
 //**cracking tut by alpine**//
       //*****and******//
//**the immortal descendants**//

#4 05.1999

hello and welcome to a new adventure....
Today's target is powerzip with its lazy protection scheme. For experienced crackers this protection scheme wouldn't cause much trouble, therefore this essay is for beginners.

what we need:

pzip  //download it from www.cnet.com or www.powerzip.lco.net
softice
wdasm or pc_offset to get the opcodes.
a hex editor of your choice.

let's fetz (g.l.)

Looking at our target, we find a box to register the program when we click on about/register. You have probably noticed the time trial protection, but I'm not cracking it today, because using the program longer than 30 days doesn't have any effect.
Now enter a name and a fake serial; I used alpine and 1234565.
Press register and you get a messagebox telling you to f**k off.
Click on okay and then enter softice. Set a breakpoint on hmemcpy.

//I almost always use hmemcpy, because it works for nearly every target//

Exit softice and press register; you will be kicked back into softice.
Now you have to press f12 till you reach the main exe file. By pressing
f12 once again you will be in a windows dll, therefore press f12 once again and you will find yourself back in the main exe.
Now we are close to our protection scheme.
What I do to find the compare routine is to press f10 till I get the
annoying messagebox telling me: wrong serial.
Did you do it? Did you write down the call which triggered the messagebox?
Ok, then set a bpx on hmemcpy again and trace till you
are at the following address, marked with *1:


:0041211D E830020100              Call 00422352
:00412122 3D14513035              cmp eax, 35305114 *1
:00412127 7507                    jne 00412130
:00412129 B81E513035              mov eax, 3530511E
:0041212E EB0C                    jmp 0041213C
:00412130 3D8883FF1F              cmp eax, 1FFF8388
:00412135 7505                    jne 0041213C
:00412137 B89283FF1F              mov eax, 1FFF8392
:0041213C 8B4F64                  mov ecx, dword ptr [edi+64] *2
:0041213F 81F914513035            cmp ecx, 35305114 *3
:00412145 741C                    je 00412163
:00412147 81F98883FF1F            cmp ecx, 1FFF8388 *4
:0041214D 7414                    je 00412163
:0041214F 3BC8                    cmp ecx, eax *5
:00412151 7410                    je 00412163
:00412153 6A00                    push 00000000
:00412155 6A10                    push 00000010
:00412157 686C274300              push 0043276C *6 
:0041215C E861F90000              Call 00421AC2 *7



Now what happens?

*2 our fake serial number is moved into ecx.
*3 our number is compared to a real "static" serial number.
*4 the same as above, against a second static serial.
*5 it is compared to eax. In eax the real serial number, generated from our name, is stored.

Now you will say that by typing d ecx you can't see your serial.
Try a ? ecx instead and you will get your fake serial. Since our number is
compared to two serial numbers which are always the same (*3, *4), you will have to do the same to see those two serials. For example, at *3 do
a ? 35305114 and you will get one valid serial. At *5 do a ? eax and you will get the real serial based upon our name.

That's it.....

alpine
alpine@gmx.at

thanks to the immortal descendants
