This tutorial comes from

Acid Cool 178

Tutorial Number 36

Target

Program_____________Win RAR 2.70 Final version

Protection___________40-day time trial / NAG / KeyFile
Download it at ______www.rarsoft.com / download.com / winfiles.com
Date________________28 April 2000

Toolz

Smart Check / Win 32 Disassembler and a good HEX Editor


Essay

    Well, I installed Microsoft Windows 2000 Professional a week ago, and I have had some BIG problems with my cracking tools. The hardest problem was that HIEW didn't work, so now I have to crack without it.. damn..

    Copy winrar.exe into another directory and open it in W32Dasm there. While it is disassembling, put the clock one year forward, from 2000 to 2001. Now when you run WinRAR you will see a reminder. We will remove that one and the "Evaluation Copy" words in the title bar of WinRAR. When you run WinRAR now, a NAG pops up: a "Please Register" box. Remember that box..

    In W32Dasm start a search for "Please Register" and you will end up at this line:

Name:          REMINDER, # of Controls=007, Caption:"Please register", ClassName:""

You can try to search further, but with no luck.. Now we can see "REMINDER"; hmm, what is that for? Well, the "Please Register" box is a reminder for you, so that Rarsoft can make some easy bucks.. Start a new search, this time for "Reminder", and you will see this code:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011B2(C)
|
:00401506 833DA0CC460000          cmp dword ptr [0046CCA0], 00000000
:0040150D 7546                    jne 00401555
:0040150F 803D7430460000          cmp byte ptr [00463074], 00
:00401516 753D                    jne 00401555
:00401518 803DAC6C460000          cmp byte ptr [00466CAC], 00
:0040151F 7534                    jne 00401555
:00401521 A188F54600              mov eax, dword ptr [0046F588]
:00401526 83F828                  cmp eax, 00000028		<-- 28h = 40, WinRAR = 40-day trial
:00401529 7F04                    jg 0040152F			<-- If days used > 40, jump to the bad code
:0040152B 85C0                    test eax, eax
:0040152D 7D26                    jge 00401555			<-- Jumps over the bad code..
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401529(C)
|
:0040152F C6057430460001          mov byte ptr [00463074], 01	<-- Here is the code that we have to jump over
:00401536 6A00                    push 00000000
:00401538 68C0B94000              push 0040B9C0
:0040153D 8B1504B94600            mov edx, dword ptr [0046B904]
:00401543 52                      push edx
* Possible StringData Ref from Data Obj ->"REMINDER"		<-- The Reminder word
                                  |
:00401544 68E73B4600              push 00463BE7
:00401549 8B0D00CC4600            mov ecx, dword ptr [0046CC00]
:0040154F 51                      push ecx
* Reference To: USER32.DialogBoxParamA, Ord:0000h
                                  |
:00401550 E8A8070600              Call 00461CFD
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040150D(C), :00401516(C), :0040151F(C), :0040152D(C)
|
:00401555 833DA0CC460000          cmp dword ptr [0046CCA0], 00000000
:0040155C 7529                    jne 00401587
:0040155E 833D98CC460000          cmp dword ptr [0046CC98], 00000000
:00401565 7520                    jne 00401587
:00401567 6A0A                    push 0000000A
:00401569 A1C4CC4600              mov eax, dword ptr [0046CCC4]
:0040156E 50                      push eax

    Now this is my plan:

    We have to NOP out the jump at 401529, which jumps to the bad code, and the jump at 40152D must always jump over that code..
And here was my first problem in the cracking: I don't have Hiew anymore.. Well, this is what we need to know in hex opcodes..
JMP = EB | NOP = 90
    And that is all we need to know for now.. Open winrar.exe in a hex editor and look for the code at the first jump, "7F04". But there are too many of these, so which is the correct one? So I took some extra code along with it: "7F 04 85 C0 7D 26". We will change only the first 4 hex digits (the two bytes "7F 04") to "90 90", and the first jump is gone :)

Now we have to change the second jump so that it always jumps. The code is "7D 26", which we will change to "EB 26", and it will always jump over the bad code.. Just look a little further down for the code; you don't need to search for it.

Now we will remove the "evaluation copy" words from the title bar of WinRAR. In W32Dasm start a search for "evaluation copy" and you will see this code:


:0041B84A 83C40C                  add esp, 0000000C
:0041B84D 803DAC6C460000          cmp byte ptr [00466CAC], 00
:0041B854 752E                    jne 0041B884				<-- Jumps over the "evaluation copy" code
* Possible Reference to String Resource ID=00873: "evaluation copy"	<-- Hmm, this must go..
                                  |
:0041B856 6869030000              push 00000369
:0041B85B E874C7FEFF              call 00407FD4
:0041B860 50                      push eax
* Possible StringData Ref from Data Obj ->" (%s)"
                                  |
:0041B861 68C75F4600              push 00465FC7
:0041B866 8D8D00FEFFFF            lea ecx, dword ptr [ebp+FFFFFE00]
:0041B86C 51                      push ecx
:0041B86D E8A2CA0300              call 00458314
:0041B872 59                      pop ecx
:0041B873 8D9500FEFFFF            lea edx, dword ptr [ebp+FFFFFE00]
:0041B879 03C2                    add eax, edx
:0041B87B 50                      push eax
:0041B87C E8430B0400              call 0045C3C4
:0041B881 83C40C                  add esp, 0000000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041B854(C)
|
:0041B884 8D8500FEFFFF            lea eax, dword ptr [ebp+FFFFFE00]	<-- The jump lands here
:0041B88A 50                      push eax

Well, the same thing again: we will change JNE (75) to JMP (EB). Open winrar.exe in a hex editor, search for "75 2E 68 69 03", and replace only "75" with "EB"; leave the rest alone.. Otherwise you have lost the game..
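Both listings above turn on two-byte short jumps, where the second byte is a signed displacement counted from the end of the instruction. The following Python script is an added example, not part of the original tutorial: it parses a constructed excerpt of the W32Dasm lines shown on this page, decodes each short jump's target and checks it against the operand W32Dasm printed, which is how you verify by hand that a listing's jump targets (and thus its "jumps over / jumps to" annotations) are right before trusting them.

```python
# Added example (not from the original tutorial): decode the short relative
# jumps in the W32Dasm listing and confirm where each one lands.
# Short jumps (7x = Jcc rel8, EB = JMP rel8) are 2 bytes: opcode + signed
# 8-bit displacement relative to the address of the NEXT instruction.
import re

# Constructed excerpt of the listing, copied from the lines shown on this page.
LISTING = """
:00401526 83F828                  cmp eax, 00000028
:00401529 7F04                    jg 0040152F
:0040152B 85C0                    test eax, eax
:0040152D 7D26                    jge 00401555
:0041B854 752E                    jne 0041B884
"""

# Mnemonics for the one-byte short-jump opcodes that appear in this listing.
SHORT_JUMPS = {0x7F: "jg", 0x7D: "jge", 0x75: "jne", 0xEB: "jmp"}

# W32Dasm line layout: ":ADDRESS  OPCODEBYTES  mnemonic [target]"
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\S+)(?:\s+([0-9A-F]{8}))?")


def decode_short_jump(addr, opcode_bytes):
    """Return (mnemonic, target) for a 2-byte short jump, else None."""
    if len(opcode_bytes) != 2 or opcode_bytes[0] not in SHORT_JUMPS:
        return None
    disp = int.from_bytes(opcode_bytes[1:2], "little", signed=True)
    return SHORT_JUMPS[opcode_bytes[0]], addr + 2 + disp


def check_listing(text):
    """Return (addr, mnemonic, decoded_target, listed_target) per short jump."""
    results = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, raw, _mnemonic, operand = m.groups()
        decoded = decode_short_jump(int(addr, 16), bytes.fromhex(raw))
        if decoded is None or operand is None:
            continue
        results.append((int(addr, 16), decoded[0], decoded[1], int(operand, 16)))
    return results


if __name__ == "__main__":
    for addr, mnem, decoded, listed in check_listing(LISTING):
        status = "ok" if decoded == listed else "MISMATCH"
        print(f"{addr:08X} {mnem:<4} -> {decoded:08X} (listed {listed:08X}) {status}")
```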

Voilà, program patched..

Ending

Well, this was my first crack on Windows 2K, which is much more stable than Win95/98 was.. But I still don't have Hiew to work with, and SoftIce doesn't have hmemcpy; I'll be dead soon..

 


LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^, AC|D, Dark Wolf, Marton and all the others I have forgotten