Enabling a crippled target
Turning a piece of information into our weapon



Target: WinZip Key 2.1.0
Author: Passware
Protection: Crippled, Packed by UPX
Tools used: SoftICE 4.0
Level: (X) Beginner  (X) Intermediate  ( ) Advanced  ( ) Expert

Disclaimer

Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems? BTW, it's illegal to use cracked software!

If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks, etc.



Well, as I don't have any new targets for tutorials, I decided to look at the list of what I've done in the last two months and quickly found this program, which would fit into another lesson.

First of all we have to find out what the protection of this target is. If you have already looked at the main window, you will have seen the following:


     This is a demo version that will recover passwords that are not longer
     than 3 characters. Please visit http://www.lostpassword.com for updated
     demo versions and details on purchasing full version.


So after 3 characters it will stop recovering the password. This is what we wanted to know. I've created an example ZIP file for you. In this ZIP file I've included a text file, TORN@DO.txt ... try to get the password :)

When you try to recover the password using WinZip Key, after a few seconds a MessageBox pops up:


     Demo limit has been reached. To recover passwords
     that are longer than 3 characters please consider
     purchasing full version of WinZip Key at http://www.lostpassword.com.


How nice: the coder helped out with cracking his own program with JUST this MessageBox. Let's turn this nice piece of information into our main weapon for cracking the program (eventually authors will learn) :)

So set a BPX on MessageBoxA and start the recovery again. Now, after some basic tracing (in this case only two presses of F12), you'll come across the following code:

   :004037E9  E86C0C0100          CALL      0041445A

Now the check must be done BEFORE the MessageBox appears, so very probably it's a 'few' instructions earlier in the code:


   :0040373F  40                  INC       EAX
   :00403740  8B16                MOV       EDX,[ESI]
   :00403742  89821C010000        MOV       [EDX+0000011C],EAX
   :00403748  E978010000          JMP       004038C5
   :0040374D  83FB02              CMP       EBX,02
   :00403750  0F8EAE000000        JLE       00403804
   :00403756  FF36                PUSH      DWORD PTR [ESI]
   :00403758  E889210100          CALL      004158E6
   :0040375D  59                  POP       ECX
   :0040375E  6830614200          PUSH      00426130
   :00403763  E8D82D0100          CALL      00416540
   :00403768  59                  POP       ECX
   :00403769  50                  PUSH      EAX
   :0040376A  68AD674200          PUSH      004267AD
   :0040376F  6A00                PUSH      00
   :00403771  8D4DD4              LEA       ECX,[EBP-2C]
   :00403774  51                  PUSH      ECX
   :00403775  E8A42A0100          CALL      0041621E
   :0040377A  83C410              ADD       ESP,10
   :0040377D  50                  PUSH      EAX
   :0040377E  FF36                PUSH      DWORD PTR [ESI]
   :00403780  E833230100          CALL      00415AB8
   :00403785  83C408              ADD       ESP,08
   :00403788  6A02                PUSH      02
   :0040378A  8D45D4              LEA       EAX,[EBP-2C]
   :0040378D  50                  PUSH      EAX
   :0040378E  E8462B0100          CALL      004162D9
   :00403793  83C408              ADD       ESP,08
   :00403796  6823270000          PUSH      00002723
   :0040379B  FF36                PUSH      DWORD PTR [ESI]
   :0040379D  8D55D0              LEA       EDX,[EBP-30]
   :004037A0  52                  PUSH      EDX
   :004037A1  8B0E                MOV       ECX,[ESI]
   :004037A3  8B01                MOV       EAX,[ECX]
   :004037A5  FF5004              CALL      [EAX+04]
   :004037A8  83C40C              ADD       ESP,0C
   :004037AB  8D55D0              LEA       EDX,[EBP-30]
   :004037AE  52                  PUSH      EDX
   :004037AF  FF36                PUSH      DWORD PTR [ESI]
   :004037B1  E802230100          CALL      00415AB8
   :004037B6  83C408              ADD       ESP,08
   :004037B9  6A02                PUSH      02
   :004037BB  8D4DD0              LEA       ECX,[EBP-30]
   :004037BE  51                  PUSH      ECX
   :004037BF  E8152B0100          CALL      004162D9
   :004037C4  83C408              ADD       ESP,08
   :004037C7  6823270000          PUSH      00002723
   :004037CC  FF36                PUSH      DWORD PTR [ESI]
   :004037CE  8D45CC              LEA       EAX,[EBP-34]
   :004037D1  50                  PUSH      EAX
   :004037D2  8B16                MOV       EDX,[ESI]
   :004037D4  8B0A                MOV       ECX,[EDX]
   :004037D6  FF5104              CALL      [ECX+04]
   :004037D9  83C40C              ADD       ESP,0C
   :004037DC  8D45CC              LEA       EAX,[EBP-34]
   :004037DF  50                  PUSH      EAX
   :004037E0  E85B2D0100          CALL      00416540
   :004037E5  59                  POP       ECX
   :004037E6  50                  PUSH      EAX
   :004037E7  FF36                PUSH      DWORD PTR [ESI]
   :004037E9  E86C0C0100          CALL      0041445A

That was too easy. Now, to patch it, you have to unpack it manually (which I suggest you do) or let ProcDump do the work for you (do this ONLY after having manually unpacked a UPX-packed target at least once).

With the right settings in WinZip Key and with some patience, the password for my ZIP file will be recovered ...



Feel free to e-mail me feedback, questions or whatever (NO crack requests!!). You can also talk to me on IRC (EFNet) at #ImmortalDescendants, #PhrozenCrew or #cracking4newbies.




Another lesson has just finished. Hopefully you have learned something useful from it! Feel free to contact me anytime ... till next time, I highly recommend that you visit (or, better, download completely) +Fravia's excellent site, which has unfortunately been frozen!


Greetings (no specific order):

+Aesculapius, +Fravia, +MaLaTTiA, +ORC, +wAj, ^TheDevil, /Miz, ACiD BuRN, adenozin, alpine, AntiMaterie, AppBusta, Artex, Black Check, BJanes, ByteBurn, cALiGo, CoRN2, Carpathia, CrackZ, Crashtest, Cruehead, Da GRiM ReaPeR, DEATH, DEZM, DnNuke, douby, duelist, Eternal Bliss, FireWorx, G-RoM, HarvestR, Icecream, Iczelion, Jeff, josephCo, Kaparo, knotty, Kwai_Lo, LagPRO, LaZaRuS, Lord Soth, Lucifer48, MisterE, MiZ, McCodEMaN, Mr. NOP, Mr. WhiTe (WKT), NeuRaL NoiSE, nIabI, NiKai, Nitrus, Noos, Northpole, pain, Pedro, PeeGee, PeeWee, ^PlAyEr^, Predator NLS, Prof. X, Quantico, r4lph, R!SC, Rhytm, rudeboy, Santa Clawz, Scribe, SiONiDE, Steinowitz, Stone, TaG^, TaMaMBoLo, The +Sandman, The AntiXryst, The OWL, Thesmurf, Tin, tKC, viny, VisionZ, Vladimir, Volatility, yAtEs, yosh, ytc, WarezPup, WhizKiD, widYa@cL 2011.

Copyright © 1999 by TORN@DO [ID/PC]. All Rights Reversed.