CRACKING WINRAR 2.06
a tutorial by R@yden (from Newbie for Newbies)

Hi Crackerz,

after reading many, many cracking tuts for newbies I decided to write my own, because in those tutorials you were always (or at least mostly) finished after you changed the first jmp instruction. I learned the hard way that this isn't the case. So in this tutorial we will do more than one approach (remember, we are newbies!). Since I am a newbie too, it shouldn't be too hard to keep track with me. I must also say that I am German, so I apologize for my English, but you should be able to understand me. The only thing I assume is that you have some knowledge of using SoftICE and WinDasm. Let's start.

Target: WinRar 95 V2.06 (WINRAR95.EXE)
Target Date/Size: 12/3/1998, 204,800 bytes

Tools required:
---------------
- SoftICE 3.2x
- Hiew 6.x (Hacker's View)
- WinDasm 8.9x

Ok, fire up WinRar and have a look at it. After clicking here and there you will notice the following three restrictions/nags:

- WinRar displays "...(Evaluation Copy)" in the window title bar
- You can't activate Authenticity verification
- You can't activate Error Logging

Note: The two disabled functions will play a major role in this tutorial, as you will see later (I learned it the hard way).

Now let's try to register it by clicking on OPTIONS and REGISTER. Enter your name and an unlock code and press OK (I used RAYDEN/123454321). Well, the code is wrong (*surprise*).

Note: This was the first approach I tried, because in other tuts I often read that reversing a conditional jmp before the MessageBoxA call could make the program think the code you entered is a "good" one. Let's continue trying this on our own :).

Go to SoftICE and set a BP on MessageBoxA. Again enter your name and a serial, click on OK and SoftICE should break.
Press F11 once, click OK on the message box and you should be back in SoftICE at the following code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413C3D(C)
|
:00413C59 8D559C                  lea edx, dword ptr [ebp-64]
:00413C5C 52                      push edx
:00413C5D 6830AD4200              push 0042AD30
:00413C62 E839920000              call 0041CEA0
:00413C67 83C408                  add esp, 00000008
:00413C6A 8D8D54FFFFFF            lea ecx, dword ptr [ebp+FFFFFF54]
:00413C70 51                      push ecx
:00413C71 8D459C                  lea eax, dword ptr [ebp-64]
:00413C74 50                      push eax
:00413C75 E84768FFFF              call 0040A4C1
:00413C7A 83C408                  add esp, 00000008
:00413C7D 85C0                    test eax, eax
:00413C7F 7532                    jne 00413CB3
....
* Possible Reference to String Resource ID=00106: "Registration failed"
|
:00413C8C 6A6A                    push 0000006A
:00413C8E E8F8640000              call 0041A18B
:00413C93 59                      pop ecx
:00413C94 50                      push eax
:00413C95 FF7508                  push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00413C98 E8750C0100              Call 00424912
:00413C9D 33D2                    xor edx, edx                  <------------- We land here
:00413C9F 89155C574200            mov dword ptr [0042575C], edx
:00413CA5 891538564200            mov dword ptr [00425638], edx
:00413CAB 89154C564200            mov dword ptr [0042564C], edx
:00413CB1 EB59                    jmp 00413D0C

Please note that we don't know yet what the above code is doing, therefore we will examine the piece of code ABOVE our MessageBoxA call:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413C3D(C)
|
:00413C59 8D559C                  lea edx, dword ptr [ebp-64]
:00413C5C 52                      push edx
:00413C5D 6830AD4200              push 0042AD30
:00413C62 E839920000              call 0041CEA0
:00413C67 83C408                  add esp, 00000008
:00413C6A 8D8D54FFFFFF            lea ecx, dword ptr [ebp+FFFFFF54]   ; point ECX to the reg code we entered
:00413C70 51                      push ecx                            ; push reg code on the stack
:00413C71 8D459C                  lea eax, dword ptr [ebp-64]         ; point EAX to the name we entered
:00413C74 50                      push eax                            ; push name on the stack
:00413C75 E84768FFFF              call 0040A4C1                       ; call something*
:00413C7A 83C408                  add esp, 00000008                   ; correct the stack (2 arguments)
:00413C7D 85C0                    test eax, eax                       ; EAX = 0 ?
:00413C7F 7532                    jne 00413CB3                        ; if NOT 0 jmp to 413CB3, else continue with the "Wrong RegCode" MsgBox

* The CALL 0040A4C1 at address 00413C75 is the key, at least I thought so. As we can see, it looks obvious that the call at 00413C75 generates the real code and compares it with the code we entered. Too bad that the real code is never echoed by WinRar :( If the two codes are the same EAX is set to 1, else EAX is set to 0. We also see that if EAX=1 we would jump OVER the "Wrong RegCode" MsgBox.

That's worth a try, so let's make WinRar jump over the "Wrong RegCode" MsgBox (JNE 00413CB3, and this address lies beyond our "Wrong RegCode" MsgBox). Therefore we set a BP on 00413C7F (the JNE) and enter our name and reg code again. We now break on 00413C7F. If we type ? EAX we see that EAX is zero and therefore the zero flag is set. Let's flip the zero flag by typing R FL Z (this toggles the (Z)ero flag) and press F10 once. As you can see, WinRar jumps to 00413CB3 this time. Let's disable our breakpoints with BD*, press F5 and see what happens next.

"Thank you for your support", woah... looks like WinRar really thinks our serial is valid. Cool, or? Also the window title changed from "WinRar (Evaluation Copy)" to "WinRar" only. Looks good, or? Congratulations, you just cracked WinRar95... but wait... hmm... let's test the disabled functions: go to OPTIONS/GENERAL and try to activate Auth. Verif. or Error Logging, and guess what? ... Oops... still disabled? WTF is going on here? We just made WinRar think our serial is valid, but it still won't let us use the disabled functions. Hmm... strange. We now know that WinRar makes some cross-checks on the entered serial. That our theory is right can be seen if we quit WinRar and restart it: it again says "WinRar (Evaluation Copy)".

Well, I MUST write this, because the same thing happened to me so many times. In the tuts I read, the job was done after changing some jump condition in the routine which checks the serial.
But when I tried to crack my own programs I also got the "Good Boy" message all the time, but often the program still knew that the serial was wrong.

At least we now have our reg string saved in rar.ini, as you can see when opening it with any text editor:

...
[registration]
regname=RAYDEN
regcode=123454321
...

So it seems that WinRar uses this information when we try one of the disabled functions, OR this information is checked at startup and a flag is set.

What we have learned so far:
- It's easy to make WinRar think an entered code is a legal one.
- Once you get the "Thanks for your support" MessageBox, WinRar writes the entered name and serial to RAR.INI.
- But there are cross-checks on our entered code at startup and when activating the disabled functions.

Ok, back to work and back to our code above the "Wrong RegCode" MessageBox:

:00413C6A 8D8D54FFFFFF            lea ecx, dword ptr [ebp+FFFFFF54]   ; point ECX to the reg code we entered
:00413C70 51                      push ecx                            ; push reg code on the stack
:00413C71 8D459C                  lea eax, dword ptr [ebp-64]         ; point EAX to the name we entered
:00413C74 50                      push eax                            ; push name on the stack
:00413C75 E84768FFFF              call 0040A4C1                       ; call something*
:00413C7A 83C408                  add esp, 00000008                   ; correct the stack (2 arguments)
:00413C7D 85C0                    test eax, eax                       ; EAX = 0 ?
:00413C7F 7532                    jne 00413CB3                        ; if NOT 0 jmp to 413CB3, else continue with the "Wrong RegCode" MsgBox

Somewhere deep, deep inside this routine or in one of its subroutines (and there are tons of them) our code must be checked against the real one. Since we are newbies and don't know much ASM, I can say that after I spent about 2-3 days trying to understand this routine, it was a total waste of time for me. It was just impossible to understand all the calls, compares, shifts and rotates, etc...

Ok, what else can we do... hmm... BINGO. Remember those nice little MsgBoxes which pop up when you try to use Error Logging or Auth. Verification? Maybe we can get some info from them. So go back to SI, clear all BPs (BC*) and set a new BP on MessageBoxA (again).
Go to OPTIONS/GENERAL and try to activate either Error Logging or Auth. Verification. *BUMM* SI breaks. Press F11, press OK and you should be back in SI at the following code location:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004138C5(C)
|
:004138C9 833D5C57420000          cmp dword ptr [0042575C], 00000000
:004138D0 7534                    jne 00413906

* Possible Reference to String Resource ID=00048: "Normal"
|
:004138D2 6A30                    push 00000030

* Possible Reference to String Resource ID=00026: "Warning"
|
:004138D4 6A1A                    push 0000001A
:004138D6 E8B0680000              call 0041A18B
:004138DB 59                      pop ecx
:004138DC 50                      push eax

* Possible Reference to String Resource ID=00051: "Available in registered version only"
|
:004138DD 6A33                    push 00000033
:004138DF E8A7680000              call 0041A18B
:004138E4 59                      pop ecx
:004138E5 50                      push eax
:004138E6 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004138E7 E826100100              Call 00424912
:004138EC 6A00                    push 00000000                 <---- We land here

If you scroll back you can see that the last conditional jump is at:

:004138C9 833D5C57420000          cmp dword ptr [0042575C], 00000000
:004138D0 7534                    jne 00413906

Hmm... interesting. Here WinRar compares a memory location with 0. If it is NOT 0 then jump, else continue with "Available in registered version only". So we can say: if memory location 0042575C is not 0 (that is, 1), continue as registered, else continue as shareware. (By the way, 0042575C is also one of the three dwords that the failed-registration path zeroed right after the "Registration failed" MessageBox, at 00413C9F.) Nice, or?

Let's see if there are some other functions using this memory location. Therefore we set a BP on RW access (read/write access) on this memory. You should still be in SI; now clear all BPs and type BPM 0042575C. This makes SI break every time this memory address is read from or written to. Ok, now try to activate Error Logging: *BUMM* SI breaks (F5 to continue). Try to activate Auth. Verification: *BUMM* SI breaks again. Even if we try to register WinRar again: *BUMM* SI breaks. Wow, looks like this memory address is now our key to registering this little damn tool.
We said if the memory address holds "0" WinRar is still shareware, if "1" WinRar continues as registered. Now let's check WHEN WinRar writes the 0 or the 1 into this memory. Go to SoftICE, clear your old BP and set a new one with "BPM 0042575C W". The "W" makes SI break only when something is WRITTEN to this memory (without it BPM breaks on reads as well). And again our tests: try to enable Error Logging/Auth. Verif., try to register it again, and close WinRar and start it up again. What do we see? The registration routine writes to this memory, and at startup WinRar writes to this memory location. As you can also see, it is the SAME routine at startup and in the registration process which writes to this memory. Nice. So our new goal is to make this routine ALWAYS write a "1" to our memory location, right?

Here is the code which writes to our memory, as you should see it in SI:

....
:0040A721 52                      push edx
:0040A722 FF3504BF4200            push dword ptr [0042BF04]
:0040A728 E83F280100              call 0041CF6C
:0040A72D 83C40C                  add esp, 0000000C
:0040A730 85C0                    test eax, eax
:0040A732 0F94C1                  sete cl
:0040A735 83E101                  and ecx, 00000001
:0040A738 890D5C574200            mov dword ptr [0042575C], ecx   <--- we land here
:0040A73E FF353C574200            push dword ptr [0042573C]
:0040A744 E81F890100              call 00423068
:0040A749 59                      pop ecx
:0040A74A 33C0                    xor eax, eax
:0040A74C A33C574200              mov dword ptr [0042573C], eax

You see that at 0040A738 the value of ECX is written to our memory location 0042575C. Where does ECX come from? The call 0041CF6C (whatever it does, it takes three arguments, see the add esp,0C afterwards) returns a result in EAX. test eax,eax sets the zero flag if that result is 0, and sete cl sets CL to 1 if the zero flag is set, else to 0. Since sete only writes the low byte CL, the and ecx,00000001 keeps bit 0 and clears the upper 24 bits of ECX, so ECX ends up as exactly 0 or 1. Since we entered a wrong serial ECX contains a "0". If we entered a real serial ECX would contain a "1".

:0040A735 83E101                  and ecx, 00000001
:0040A738 890D5C574200            mov dword ptr [0042575C], ecx   <--- we land here

So the AND ECX,00000001 is our indicator of whether we are registered or not. If ECX is "1" BEFORE the AND it will also be "1" AFTER the AND, but if it is "0" it won't be "1" AFTER the AND.
Additional info on AND and OR operations:

Example for our AND operation:

  00000000   ECX, our target indicator
  00000001   simply the value "1", our source indicator which ECX is ANDed with
  --------
  00000000   our result is "0" because no bit PAIR is set in both operands

The result of the AND would only be "1" if the lowest bit of ECX were set to "1" too. Ok, we want ECX to be "1" every time, so we have to do something here. One solution (the one I have chosen) is to replace the logical AND with a logical OR, which always makes ECX 1, as you can see below:

Example for our OR operation:

  00000000   ECX, our target indicator
  00000001   simply the value "1", our source indicator which ECX is ORed with
  --------
  00000001   our result is "1", because only one of the two operands (ECX, 1) must have a bit set to set that bit in the result too

Get the point? By replacing AND with OR we always have a "1" in ECX, which is written to our memory.

Time to crack now. Go to WinDasm and load WINRAR95.EXE, go to code location 0040A735 and look at the offset in the status line. It should say @Offset:00009D35h in file WinRar95.exe. Ok, that's all here :)

Now fire up Hiew (Hacker's View), press F4 - Decode, press F5 and enter your offset (9D35). You now should be here:

:0040A735 83E101                  and ecx, 00000001

So our instruction "AND ECX, 00000001" is the same as 83E101 in hex. We simply have to change this now, so that it says "OR ECX, 00000001". Now press F3, which lets you edit the code. If you don't know the hex codes for "OR ECX..." (like me) you now have to press F2 (ASM). You then see your instruction in "ASCII" (assembler text) and you can simply overwrite AND with OR, press Enter, then ESC. You now should read OR ECX, 00000001 instead of AND ECX, 00000001.

If you want to edit the hex codes instead of editing in ASM mode, you have to know the opcode of our OR ECX instruction. There are tons of opcode lists around where you can have a look. So you could also change 83E101 to 83C901. This will also change the AND to OR, as you can see. (The opcode byte 83 stays the same; only the middle byte changes, because that byte selects AND or OR.)
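The same patch as a script, as an added example that is not R@yden's code and not part of WinRar: it maps the VA to the file offset through the PE section table (what WinDasm's status line does), decodes the three bytes to confirm they really are "and ecx, 00000001", refuses to write if the bytes at the target are not the expected ones (so a different WinRar build is never patched blindly), and then writes 83C901. Because the real WINRAR95.EXE is not on the page, the script builds a constructed stand-in image; its ImageBase 0x400000 and the .text section layout (VA 0x1000, raw offset 0x600) are assumptions chosen so that VA 0040A735 lands at file offset 9D35 as the tutorial reports.

```python
"""Patch `and ecx,1` (83 E1 01) at VA 0040A735 into `or ecx,1` (83 C9 01).

Added example, not R@yden's or WinRar's code: it does by script what the
tutorial does by hand with WinDasm (VA -> file offset) and Hiew (edit the
bytes), and refuses to write unless the bytes at the target are the ones
expected, so a different WinRar build is never patched blindly.
"""
import struct

IMAGE_BASE = 0x400000          # assumed: the page does not state WINRAR95.EXE's ImageBase
PATCH_VA = 0x0040A735
ORIGINAL = bytes.fromhex("83E101")   # and ecx, 00000001
PATCHED = bytes.fromhex("83C901")    # or  ecx, 00000001

# Opcode 83 /r ib ("group 1"): the reg field of the ModRM byte picks the operation.
GROUP1_OPS = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_group1_imm8(code: bytes) -> str:
    """Decode a 3-byte `83 /r ib` instruction with a register operand (mod == 11)."""
    if len(code) != 3 or code[0] != 0x83:
        raise ValueError("not an 83 /r ib instruction")
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod != 0b11:
        raise ValueError("memory operand forms are not handled here")
    imm = code[2] - 0x100 if code[2] & 0x80 else code[2]   # imm8 is sign-extended to 32 bits
    return f"{GROUP1_OPS[reg]} {REG32[rm]}, {imm & 0xFFFFFFFF:08X}"


def va_to_file_offset(image: bytes, va: int) -> int:
    """Map a virtual address to a file offset through the PE32 section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    rva = va - image_base
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        _vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, hdr + 8)
        if vaddr <= rva < vaddr + rsize:       # only file-backed bytes can be patched
            return rptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} is not backed by file data")


def patch_image(image: bytes, va: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a patched copy of `image`; refuse if the bytes at `va` are not `expected`."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must keep the instruction length")
    off = va_to_file_offset(image, va)
    found = image[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"at {va:#010x} (file {off:#x}) found {found.hex()}, "
                         f"expected {expected.hex()}: wrong version?")
    return image[:off] + replacement + image[off + len(replacement):]


def build_sample_image() -> bytes:
    """Constructed stand-in for WINRAR95.EXE, not the real file.

    One .text section at VA 0x1000 / raw offset 0x600 (assumed; these values
    reproduce the VA 0040A735 -> offset 9D35 mapping the tutorial reports),
    holding the bytes of the listing at 0040A730..0040A73D and 0xCC elsewhere.
    """
    e_lfanew = 0x80
    hdr = bytearray(0x600)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, IMAGE_BASE)  # ImageBase
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0xA000, 0x1000, 0xA000, 0x600)  # VirtualSize, VA, SizeOfRawData, PtrToRawData
    text = bytearray(b"\xCC" * 0xA000)
    snippet = bytes.fromhex("85C0 0F94C1 83E101 890D5C574200")  # test eax,eax / sete cl / and ecx,1 / mov [0042575C],ecx
    start = 0x0040A730 - IMAGE_BASE - 0x1000
    text[start:start + len(snippet)] = snippet
    return bytes(hdr) + bytes(text)


if __name__ == "__main__":
    img = build_sample_image()
    off = va_to_file_offset(img, PATCH_VA)
    print(f"VA {PATCH_VA:#010x} -> file offset {off:#x}: {decode_group1_imm8(img[off:off + 3])}")
    patched = patch_image(img, PATCH_VA, ORIGINAL, PATCHED)
    print(f"after patch: {decode_group1_imm8(patched[off:off + 3])}")
```

Two things worth noticing. First, the byte check in patch_image is the step most hand-patching skips: the offset 9D35 and the bytes 83E101 belong to this exact build (WINRAR95.EXE 2.06, 204,800 bytes), and on any other build blind writing at 9D35 would corrupt some unrelated instruction. Second, the AND in the original code is the compiler's way of zero-extending CL into ECX after sete cl; with OR the upper 24 bits of ECX keep whatever value they had, so [0042575C] becomes "some non-zero value" rather than exactly 1. That is fine here because the check at 004138C9 is cmp ...,0 / jne, which treats every non-zero value as registered.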
Now save it with F9 and ESC. We are ready to try our crack. Fire up WinRar for the last time. As you see, there is no more "Evaluation Copy" in the title bar. Now try to activate Error Logging and Auth. Verif..... wow, no more MessageBox telling us that we must have the registered version. And last but not least, try to register it again and again :). As you see, it will work.

Congratulations, you cracked WinRar95 V2.06. Job done.

Thanks & greetings go out to Sandman and Jeff for their great "Newbies Cracking Forum", to Crackz, +Fravia and Iczelion for their enormous resources about reverse engineering, and to SantaClawz (hope we will work together on the same project one day).

Contact and comments: rayden_@hotmail.com (don't forget the underscore)

cya and happy cracking
R@yden