July 1998
"Winzip Self-Extractor V2.2 (beta)"
( 'A Simple Protection System sniffed out'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: wzbetase.zip
Program Type: Zip Utility
Program Location: Here 
Program Size: 969K 
 
   
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
 
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Winzip Self-Extractor V2.2 (beta)
( 'A Simple Protection System Sniffed Out'  )
Written by The Sandman
 
 
 
Introduction
 

The authors of WinZip Self-Extractor say:-
 
"WinZip Self-Extractor is a utility program that creates native Windows self-extracting Zip files. These self-extracting Zip files are ideal for Internet file distribution because they:  (1) can contain multiple compressed files, ensuring that important files do not become separated from the rest of the package; (2) allow the receiver to use a familiar Windows interface to decompress files, without owning or knowing how to use a separate unzip utility; and (3) optionally run a "setup" or "installation" program, which may be included by the developer when the files are decompressed."
 
About this protection system
 
On initial startup of WinZip Self-Extractor you are given the chance to register it via the 'Enter Registration Code' button.

You will be asked for:

Name
Registration #

On successful registration the program stores the following user info in winzipse.dat, which can be found in the same directory as the program itself:

Contents of winzipse.dat
 
The Sandman
577487
 
The Essay 
     
Start up WinZip; it will display a pretty nag screen reminding us to register. Click on the 'Enter Registration Code' button.

Type in your user name/handle, then enter a sequence of random digits for the registration number.

For this example I chose:

The Sandman
7777777
 
Press Ctrl-D to pop up Softice, type: bpx getdlgitemtexta, then type x to leave Softice.

Let's now get WinZip to check our user details... Press the 'OK' button on the Registration Screen.

Softice now breaks at the start of the GetDlgItemTextA system function, so all we need do here is press the 'F11' key once; this returns us to the instruction after the call, nicely back in WinZip's own code.
 
We should now see the following snippet of code:-
 
:0040B031 FF153C874300            Call USER32.GetDlgItemTextA
:0040B037 6890594300              push 00435990 ;We land here
:0040B03C E829FEFFFF              call 0040AE6A
:0040B041 83C404                  add esp, 00000004

From here we must keep pressing the 'F10' key (step over) until we arrive here..

:0040B0C3 E878E00000              call 00419140
:0040B0C8 83C404                  add esp, 00000004
:0040B0CB 83F808                  cmp eax, 00000008
:0040B0CE 0F8530000000            jne 0040B104 ;Follow this jump

As crackers we should get into the habit of following conditional jumps and call statements to see where they take us, and, just as importantly, of checking what is being passed in the registers; that gives us at least some idea of what is happening as we go from one routine to another. Here the call at 0040B0C3 returns a value that is compared with 8, and the jne is taken whenever it is not 8. Since I've already done this for you, I know that in order to 'see' the real serial number which the program has created, and which it will compare with the one the user typed in, we need to follow where the jne 0040B104 instruction takes us....
 
* Referenced by a (C)onditional Jump at Address: :0040B0CE(C)
 
:0040B104 0FB60580584300          movzx eax, byte ptr [00435880]
:0040B10B 83F859                  cmp eax, 00000059
:0040B10E 0F8562000000            jne 0040B176
:0040B114 6A00                    push 00000000
:0040B116 E84EFCFFFF              call 0040AD69 ;Now follow this call

 
* Referenced by a CALL at Addresses: :0040439B, :0040B116, :0040B196
 
:0040AD69 55                      push ebp
:0040AD6A 8BEC                    mov ebp, esp
:0040AD6C 81EC04010000            sub esp, 00000104
:0040AD72 53                      push ebx
:0040AD73 56                      push esi
:0040AD74 57                      push edi
:0040AD75 837D0800                cmp dword ptr [ebp+08], 00000000
:0040AD79 0F8405000000            je 0040AD84
:0040AD7F E8A0FCFFFF              call 0040AA24
:0040AD84 0FB60590594300          movzx eax, byte ptr [00435990]
:0040AD8B 85C0                    test eax, eax
:0040AD8D 0F8507000000            jne 0040AD9A ;Follow this jump
:0040AD93 33C0                    xor eax, eax
:0040AD95 E9C9000000              jmp 0040AE63

* Referenced by a (C)onditional Jump at Address: :0040AD8D(C)
 
:0040AD9A 6880584300              push 00435880
:0040AD9F 6890594300              push 00435990
:0040ADA4 E8876D0100              call 00421B30
:0040ADA9 83C408                  add esp, 00000008
:0040ADAC 85C0                    test eax, eax
:0040ADAE 0F8507000000            jne 0040ADBB ;Follow this jump!
:0040ADB4 33C0                    xor eax, eax
:0040ADB6 E9A8000000              jmp 0040AE63

* Referenced by a (C)onditional Jump at Address: :0040ADAE(C)
 
:0040ADBB 6880584300              push 00435880
:0040ADC0 E8BDB40000              call 00416282
:0040ADC5 83C404                  add esp, 00000004
:0040ADC8 85C0                    test eax, eax
:0040ADCA 0F8419000000            je 0040ADE9 ;Follow this jump
:0040ADD0 C705945A430001000000    mov dword ptr [00435A94], 00000001
:0040ADDA C705985A430001000000    mov dword ptr [00435A98], 00000001
:0040ADE4 E970000000              jmp 0040AE59

* Referenced by a (C)onditional Jump at Address: :0040ADCA(C)
 
:0040ADE9 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:0040ADEF 50                      push eax ;OUR REAL SERIAL Number!
:0040ADF0 6890594300              push 00435990
:0040ADF5 E837FDFFFF              call 0040AB31
:0040ADFA 6880584300              push 00435880
:0040ADFF 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:0040AE05 50                      push eax

We've found it!  Once you land at 0040ADEF all you need do is type: d eax and Softice will show you, in its Data Window, the real serial number based on your name/handle. Note what the listing tells us about this spot: eax points at the stack buffer [ebp-104h], and the call 0040AB31 that follows receives that buffer together with the name at 00435990, so it is evidently this call that fills it with the serial derived from the name; the buffer is then pushed beside 00435880 for the comparison. If the dump is still empty when you land here, step over the call with F10 and the Data Window will update with the serial.

Now that we know where the serial is located we can compress all the steps shown above into the following ones:-

1. Go into the Registration Screen and fill in the user details.
2. Press Ctrl-D then type bpx getdlgitemtexta then x to leave Softice.
3. Press the 'OK' button and Softice breaks.  Press the 'F11' key once.
4. Type BC * then type: bpx 0040ADEF then x to leave Softice.
5. Softice breaks, type d eax to reveal Real Serial Number.
6. Re-run Registration Screen and type in the Real serial number.
 
Job Done.
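Why 'd eax' works here, and when it would not: the routine above computes the real serial from the name and only then compares it with what we typed, so the correct answer sits in the program's own memory at the moment of comparison. The Python below is an added example, not code from this essay or from WinZip; the page never discloses WinZip's real serial algorithm, so the keygen and the vendor secret in it are made-up stand-ins. It emulates the breakpoint-and-dump against a compute-then-compare check, then shows a verify-only design (a toy RSA signature over the name, no padding) in which no correct serial is ever materialised and the same trick recovers nothing.

```python
"""Compute-then-compare vs. verify-only serial checks (added example).

Not the essay's code and not WinZip's: the page never discloses WinZip's
serial algorithm, so weak_keygen below is a made-up stand-in. What it
shares with the routine at 0040AD69 is the *shape* the essay exploits:
the program derives the correct serial, parks it in a buffer, and then
compares that buffer with the user's input.
"""
import hashlib
import hmac
import sys

# ---- pattern 1: compute-then-compare (what 'd eax' defeats) -----------------

# Hypothetical vendor secret compiled into the binary (constructed value).
_WEAK_SECRET = b"vendor-secret-baked-into-the-exe"


def weak_keygen(name: str) -> str:
    """Hypothetical keygen: a 6-digit serial derived from the name."""
    tag = hmac.new(_WEAK_SECRET, name.encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(tag[:4], "big") % 1_000_000).zfill(6)


def weak_check(name: str, serial: str) -> bool:
    """The real serial lands in a local (the page's [ebp-104h]) and is then
    compared with the input; a breakpoint on the compare reads it out."""
    expected = weak_keygen(name)
    return expected == serial


def breakpoint_dump(func, *args):
    """In-process stand-in for the SoftICE session: 'break' when func returns
    and dump its locals, which is what 'd eax' does to the stack buffer."""
    captured = {}

    def tracer(frame, event, arg):
        if frame.f_code is not func.__code__:
            return None                 # only trace inside the target
        if event == "return":
            captured.update(frame.f_locals)
        return tracer

    sys.settrace(tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(None)
    return result, captured


# ---- pattern 2: verify-only (nothing for 'd eax' to find) -------------------

# Toy textbook RSA without padding: enough to show where the secret lives,
# not for production. p and q are the Mersenne primes 2**61-1 and 2**31-1.
_P, _Q = (1 << 61) - 1, (1 << 31) - 1
RSA_N = _P * _Q                                   # shipped in the binary
RSA_E = 65537                                     # shipped in the binary
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))      # vendor only, never shipped


def _name_digest(name: str) -> int:
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % RSA_N


def vendor_issue_serial(name: str) -> str:
    """Runs at the vendor: the serial is an RSA signature over the name."""
    return format(pow(_name_digest(name), _RSA_D, RSA_N), "x")


def strong_check(name: str, serial: str) -> bool:
    """Ships with (RSA_N, RSA_E) only. No correct serial is ever computed,
    so the compare sees the attacker's own input and a hash; beating it
    means patching the branch, not reading a register."""
    try:
        sig = int(serial, 16)
    except ValueError:
        return False
    if not 0 < sig < RSA_N:
        return False
    return pow(sig, RSA_E, RSA_N) == _name_digest(name)


if __name__ == "__main__":
    name, guess = "The Sandman", "7777777"
    ok, mem = breakpoint_dump(weak_check, name, guess)
    print("weak check:", ok, "| sniffed serial:", mem["expected"])
    ok, mem = breakpoint_dump(strong_check, name, guess)
    print("strong check:", ok, "| locals seen:", sorted(mem))
```

Against the verify-only variant the attacker is pushed back to patching the conditional branch (the 'Patches' section of such an essay would no longer read 'none required') or to recovering the private exponent, which is never in the binary. The RSA here is textbook and unpadded purely to keep the example self-contained; it illustrates where the secret lives, not how to build a licensing scheme.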
 
The Patches 
     
None required.
 
Final Notes 
    
This program looks harder to sniff the serial number out of than some others, but once you've cracked a few programs on your own you start to 'feel' your way through the code, and can then skip checking certain sections because you 'know' the serial isn't to be found there..

My thanks and gratitude go to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will encourage these software houses to produce even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 24th July 1998