After reading many, many cracking tutorials for newbies, I decided to write my own, because in those tutorials you were always (or at least mostly) finished after changing the first jmp instruction. I learned the hard way that this isn't the case. So in this tutorial we will take more than one approach (remember, we are newbies!). Since I am a newbie too, it shouldn't be too hard to keep track with me.
I must also say that I am German, so I apologize for my English, but you should be able to understand me <g>. The only thing I assume is that you have some knowledge of using SoftICE and WinDasm. Let's start.
Target: WinRar 95 V2.06 (WINRAR95.EXE)
Target Date/Size: 12/3/1998, 204,800 bytes
Tools required:
---------------
- Softice 3.2x
- Hiew (Hacker's View) 6.x
- WinDasm 8.9x
Ok, fire up WinRar and have a look at it. After clicking here and there you will notice the following three restrictions/nags:
- WinRar displays "...(Evaluation Copy)" in the WindowNameBar
- You can't activate Authenticity verification
- You can't activate Error Logging
Note: The two disabled functions will play a major role later in this tutorial, as you will see (I learned it the hard way).
Now let's try to register it by clicking on OPTIONS and REGISTER. Enter your name and an unlock code and press OK (I used RAYDEN/123454321). Well, the code is wrong (*surprise*).
Note: this was the first approach I tried, because in other tutorials I often read that reversing a conditional jump before the MessageBoxA call could make the program think the code you entered is a "good" one. Let's continue by trying this ourselves :).
Go to SoftICE and set a BP on MessageBoxA. Again enter your name and a serial, click OK and SoftICE should break. Press F11 once, click OK on the message box and you should be back in SoftICE at the following code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00413C7F 7532 jne 00413CB3 ;if not equal, jmp to 413CB3; else continue with the "Wrong RegCode" MsgBox
* The CALL 0040A4C1 at address :00413C75 is the key, or at least I thought so.
As we can see, it's obvious that the call at 00413C75 generates the real code and compares it with the code we entered. Too bad the real code is never echoed by WinRar :(
If the two codes are the same, EAX is set to 1; otherwise EAX is set to 0.
We also see that if EAX=1 we would jump OVER the Wrong Reg-Code MsgBox. That's worth a try: let's make WinRar jump over the Wrong Reg-Code MsgBox (JNE 00413CB3, and this offset is beyond our WrongRegCode MsgBox). Therefore we set a BP on 00413C7F (the JNE) and enter our name and reg code again.
We now break on 00413C7F. If we now type ? EAX we see that EAX is zero and therefore the zero flag is set. Let's change the zero flag by typing R FL Z (which reverses the (Z)ero flag) and press F10 once. As you can see, WinRar jumps to 00413CB3 this time. Let's disable our breakpoints with BD*, press F5 and see what happens next.
"Thank you for your support"... woah, looks like WinRar really thinks our serial is valid. Cool, eh? Also the window name bar changed from "WinRar (evaluation Copy)" to just "WinRar".
Looks good, doesn't it? Congratulations, you just cracked WinRar95... but wait... hmm... let's test the disabled functions: go to OPTIONS/GENERAL and try to activate Auth. Verif. or Error Logging, and guess what? ... Oops... still disabled? WTF is going on here? We just made WinRar think our serial is valid, but it still won't let us use the disabled functions. Hmm... strange. We now know that WinRar makes some cross-checks on the entered serial. That our theory is right can be seen if we now quit WinRar and restart it: it says "WinRar (Evaluation copy)" again.
Well, I MUST write this, because the same thing happened to me so many times. In the tutorials I read, the job was done after changing some jump condition in the routine which checks the serial. But when I tried to crack my own programs I also got the "Good Boy" message every time, yet often the program still knew that the serial was wrong.
At least we now have our registration string saved in rar.ini, as you can see when opening it with any text editor:
...
[registration]
regname=RAYDEN
regcode=123454321
....
So it seems that WinRar either uses this information when we try one of the disabled functions, OR this information is checked at startup and a flag is set.
What we learned until now:
- It's easy to make WinRar think an entered code is a legal one.
- Once you get the "Thanks for your support" message box, WinRar writes the entered name and serial to RAR.INI.
- But there are cross-checks on our entered code at startup and when activating the disabled functions.
Ok, back to work, and back to our code above the WrongRegCode MessageBox:
:00413C6A 8D8D54FFFFFF lea ecx, dword ptr [ebp+FFFFFF54] ;point ECX to the reg code we entered
:00413C70 51 push ecx ;push name on stack
:00413C71 8D459C lea eax, dword ptr [ebp-64] ;point EAX to the name we entered
:00413C7F 7532 jne 00413CB3 ;if not equal, jmp to 413CB3; else continue with the "Wrong RegCode" MsgBox
Somewhere deep, deep in this routine or in one of its subroutines (and there are tons of them) our code must be checked against the real one. Since we are newbies and don't know much ASM, I can say that after spending about 2-3 days trying to understand this routine, it was a total waste of time for me. It was just impossible to understand all the calls, compares, shifts and rotates, etc.
Ok, what else can we do... hmm... BINGO. Remember those nice little message boxes which pop up when you try to use Error Logging or Auth. Verification? Maybe we can get some info from them. So go back to SI, clear all BPs (BC*) and set a new BP on MessageBoxA (again). Go to OPTIONS/GENERAL and try to activate either Error Logging or Auth. Verification. *BUMM* SI breaks. Press F11, press OK and you should be back in SI at the following code location:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
Hmm... interesting: here WinRar compares a memory location with 0. If it is NOT 0 it jumps, else it continues with "Available only in...". So we can say: if memory location 0042575C = 1, continue as registered; else continue as shareware. Nice, eh?
Let's see if there are other functions using this memory location. Therefore we must set a BP on RW access (read-write access) at this memory. You should still be in SI; now clear all BPs and type BPM 0042575C. This makes SI break every time this memory address is read from or written to. Ok, now try to activate Error Logging: *BUMM* SI breaks (F5 to continue). Try to activate Auth. Verification: *BUMM* SI breaks again. Even if we try to register WinRar again: *BUMM* SI breaks. Wow, looks like this memory address is now our key to registering this little, damn tool. We said if the memory address is "0" WinRar is still shareware; if "1" WinRar continues as registered.
Now let's check when WinRar WRITES the 0 or the 1 to this memory. Go to SoftICE, clear your old BP and set a new one with "BPM 0042575C R". The "R" makes SI break only when something is WRITTEN to this memory. And again our tests: try to enable Error Logging/Auth. Verif., try to register it again, and close WinRar and start it up again. What do we see? The registration routine writes to this memory, and at startup WinRar writes to this memory location. As you can also see, it is the SAME routine at startup and in the registration process which writes to this memory. Nice. So our goal now is to make this routine always write a "1" to our memory location, right? Here is the code which writes to our memory, as you should see it in SI:
....
:0040A721 52 push edx
:0040A722 FF3504BF4200 push dword ptr [0042BF04]
:0040A728 E83F280100 call 0041CF6C
:0040A72D 83C40C add esp, 0000000C
:0040A730 85C0 test eax, eax
:0040A732 0F94C1 sete cl
:0040A735 83E101 and ecx, 00000001
:0040A738 890D5C574200 mov dword ptr [0042575C], ecx <--- we land here
You see that at 0040A738 the value of ECX is written to our memory location 0042575C. Since we entered a wrong serial, ECX contains a "0". If we had entered a real serial, ECX would contain a "1".
:0040A735 83E101 and ecx, 00000001
:0040A738 890D5C574200 mov dword ptr [0042575C], ecx <--- we land here
So the AND ECX,00000001 is our indicator of whether we are registered or not. If ECX is "1" BEFORE the AND, it will also be "1" AFTER the AND; but if it is "0", it won't be 1 AFTER the AND.
Additional info on AND and OR operations:
Example for our AND operation:
00000000 ECX, our target operand
00000001 simply the value "1", the source operand ECX is ANDed with
--------
00000000 Our result is "0" because no bit PAIR is set in both operands. The result of AND would only be "1" if the first bit of ECX were also set to "1".
Ok, we want ECX to be "1" every time, so we have to do something here. One solution (the one I chose) is to replace the logical AND with a logical OR, which always makes ECX 1, as you can see below:
Example for our OR operation:
00000000 ECX, our target operand
00000001 simply the value "1", the source operand ECX is ORed with
--------
00000001 Our result is 1, because only one of the two operands (ECX, 1) needs to have a bit set for that bit to be set in the result too.
Get the point? By replacing AND with OR we always have "1" in ECX, which is written to our memory. Time to crack now. Go to WinDasm and load WINRAR95.EXE, go to code location 0040A735 and look at the offset in the status line. It should say @Offset:00009D35h in file WinRar95.exe. Ok, that's all here :)
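As an added example (my code, not part of the original tutorial), this C program decodes the 83 xx 01 bytes shown at 0040A735 using the x86 group-1 ModRM rule, so you can see why the ModRM byte E1 (reg field 4 = AND) becoming C9 (reg field 1 = OR) swaps the instruction, and it simulates the test/sete/<op> sequence from 0040A730 for a wrong code with both the original and the patched instruction. It assumes, as the listing suggests, that the call at 0040A728 is the compare whose zero return value sete turns into CL=1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode 0x83 is the x86 "group 1" form: <op> r/m32, imm8. The op comes from
 * the ModRM reg field (bits 5..3): /1 = or, /4 = and, and so on. */
static const char *const GROUP1_OPS[8] =
    { "add", "or", "adc", "sbb", "and", "sub", "xor", "cmp" };
static const char *const REG32[8] =
    { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Decode one "83 <modrm> <imm8>" with a register operand (mod == 11):
 * writes the mnemonic to out and returns 3, or 0 if not of that form. */
int decode_group1_reg(const uint8_t code[3], char *out, size_t outlen)
{
    uint8_t modrm = code[1];
    if (code[0] != 0x83 || (modrm >> 6) != 3)
        return 0;
    snprintf(out, outlen, "%s %s, %08x",
             GROUP1_OPS[(modrm >> 3) & 7], REG32[modrm & 7], (unsigned)code[2]);
    return 3;
}

/* True if the 3 bytes decode to exactly the expected mnemonic. */
int decodes_to(const uint8_t code[3], const char *expect)
{
    char buf[32];
    return decode_group1_reg(code, buf, sizeof buf) == 3 && strcmp(buf, expect) == 0;
}

/* Simulate the tail of the routine at 0040A730:
 *   test eax, eax ; sete cl ; <op> ecx, 1 ; mov [0042575C], ecx
 * eax is the return value of the call at 0040A728 (assumed to be the compare;
 * sete gives cl = 1 only when it is 0); ecx_in is whatever ECX held before,
 * since sete writes only CL; modrm picks the op (0xE1 = original AND,
 * 0xC9 = patched OR). Returns the value that ends up in the flag at 0042575C. */
uint32_t registered_flag(uint32_t eax, uint32_t ecx_in, uint8_t modrm)
{
    uint32_t ecx = (ecx_in & ~0xFFu) | (eax == 0 ? 1u : 0u);  /* sete cl */
    switch ((modrm >> 3) & 7) {
    case 4:  return ecx & 1; /* and: a clean 0/1, 1 only when the call returned 0 */
    case 1:  return ecx | 1; /* or: bit 0 always set, ECX's upper bits leak into the flag */
    default: return ecx;
    }
}
```

Note that the patched OR keeps whatever ECX's upper bytes held, so the stored flag is only guaranteed non-zero rather than exactly 1; the check before the "Available only in..." box compares against 0, which is why that still passes.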
Now fire up Hacker's View, press F4 (Decode), press F5 and enter your offset (9D35). You should now be here:
:0040A735 83E101 and ecx, 00000001
So our instruction "AND ECX, 00000001" is the same as 83E101 in hex. We simply have to change this now so it says "OR ECX, 00000001". Press F3, which lets you edit the code. If you don't know the hex codes for "OR ECX..." (like me), you now have to press F2 (ASM). You then see your instruction as text and can simply overwrite AND with OR, press Enter, then ESC. You should now read OR ECX, 00000001 instead of AND ECX, 00000001. If you want to edit the hex codes instead of editing in ASM mode, you have to know the opcode of our OR ECX instruction. There are tons of opcode lists around where you can have a look. So you could also change 83E101 to 83C901; this also changes the AND to OR, as you can see. Now save it with F9 and ESC. Now we are ready to try our crack. Fire up WinRar for the last time.
As you can see, there is no more "evaluation copy" in the window bar. Now try to activate Error Logging and Auth. Verif.... wow, no more message box telling us that we must have the registered version. And last but not least, try to register it again and again :). As you can see, it works. Congratulations, you cracked WinRar95 V2.06 <g>
Job done.
Thanks & greetings go out to Sandman and Jeff for their great "Newbies Cracking Forum", to Crackz, +Fravia and Iczelion for their enormous resources about reverse engineering, and to SantaClawz (hope we will work together on the same project one day).
Contact and comments: rayden_@hotmail.com (don't forget the underscore)