There is a crack, a crack in everything. That's how the light gets in.
HoW MaKe PrOcEsS PaTcHeR To UsE WiNzIp 7.0 As SeRiAl # GeNeRaToR
CoDeD By Gi0 Gi0@UsA.NeT
DeDiCaTeD To Ely
\\\\
(.~.)
¸.·'´¯)¸.·'´¯)¸.·'´¯)¸·'´¯)¸.·'´¯)¸·'´¯)oOO--(_)--OOo¸.·'´¯)¸·'´¯)¸.·'´¯)¸·'´¯)¸.·'´¯)¸.·'´¯)
SoFtWaRe ReQuIrEd
SoFtIcE 3.22 - Debugger
WdAsM 8.9 - Disassembler
HeX WoRkShOp 2.54 - Hexeditor
LcC-WiN32 - WiN32 C CoMpIlEr
WiNzIp 7.0 - Target
\\\\
(.~.)
¸.·'´¯)¸.·'´¯)¸.·'´¯)¸·'´¯)¸.·'´¯)¸·'´¯)oOO--(_)--OOo¸.·'´¯)¸·'´¯)¸.·'´¯)¸·'´¯)¸.·'´¯)¸.·'´¯)
Install WiNzIp 7.0.
Make a copy of WINZIP32.EXE in another directory.
Run WdAsM and disassemble the copy of WINZIP32.EXE (save the files and the project).
(NOTE: WdAsM locks the exe read-only, so if you don't make a copy you can't patch the exe with HeX WoRkShOp to test the crack; besides, if you make a mistake you can restore the original WINZIP32.EXE without reinstalling WiNzIp.)
Run the SoFtIcE SyMbOl LoAdEr and open WINZIP32.EXE from the WiNzIp installation directory.
Press Load (the 2nd button in the SoFtIcE SyMbOl LoAdEr) and press Yes soon afterwards (NOTE: read some of the next lines now!).
Type bpx GetDlgItemTextA and press CTRL+D.
Press "I Agree" and select the menu Help->About WinZip->Register.
Enter random data and press OK.
Now SoftICE breaks the program execution; if you press F12 you can see where WiNzIp calls GetDlgItemTextA to read your registration info from the dialog box.
You can read this address: 407D35.
Type bc * and press CTRL+D.
Close WiNzIp.
In WdAsM select the menu Goto->Goto Code Location and insert 407D35.
You can see two calls to GetDlgItemTextA (name & serial).
In these lines of code two memory locations appear, 0047CA78 and 0047CAA8, where name and serial are probably stored.
Reload WiNzIp from the SoFtIcE SyMbOl LoAdEr, type bpx 407D35 and press CTRL+D.
Press "I Agree" and select the menu Help->About WinZip->Register.
Enter random data and press OK.
Now press F10 to execute this instruction. Then type d 47CA78 and you can see your name!
Press F10 until you have passed the next GetDlgItemTextA call. Type d 47CAA8 and the serial is here.
Type bc * and press CTRL+D.
Close WiNzIp.
Now we must find where the correct serial number is generated.
Reload WiNzIp from the SoFtIcE SyMbOl LoAdEr, type bpx EndDialog and press CTRL+D.
Press "I Agree" and SoftICE breaks the program execution... press CTRL+D.
Select the menu Help->About WinZip->Register.
Enter random data and press OK.
Now SoftICE breaks the program execution; if you press F12 you can see where WiNzIp closes the dialog that tells you "Incomplete or incorrect information", that is 407E05.
So we can say that the correct code is generated in the range 407D35-407E05.
At address 407D64 there is a test to see whether you have entered a name; another test is at the nearby address 407D74 for the serial. If the name or the serial is missing, it jumps to address 407DD3, which is the init of the "Incomplete or incorrect information" messagebox.
mmmmmm, you can see another jump to this address from 407D84... before that address, at 407D7D, there is call 0040786A...
The serial number is generated in this area of code!
Select this line of code in WdAsM and press the right arrow, or goto this address.
Reload WiNzIp from the SoFtIcE SyMbOl LoAdEr, type bpx 407D7D and press CTRL+D.
Press "I Agree" and select the menu Help->About WinZip->Register.
Enter random data and press OK.
Press F8 to step inside the function 40786A.
Press F10 until 40789B: here it puts the name in EDI.
Press F10 until 40793B: here it puts the serial in ESI.
Press F10 until 407941: mmmmmmmmmmm :) in EAX there is EBP-140. Dump this address by typing d EBP-140 and wow, the serial #!! :)
OK, now we need a point in the code where we can insert messagebox code to print this serial.
I like the help button.
Reload WiNzIp from the SoFtIcE SyMbOl LoAdEr, type bpx WinHelpA and press CTRL+D.
Press "I Agree" and SoftICE breaks the program execution... press CTRL+D.
Select the menu Help->About WinZip->Register.
Press the help button.. press F11 in SoftICE.. 428DF8.. go there with WdAsM.. only the address 428DBC calls this function..
Remember this function's address, 428DC7. Now we must find a good place from which to call this address, and then put the messagebox code here.
A good place is a function that is called a few times, soon after the password generation; for example at 407990 & 4079AA there is the same call to 457420..
Now we replace the first call.. mmmm, first we must be sure that the program passes through one of these addresses.. run SoFtIcE and bpx 407990... etc..
OK, we replace this address! :)
At 407990 we have call 457420 and we want call 428DC7.
Run the HeX WoRkShOp ToOlS Hex CaLcUlAtOr and do 457420-428DC7=2E659.. now at 407990 we have E88BFA0400, whose displacement is 4FA8B.. 4FA8B-2E659=21432, so the patch is E832140200.
Select the 407990 line in WdAsM (the coloured line) and read the file offset on the status bar: 6D90.
Load WINZIP32.EXE from the installation dir in HeX WoRkShOp and goto 6D90.
Replace E88BFA0400 with E832140200 (the bytes computed above).
OK, now goto 428DC7 with WdAsM and find the file offset, which is 281C7.
Go here with HeX WoRkShOp..
This is the code that you must copy..
LEA EAX, DWORD PTR [EBP+FFFFFEC0]   8D85C0FEFFFF   ; serial #
PUSH 00                             6A00
PUSH 0046FCF0                       68F0FC4600     ; string "WinZip"
PUSH EAX                            50
PUSH 00                             6A00
CALL User32!MessageBoxA             FF15F8744600
RET                                 C3
Now when you register WinZip it tells you the correct serial # uahahhahahaha :)))))))
But I want more... now we make a process patcher, so the exe remains original :)
SeE WiNzIp 7.0 SeRiAl # GeNeRaToR.c
Bye :)
#include <windows.h>

int main(void)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    LPSTR cl;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    cl = GetCommandLine();
    if (CreateProcess("WiNzIp32.ExE",
        cl, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi))
    {
        /* wait until WinZip has finished starting before touching its memory */
        WaitForInputIdle(pi.hProcess, INFINITE);
        /* at 407990: CALL 428DC7 (replaces the original CALL 457420) */
        WriteProcessMemory(pi.hProcess, (LPVOID) 0x407990, "\xE8\x32\x14\x02\x00", 5, NULL);
        /* at 428DC7: the messagebox code that shows the serial
           LEA EAX, DWORD PTR [EBP+FFFFFEC0]   8D85C0FEFFFF   serial #
           PUSH 00                             6A00
           PUSH 0046FCF0                       68F0FC4600     string "WinZip"
           PUSH EAX                            50
           PUSH 00                             6A00
           CALL User32!MessageBoxA             FF15F8744600
           RET                                 C3 */
        WriteProcessMemory(pi.hProcess, (LPVOID) 0x428DC7,
            "\x8D\x85\xC0\xFE\xFF\xFF\x6A\x00\x68\xF0\xFC\x46\x00\x50\x6A\x00\xFF\x15\xF8\x74\x46\x00\xC3",
            23, NULL);
        MessageBox(NULL,
            "NoTe: ThIs PrOgRaM NoT MoDiFy YoUr WiNzIp32.ExE... ThIs Is A PrOcEsS PaTcHeR...\n\n"
            "NoW SelEcT ThE MeNu Help->About WinZip->Register\n"
            "InSeRt YoUr NaMe AnD RaNdOm SeRiAl\n"
            "PrEsS Ok AnD WiNzIp ShOw ThE CoRrEcT SeRiAl #\n\n\n"
            "CoDeD By Gi0 Gi0@UsA.NeT\nDeDiCaTeD To Ely",
            "WiNzIp 7.0 SeRiAl # GeNeRaToR", MB_OK);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    else
        MessageBox(NULL,
            "FiLe WiNzIp32.ExE NoT FoUnD!!!\nCoPy ThIs PrOcEsS PaTcHeR In WiNzIp DiReCtOrY...\n\n\n"
            "CoDeD By Gi0 Gi0@UsA.NeT", "WiNzIp 7.0 SeRiAl # GeNeRaToR", MB_OK);
    return 0;
}
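As an added example (not code from this essay), the CALL-displacement arithmetic done above with the hex calculator, and the point that a process patcher leaves the file untouched, can both be checked with a small portable C program: it decodes and encodes E8 rel32 displacements and compares a code region as read from disk with the same region as read from the running process, reporting every CALL whose target changed (a file hash would still match, an in-memory comparison would not). The 10-byte region at base 407990 and its "memory" copy are constructed sample data built from the bytes the essay quotes; reading the live process is outside the example.

```c
#include <stdint.h>
#include <string.h>

/* A near CALL is E8 plus a 32-bit displacement relative to the address of
 * the NEXT instruction (addr + 5); arithmetic wraps mod 2^32 like the CPU. */
static uint32_t decode_call_target(uint32_t addr, const uint8_t *b)
{
    uint32_t rel = (uint32_t)b[1] | ((uint32_t)b[2] << 8) |
                   ((uint32_t)b[3] << 16) | ((uint32_t)b[4] << 24);
    return addr + 5 + rel;
}

/* Inverse: the five bytes a CALL at addr needs in order to reach target. */
static void encode_call(uint32_t addr, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (addr + 5);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

struct call_diff { uint32_t addr, old_target, new_target; };
/* Compare a code region as stored on disk with the same region read from the
 * running process; every CALL whose bytes differ is reported with both
 * targets. Returns the number of changed CALLs (also those beyond max_out). */
static size_t find_patched_calls(uint32_t base, const uint8_t *disk,
                                 const uint8_t *mem, size_t n,
                                 struct call_diff *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i + 5 <= n; i++) {
        if (disk[i] != 0xE8 || memcmp(disk + i, mem + i, 5) == 0)
            continue;
        if (found < max_out) {
            out[found].addr = base + (uint32_t)i;
            out[found].old_target = decode_call_target(base + (uint32_t)i, disk + i);
            out[found].new_target = decode_call_target(base + (uint32_t)i, mem + i);
        }
        found++;
        i += 4; /* skip the remaining bytes of this CALL */
    }
    return found;
}

/* Constructed sample (not a real dump): the CALL 457420 at 407990 quoted in
 * the essay, padded with NOPs; the "memory" copy carries CALL 428DC7 instead. */
#define REGION_BASE 0x407990u
static const uint8_t kDiskRegion[10] = {0xE8,0x8B,0xFA,0x04,0x00,0x90,0x90,0x90,0x90,0x90};
static const uint8_t kMemRegion[10]  = {0xE8,0x32,0x14,0x02,0x00,0x90,0x90,0x90,0x90,0x90};
```

With the sample data find_patched_calls reports one changed CALL at 407990, old target 457420, new target 428DC7, which is exactly the byte difference the hex calculator step derived.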