<name title="How to crack zip key v2.11.0" author="woody">
<font ns>
<font name verdana height 22 color 1>
<center>Crack Zip Key v2.11.0 by woody^drn</center><br>

<font name verdana height 12 color 0>
Okay, I'll try cracking zip key v2.11.0 with <b>r!sc's process patcher</b>,
which is a pretty cewl cracking tool for packed programs: instead of patching
the file on disk, it starts the program and patches its code in memory, once
the packer's stub has already unpacked it. You can get
it at <link external="http://beam.to/risc">beam.to/risc</link>,
and you can get zipkey at <link external="http://www.lostpassword.com">
www.lostpassword.com</link><br>
<br>

This program is actually pretty fast; it's a zip password breaker/recovery
tool. But let's run the program first and see what it says<br>
<br>

Hmm, maximum 3 character passwords, that kinda sucks ;) what a bug heh .. let's
fix it. Start by packing some files with WinZip or PKZIP and set the password
to 4 chars, then load the archive into zipkey. Boom! A message box appears :)
nice, even with a beep ;) hehe<br>
<br>

So what we can do is break on "bpx messageboxa" or "bpx messagebeep" in
SoftICE. I'll choose messageboxa: load the .zip file again and SoftICE breaks
inside MessageBoxA. Press F12 (run until return to the caller) and press the OK
button when the nag appears. Now you're back in SoftICE, in zipkey's own code,
right here:<br>

<pre><font name terminal height 12 color 3>
:00403A75 E836FE0000              call 004138B0
:00403A7A 8D4DD8                  lea ecx, dword ptr [ebp-28]
:00403A7D E8DE9B0000              call 0040D660
:00403A82 EB05                    jmp 00403A89
</pre><font name verdana height 12 color 0><br>

You are at 403A7A now, the return address, so the call at 403A75 is what pops
the nag .. we don't want the program to execute that instruction. So let's load
the file into W32Dasm. Hmm, the file is packed :) I know the file is packed
because if you take a look at the .exe header with gtui (a program by phox):<br>

<pre><font name terminal height 12 color 3>
- [zipkey.exe] -----
    DOS executable file - 74042 bytes
 
    Portable executable (starting at 232 for 73810 bytes)
      Packer: UPX 0.70 [PE]
</pre><font name verdana height 12 color 0><br>
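To see for yourself what a header tool like gtui is reporting, here is an added example (my own code, not gtui and not anything from the zipkey author) that reads the PE section table and checks for the UPX layout: a near-empty first section named UPX0 with no raw data, where the original program gets decompressed to, and the entry point inside UPX1, which holds the compressed data plus the unpacking stub. The two PE images it scans are constructed inline for the example; they are not zipkey.exe and their sizes are made up.<br>

```python
import struct

# Added example: inspect a PE's section table to spot UPX packing.
# A UPX-packed PE has an empty "UPX0" section (large virtual size, zero raw
# data) and its entry point in "UPX1" (compressed data + unpacking stub).
# The sample images below are constructed here; they are not zipkey.exe.

def build_sample_pe(sections, entry_rva):
    """Build a minimal PE32 image with the given section headers.

    sections: list of (name, virtual_address, virtual_size, raw_size).
    Only the fields the scanner reads are filled in.
    """
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    hdrs = b""
    for name, va, vsize, raw_size in sections:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # then pointers/counts/characteristics we leave at zero
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            vsize, va, raw_size, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_sections(data):
    """Return (entry_rva, [(name, va, vsize, raw_size), ...]) from a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sects = []
    off = opt + opt_size
    for _ in range(nsect):
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, off)
        sects.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw))
        off += 40
    return entry, sects


def detect_upx(data):
    """Say which section holds the entry point and whether UPX0/UPX1 are present."""
    entry, sects = parse_sections(data)
    names = [s[0] for s in sects]
    entry_sect = next((s[0] for s in sects if s[1] <= entry < s[1] + s[2]), None)
    upx_layout = ("UPX0" in names and "UPX1" in names
                  and any(s[0] == "UPX0" and s[3] == 0 for s in sects))
    if upx_layout and entry_sect == "UPX1":
        return "packed: UPX (entry in UPX1, empty UPX0 awaits the unpacked code)"
    return "no UPX layout (entry in %s)" % entry_sect


# Constructed samples: a UPX-style layout and a plain compiler layout.
PACKED_SAMPLE = build_sample_pe(
    [("UPX0", 0x1000, 0x1A000, 0), ("UPX1", 0x1B000, 0x12000, 0x11600),
     (".rsrc", 0x2D000, 0x1000, 0x600)], entry_rva=0x2CA40)
UNPACKED_SAMPLE = build_sample_pe(
    [(".text", 0x1000, 0x20000, 0x20000), (".rdata", 0x21000, 0x4000, 0x4000),
     (".data", 0x25000, 0x6000, 0x2000)], entry_rva=0x1234)

if __name__ == "__main__":
    print(detect_upx(PACKED_SAMPLE))
    print(detect_upx(UNPACKED_SAMPLE))
```

Section names are trivially renamed, so this is a hint rather than proof; a real packer identifier also matches the code at the entry point against known stub signatures, which is how a tool can name a version like UPX 0.70. What matters for this crack is the conclusion: the code you want to patch does not exist in the file in its decompressed form, it only appears in memory after the stub in UPX1 has run.<br>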

You can see that it's packed with UPX v0.70. Okay, so we use ProcDump to dump
the unpacked image from memory. I assume you know how to use it ... When the
file is unpacked, load the new unpacked .exe into W32Dasm. Since the dump was
taken from memory, its addresses are the same ones SoftICE showed. Now find
address 403A7A where we landed in SoftICE, and scroll up until you find the:<br>

<pre><font name terminal height 12 color 3>
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403896(C)
|
:004039EE 8B0D80A94200            mov ecx, dword ptr [0042A980]
</pre><font name verdana height 12 color 0><br>

Okay, so the only way into this block of code (the one containing the nag call
at 403A75) is the conditional jump at 403896. So we take a look at that line:<br>

<pre><font name terminal height 12 color 3>
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403874(C), :0040387B(C)
|
:00403893 83FB02                  cmp ebx, 00000002
:00403896 0F8F52010000            jg 004039EE
</pre><font name verdana height 12 color 0><br>

Now this looks good :) compare ebx with 2 .. 0..1..2, that's 3 chars :) heh,
and jump if greater to 4039EE (jg 004039EE), which is the block that ends in
the nag. We really don't want it to take that jump, so we just NOP out the whole
instruction at 403896 and let execution fall through. Normally we would find
the correct entry point in the packed file and make a little patch that NOPs
this whole instruction there; you can't simply edit the bytes in the UPX'd
zipkey.exe, because the bytes at 403896 only exist in decompressed form in
memory. But in this tut I'm gonna use <b>r!sc's process patcher</b>,
which is really easy to use ... <br>
<br>

Just make a new text file called zipkey.rpp. Please read his
documentation if you're having trouble using the tool. I'll just show
you some of the many cewl commands he has made available.<br>
<br>

<pre><font name terminal height 12 color 3>
[File: zipkey.rpp]:

; Woody's crack for zip key 2.11.0

f=zipkey.exe:
o=w-zipkey.exe:
p=403896/0f,8f,52,01,00,00/90,90,90,90,90,90:
$
</pre><font name verdana height 12 color 0><br>

To explain these commands ..<br>
<br>

f=zipkey.exe:<br>
This is the original file that has to be patched.<br>
<br>

o=w-zipkey.exe:<br>
This is the loader <b>r!sc's process patcher</b> will create.<br>
<br>
p=403896/0f,8f,52,01,00,00/90,90,90,90,90,90:<br>
First the address where it will patch (the virtual address in the running
process, the same one SoftICE showed, not a file offset), then the original
bytes that must be found at that address, then the new bytes replacing the bad
ones ;)<br>
<br>

<pre><font name terminal height 12 color 3>
:00403896 0F8F52010000            jg 004039EE
</pre><font name verdana height 12 color 0><br>

You can see the instruction at 403896 is the 6 bytes 0F 8F 52 01 00 00: a
jg rel32, opcode 0F 8F followed by a 32-bit displacement (0x152 here, which
added to 40389C, the address of the next instruction, gives 4039EE, matching
the listing). We want to NOP out the whole instruction, and a NOP is 90, so the
new bytes are 90 90 90 90 90 90. The replacement has to be exactly as long as
the original, otherwise the instructions after it get corrupted. Easy, right? :)<br>
<br>

End the file with a $ sign. That's it! The only thing you have to do
now is "compile" the script file zipkey.rpp: run r!sc's program, find
the script file, and compile it. r!sc's program then creates w-zipkey.exe, a
loader that starts zipkey.exe and writes the patch into its memory once the
program is running. r!sc's program doesn't patch the file permanently, of
course, it's a process patcher, so the user has to run w-zipkey.exe every time
he wants to use zipkey.exe without the limit.<br>
<br>
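To make the mechanics concrete, here is an added example, written for this page and not r!sc's code: a tiny reader for the script above (the f=, o= and p= lines and the $ terminator, with ";" assumed to start a comment; the real .rpp format is only reproduced as far as this page shows it), a decoder for the jg rel32 being patched, and a patch routine that behaves the way a process patcher must, refusing to write unless the original bytes are really there. The "process memory" is a constructed stand-in holding just the few instructions from the listing, mapped at their real addresses.<br>

```python
import struct

# Added example, not r!sc's code. The .rpp format is reproduced only as far as
# the page shows it; the memory images below are constructed for the example.

RPP_SCRIPT = """
; Woody's crack for zip key 2.11.0

f=zipkey.exe:
o=w-zipkey.exe:
p=403896/0f,8f,52,01,00,00/90,90,90,90,90,90:
$
"""


def parse_rpp(text):
    """Return (target, output, [(address, original, replacement), ...])."""
    target = output = None
    patches = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # assumed: ';' starts a comment
        if not line:
            continue
        if line == "$":
            break                             # end of script
        key, _, value = line.partition("=")
        value = value.rstrip(":")
        if key == "f":
            target = value
        elif key == "o":
            output = value
        elif key == "p":
            addr, old, new = value.split("/")
            old_b = bytes(int(b, 16) for b in old.split(","))
            new_b = bytes(int(b, 16) for b in new.split(","))
            if len(old_b) != len(new_b):
                raise ValueError("patch at %s changes instruction length" % addr)
            patches.append((int(addr, 16), old_b, new_b))
        else:
            raise ValueError("unknown directive: " + line)
    return target, output, patches


def jcc_rel32_target(address, code):
    """Decode the destination of a two-byte Jcc rel32 (0F 80..8F) at address."""
    if len(code) < 6 or code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        raise ValueError("not a Jcc rel32")
    disp = struct.unpack_from("<i", code, 2)[0]
    return (address + 6 + disp) & 0xFFFFFFFF   # target = next instruction + disp


class ProcessImage:
    """Stand-in for the target's memory: a bytearray mapped at a base VA."""
    def __init__(self, base, data):
        self.base = base
        self.mem = bytearray(data)

    def read(self, va, n):
        off = va - self.base
        return bytes(self.mem[off:off + n])

    def write(self, va, data):
        off = va - self.base
        self.mem[off:off + len(data)] = data


def apply_patches(image, patches):
    """Write each patch only if the original bytes are really present.

    On a packed target they only are once the unpacking stub has run, which is
    why the patch is applied to the live process instead of the file on disk.
    """
    for va, old, new in patches:
        found = image.read(va, len(old))
        if found != old:
            raise RuntimeError("bytes at %08X are %s, expected %s"
                               % (va, found.hex(), old.hex()))
        image.write(va, new)
    return image


# Constructed unpacked image: cmp ebx,2 at 403893, jg at 403896, a nop after.
UNPACKED_CODE = bytes.fromhex("83fb02" "0f8f52010000" "90")
CODE_BASE = 0x403893


def patch_zipkey(image=None):
    """Run the script against an image; return the 6 bytes now at 403896."""
    target, output, patches = parse_rpp(RPP_SCRIPT)
    if image is None:
        image = ProcessImage(CODE_BASE, UNPACKED_CODE)
    apply_patches(image, patches)
    return image.read(0x403896, 6)


if __name__ == "__main__":
    _, _, patches = parse_rpp(RPP_SCRIPT)
    va, old, _ = patches[0]
    print("jg at %08X goes to %08X" % (va, jcc_rel32_target(va, old)))
    print("after patch:", patch_zipkey().hex())
    try:   # the packed file does not contain these bytes, so nothing is written
        patch_zipkey(ProcessImage(CODE_BASE, bytes(len(UNPACKED_CODE))))
    except RuntimeError as e:
        print("refused:", e)
```

Decoding the original bytes from the p= line gives 4039EE, the same target W32Dasm printed, which is a cheap way to confirm the script really names the jg and not a neighbouring instruction. The refused patch at the end is the whole reason for a process patcher: against an image that still holds the packed bytes (here simulated with zeros) the original-bytes check fails and nothing is written; the real tool gets the same check right by waiting for the live process.<br>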

Run the loader now and check whether the program still cares about passwords
longer than 3 chars. Does it? Of course not :) Was that easy or what :))<br>
<br>

-wOODY^dRN<br>
<br>



