by Little-John, 3 January 1998. Slightly edited by Fravia+
Well, an interesting little essay which deals with a utility by Eugene Roshal that is in my opinion unjustly underestimated. Winrar should by all means be on your desktop: it has, on mine, taken the place of my Winzip 6.2 (it deals without problems with all zipped files as well), and that for many reasons, the more important one being that RARed archives are SMALLER than pkzipped archives! No, I'm not speaking of the solid archive option (you don't know what 'solid' archiving is? Go and study winrar), I'm speaking of a normal, default rar archive: it's smaller than a zip! I know that many don't even know it, and I myself am still compelled to use the zip format when I dump something on the web 'because everybody zips'. Yet I myself, for myself, on my own hard disks, use only RAR, because with the monstrous overbloated programs we are dealing with 'every spared byte counts'... and you'll spare a lot of bytes in comparison with zipped files if you rar. You still don't believe me? Well, read, enjoy and then go and download winrar... you'll be surprised seeing how GOOD this tool is. BTW: this is the LAST essay I will re-format: Please use THE SAME FORMATTING for all future essays you send to me! In order to do it download this template here.
(x)Beginner ( )Intermediate ( )Advanced ( )Expert
A well-written, very easy to follow essay, useful for beginners in order to see how a call into a protection scheme can easily be dealt with.
winrar 95 ver.2.0: the guts of a simple protection
Written by Little-John
The only time Micro$oft has is the time to make money with stupid overbloated programs. No time to improve their OS like Win95, which is very buggy, no time to think of a better use of system resources like RAM'n'Disk space. What do we have to do? Compress. Compress to make ONE (big) file containing MANY (little) files. (Who has a 32k clustered FAT will understand me.) To do this in a quick way some software tools are on the scene. One of them (the most popular) is Winzip 6.x, which uses the good old Pkzip compression method. But I'm never satisfied, so I sought and found another pretty GUI-based (Windoze) 32-bit compressor: WinRAR 95 v2.0 by Eugene Roshal.
Tools required: Debugger (SoftIce), Hexeditor, Brain. Of course, you may choose any other tools you like.
Program history: No history
THE ESSAY
One of Winrar's features I appreciate most is the 'Authenticity Code', which ensures the paternity of an archive. But I was able to use it only in the non-$hareware version. Money, money, money, money, money, money... ahhh. In fact when I ticked this feature a (pretty :) dialog box said to me: "Available in registered version only". But it's Xmas and everybody is kinder to the others... I decided that Eugene wouldn't be angry with me if I made a little present to myself: a registered yet "non-commercial" version of WinRAR95. Of course I could have fished a completely regged copy out of the warez scene, without paying a cent and without having to work on this protection, but I prefer to crack my proggies myself instead of using stolen ones. I took the good old Soft-Ice and put myself down to crac... ehm... study the code.

Start WinRAR95 and in the Options menu choose Registration. In the textbox "Enter your registration (AV) text" write your (nick:)name, for example Johnny. In the registration code textbox enter your favourite number sequence (mine is 123321). Now let's go into Soft-Ice (press Ctrl-D), put a breakpoint on GetDlgItemTextA and see what happens. Your name is stored in memory. The first thing to be done should be putting a breakpoint on the memory range to see what happens to our name, but first study the code. You have to study your targets to reverse them. So continue by pressing g, and you will fall into another USER32!GetDlgItemTextA, but this time don't restudy the code (it's the same, as the name says; repetition helps, but it gets tiresome :). Continue tracing the code and very soon you will see this:

:004226CC 8D8554FFFFFF   LEA EAX,[EBP+FFFFFF54]
:004226D2 50             PUSH EAX
:004226D3 8D459C         LEA EAX,[EBP-64]
:004226D6 50             PUSH EAX
:004226D7 E84D66FFFF     CALL 00418D29           ;Very interesting call
:004226DC 83C408         ADD ESP,08              ;Stack correction
:004226DF 85C0           TEST EAX,EAX            ;Is the Reg. Code right?
:004226E1 752F           JNZ 00422712            ;YES/NO!
:004226E3 6A30           PUSH 30
:004226E5 6A1A           PUSH 1A

If you wanna see the "Correct Registration. Thank you for support" DialogBox you can change

:004226E1 752F           JNZ 00422712            ;YES/NO!

into

:004226E1 742F           JZ 00422712             ;YES/NO!

but this apparently easy patch is not enough: you haven't cracked this target, I'm afraid. In fact if you go to Options->General and tick the Authenticity Code you'll still obtain "Available in registered version only". The thing to do is therefore to enter the "CALL 00418D29" and study our target's behaviour. There are a lot of CALL routines, as usual, and we can act in two ways: understanding what happens to our name and Reg. Code in order to know the right Reg. Code (long way, d'you think it would really be necessary?), or else make the Reg. Code fit our name (short and pretty way that I prefer: I don't need, nor care, to prepare keygenerators for the stupid ones). I hope you have chosen the second way... Oh, nice, I'm glad you have done it :) To understand where the program decides whether our Reg. Code is the correct one or not we have to trace that call (CALL 00418D29).

We see a lot of code scrolling under our eyes and, quite at the end:

:00418F7D 8D8574FFFFFF   LEA EAX,[EBP+FFFFFF74]  ;Call result for name/reg
:00418F83 50             PUSH EAX                ;Save it
:00418F84 FF35706D4400   PUSH DWORD PTR [00446D70] ;Call result for name/reg
:00418F8A E871240100     CALL 0041B400           ;Don't mind this call
:00418F8F 83C40C         ADD ESP,0C              ;Stack correction
:00418F92 85C0           TEST EAX,EAX
:00418F94 0F94C0         SETZ AL
:00418F97 83E001         AND EAX,01              ;if EAX<>1 => EAX=0 =>
:00418F9A A348074400     MOV [00440748],EAX      ; => Not regged
:00418F9F FF3528074400   PUSH DWORD PTR [00440728]
:00418FA5 E8BA830100     CALL 00431364
:00418FAA 59             POP ECX
:00418FAB 33C0           XOR EAX,EAX
:00418FAD A328074400     MOV [00440728],EAX
:00418FB2 A148074400     MOV EAX,[00440748]      ;EAX=1 => WINRAR95 regged
:00418FB7 5F             POP EDI                 ;EAX=0 => WINRAR95 unregged
:00418FB8 5E             POP ESI
:00418FB9 5B             POP EBX
:00418FBA 8BE5           MOV ESP,EBP
:00418FBC 5D             POP EBP
:00418FBD C3             RET

After the RET we find:

:004226DC 83C408         ADD ESP,08              ;Stack correction
:004226DF 85C0           TEST EAX,EAX            ;Is EAX=1? No: BAD_GUY :(
:004226E1 752F           JNZ 00422712            ;Yes: CLEVER_CRACKER

The code above tests the previous CALL's result. EAX=0 means you have entered a bad Reg. Code; instead, if EAX=1, the Reg. Code is RIGHT :). The only thing to do is to FORCE this flag (EAX) to be true (1). How? Very easy. Do you remember:

:00418F8F 83C40C         ADD ESP,0C
:00418F92 85C0           TEST EAX,EAX
:00418F94 0F94C0         SETZ AL
:00418F97 83E001         AND EAX,01
:00418F9A A348074400     MOV [00440748],EAX

For our purpose we can change this piece of code to make EAX=1:

:00418F8F 83C40C         ADD ESP,0C
:00418F92 33C0           XOR EAX,EAX             ;Clear EAX just in case
:00418F94 B800010000     MOV EAX,1               ;EAX=1 => REGGED
:00418F97 90             NOP
:00418F9A A348074400     MOV [00440748],EAX

The value of EAX must now be 1, so that whatever Name'n'Reg.code you use will be good. The program believes you've entered the right code, so now you can enjoy all the features of this pretty program.

Bye everyone.
By Little-John
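As an added illustration (not code from the essay or from WinRAR), this C model reproduces the control flow the listings above show: the compare result is collapsed to a single 0/1 flag that is both returned to the dialog caller and cached in a global, and the feature gate later reads only that global. The name-to-code derivation and the "invalid" dialog text are invented stand-ins; the real routine at 0041B400 is not reconstructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the DWORD at [00440748]: the cached "registered" flag. */
static int g_registered = 0;

/* Hypothetical stand-in for deriving the expected code from the name;
 * the real routine at 0041B400 is not reconstructed here. */
void expected_code(const char *name, char *out, size_t n) {
    unsigned sum = 0;
    for (const char *p = name; *p; p++)
        sum = sum * 31u + (unsigned char)*p;
    snprintf(out, n, "%u", sum % 1000000u);
}

/* Models CALL 00418D29: the compare result is collapsed into 0/1 by
 * TEST EAX,EAX / SETZ AL / AND EAX,01, cached with MOV [00440748],EAX,
 * and the same value is returned in EAX. */
int registration_check(const char *name, const char *code) {
    char expected[16];
    expected_code(name, expected, sizeof expected);
    int cmp = strcmp(expected, code);   /* 0 when the code matches */
    int flag = (cmp == 0) & 1;          /* SETZ AL; AND EAX,01 */
    g_registered = flag;                /* MOV [00440748],EAX */
    return flag;                        /* MOV EAX,[00440748]; RET */
}

/* Models the caller at 004226DF/004226E1: TEST EAX,EAX / JNZ picks the
 * dialog from the returned value alone (the "invalid" text is constructed). */
const char *registration_dialog(const char *name, const char *code) {
    return registration_check(name, code)
        ? "Correct Registration. Thank you for support"
        : "Invalid registration code";
}

/* Models Options->General "Authenticity Code": it reads the cached global,
 * not the dialog branch, which is why changing only the JNZ at 004226E1
 * altered the message but left this feature locked. */
int authenticity_code_available(void) {
    return g_registered;
}

int main(void) {
    printf("%s\n", registration_dialog("Johnny", "123321"));
    printf("Authenticity Code: %s\n", authenticity_code_available()
           ? "available" : "Available in registered version only");
    return 0;
}
```

The design lesson for anyone writing such a check: the entire decision lives in one cached DWORD written at a single point, so every feature inherits whatever that one store contains.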
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
Final notes: No final notes