HOW TO REGISTER WinZip 7.0

Tutorial by UmE

Introduction: in this tutorial I'll try to explain how to register WinZip 7.0 by finding the registration number inside the code. Follow me.... :)

Necessary tools: SoftIce 3.24 or better.

Program description: WinZip 7.0, WinZip32.exe, 983.040 bytes.

PARENTAL ADVISORY: this tutorial is cracking oriented!!!

Step 1: when you run the program a nag screen appears with the following text: "This is a fully functional unregistered version for evaluation use only...." You can start working with the program by pressing the "I Agree" button, or you can enter a registration code by pushing the "Enter Registration Code..." button. Let's see what we can do in this case.

Step 2: you have in front of you the dialog box where you can enter your name and the registration number. Enter a name (I've entered UmE) and a reg. number that naturally will be wrong, but don't push the Ok button. Push Ctrl+D to enter SoftIce and place a breakpoint on the Win32 API GetDlgItemTextA (type bpx getdlgitemtexta). Push Ctrl+D again to return to the operating system and now push the Ok button...BINGO!!! You're in SoftIce!!!

As you know, GetDlgItemTextA reads one entry every time it is called, so the first call reads the name you've entered and the next call reads the S/N you've entered. Ok, press Ctrl+D to return to the operating system and immediately you'll be in SoftIce again. Press F11 to return to the piece of code that called the function and start to trace the code with F10. You'll see:

    :0040803C 56               push esi
    :0040803D E800160200       call 00429642
    :00408042 59               pop ecx
    :00408043 56               push esi
    :00408044 E822160200       call 0042966B
    :00408049 803D18D9470000   cmp byte ptr [0047D918], 00
    :00408050 59               pop ecx
    :00408051 745F             je 004080B2
    :00408053 803D48D9470000   cmp byte ptr [0047D948], 00
    :0040805A 7456             je 004080B2
    :0040805C E8EAFAFFFF       call 00407B4B                <- compute the serial number
    :00408061 85C0             test eax, eax                <- test if you've entered the right S/N
    :00408063 744D             je 004080B2                  <- jump if the S/N is Ok!
    :00408065 53               push ebx

It's a classical scheme for serial number comparison. What we have to do now is trace the call starting at address 00407B4B: when you're tracing the piece of code above and the highlighted line is on the instruction "call 00407B4B", push F8 and you'll be inside the fateful call. You'll see:

    :00407B4B 55               push ebp
    :00407B4C 8BEC             mov ebp, esp
    :00407B4E 81EC08020000     sub esp, 00000208
    :00407B54 53               push ebx
    :00407B55 56               push esi
    :00407B56 33F6             xor esi, esi
    :00407B58 803D18D9470000   cmp byte ptr [0047D918], 00

Let's start to trace the call and pay attention to the register values!!! If you observe the function you'll notice that the name you've entered is pushed and popped a lot of times: this means that the right S/N is calculated in the first part of the function. Continue to trace and continue to monitor the addresses. At a certain point you'll have:

    :00407C1C BE48D94700       mov esi, 0047D948
    :00407C21 59               pop ecx                      <- What is popped up?
    :00407C22 8D85C0FEFFFF     lea eax, dword ptr [ebp+FFFFFEC0]
    :00407C28 56               push esi
    :00407C29 50               push eax
    :00407C2A E871FC0400       call 004578A0

Try to type d ecx and you'll see: D08C00F7. It seems to be a valid serial number. Continue to trace until the end of the function and some rows later you'll find:

    :00407C45 E820010000       call 00407D6A
    :00407C4A 59               pop ecx                      <- What is this?
    :00407C4B 8D85C0FEFFFF     lea eax, dword ptr [ebp+FFFFFEC0]
    :00407C51 59               pop ecx
    :00407C52 56               push esi
    :00407C53 50               push eax
    :00407C54 E847FC0400       call 004578A0

It looks very much like the piece of code above....mmmm suspicious!!! Type d ecx again and you'll have: 29424031. Another valid serial number? Yes!!!! If you go to the WinZip help you'll find that there are two kinds of licenses: single user and server user, so the program checks whether the S/N you've entered is one of the two above!!!

As you have seen, in this crack it is a little difficult to understand what the program does inside the function described above, but it is important to know where the call that generates the right S/N is. Once you've found it, in some manner the S/N will be discovered. And remember: gather as much information as you can about the program you're going to crack!! It's one of the most important things that a good cracker must do for his job!!

That's all for now!!! I hope that this tutorial will be useful for someone.

Greetings to Volatility and all the Immortal Descendants.

Contact me at: ume15@hotmail.com
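
The weakness the tutorial relies on is a client that computes the expected serial itself, so the correct value is in a register right before the comparison. The added example below (not part of the original tutorial and not WinZip's algorithm) sets that pattern beside a verify-only design in which the client holds only public key material. The digest, the weak derivation, the function names and the textbook RSA parameters (p=61, q=53) are constructed assumptions; a real product would use a vetted signature library with full-size keys.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed textbook RSA parameters (p=61, q=53); illustration only. */
#define RSA_N 3233u
#define RSA_E 17u    /* public exponent: the only key material in the client */
#define RSA_D 2753u  /* private exponent: stays with the vendor, never shipped */

/* FNV-1a reduced mod n; stands in for a real hash (assumption). */
static uint32_t name_digest(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) { h ^= (uint8_t)*name; h *= 16777619u; }
    return h % RSA_N;
}

/* Square-and-multiply; operands stay below 2^32, so products fit in 64 bits. */
static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t r = 1, b = base % mod;
    for (; exp; exp >>= 1) {
        if (exp & 1) r = r * b % mod;
        b = b * b % mod;
    }
    return (uint32_t)r;
}

/* Weak pattern: the client derives the expected serial itself (hypothetical
 * derivation), so the correct value is in memory right before the compare. */
int check_weak(const char *name, const char *entered) {
    char expected[9];
    snprintf(expected, sizeof expected, "%08X",
             (unsigned)(name_digest(name) * 2654435761u));
    return strcmp(expected, entered) == 0;
}

/* Vendor side; included only so the example runs stand-alone. */
uint32_t vendor_sign(const char *name) { return modpow(name_digest(name), RSA_D, RSA_N); }

/* Verify-only client: it checks a licence but cannot produce one. */
int check_signed(const char *name, uint32_t licence) {
    if (licence >= RSA_N) return 0;
    return modpow(licence, RSA_E, RSA_N) == name_digest(name);
}

int main(void) {
    uint32_t lic = vendor_sign("UmE");
    printf("valid=%d tampered=%d\n", check_signed("UmE", lic),
           check_signed("UmE", (lic + 1) % RSA_N));
    return 0;
}
```

In check_signed the only value ever compared against is the digest of the entered name, so tracing the routine in a debugger shows nothing that can be typed in as a licence.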