Requirements:
W32DASM
hex editor
EXESCOPE
Information:
Target: WinRAR v3.00
Author: hEYWIRE
Download: http://www.rarlab.com
About:
The purpose of this tutorial is to offer help to anyone wishing to study the art of Reverse Code Engineering. Breaking protection systems in programs is an intellectual challenge; it should NOT be used to steal software. REMEMBER, I do my cracks/keygens as a hobby and challenge, so please, if you like the utility you crack and keep using it, support the author and pay for it! Peace, hEYWIRE
Program Info:
RAR is a powerful tool which allows you to manage and control archive files. The archive is usually a regular file whose name has a ".rar" suffix.
RAR features include:
* Highly sophisticated, original compression algorithm
* Special compression algorithms optimized for text, audio, graphics data, 32 and 64-bit Intel executables
* Better compression than similar tools, using 'solid' archiving
* Authenticity verification (registered version only)
* Self-extracting archives and volumes (SFX)
* Ability to recover physically damaged archives
* Locking, password, file order list, file security & more ...
Registering:
OK, run the target program and look around: there is nowhere to register this program, so it is probably using the Windows registry or a keyfile to look for the user's registration details. Find out if the program is packed/encrypted. We now know it's written in Borland C++ and is not packed/encrypted.
Load up W32DASM and disassemble the program. We also know it's a 40-day trial, so move your computer's clock forward and re-run the program. We get a dialog box reminding us to register etc. Look at the buttons on this dialog box:
Online registration
Price list
Sites list
Close
Help
OK, let's search in W32DASM for the text "Online registration". We find it here:
Name: REMINDER, # of Controls=007, Caption:"Please register", ClassName:""
001 - ControlID:0066, Control Class:"BUTTON" Control Text:"&Online registration"
002 - ControlID:0065, Control Class:"BUTTON" Control Text:"&Price list"
003 - ControlID:0067, Control Class:"BUTTON" Control Text:"&Sites list"
004 - ControlID:0001, Control Class:"BUTTON" Control Text:"Close"
005 - ControlID:0009, Control Class:"BUTTON" Control Text:"&Help"
006 - ControlID:FFFF, Control Class:"BUTTON" Control Text:""
007 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Please note that"
OK, as we can see this dialog box is named "REMINDER", so let's do a search for the string "REMINDER". We find it here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043BB0E(C) <- this is the call for the REMINDER box / left click on it
|
:0043BB14 C60598F1480001 mov byte ptr [0048F198], 01
:0043BB1B 6A00 push 00000000
:0043BB1D 6824F44300 push 0043F424
:0043BB22 FF35E0574A00 push dword ptr [004A57E0]
* Possible StringData Ref from Data Obj ->"REMINDER" <- dialog box name
|
:0043BB28 68E5F64800 push 0048F6E5
:0043BB2D FF3510714900 push dword ptr [00497110]
* Reference To: USER32.DialogBoxParamA, Ord:0000h
|
:0043BB33 E896EB0400 Call 0048A6CE
We now land here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043B5F7(C)
|
:0043BAE2 833D487E4A0000 cmp dword ptr [004A7E48], 00000000
:0043BAE9 754D jne 0043BB38
:0043BAEB 803D98F1480000 cmp byte ptr [0048F198], 00
:0043BAF2 7544 jne 0043BB38
:0043BAF4 803D58FE4A0000 cmp byte ptr [004AFE58], 00
:0043BAFB 753B jne 0043BB38
:0043BAFD 803D0C71490000 cmp byte ptr [0049710C], 00
:0043BB04 7532 jne 0043BB38
:0043BB06 A17C874A00 mov eax, dword ptr [004A877C]
:0043BB0B 83F800 cmp eax, 00000000
:0043BB0E 7C04 jl 0043BB14 <- this is the jump
:0043BB10 85C0 test eax, eax
:0043BB12 7D24 jge 0043BB38
We could change the JL at code location 0043BB0E to a JG, but looking at the above code we could instead change the mov eax, dword ptr [004A877C] at code location 0043BB06 to mov eax, 00000000. We do this because when we put our system clock back we don't want to see that REMINDER dialog. Run the program now. No dialog box!
OK, so we have no REMINDER dialog box now, but we still have the string "WinRAR (evaluation copy)" in the window's title bar. In W32DASM do a search for the string "evaluation copy". We land here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F9AE(C) <- this is the call / left click on it
|
* Possible Reference to String Resource ID=00873: "evaluation copy"
|
:0043F9B5 B869030000 mov eax, 00000369
:0043F9BA E8DDF1FCFF call 0040EB9C
:0043F9BF 50 push eax
:0043F9C0 8D942404020000 lea edx, dword ptr [esp+00000204]
:0043F9C7 52 push edx
:0043F9C8 E87B3C0300 call 00473648
:0043F9CD 83C408 add esp, 00000008
:0043F9D0 EB27 jmp 0043F9F9
:0043F995 E8667A0300 call 00477400
:0043F99A 83C40C add esp, 0000000C
:0043F99D 803D1CDD480000 cmp byte ptr [0048DD1C], 00
:0043F9A4 757A jne 0043FA20
:0043F9A6 A1B4DF4900 mov eax, dword ptr [0049DFB4]
:0043F9AB 83F814 cmp eax, 00000014
:0043F9AE 7C05 jl 0043F9B5 <- we land here
:0043F9B0 83F828 cmp eax, 00000028
:0043F9B3 7C1D jl 0043F9D2
From looking at the above piece of code we can see that at code location 0043F9B0 the program is comparing EAX to 28h, which is 40 in decimal. At code location 0043F9A4 there is a JNE; let's change these to a JMP. OK, start the program and the string is gone. Great.
Go to the Help menu -> About WinRAR and you will see the string "40 days trial copy". We don't want that there. You can use your favorite hex editor, search for that string and change it to whatever you want. Alternatively you could use a program called EXESCOPE and change the string to whatever you want. Note: EXESCOPE is a great program which deserves your money if you continue to use it after the 2-week evaluation period. The author of this program is a really good programmer, but I can't understand why he has such a bad serial/protection scheme. It's not as if he couldn't write a better one.
Well, that's the patching part of this program done. If you didn't notice, you can register this program with a keyfile. The program looks for a keyfile named rarkey.key. If you want to try your hand at cracking the program this way, the best thing to do is get the program to give you a message box saying thanks or whatever. Then you can find the call/flag that decides whether you are registered or not. Some keyfile protections are really tricky. You could also change the registers, e.g. R EAX = EBX etc., and reverse jumps with 'R FL Z' where needed to get your encrypted strings printed out to your bogus file.
Final Notes:
That's it for this tutorial; hope you learned something. If there are any spelling mistakes or grammar errors then forgive me, I'm only human. Just a short note, REMEMBER, I do my cracks/keygens as a hobby and challenge, so please, if you like the utility you crack and keep using it, support the author and pay for it! Peace, hEYWIRE