A96C0300 call 0043ECAC
:00408003 803DD0BD480000 cmp byte ptr [0048BDD0], 00
:0040800A 59 pop ecx
:0040800B 59 pop ecx
:0040800C 7459 je 00408067 //the conditional statement in hexadecimal mode.
:0040800E 803DFCBD480000 cmp byte ptr [0048BDFC], 00
:00408015 7450 je 00408067
:00408017 E81BFAFFFF call 00407A37
:0040801C 85C0 test eax, eax
:0040801E 7447 je 00408067
:00408020 57 push edi
now take a little glance at the disassembler status bar while the highlight
is green, it should look similar to this:
Line: 16790 Pg 336 of 5451 Code Data @:0040800C @Offset 0000800Ch in File: Winzip32.exe
                                                        ^^^^^^^^
write down the hexadecimal offset address without the (h).. repeat the same
steps with the other two conditional references to get the rest of the
offsets you need.. now you can say you're done with the disassembler..
don't be ungrateful, say thanx b4 closing it; thank you, cool
disassembler;)...
now launch your HIEW and start browsing for the target we were havin' fun
with.. once it's loaded you'll be seeing a dreadful mess!! don't worry,
press (F4) and select the option "Decode".. neat columns of hexes with their
decoded values across are displayed.. press (F5) and start filling in the
offsets you've just got from our faithful disassembler.. "you can drop the
leading zeros".. Enter..
you're highlighting a pair of hex digits now.. a "74" value is what we're
looking for.. "why 74 is explained later in the glossary appended".. (F3) to
edit, replace 74 with 75 "notice the je across changing to jne"... (F9) to
save your changes; you'll be repeating the hex filling mission all over
again with the remaining offsets, and if you happen to face 75 or 85,
replace them with 74 and 84 respectively (do the opposite when confronted
with 74 or 84 --> 74 to 75, 84 to 85).. once you're done with all your
offsets press (F9) to save and (F10) to quit hiew...
"also don't forget to thank your hiew:)".. now you're filled with curiosity
to try your cracked WinZip.. go open your cracked WinZip and try to put
anything in the registration input fields.. and... "Incomplete or incorrect
information":) "DAMN! THE BAD BOY AGAIN!! BUT I DID NOTHING WRONG!!"..
what I was trying to show is that you have to take into account the nasty
failures that come with doing your job as a cracker.. always remember the
rule "trial and error!"...
no prob pal! you already have the offsets.. now go and (nop) the offsets by
putting the value 90 this time (in place of 74 or 75, 84 or 85).. this will
disable any function call caused by the je or jne... trying any entry to
register now will work..
in order to view the differences between your cracked version and the
original safety copy, supposing you made it on the desktop "the exx one",
type the following command in DOS mode...
FC /B C:\PROGRA~1\WINZIP\WINZIP32.EXE C:\WINDOWS\DESKTOP\WINZIP32.EXX > C:\WINDOWS\DESKTOP\COMP.TXT
a file called "comp.txt" will be created on your desktop that demonstrates
the differences between the two files in hex mode, the contents should look
like this...
Comparing files C:\PROGRA~1\WINZIP\Winzip32.exe and C:\WINDOWS\DESKTOP\WINZIP32.EXE
0000800C: 74 90
00008015: 74 90
0000801E: 74 90
well, good luck 'till the next lesson!
## APPENDIX ##

NOTE: the information provided in this section was written from my own
experience.. hence it needn't be 100% correct!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% MOST IMPORTANT ASM CODES GLOSSARY %%%%
%                                        %
%  HEX CODE     ACTION                   %
%  je    74     jump if it's equal.      %
%  je    84     jump if it's equal.      %
%  jne   75     jump if it's not equal.  %
%  jne   85     jump if it's not equal.  %
%  call  E8     calls a function.        %
%  nop   90     no operation "kills it". %
%  add   00     adds two bytes to ram.   %
%  inc   40-47  increases.               %
%  dec   48-4F  decreases.               %
%                                        %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
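To check the listing's arithmetic (all three (C) references really land on the bad boy at 00408067) and to read a comp.txt-style FC /B diff the way an integrity check would, flagging a conditional jump that has turned into a nop, here is an added Python example; it is not part of BlueNybble's tutorial, it uses only the opcode bytes from the glossary above, and it assumes the byte order shown in the tutorial's comp.txt (byte from file 1 first, then file 2).

```python
import re

# Opcode bytes from the tutorial's glossary: short Jcc, the second byte of a
# two-byte 0F 8x near Jcc, and nop.
JCC_SHORT = {0x74: "je", 0x75: "jne"}
JCC_NEAR = {0x84: "je", 0x85: "jne"}
NOP = 0x90

# comp.txt as listed in the tutorial; the byte from the first file comes first.
COMP_TXT = r"""Comparing files C:\PROGRA~1\WINZIP\Winzip32.exe and C:\WINDOWS\DESKTOP\WINZIP32.EXE
0000800C: 74 90
00008015: 74 90
0000801E: 74 90
"""
FC_LINE = re.compile(r"^([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

def short_jump_target(va, rel8):
    """Target of a 2-byte Jcc such as '74 59': next instruction + signed rel8."""
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return va + 2 + disp

def near_jump_target(va, rel32):
    """Target of a 6-byte '0F 85 xx xx xx xx' Jcc: next instruction + signed rel32."""
    disp = rel32 - (1 << 32) if rel32 >= (1 << 31) else rel32
    return va + 6 + disp

def parse_fc_output(text):
    """Turn 'FC /B' lines like '0000800C: 74 90' into (offset, byte1, byte2) tuples."""
    diffs = []
    for line in text.splitlines():
        m = FC_LINE.match(line.strip())
        if m:
            diffs.append(tuple(int(g, 16) for g in m.groups()))
    return diffs

def classify_patch(old, new):
    """Name a one-byte change with the glossary: a flipped or nopped jump stands out."""
    if old in JCC_SHORT and new == NOP:
        return f"{JCC_SHORT[old]} replaced by nop"
    if old in JCC_SHORT and new in JCC_SHORT and old != new:
        return f"{JCC_SHORT[old]} inverted to {JCC_SHORT[new]}"
    if old in JCC_NEAR and new in JCC_NEAR and old != new:
        return f"near {JCC_NEAR[old]} inverted to near {JCC_NEAR[new]}"
    return "other"

def report(fc_text):
    """(offset, classification) for every differing byte of a compared binary."""
    return [(off, classify_patch(a, b)) for off, a, b in parse_fc_output(fc_text)]
```

Running report(COMP_TXT) over the tutorial's comp.txt flags all three offsets as "je replaced by nop", which is exactly the kind of change a shipped-binary comparison against a known-good copy should raise.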

BADBOY: a Windows built-in popup message.
to tell a bad boy from a NAG "a non-built-in Windows message", copy this JS
code into a text file and change its extension to "htm", then view it as an
HTML document; here's the code...
//////////////////////////////////////////////////////////////////////////
<html><head><script>
function ale(){
window.alert('alert message');
return 0;
}
function con(){
window.confirm('confirm message');
return 0;
}
</script></head>
<body bgcolor=#000000>
<basefont face=Arial color=a6caff>
<center>those two are a sample of the most common bad boys you'll be
facing.<br>
<form><input type=button value="1st bad boy!" onclick="ale()">
<input type=button value="2nd bad boy!" onclick="con()"></form>
another common bad boy will contain the error sign (<font
face="CommonBullets" size=5>(</font>) within the message.<br>the last type
you may face would contain a question mark in a call out
(?).<br><br><br><br><font face=Arial size=7
color=#0000ff><b><strong><big>!</big></strong></b><br>BlueNybble</font>
</center></body></html>
//////////////////////////////////////////////////////////////////////////
always keep in mind that there's no bug-free programme except the
traditional "Hello World!" programme:)


BlueNybble

Credits


Author: BlueNybble.