Can software passwords be bypassed by reverse engineering?
In short, yes, you can modify the executable, use a debugger, etc. to alter the logic of the code being executed.
But, that may not be enough.
To use your example of ".zip passwords", password protected archives use the password to derive an encryption key. Unless you supply a correct password, the generated key will be wrong, and even if you modify it to use a wrong key, it will not successfully decrypt the ZIP file.
Another scenario might involve a setuid executable which runs with higher privileges. You could run it under a debugger, or copy it to your user account and make changes, but all this will achieve is running it with your user's permissions, thus defeating exploitation possibilities.
Well your perception of .zip passwords is not accurate. The approach, also used by many other programs is to always run a decryption algorithm and obtain a result, before program even reaches the "good or bad password" decision. The trick is that the decryption produces garbage on any password except a good one which "magically" (or rather - mathematically) calculates proper data. So the program doesn't know what the good password is.
The "good or bad" moment that you want to hack only checks whether the result is garbage. It's not much benefit to override that.
Yes and No.
Since no one has yet come up with a real life (non-computer-related) example, I'll try here:
Imagine trying to board a flight. You need a boarding pass, or the security guys will not let you through. If you have access to the system and you're able to modify it (say you're the CEO), can you bypass the security? Yes! You can:
- Remove the security guys (remove the entire authentication component)
- Ask the guys to let everyone in (remove the "if passenger has valid boarding pass" check)
- Ask the guys to give access if somebody presents a special boarding pass (add a new validation rule to allow fake credentials)
Now, another scenario: a bunch of safes are stored in a bank. To open a safe, you need a physical key to turn the lock.
Can you pull the previous trick? Yes you can, but it won't help. It's not like the security guy who stands there has access to all the safes - he does not have the key to any one of the safes. You can beat the hell out of him, but he does not just possess what is necessary (the physical key) to open the locks.
You can try picking the lock (brute-forcing), but it would be extremely time consuming (the math of modern encryption keys says you need some billions of years to unlock it, even if you have all the computers in the world doing it for you). So there you are - in this design (data encryption), the only way to obtain the stored data is using a key, which makes it impossible to bypass.