Crack Zip Key v2.11.0 by woody^drn

Okay, I'll try cracking Zip Key v2.11.0 with r!sc's process patcher, which is a pretty cewl cracking tool for packed programs. You can get it at beam.to/risc, and you can get Zip Key at www.lostpassword.com.

This program is actually pretty fast; it's a zip password breaker/recovery tool. But let's run the program first and see what it says.

Hmm, a maximum 3 char password, that kinda sucks ;) what a bug heh .. let's fix it. Start by packing some files with WinZip or PKZIP and set the password to 4 chars. Boom! A messagebox appears :) nice, even with a beep ;) hehe

So what we can do is break on "bpx messageboxa" or "bpx messagebeep" in SoftICE. I'll choose messageboxa; load the .zip file again and SoftICE breaks. Press F12 and press the OK button when the nag appears. Now you're back in SoftICE, right here:

:00403A75 E836FE0000              call 004138B0
:00403A7A 8D4DD8                  lea ecx, dword ptr [ebp-28]
:00403A7D E8DE9B0000              call 0040D660
:00403A82 EB05                    jmp 00403A89

You are at 403A7A now, so we know that we don't want the program to execute line 403A75, 'cause that's where the nag is .. so let's load the file into W32Dasm. Hmmm, the file is packed :) I know the file is packed because if you take a look at the .exe header with gtui (a program by phox) you get:

- [zipkey.exe] -----
    DOS executable file - 74042 bytes
 
    Portable executable (starting at 232 for 73810 bytes)
      Packer: UPX 0.70 [PE]
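gtui's packer line above is the kind of fingerprint a triage script checks for before deciding how to look at a binary. As an added example (not code from the tutorial, from gtui or from UPX), this Python walks the PE section table and flags UPX-style section names; the PE image it parses is constructed inline, and its e_lfanew of 0x80 and section layout are assumptions, not values from zipkey.exe.

```python
import struct

# UPX names the sections it writes UPX0 (empty decompression target) and UPX1
# (compressed body); renamed sections defeat this, so a hit is a hint, not proof.
UPX_SECTION_PREFIX = "UPX"


def pe_section_names(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew=%d" % e_lfanew)
    coff = e_lfanew + 4                        # 20-byte COFF file header
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: any section whose name starts with 'UPX'."""
    return any(n.startswith(UPX_SECTION_PREFIX) for n in pe_section_names(data))


def build_pe(section_names):
    """Constructed headers-only PE32 image for the demo (not a real binary)."""
    e_lfanew = 0x80
    mz = bytearray(e_lfanew)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    opt = bytearray(224)                       # PE32 optional header, Magic = 0x10B
    struct.pack_into("<H", opt, 0, 0x10B)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(struct.pack("<8s6I2HI", n.ljust(8, b"\0"), 0, 0x1000, 0, 0, 0, 0, 0, 0, 0x60000020)
                    for n in section_names)
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt) + secs


PACKED = build_pe([b"UPX0", b"UPX1", b".rsrc"])   # layout a UPX-packed file shows
PLAIN = build_pe([b".text", b".data", b".rsrc"])  # ordinary compiler layout

if __name__ == "__main__":
    print("packed:", pe_section_names(PACKED), looks_upx_packed(PACKED))
    print("plain: ", pe_section_names(PLAIN), looks_upx_packed(PLAIN))
```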

You can see that it's packed with UPX v0.70. Okay, so we use ProcDump to unpack the file. I assume you know how to use it ... when the file is unpacked, load the new unpacked .exe into W32Dasm. Now find the address 403A7A where we landed in SoftICE, and scroll up until you find this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403896(C)
|
:004039EE 8B0D80A94200            mov ecx, dword ptr [0042A980]

Okay, all this code is jumped to from line 403896. So let's take a look at that line:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403874(C), :0040387B(C)
|
:00403893 83FB02                  cmp ebx, 00000002
:00403896 0F8F52010000            jg 004039EE

Now this looks good :) compare ebx with 2 .. 0..1..2, that's 3 chars :) heh, and jump if greater to 4039EE (jg 004039EE). We really don't want it to jump to that location, so we just nop line 403896. Normally we would find the correct entry point in the packed file and make a little patch that nops this whole line, but in this tut I'm gonna use r!sc's process patcher, which is really easy to use ...

Just make a new file called zipkey.rpp with a text editor. Please read his documentation if you're having trouble using it. I'll just show you some of the many cewl commands he has made available.

[File: zipkey.rpp]:

; Woody's crack for zip key 2.11.0

f=zipkey.exe:
o=w-zipkey.exe:
p=403896/0f,8f,52,01,00,00/90,90,90,90,90,90:
$

To explain these commands ..

f=zipkey.exe:
This is the original file that has to be patched.

o=w-zipkey.exe:
This is the file r!sc's process patcher will create.

p=403896/0f,8f,52,01,00,00/90,90,90,90,90,90:
First the offset where it will patch, then the original bytes in the original file, then the new bytes replacing the bad ones ;)

:00403896 0F8F52010000            jg 004039EE

You can see that at line 403896 the hex codes are 0f8f52010000, and we wanted to nop that whole line, and a nop is hex 90. So the new hex codes would be 909090909090. Easy, right? :)

End the file with a $ sign. Now that's it! The only thing you have to do now is "compile" the script file zipkey.rpp. Run r!sc's program, find the script file, and compile it. r!sc's program then creates the file w-zipkey.exe, which patches the program in memory when you execute it. r!sc's program doesn't patch the file permanently of course, it's a process patcher. So the user has to run the patch every time he wants to use zipkey.exe.

Run the patch now and check whether the program still cares about passwords longer than 3 chars. Does it?? Of course not :) Was that easy or what :))

-wOODY^dRN