Name      : WinZip

Version   : 8.0 Beta 2350

Editor    : Nico Mak Computing Inc.

Target    : winzip32.exe

Tools     : Softice
            Brain
            
Cracker   : LW2000

Tutorial  : No.57

http://www.winzip.com


---
DISCLAIMER
For educational purposes only!
I hold no responsibility of the mis-used of this material!
---

1.      OK, I don't like to crack betas, but I was asked and ...
        mhmm, I promised it, so here is my WinZip 8.0 tutorial =)

        Go to the registration screen and enter the details.

        Name: LW2000 [CiA]      
        Code: 1230099

        Press [ctrl]+[d] to switch to sice and set a bpx on hmemcpy.
        'bpx hmemcpy'

2.      Press F5 to return to WinZip and press OK.
        *Boom* Sice pops up, but we have 2 text fields, so we can press
        F5 again.

        *Boom* Sice pops up again. Now press F12 until you're in the
        32-bit code (9x).

        Then trace till you see this:


0117:00407A66 BFD0BD4800              mov edi, 0048BDD0
0117:00407A6B 50                      push eax
0117:00407A6C 57                      push edi
0117:00407A6D E89B020000              call 00407D0D
0117:00407A72 8D85F8FDFFFF            lea eax, dword ptr [ebp-0208]
0117:00407A78 50                      push eax <-- d eax
0117:00407A79 8D45EC                  lea eax, dword ptr [ebp-14]
0117:00407A7C 50                      push eax
0117:00407A7D E87E040600              call 00467F00

        OK, what is WinZip doing? If you dump eax at 00407A78 (d eax),
        you'll notice that WinZip cuts our name a bit!
        LW2000 [CiA] -> LWCiA
        
3.      Good to know ... now trace on, till you see:


0177:00407AFB E8A9000000              call 00407BA9
0177:00407B00 BEFCBD4800              mov esi, 0048BDFC
0177:00407B05 8D85C0FEFFFF            lea eax, dword ptr [ebp+FFFFFEC0]
0177:00407B0B 56                      push esi <-- d eax
0177:00407B0C 50                      push eax
0177:00407B0D E8EE030600              call 00467F00
0177:00407B12 83C410                  add esp, 00000010
0177:00407B15 F7D8                    neg eax
0177:00407B17 1BC0                    sbb eax, eax
0177:00407B19 40                      inc eax
0177:00407B1A A334904800              mov dword ptr [00489034], eax
0177:00407B1F 7568                    jne 00407B89
0177:00407B21 8D85C0FEFFFF            lea eax, dword ptr [ebp+FFFFFEC0]
0177:00407B27 50                      push eax
0177:00407B28 57                      push edi
0177:00407B29 E818010000              call 00407C46
0177:00407B2E 8D85C0FEFFFF            lea eax, dword ptr [ebp+FFFFFEC0]
0177:00407B34 56                      push esi <-- d eax
0177:00407B35 50                      push eax
0177:00407B36 E8C5030600              call 00467F00
0177:00407B3B 83C410                  add esp, 00000010
0177:00407B3E F7D8                    neg eax

4.      OK, at 00407B05 eax points to the first serial.
        This serial is calculated from the full name (LW2000 [CiA]).
        At 00407B2E eax points to our second serial. This serial
        is calculated from our truncated name (LWCiA).

        Mhmm, let's try one...  (but first disable or clear our bpx...)

        Name: LW2000 [CiA]
        Code: E354128A    or    36612102


Congratulation! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000
Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net
----
tKC, thx for your tutorials!
I started with tutorial 1 and I still read them... they are the best!
