Winrar 2.71 Protection has no Roar! Secondary File Checking Scheme is Weak

Date: 09/05/00
by Sojourner

There is a crack, a crack in everything. That's how
the light gets in.

Rating
(x)Beginner ( )Intermediate
( )Advanced ( )Expert

Somewhat juvenile to crack, but it is a useful prog.

The RAR program has come a long way from the old DOS days. Today's program looks slicker with the 32-bit GUI and is easier to use. This is a useful utility.

Tools
w32dasm 8.x, your choice of flavors
hex editor: UltraEdit 7.xx or whatever you want to use
Restorator 2.5, not needed this go round

Just go to this site. Do a search for winrar and then download what you need.

Things to do - Register this baby!
You know how when you need something right now, you often don't have it? That was my dilemma last night. My system was going on the blink and I knew it. My Backup Exec was malfunctioning, and lo and behold, Veritas has changed their program from Backup Exec 4.2.1 to 4.5, which doesn't provide disaster recovery. I frantically searched my archives: nada, niet, nothing. This time I was in a crack. Fortunately two things happened: one, an ftp search turned up Backup Exec 4.2 on a nice Russian site, and two, a friend uploaded 4.2.1 for me. Both have disaster recovery. See my other tutorials for a crack on Veritas Backup Exec 4.2.1.

But what in the world does that have to do with WinRAR? When I restored my system, my little WinRAR was askance and would not do any more work for me. What was a guy to do? Like any good cracker: go out, find it, and fix it if possible.

WinRAR searches for a second file in order to verify that you're licensed, much like CuteFTP or even the FLEX license manager. The file is called rarreg.key and must reside in the WinRAR folder along with the executable and the rest of the program. Since by now you've already downloaded this baby, go ahead and disassemble it in w32dasm. It takes a few minutes on my high-speed Celeron 400 MHz screamer!

How did I know that WinRAR required another file? Because the Help section of the WinRAR program says as much, and I quote:

Registration procedure: Upon receipt of your registration fee with the completed registration form you will receive a registration key file which will correspond to the registration string given in the registration form. Upon receipt of your registration key file you should put it to the WinRAR folder. If the key is archived, in a .RAR file, please extract the key from the archive in order to register your copy of WinRAR.

So you see, that's how I came by that info.
Additionally, when you do a little snooping around inside WinRAR, you will find a reference to rarreg.key, which you must note. Ready to go? Let's rev up w32dasm and put it through its paces. (Good night, the funny cars were racing yesterday; boy are they fast. Over three hundred miles an hour at last call. Talk about revving!)

When you run WinRAR through w32dasm you will see "evaluation copy" at the top of the program title, and if you click Help, then About, it will not be registered to you. That's what we want to fix.

If you have UltraEdit, open a new file. Type in the name you want to use and save it as rarreg.key. Yeah, you know what to do now: put it in the directory where it needs to be, the WinRAR folder. Surely that's not all there is to it? You are correct in your assumption: that's not all. You also need to put some other characters on a line preceding your chosen name. Why? Because that's what WinRAR wants, so give it to it. What other characters? That was going to be my next subject, but you're almost getting ahead of me. Somewhere lurking in the dark code woods there is a useful string, a very long one:

70c2441db366d92ea7be1342b3bf629026ba92bb675f06e684bdd34511097434

What's it for? For checking you out. Place this whole mess on the first line of your rarreg.key file and your name on the second line. It doesn't read the third line.

Since I've mentioned rarreg.key, begin placing breakpoints around it and also near "evaluation copy". Do a string search for "registered to" as well. That will be enough to get us through this process. Now, at "evaluation copy", here is what you get.
* Possible StringData Ref from Data Obj ->"%s - WinRAR"
|
:0041BA01 68DD5F4600       push 00465FDD
:0041BA06 8D9500FEFFFF     lea edx, dword ptr [ebp+FFFFFE00]
:0041BA0C 52               push edx
:0041BA0D E8820B0400       call 0045C594
:0041BA12 83C40C           add esp, 0000000C             Return below
:0041BA15 803DCC6C460000   cmp byte ptr [00466CCC], 00   <-- Check this out!!
:0041BA1C 752E             jne 0041BA4C
* Possible Reference to String Resource ID=00873: "evaluation copy"
|
:0041BA1E 6869030000       push 00000369
:0041BA23 E894C6FEFF       call 004080BC
:0041BA28 50               push eax

And at "Registered to":

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B775(C)
|
:0040B783 803DCC6C460000   cmp byte ptr [00466CCC], 00   <-- Check this out!!
:0040B78A 7472             je 0040B7FE
:0040B78C 8DBDF0F9FFFF     lea edi, dword ptr [ebp+FFFFF9F0]
:0040B792 BE90964700       mov esi, 00479690
:0040B797 B981010000       mov ecx, 00000181
:0040B79C 8D85F0F9FFFF     lea eax, dword ptr [ebp+FFFFF9F0]
:0040B7A2 F3               repz
:0040B7A3 A5               movsd
:0040B7A4 50               push eax
:0040B7A5 8D95F0F9FFFF     lea edx, dword ptr [ebp+FFFFF9F0]
:0040B7AB 52               push edx
* Reference To: USER32.OemToCharA, Ord:0000h
|
:0040B7AC E8A2680500       Call 00462053
:0040B7B1 8D8DF0FAFFFF     lea ecx, dword ptr [ebp+FFFFFAF0]
:0040B7B7 51               push ecx
:0040B7B8 8D85F0FAFFFF     lea eax, dword ptr [ebp+FFFFFAF0]
:0040B7BE 50               push eax
* Reference To: USER32.OemToCharA, Ord:0000h
|
:0040B7BF E88F680500       Call 00462053
* Possible Reference to String Resource ID=00960: "Registered to"
|
:0040B7C4 68C0030000       push 000003C0
:0040B7C9 E8EEC8FFFF       call 004080BC
:0040B7CE 50               push eax

At each of the spots I've marked "Check this out" above there is an important point: the exact same variable, 00466CCC, is tested in both places. At one the branch is jne; at the other it is je; and each time the comparison is against zero. Which is which, and which value do I want? This variable is very important and the key to solving this whole thing. Before I go on, place breakpoints at all the places 00466CCC shows up. There are quite a few. Are you done?
At first I thought I needed the variable to be zero, but the more I studied this the more I was convinced the right answer was one. Look again at the evaluation copy area: the jne 0041BA4C skips the "evaluation copy" push only when the byte is nonzero, and at "Registered to" the je 0040B7FE skips that string only when the byte is zero. So nonzero means registered. As you run the program through w32dasm you will see that 00466CCC is loaded with a value at a few places:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EE78(C)
|
:0040EEBC 803DCC6C460000   cmp byte ptr [00466CCC], 00
:0040EEC3 7410             je 0040EED5
:0040EEC5 803D9096470000   cmp byte ptr [00479690], 00
:0040EECC 7507             jne 0040EED5
:0040EECE C605CC6C460000   mov byte ptr [00466CCC], 00   <-- Here

(00479690 appears to hold the registration data; the "Registered to" code above copies from it. If the flag is set but that buffer is empty, this clears the flag again.)

* Reference To: USER32.FlashWindow, Ord:0000h
|
:00418373 E81F9B0400       Call 00461E97
:00418378 6A01             push 00000001
:0041837A E8693D0200       call 0043C0E8
:0041837F A2CC6C4600       mov byte ptr [00466CCC], al   <-- Here
:00418384 6A00             push 00000000
:00418386 8B0D24B94600     mov ecx, dword ptr [0046B924]
:0041838C 51               push ecx

* Reference To: KERNEL32.SetThreadPriority, Ord:0000h
|
:0041AF3D E88F6B0400       Call 00461AD1
:0041AF42 6A01             push 00000001
:0041AF44 E89F110200       call 0043C0E8
:0041AF49 A2CC6C4600       mov byte ptr [00466CCC], al   <-- Here

Realistically, most of this doesn't help us achieve our goal. So what do we do? We will load 00466CCC ourselves. As I said, what looked promising above is not really. Since you have already set breakpoints, let's use them now and see if we can find a decent spot to load our variable. Here is what hits:

1. 004184B7
2. 00426358
3. 0041BA15
4. 0041AF2C

First, at 004184B7, we need to change the jne to a jmp, because we know that 00466CCC is still zero at this point; it has not been loaded with the correct value yet.

:004184B7 803DCC6C460000   cmp byte ptr [00466CCC], 00
:004184BE 7513             jne 004184D3       change 7513 to EB13

Next, we really can't catch this blighter easily to see what it loads into eax. You'd think: just follow the call. Uh huh. Except it's not that easy. You get bumped around a lot in there and get lost; by the time you're back home, you have no idea where you've been. So just nop that guy, A2CC6C4600, all five bytes. It won't matter in just a sec anyway; we only want to be sure that our registered program isn't flipped back to unregistered by a zero being stored from al. Why not just load 00466CCC with 01 right here? Because there isn't room: the store from al is five bytes, and a store of an immediate byte (C605CC6C460001) needs seven. It isn't important anyway, because as we'll see in a moment we'll be home free.

:00426353 E8905D0100       call 0043C0E8
:00426358 A2CC6C4600       mov byte ptr [00466CCC], al   change to 9090909090 (nop)
:0042635D 53               push ebx

Batter up! Here we can do something legitimate with our load. Follow closely, because we're going through some heavy byte changing. We are going to use the fourteen bytes from 0041BA15 up to 0041BA22:

:0041BA15 803DCC6C460000   cmp byte ptr [00466CCC], 00
:0041BA1C 752E             jne 0041BA4C
* Possible Reference to String Resource ID=00873: "evaluation copy"
|
:0041BA1E 6869030000       push 00000369
:0041BA23 E894C6FEFF       call 004080BC

The changes are as follows:

0041BA15 C705CC6C460001000000   mov dword ptr [00466CCC], 00000001
0041BA1F EB2B                   jmp 0041BA4C
0041BA21 9090                   nop, nop

That is 10 + 2 + 2 = 14 bytes, exactly the length of the cmp, jne and push we overwrote, so the call at 0041BA23 and everything after it stays where it was. The jump is relative to the next instruction: 0041BA21 + 2B = 0041BA4C. With these changes we never reach the "evaluation copy" push, and all of our changes are balanced.

One caveat: C7 05 is a dword store. It writes 01 00 00 00, so it also zeroes the three bytes after the flag, 00466CCD to 00466CCF. The seven-byte form WinRAR itself uses at 0040EECE, C605CC6C4600xx (mov byte ptr [00466CCC], xx), fits the cmp slot exactly. With it the patch is C605CC6C460001 at 0041BA15 and EB2E (jmp 0041BA4C; 0041BA1E + 2E = 0041BA4C) in place of the jne at 0041BA1C, leaving the push untouched and unreachable, and touching only the one byte we mean to set.

Last, we now know 00466CCC is loaded with one, so we don't have to mess with this at all:

:0041AF2C 803DCC6C460000   cmp byte ptr [00466CCC], 00
:0041AF33 7419             je 0041AF4E

Your WinRAR is now registered. Be sure to make your changes permanent with your hex editor. Happy rarring!
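The following is an added example in Python; it is not code from the tutorial above and not part of WinRAR. It does two things the tutorial does by hand: it scans a code buffer for the opcode patterns that touch the flag at 00466CCC (the cross-references collected above with w32dasm breakpoints, including the je/jne that follows each cmp), and it encodes the three byte edits, checks that every replacement is exactly as long as the bytes it overwrites, derives the short-jump displacements instead of hand-computing them, and refuses to patch if the file's bytes don't match the listing. The addresses and opcodes come from the listing; the .text virtual address, the file-offset mapping, and the zero-filled buffer the original bytes are planted in are assumptions constructed for the demonstration, not the real winrar.exe. It also encodes the tighter byte-store variant discussed above.

```python
import struct

FLAG = 0x00466CCC                      # the registered (nonzero) / evaluation (zero) byte
TEXT_VA, TEXT_RAW = 0x00401000, 0x400  # ASSUMED .text VA and raw file offset

def va_to_off(va):
    """Map a w32dasm virtual address to a file offset for the hex editor (assumed layout)."""
    return va - TEXT_VA + TEXT_RAW

def jmp_rel8(src, dst):
    """Encode `jmp short dst` (EB disp8) placed at src; disp is relative to the next instruction."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{dst:#010x} not reachable with rel8 from {src:#010x}")
    return bytes([0xEB, disp & 0xFF])

def mov_byte(addr, imm8):
    """`mov byte ptr [addr], imm8`: C6 05 disp32 imm8 (7 bytes)."""
    return b"\xC6\x05" + struct.pack("<I", addr) + bytes([imm8])

def mov_dword(addr, imm32):
    """`mov dword ptr [addr], imm32`: C7 05 disp32 imm32 (10 bytes); writes addr..addr+3."""
    return b"\xC7\x05" + struct.pack("<I", addr) + struct.pack("<I", imm32)

# Original bytes at the three sites the tutorial patches (from the w32dasm listing).
ORIGINAL = {
    0x004184BE: bytes.fromhex("7513"),                                # jne 004184D3
    0x00426358: bytes.fromhex("A2CC6C4600"),                          # mov [00466CCC], al
    0x0041BA15: bytes.fromhex("803DCC6C460000" "752E" "6869030000"),  # cmp / jne / push
}
# Other references to the flag from the listing, planted so the scanner has them to find.
EXTRA_SITES = {
    0x0040B783: bytes.fromhex("803DCC6C460000" "7472"),  # cmp flag,0 / je 0040B7FE
    0x0040EECE: bytes.fromhex("C605CC6C460000"),         # mov byte ptr [flag], 00
    0x004184B7: bytes.fromhex("803DCC6C460000"),         # cmp flag,0 (its jne is in ORIGINAL)
    0x0041AF2C: bytes.fromhex("803DCC6C460000" "7419"),  # cmp flag,0 / je 0041AF4E
}

def build_sample_image():
    """CONSTRUCTED stand-in for .text: zero-filled, with the bytes above planted at their VAs."""
    buf = bytearray(va_to_off(0x00426400))
    for va, raw in {**ORIGINAL, **EXTRA_SITES}.items():
        buf[va_to_off(va):va_to_off(va) + len(raw)] = raw
    return bytes(buf)

JCC = {0x74: "je", 0x75: "jne"}

def find_flag_refs(image, flag=FLAG):
    """(va, text) for every cmp/mov that touches flag, plus the jcc that follows a cmp.
    A raw byte scan, so it can misfire on data that happens to look like code."""
    disp = struct.pack("<I", flag)
    hits = []
    for i in range(len(image) - 9):
        w = image[i:i + 10]
        va = i - TEXT_RAW + TEXT_VA
        if w[:2] == b"\x80\x3D" and w[2:6] == disp:        # cmp byte ptr [flag], imm8
            text = f"cmp byte ptr [{flag:#010x}], {w[6]:#x}"
            if w[7] in JCC:                                # the branch right after the cmp
                target = va + 9 + struct.unpack("<b", w[8:9])[0]
                text += f"; {JCC[w[7]]} {target:#010x}"
            hits.append((va, text))
        elif w[0] == 0xA2 and w[1:5] == disp:              # mov [flag], al
            hits.append((va, f"mov byte ptr [{flag:#010x}], al"))
        elif w[:2] == b"\xC6\x05" and w[2:6] == disp:      # mov byte ptr [flag], imm8
            hits.append((va, f"mov byte ptr [{flag:#010x}], {w[6]:#x}"))
    return hits

# The tutorial's three edits, encoded rather than hand-typed.
TUTORIAL = {
    0x004184BE: jmp_rel8(0x004184BE, 0x004184D3),   # jne -> jmp (EB 13)
    0x00426358: b"\x90" * 5,                        # nop the store of al into the flag
    0x0041BA15: mov_dword(FLAG, 1)                  # C7 05 CC 6C 46 00 01 00 00 00
                + jmp_rel8(0x0041BA1F, 0x0041BA4C)  # EB 2B, over the "evaluation copy" push
                + b"\x90\x90",                      # pad to the original 14 bytes
}
# Same effect without the dword spill: the 7-byte byte store fits the cmp slot exactly and
# the jne becomes a jmp in place; the push that follows stays but is never reached.
TIGHT = dict(TUTORIAL)
TIGHT[0x0041BA15] = (mov_byte(FLAG, 1) + jmp_rel8(0x0041BA1C, 0x0041BA4C)
                     + ORIGINAL[0x0041BA15][9:])

def apply_patches(image, patches, original=ORIGINAL):
    """Apply patches; refuse if a replacement length differs or the file's bytes don't match."""
    buf = bytearray(image)
    for va, new in sorted(patches.items()):
        old = original[va]
        if len(new) != len(old):
            raise ValueError(f"{va:#010x}: patch is {len(new)} bytes, slot is {len(old)}")
        off = va_to_off(va)
        if buf[off:off + len(old)] != old:
            raise ValueError(f"{va:#010x}: bytes differ from the listing; wrong build?")
        buf[off:off + len(new)] = new
    return bytes(buf)

def hex_editor_table(patches, original=ORIGINAL):
    """Rows of (file offset, old hex, new hex) to apply by hand in UltraEdit."""
    return [(va_to_off(va), original[va].hex().upper(), new.hex().upper())
            for va, new in sorted(patches.items())]

if __name__ == "__main__":
    img = build_sample_image()
    for va, text in find_flag_refs(img):
        print(f"{va:#010x}  {text}")
    for off, old, new in hex_editor_table(TUTORIAL):
        print(f"offset {off:#08x}: {old} -> {new}")
    print("flag refs after patching:", len(find_flag_refs(apply_patches(img, TUTORIAL))))
```

Against a real file the VA-to-offset mapping has to come from the PE section table rather than the assumed constants, and the byte scanner should be treated as a hint generator: w32dasm's cross-references are authoritative, the scan just finds candidates to put breakpoints on. The length and original-bytes checks in apply_patches are the point: a patch that is one byte short or long desynchronises every instruction after it, which the tutorial avoids by hand with the two trailing nops.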
This was a fun, simple lesson. Until later. If you have any questions, please feel free to contact me at jomamameister@yahoo.com