                   How to keygen WinZip v8.0 with TMG Ripper Studio

This text shows how to rip the key-generation algorithm out of WinZip with TMG Ripper Studio. I
will assume that you have some basic debugging experience.

Step 1:
Run the program under your debugger and find the call where it generates the valid key. In
the build I have, the interesting code is at 407A97:

	push	eax
	push	edi
	call	407b47

EAX points to the buffer that will receive the valid serial, and EDI points to the
entered name. Tracing into 407B47 shows that it uses a short algorithm to generate the
key and finally passes the result to a sprintf function located at 467AB4. Since the
Win32 API already provides "wsprintfA", you don't need that function in your rip. It can
stand in for the original sprintf as long as the format string only uses specifiers that
wsprintfA supports (integers and strings, no floating point) and the output fits within
wsprintfA's limit of 1024 bytes. Read on to see how to do the replacement.


Step 2:
Now start up Ripper Studio and select "Browse". Locate the file and load it. The
message window should report something like this:

Reading 05h sections from file.
Found 18Eh imported functions.


Step 3:
Since you want the rip to start at 407B47, enter that in the "Virtual address" field.
In the "Identifier" field, enter the label that the start point should receive in the
disassembly. You will use this label when you call the ripped code from your keygen. The
word "Keygen" would be a good label.


Step 4:
To keep the sprintf function out of your rip, you must add it as an "Endpoint". Just
click the "Add" button and enter 467AB4 in the window that appears.


Step 5:
Now press "Start trace" and the disassembly window should show you the disassembled code
for calculating the key. The list box for data references will contain two items. Click
the first one. The first window in "File view" now shows the bytes at that location, and
the second window shows where in the disassembly it is referenced.

In the data view you can see that it is the format specifier for the sprintf call, so
this reference should be dumped as a string. Ripper Studio automatically identifies most
string references, so the "String" radio button should already be selected. Click the
next item in the list box. In the data view you'll see a lot of zeros, which is no help
in determining what type the reference is. The code view, however, shows that it is a
DWORD reference. Since the radio button is already set to "Dword" and there are no more
items in the list, all you have to do is press "Process datarefs".


Step 6:
Press the "Save to .asm" button to save the project to a file.


Step 7:
When done, close Ripper Studio and open the saved file in a text editor. Replace the
call to 467AB4 with a call to "wsprintfA". Since a variadic sprintf and wsprintfA are both
cdecl, the pushes before the call and the stack adjustment after it stay exactly as they
are; only the call target changes. Then surround the routine with some code for the user
interface. The file TMGRS-EX.ASM contains a minimal implementation of this. The parts in
CAPITAL letters are generated by Ripper Studio; the rest is handwritten.
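As an added illustration of the hand-written part (this is not TMGRS-EX.ASM and not Ripper
Studio output), here is a minimal MASM32 shell around a routine labelled KEYGEN. It calls
KEYGEN the way WinZip's own call site at 407A97 does (EAX = buffer, EDI = name,
push eax / push edi / call), and shows the sprintf-to-wsprintfA swap with the cdecl stack
cleanup kept in place. The body of KEYGEN is a stand-in checksum, not WinZip's algorithm;
the format string, the sample name, the MASM32 include paths and the assumption that the
caller removes KEYGEN's arguments are all mine and are marked as such in the comments.

```asm
; Added example: minimal MASM32 keygen shell. NOT TMGRS-EX.ASM, NOT Ripper
; Studio output. The KEYGEN body is a stand-in so the wrapper can be assembled.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc     ; assumed MASM32 install path
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
szName   db "Chafe", 0                  ; constructed sample name; a real keygen reads it from a dialog
szFmt    db "%08lX", 0                  ; PLACEHOLDER: use the format string Ripper Studio dumped
szTitle  db "WinZip keygen", 0

.data?
szSerial db 64 dup(?)                   ; receives the serial (wsprintfA writes at most 1024 bytes)

.code

; KEYGEN: where Ripper Studio's output for 407B47 goes. It takes the same two
; stack arguments as WinZip's call site (push eax ; push edi ; call 407b47):
; [ebp+8] = name (pushed last), [ebp+12] = output buffer (pushed first).
; The rolling checksum below is a stand-in, NOT WinZip's algorithm.
KEYGEN proc
    push    ebp
    mov     ebp, esp
    push    esi
    push    edi
    push    ebx
    mov     esi, [ebp+8]                ; name
    mov     edi, [ebp+12]               ; output buffer
    xor     eax, eax
@@:
    movzx   ebx, byte ptr [esi]
    test    ebx, ebx
    jz      @F
    rol     eax, 5
    add     eax, ebx
    inc     esi
    jmp     @B
@@:
    ; In the real rip the tail looks something like (argument order illustrative):
    ;     push eax ; push offset fmt ; push edi ; call 467AB4 ; add esp, 0Ch
    ; Only the call target changes. The pushes and the add esp stay, because
    ; wsprintfA is cdecl as well and the caller must remove the arguments.
    push    eax
    push    offset szFmt
    push    edi
    call    wsprintfA
    add     esp, 0Ch
    pop     ebx
    pop     edi
    pop     esi
    pop     ebp
    ret
KEYGEN endp

start:
    ; Mirror WinZip's call site: EAX -> buffer, EDI -> name.
    mov     eax, offset szSerial
    mov     edi, offset szName
    push    eax
    push    edi
    call    KEYGEN
    add     esp, 8                      ; assumption: caller cleans up; check what follows the call at 407A97
    invoke  MessageBox, NULL, ADDR szSerial, ADDR szTitle, MB_OK
    invoke  ExitProcess, 0
end start
```

Two things to check against your own rip before trusting the wrapper: whether WinZip's
caller does an "add esp, 8" after the call (if 407B47 cleans its own stack, drop that line),
and that wsprintfA is called with a plain "call", not "invoke", since the pushes the ripped
code already contains would otherwise be duplicated.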

  \Chafe