-->Tutorial number 2--<

Name    : WinRAR
Version : 2.70
Target  : WinRAR.exe
Tools   : W32dasm, Hiew, Brain
Cracker : KlimaX v2000

Get it at: http://www.winrar.com

==>DISCLAIMER<==
For educational purposes ONLY! I hold NO responsibility for the misuse of this material!

About program:
WinRAR 2.70 is a program similar to WinZip, which is used to compress/decompress files. This program (WinRAR v2.70) is shareware, but contains only one limitation, and not one that directly affects the compressing/decompressing procedure.

1) OK let's crack the beast

After opening WinRAR.exe you receive a "Please Register" box, but where's the "Enter Reg. Code" box? Well, I don't know, but let's move on from what we have. These types of programs often use this kind of messagebox as a REMINDER of how many days you have left/used of the trial period.

Alright, go to your WinRAR dir. and make a copy of the .exe file. Why? Because if you make any mistakes in the cracking process, it's nice to have a backup ;)

Now fire up W32dasm and open WinRAR.exe, open the String Data Ref box and scroll down searching for something that can be linked with the messagebox shown when we started WinRAR. AHA! After nearly hitting the bottom of the scrollbar with a great splash, we find it: "REMINDER", that may be it! Double-click on it and you'll be warped to this place:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00401529(C)                                  <-- We'll need this Jump
  |
  :0040152F C6057430460001   mov byte ptr [00463074], 01
  :00401536 6A00             push 00000000
  :00401538 68C0B94000       push 0040B9C0
  :0040153D 8B1504B94600     mov edx, dword ptr [0046B904]
  :00401543 52               push edx

  * Possible StringData Ref from Data Obj ->"REMINDER"
  |
  :00401544 68E73B4600       push 00463BE7         <-- You are here
  :00401549 8B0D00CC4600     mov ecx, dword ptr [0046CC00]
  :0040154F 51               push ecx

Right now you should be at 00401544, which is where the "Please Register" box is shown from, but it isn't the address we want! If you scroll a couple of lines up, you'll see the (C)onditional Jump Address 00401529; that's where we want to go, so press Shift+F12, enter 00401529 and press OK.

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:004011B2(C)
  |
  :00401506 833DA0CC460000   cmp dword ptr [0046CCA0], 00000000
  :0040150D 7546             jne 00401555
  :0040150F 803D7430460000   cmp byte ptr [00463074], 00
  :00401516 753D             jne 00401555
  :00401518 803DAC6C460000   cmp byte ptr [00466CAC], 00
  :0040151F 7534             jne 00401555
  :00401521 A188F54600       mov eax, dword ptr [0046F588]
  :00401526 83F828           cmp eax, 00000028
  :00401529 7F04             jg 0040152F           <-- You'll be here
  :0040152B 85C0             test eax, eax
  :0040152D 7D26             jge 00401555

Now you're at the Jump address we want to modify, so write down the @Offset 00000B29h (never mind all the zeroes in front of the B29 and the small h at the end; you only need the B29).

Fire up Hiew and open WinRAR.exe. Now press F5, type the @Offset number you wrote down a minute ago (B29, in case you forgot) and press Enter. You should now be at 00401529. What we want is to change the bytes (press F3) from:

  7F04  <=>  jg   (jump to "badboy" if today is greater than the 40 day trial)

to:

  7E04  <=>  jle  (jump to "badboy" if today is less than or equal to the 40 day trial)

Press F9 to save changes and F10 to exit Hiew. Try and start WinRAR and you will notice that the "Please Register" box is gone, just what we wanted, right? But I'm not satisfied yet ;) If you take a look at the top of the WinRAR screen, you'll see it says "evaluation copy", and that is not downright beautiful, so let's get rid of that too :)

2) Open WinRAR.exe in W32dasm and search for "evaluation copy" in the SDR; when found, double-click on it. You should now be around here:

  :0041B845 E87A0B0400       Call 0045C3C4
  :0041B84A 83C40C           add esp, 0000000C
  :0041B84D 803DAC6C460000   cmp byte ptr [00466CAC], 00
  :0041B854 752E             jne 0041B884          <-- We want to change this one

  * Possible Reference to StringData Resource ID=00873: "evaluation copy"
  :0041B856 6869030000       push 00000369         <-- You are here
  :0041B85B E874C7FEFF       Call 00407FD4
  :0041B860 50               push eax

Place the bar on 0041B854, note the @offset 1EA54, exit W32dasm, and fire up Hiew. Open WinRAR.exe, press F4 and select Decode. Now press F5 and enter 1AE54. You're now at 0041B854, where the jne is placed. Press F3 and change the 75 (jne) <=> 74 (je), then press F9 to save changes and F10 to exit.

Now we can finally open WinRAR and not see any trial messages, or the "evaluation copy" at the top of the window. (Don't we just love it)

=>LAST WORDS:
If you have any comments on this tut, feel free to mail me at KlimaX_v2000@mail.com

_ _ _ _ _ _ _ _

Special thanks to tKC for releasing those great tuts, keep on making 'em! They are the BEST!!!!!