Cracking the WinZip registration process with SoftICE

xiaoxiao 2021-03-06

Cracking steps:

1. Load Windows with SoftICE (check that SoftICE is ready; press F5 to leave SoftICE).

2. Run WinZip and select "Enter Registration Code..." under "Help".

3. In "Name:" enter kranexh (anything will do); in "Registration #:" enter 12345678 (anything will do).

4. Pop up SoftICE with Ctrl+D, set the breakpoint BPX HMEMCPY, then press F5 to return to WinZip.

5. Click "OK" in WinZip. SoftICE breaks in almost immediately: because of the breakpoint BPX HMEMCPY, when "OK" is clicked WinZip calls HMEMCPY to fetch the name "KraneXH" and the code "12345678"; SoftICE sees HMEMCPY being called, interrupts WinZip, and stops inside WinZip's call to HMEMCPY.

6. Use BD * to disable the BPX HMEMCPY breakpoint you just set. Why disable it? Our purpose is to break when WinZip fetches the name and registration code, but BPX HMEMCPY is not specific to WinZip: any running program may call HMEMCPY. Since we set the breakpoint right after typing the name and registration code into WinZip, WinZip fetches them immediately, so we can be sure the break happened inside WinZip; disabling the breakpoint with BD * afterwards keeps other, unrelated programs from triggering it and disturbing the cracking work.

7. Press F12 nine times to return to WinZip's own code (SoftICE broke inside HMEMCPY, which lies in the Windows system region; WinZip merely calls that function, so we have to get back into the WinZip program). You arrive here:

   ...
   0167:00407F6D CALL [USER32!GetDlgItemTextA]
   0167:00407F73 PUSH EDI                      <-- program stops here, EDI points to "KraneXH"
   0167:00407F74 CALL 0043F89A
   0167:00407F79 PUSH EDI
   0167:00407F7A CALL 0043F8C3
   0167:00407F7F POP ECX
   0167:00407F80 MOV ESI,0048CDA4
   0167:00407F85 POP ECX
   0167:00407F86 PUSH 0B
   0167:00407F88 PUSH ESI
   0167:00407F89 PUSH 00000C81
   0167:00407F8E PUSH EBX
   0167:00407F8F CALL [USER32!GetDlgItemTextA]
   0167:00407F95 PUSH ESI                      <-- ESI points to "12345678"
   0167:00407F96 CALL 0043F89A
   0167:00407F9B PUSH ESI
   0167:00407F9C CALL 0043F8C3
   0167:00407FA1 CMP BYTE PTR [0048CD78],00    <-- [0048CD78] points to "KraneXH"
   0167:00407FA8 POP ECX
   0167:00407FA9 POP ECX
   0167:00407FAA JZ 00408005
   0167:00407FAC CMP BYTE PTR [0048CDA4],00    <-- [0048CDA4] points to "12345678"
   0167:00407FB3 JZ 00408005
   0167:00407FB5 CALL 00407905
   0167:00407FBA TEST EAX,EAX
   0167:00407FC3 JZ 00408005
   ...

8. After returning from the system region where HMEMCPY was called, the program stops at 0167:00407F73 PUSH EDI. The instruction just above it, 0167:00407F6D CALL [USER32!GetDlgItemTextA], is the call that fetches the data we typed in, i.e. this CALL is what allowed BPX HMEMCPY to catch WinZip. Since WinZip uses this call to get our input, it must return the result somewhere. Let's look: type D EDI and watch the SoftICE data window; the memory EDI points to holds our name "kranexh".

9. Further down the same routine calls USER32!GetDlgItemTextA a second time, at 0167:00407F8F CALL [USER32!GetDlgItemTextA]. Press F10 repeatedly until the program stops on the instruction after that CALL, 0167:00407F95 PUSH ESI. With D ESI we see, in the same way, that the memory ESI points to holds our registration code "12345678". WinZip now has both the name and the registration code we entered; let's see what it does with them.

10. Keep pressing F10. At 0167:00407FA1 CMP BYTE PTR [0048CD78],00 the program compares the byte at 0048CD78 with 00 and then branches on the result. With D 0048CD78 the SoftICE data window shows "kranexh" at 0048CD78, so this instruction checks whether the name we entered is empty; if nothing was entered, the program jumps to 00408005. Likewise, press F10 to 0167:00407FAC CMP BYTE PTR [0048CDA4],00 and use D 0048CDA4: the data at 0048CDA4 is "12345678". Because we entered both a name and a registration code, the program does not jump to 00408005. The program checks the name and the registration code, and if either was left empty (its first byte is 00) it jumps to 00408005. From this we should suspect that 00408005 displays an error; that is, when the program reaches 00408005, the name and registration code entered were wrong.

11. Press F10 twice more (the program is still stopped at 0167:00407FAC CMP BYTE PTR [0048CDA4],00) to reach CALL 00407905:

   ...
   0167:00407FB5 CALL 00407905                 <-- program stops here
   0167:00407FBA TEST EAX,EAX
   0167:00407FC3 JZ 00408005
   ...

   After checking whether the name and registration code are empty, the program calls 00407905, which returns its result in EAX, and then branches on the value of EAX. From the listing we know that if EAX is 0 the program jumps to 00408005, which we have just decided means trouble. So what is this CALL up to? It is not clear yet, so press F10 twice to stop at JZ 00408005. Now look at the zero flag (Z) in SoftICE: it is set, so the program will jump to 00408005. Press F10 to follow it there:

   ...
   0167:00408005 CALL 004082A6                 <-- program stops here
   0167:0040800A PUSH 0000028E
   0167:0040800F CALL 0043F5ED
   0167:00408014 PUSH EAX
   0167:00408015 PUSH EBX
   0167:00408016 PUSH 3D
   0167:00408018 CALL 00430025                 <-- error box
   0167:0040801D ADD ESP,10
   0167:00408020 INC DWORD PTR [00487AF8]
   0167:00408026 CMP DWORD PTR [00487AF8],03   <-- checks whether the error count has reached 3?
   0167:0040802D JNZ 0040812C
   0167:00408033 PUSH 00
   0167:00408035 PUSH EBX
   0167:00408036 CALL [USER32!EndDialog]
   0167:0040803C JMP 0040812C
   ...

12. Keep pressing F10 past 0167:00408018 CALL 00430025: the program pops up a window warning "Incomplete or incorrect information". The picture is now clear: if the program jumps to 00408005 earlier, the name and registration code entered were wrong. So 0167:00407FB5 CALL 00407905 must be where the entered registration code is checked; in other words, somewhere inside it the registration code we entered is compared with the correct one, so that is the CALL we have to step into and examine. If you keep looking at the statements below CALL 00430025, you see the following:

   0167:00408020 INC DWORD PTR [00487AF8]
   0167:00408026 CMP DWORD PTR [00487AF8],03
   0167:0040802D JNZ 0040812C

   The program first adds 1 to the value at 00487AF8 (it is 0 before this instruction, which you can check by viewing it before the INC executes), then compares it with 3; if it is not 3, it jumps to 0040812C; if it is, it goes on to execute 0167:00408036 CALL [USER32!EndDialog], whose job is to close the dialog, i.e. the window in which we entered the name and registration code. So this piece of code counts wrong entries of the name and registration code and checks whether the count has reached 3: after 3 wrong entries the dialog is closed and no further attempts are allowed; with fewer than 3 you get the chance to enter the name and registration code again.

13. Repeat steps 1 to 11 so that the program stops at 0167:00407FB5 CALL 00407905, then press F8 to step into this CALL:

   ...
   0167:004079D5 PUSH EBP
   0167:004079D6 MOV EBP,ESP
   0167:004079D8 SUB ESP,00000208
   0167:004079DE PUSH EBX
   0167:004079DF PUSH ESI
   0167:004079E0 XOR ESI,ESI
   0167:004079E2 CMP BYTE PTR [0048CD78],00
   0167:004079E9 PUSH EDI
   0167:004079EA JZ 00407A8A
   ...

14. Press F10 N times (I don't know how many; count for yourself ^_^) until you stop at the following place:

   ...
   0167:00407A91 LEA EAX,[EBP-0140]            <-- program stops here
   0167:00407A97 PUSH EAX
   0167:00407A98 PUSH EDI                      <-- EDI points to the entered name "KraneXH"
   0167:00407A99 CALL 00407B47                 <-- computes the registration code
   0167:00407A9E MOV ESI,0048CDA4
   0167:00407AA3 LEA EAX,[EBP-0140]
   0167:00407AA9 PUSH ESI                      <-- ESI points to the entered registration code "12345678"
   0167:00407AAA PUSH EAX                      <-- EAX points to the correct registration code "5CFC0875"
   0167:00407AAB CALL 004692D0
   0167:00407AB0 ADD ESP,10
   0167:00407AB3 NEG EAX
   0167:00407AB5 SBB EAX,EAX
   0167:00407AB7 INC EAX
   0167:00407AB8 MOV [00489FDC],EAX
   0167:00407ABD JNZ 00407B27
   0167:00407ABF LEA EAX,[EBP-0140]
   0167:00407AC5 PUSH EAX
   0167:00407AC6 PUSH EDI                      <-- EDI points to the entered name "KraneXH"
   0167:00407AC7 CALL 00407BE4                 <-- computes the registration code
   0167:00407ACC LEA EAX,[EBP-0140]
   0167:00407AD2 PUSH ESI                      <-- ESI points to the entered registration code "12345678"
   0167:00407AD3 PUSH EAX                      <-- EAX points to the correct registration code "23804216"
   0167:00407AD4 CALL 004692D0
   0167:00407AD9 ADD ESP,10
   0167:00407ADC NEG EAX
   0167:00407ADE SBB EAX,EAX
   0167:00407AE0 INC EAX
   0167:00407AE1 MOV [00489FDC],EAX
   0167:00407AE6 JNZ 00407B27
   ...

15. You may well ask: why stop here and not somewhere else? Because I had already used D *** on the code before this point and found nothing suspicious, ^_^! Press F10 to 0167:00407A99 CALL 00407B47 and use D EAX and D EDI to see what is there: EDI points to the name "Kranexh", while the memory EAX points to holds nothing special yet. After the following CALL 00407B47, "Kranexh" will have been processed somehow; what exactly happens we still don't know, so let's continue;
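The following C program is an added example; it is not code from this page and not WinZip's code. It models, in readable form, the control flow the trace above uncovered: the two empty-field checks, the validation routine that hands back a boolean through the NEG EAX / SBB EAX,EAX / INC EAX idiom, the error counter at 00487AF8 and the three-strike EndDialog. The code derivation is a constructed stand-in (an FNV-1a hash rendered as eight hex digits), not the algorithm behind CALL 00407B47 or CALL 00407BE4; the function names and the DLG_* constants are invented for the example. It also shows the defensive point a practitioner takes from the trace: the expected code is materialized in a stack buffer and strcmp'd, which is exactly why it is visible to a debugger (the "5CFC0875" in the listing); a constant-time compare plus wiping the buffer narrows that window, though only a design that never derives the expected value on the client at all (public-key signed codes, for instance) removes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of the modelled OK-button handler (constructed names). */
enum { DLG_OK = 0, DLG_RETRY = 1, DLG_CLOSED = 2 };

/* Error counter: plays the role of the DWORD at 00487AF8 in the trace. */
static int g_error_count = 0;

/* Placeholder derivation of the expected code from the name.
 * ASSUMPTION: this is NOT WinZip's algorithm (CALL 00407B47), only a stand-in
 * so that the surrounding control flow can be compiled and run. */
static void derive_expected_code(const char *name, char out[9]) {
    uint32_t h = 2166136261u;                 /* FNV-1a 32-bit offset basis */
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p) {
        h ^= *p;
        h *= 16777619u;                       /* FNV prime */
    }
    snprintf(out, 9, "%08X", (unsigned)h);    /* eight upper-case hex digits */
}

/* Models CALL 00407905 as seen in the trace: derive the expected code into a
 * stack buffer, strcmp it (CALL 004692D0), then turn the result into 0/1 with
 * NEG EAX / SBB EAX,EAX / INC EAX, i.e. EAX = (strcmp == 0). */
int validate_registration(const char *name, const char *code) {
    char expected[9];
    derive_expected_code(name, expected);     /* expected code now sits in memory */
    int eax = strcmp(code, expected);
    int cf = (eax != 0);                      /* NEG EAX: CF set iff EAX was non-zero */
    eax = -cf;                                /* SBB EAX,EAX: 0 - 0 - CF */
    eax += 1;                                 /* INC EAX: 1 on match, 0 otherwise */
    return eax;                               /* MOV [00489FDC],EAX in the trace */
}

/* Defensive refinement (added here, not in the traced code): compare in
 * constant time and wipe the derived buffer once the decision is made. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; ++i)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int validate_registration_ct(const char *name, const char *code) {
    char expected[9];
    derive_expected_code(name, expected);
    int ok = (strlen(code) == 8) && ct_equal(code, expected, 8);
    volatile char *p = expected;              /* volatile so the wipe is not optimised away */
    for (size_t i = 0; i < sizeof expected; ++i)
        p[i] = 0;
    return ok;
}

/* Models the OK handler from 00407F6D to 00408036: empty checks, validation,
 * error box, and the three-strike counter that ends the dialog. */
int on_ok_pressed(const char *name, const char *code) {
    if (name[0] == '\0' || code[0] == '\0' || !validate_registration(name, code)) {
        /* 00408005: "Incomplete or incorrect information" box would be shown here */
        g_error_count++;                      /* INC DWORD PTR [00487AF8] */
        if (g_error_count == 3)               /* CMP DWORD PTR [00487AF8],03 / JNZ */
            return DLG_CLOSED;                /* CALL [USER32!EndDialog] */
        return DLG_RETRY;                     /* JNZ 0040812C: dialog stays open */
    }
    return DLG_OK;
}

/* Resets the modelled counter, returning its new value (0). */
int reset_error_count(void) {
    g_error_count = 0;
    return g_error_count;
}

/* Both validators must accept the code the placeholder derivation yields. */
int derived_code_validates(const char *name) {
    char code[9];
    derive_expected_code(name, code);
    return validate_registration(name, code) && validate_registration_ct(name, code);
}

int main(void) {
    reset_error_count();
    printf("empty name -> %d (1 = retry)\n", on_ok_pressed("", "12345678"));
    printf("wrong code -> %d (1 = retry)\n", on_ok_pressed("KraneXH", "12345678"));
    printf("third miss -> %d (2 = dialog closed)\n", on_ok_pressed("KraneXH", "12345678"));
    printf("derived code accepted -> %d\n", derived_code_validates("KraneXH"));
    return 0;
}
```

Reading validate_registration beside the listing shows why a single boolean in EAX followed by JZ is such a thin gate: the whole decision collapses into one flag test, and everything the routine needed to reach it (the expected code included) is still on the stack when the flag is examined.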

Please credit the original address when reprinting: https://www.9cbs.com/read-66196.html
