STEP 1: open WinZip, go to the registration dialog, and enter a name (any name u want)
and a fake registration number (it's recommended that u put one that is easy to remember ;). i did it like this:
Name: blackgh0st
registration #: 12345 (see? so easy to remember ;)
STEP 2: open your favorite debugger (SoftIce of course ;) and set a breakpoint on execution (from now on we'll call it bpx). the most popular ones for serials are: "getwindowtexta", "getdlgitemtexta", "getdlgitemint" and "hmemcpy" (this last bpx makes SoftIce break every time memory gets copied, so i'd rather not use it unless the other bpx's don't work). so after u set the bpx and got out of SoftIce (F5/CTRL+D), what r u gonna do??? right! press the "OK" button!
STEP 3: if u set "bpx getdlgitemtexta" u should be in SoftIce again. if u aren't, open SoftIce, clear the bpx u set (by typing "bc *") and set the right one.
NOW, we r in SoftIce and have no idea what all this shit is, so this is what we do: we press F12 (to get out of the fuckin DLL and back into WinZip's own code) and now what we see looks like this:
015F:00407F6D CALL [USER..blablabla...]
051F:00407F73 PUSH EDI <----- push EDI onto the stack; EDI points to our name (type "d edi" and u will see the name u entered in the data window).
there r two fields in the registration dialog, and we r in the first one (NAME field). exit SoftIce (F5/CTRL+D) so the program can read the second field (registration # field).
G00D... back in SoftIce... now press F12 (u know why), and now u see:
015F:00407F8F CALL [USER..blablabla...]
015F:00407F95 PUSH ESI <----- push ESI onto the stack; ESI points to our fake number (type "d esi" and u will see the number u entered in the data window).
STEP 4: now u will need to trace a lot!! start stepping with F10 until u see this:
015F:00407FA1 CMP BYTE PTR [0048CD78],00 <---- type "d 0048CD78" and u see the NAME.
now continue tracing until u get to the next compare(CMP), which is:
051F:00407FAC CMP BYTE PTR [0048CDA4],00 <---- can u guess what happens if we type "d 0048CDA4"? right! we see our fake number.
so we have our two CMPs; the next CALL is the one that compares the real serial with our fake one. so the next CALL should be:
015F:00407FB5 CALL 004079D5 <---- this is our CALL ;) trace into it with F8 and continue to the next step.
ok... this is where the program calculates the serial number that goes with your name. u should look for a PUSH followed by another PUSH, where the first one pushes our fake serial (do u remember where our fake serial was stored? right, in ESI). so look for two PUSH commands in a row. found it? it is here:
015F:00407AA9 PUSH ESI <--- our fake serial!
015F:00407AAA PUSH EAX <--- do u know what is in EAX? very good, a pointer to the REAL serial, so type "d eax" and what do u see in the data window?!?!?! ;) THE REAL SERIAL!!!
clear all bpx by typing "bc *", go to WinZip, type in the real serial and enjoy WinZip (yeah right ;). so u cracked it! how does it feel, good ha?
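The weak point the walkthrough above relies on is a design one: the program derives the single valid serial for the typed name and then compares it with what was typed, so a valid serial has to exist in plaintext memory at that CALL. The added Python example below (not from the tutorial and not WinZip's code; the derivation, the toy key values and every function name are constructed) contrasts that check with one that verifies a signed serial against a public key, where the client never computes a valid serial at all.

```python
import hashlib

# Design A: the shape of check the tutorial traces.  The client derives the one
# correct serial for the name and compares it with the typed value, so the real
# serial must sit in memory at the comparison (the tutorial reads it with "d eax").
# The derivation is a constructed stand-in; the vendor's real one is unknown here.
def derive_serial_weak(name: str) -> str:
    digest = hashlib.sha256(b"constructed-vendor-secret|" + name.encode()).digest()
    return digest[:5].hex().upper()           # 10 hex characters

def check_weak(name: str, entered: str) -> bool:
    expected = derive_serial_weak(name)       # valid serial now lives in memory
    return expected == entered                # the compare only tells a debugger WHERE

# Design B: the client ships only a public key, so it can verify a serial but
# cannot produce one.  Issuing happens at the vendor with the private key.
# Textbook RSA over two well-known primes keeps the example self-contained; a
# shipping product would use a real signature library and proper key sizes.
_P, _Q = 1000000007, 1000000009               # constructed toy key, vendor side only
PUB_N, PUB_E = _P * _Q, 65537                 # the only values the client needs
_PRIV_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1)) # never shipped to the client

def _name_digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % PUB_N

def issue_serial(name: str) -> str:
    """Vendor side: the serial is an RSA signature over the name, as hex."""
    return format(pow(_name_digest(name), _PRIV_D, PUB_N), "x")

def check_signed(name: str, entered: str) -> bool:
    """Client side: uses PUB_N and PUB_E only.  Nothing in this function can
    produce a serial, so there is no 'real serial' register to dump."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    return 0 < sig < PUB_N and pow(sig, PUB_E, PUB_N) == _name_digest(name)

if __name__ == "__main__":
    name = "blackgh0st"
    print("weak  :", check_weak(name, "12345"), "| in memory:", derive_serial_weak(name))
    serial = issue_serial(name)
    print("signed:", check_signed(name, serial), check_signed(name, "12345"))
```

In Design B only `issue_serial` and `_PRIV_D` belong at the vendor; they are in the same file here so the example runs stand-alone.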