Cracking WinRAR - All 3.xx versions (Beginner Tut). By cl0ud
From: ARTeam
Post: cl0ud
One thing beginner crackers need to learn:
How to crack a program based on a specific value that tells the whole program (in many different ways) whether it is registered or not.
This method of cracking is very efficient, it can save you time, and the concept works on many programs!
This is a perfect example of what to do and what I mean; I hope you all enjoy!
How to Crack WinRAR using Registration Byte Patch Method (every 3.xx version)
Tutorial by cl0ud/mephist0
I used WinRAR 3.80 beta 5 for this small tutorial.
Programs needed:
WinRAR, OllyDbg, and a hex editor (or you can just save the patches to file in Olly).
1.) Load WinRAR.exe in OllyDbg.
2.) In Olly, right-click in the CPU window and click: Search for > All referenced text strings.
This takes you to the References window. From here you can see all the text inside the EXE file, and the addresses from which it is used in the file. If you take a moment you can find the strings (near the bottom) "RARKEY" and "RARREG.KEY". Once found, double-click one and it will take you to the instruction referencing that text. (This is how you can find the proper patch in later versions.)
3.) Here is where the registration proc is first called:
CODE
00440CC7  . E8 FC8C0600     CALL <JMP.&KERNEL32.GetLocalTime>
00440CCC  . 33C0            XOR EAX,EAX                       ; just clearing EAX for the registration proc
00440CCE  . E8 ADA60400     CALL RegistrationProc@.0048B380   ; <** CALL to the registration check proc, to see if registered
00440CD3  . A2 F4B84B00     MOV BYTE PTR DS:[4BB8F4],AL       ; <** THE registration byte (checked to see if it's registered or not)
00440CD8  . 33C0            XOR EAX,EAX
OK, the REGISTRATION BYTE holds the key: if it's 1, the program is registered; if it's 0, the program is NOT registered.
This is what gets called: the start of the registration proc, which tests whether the program is registered or trial.
CODE
0048B380    55              PUSH EBP                          ; <*** registration check proc start
0048B381    8BEC            MOV EBP,ESP
0048B383    81C4 04F0FFFF   ADD ESP,-0FFC
0048B389  . 50              PUSH EAX
0048B38A  . 81C4 E4FEFFFF   ADD ESP,-11C
0048B390  . 53              PUSH EBX
0048B391  . 56              PUSH ESI
0048B392  . 57              PUSH EDI
0048B393  . 8BD8            MOV EBX,EAX
0048B395  . B8 586D4B00     MOV EAX,WinRAR.004B6D58
0048B39A  . E8 654E0100     CALL WinRAR.004A0204
0048B39F  . 8BC3            MOV EAX,EBX
0048B3A1  . E8 2A40F8FF     CALL WinRAR.0040F3D0
0048B3A6  . 84C0            TEST AL,AL
0048B3A8    74 14           JE SHORT WinRAR.0048B3BE
0048B3AA  . B0 01           MOV AL,1
0048B3AC  . 8B95 E4FEFFFF   MOV EDX,DWORD PTR SS:[EBP-11C]
0048B3B2  . 64:8915 000000> MOV DWORD PTR FS:[0],EDX
0048B3B9  . E9 57010000     JMP WinRAR.0048B515
0048B3BE  > 8D8D E4EEFFFF   LEA ECX,DWORD PTR SS:[EBP-111C]   ; just checking if the registry keys exist.. blah..
0048B3C4  . BA B8684B00     MOV EDX,WinRAR.004B68B8           ; ASCII "Software\WinRAR"
0048B3C9  . 51              PUSH ECX
0048B3CA  . 6A 00           PUSH 0
0048B3CC  . 68 FF0F0000     PUSH 0FFF
0048B3D1  . B9 C8684B00     MOV ECX,WinRAR.004B68C8           ; |ASCII "rarkey"
4.) Here is the CALL to the registration check, and the registration byte:
CODE
00440CCE  . E8 ADA60400     CALL RegistrationProc@.0048B380   ; <** CALL to the registration check proc, to see if registered
00440CD3  . A2 F4B84B00     MOV BYTE PTR DS:[4BB8F4],AL       ; <** registration byte address
You COULD just patch the CALL RegistrationProc to MOV EAX,1..
But that is NOT safe, as more parts of the EXE may call the registration proc to keep checking whether it's registered.
This MOV BYTE PTR DS:[4BB8F4],AL instruction holds the registration byte address. If the byte at 4BB8F4 is 0, it is not registered.
The instruction moves the BYTE from AL into that address.
So we need to make a MOV AL,1 patch at the start of the registration check proc, and the program will be registered!
(The AL register is a 16-bit version of the EAX register, or something like that.)
5.) The PROPER patch to make:
CODE
REGISTRATION PROC: ( 00440CCE CALL RegistrationProc@.0048B380 )
-
0048B380    55              PUSH EBP                          ; <*** registration check proc start
0048B381    8BEC            MOV EBP,ESP
0048B383    81C4 04F0FFFF   ADD ESP,-0FFC
0048B389  . 50              PUSH EAX
0048B38A  . 81C4 E4FEFFFF   ADD ESP,-11C
EDIT TO:
REGISTRATION PROC: ( 00440CCE CALL RegistrationProc@.0048B380 )
-
0048B380    B0 01           MOV AL,1                          ; <*** registration check proc start
0048B382    C3              RETN                              ; <** immediately return
This patch makes AL (or EAX) = 1 and then RETNs to the caller; it doesn't process any of the registration check code!
So make the patch, and now the program will be completely REGISTERED! + you can use this on any 3.xx version of WinRAR.
And this is how to crack using the registration byte method. The concept is the same in a lot of popular programs.
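As an added, defender-side example (not part of cl0ud's tutorial and not WinRAR's own code): a Python scan that looks for the registration-check prologue quoted in the listings above and reports whether it is still intact or has been overwritten with the MOV AL,1 / RETN stub, together with a whole-image hash comparison. The byte sequences are taken from the tutorial's listings; the sample images, the NOP filler around them and the "known-good" hash are constructed for the demo and are not real WinRAR data.

```python
"""Detect the 'registration byte' patch described above in a raw code image.

Added example (not from the tutorial): scans a byte image for the original
prologue of the registration check proc and flags the case where its first
bytes have been replaced with MOV AL,1 / RETN. Sample images are constructed.
"""
import hashlib

# Original prologue of the registration check proc (0048B380 in the listing):
#   55            PUSH EBP
#   8BEC          MOV EBP,ESP
#   81C4 04F0FFFF ADD ESP,-0FFC
#   50            PUSH EAX
#   81C4 E4FEFFFF ADD ESP,-11C
ORIGINAL_PROLOGUE = bytes.fromhex("558BEC81C404F0FFFF5081C4E4FEFFFF")

# The patch the tutorial applies: B0 01 (MOV AL,1) C3 (RETN). It overwrites
# the first three bytes; the rest of the old prologue is left behind as dead bytes.
PATCH_STUB = bytes.fromhex("B001C3")
PATCHED_PROLOGUE = PATCH_STUB + ORIGINAL_PROLOGUE[len(PATCH_STUB):]


def find_all(image: bytes, needle: bytes) -> list[int]:
    """Return every offset at which `needle` occurs in `image`."""
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def classify(image: bytes) -> dict:
    """Classify a code image as 'intact', 'patched' or 'unknown' (no prologue found)."""
    intact = find_all(image, ORIGINAL_PROLOGUE)
    patched = find_all(image, PATCHED_PROLOGUE)
    if patched:
        verdict = "patched"
    elif intact:
        verdict = "intact"
    else:
        verdict = "unknown"
    return {
        "verdict": verdict,
        "intact_at": intact,
        "patched_at": patched,
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def integrity_ok(image: bytes, known_good_sha256: str) -> bool:
    """Whole-image hash check: the simplest way to tell a modified binary apart."""
    return hashlib.sha256(image).hexdigest() == known_good_sha256


# Constructed sample images: NOP filler around the prologue, not real WinRAR code.
FILLER = b"\x90" * 16
SAMPLE_INTACT = FILLER + ORIGINAL_PROLOGUE + FILLER
SAMPLE_PATCHED = FILLER + PATCHED_PROLOGUE + FILLER
# Constructed "known-good" hash: in practice this would be the vendor's published checksum.
KNOWN_GOOD_SHA256 = hashlib.sha256(SAMPLE_INTACT).hexdigest()

if __name__ == "__main__":
    for name, img in (("intact", SAMPLE_INTACT), ("patched", SAMPLE_PATCHED)):
        r = classify(img)
        print(f"{name}: {r['verdict']} intact_at={r['intact_at']} "
              f"patched_at={r['patched_at']} hash_ok={integrity_ok(img, KNOWN_GOOD_SHA256)}")
```

Run it as a script to see both verdicts. The hash check catches any modification but tells you nothing about where; the prologue scan is the cheap, targeted version of what a file-integrity monitor or an in-process self-check would do against this particular patch.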
(Actually there is one other thing. If you make a RAR archive and click "Put authenticity verification", you will get a message saying "Only available in registered version." This can be easily patched by setting a BP on MessageBoxA and returning 2 or 3 times; you will see a jump right above where you returned to, just patch it to jump always.)
CODE
0044765D  |. E8 2A290600    CALL <JMP.&USER32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00447662  |. 85C0           TEST EAX,EAX
00447664  |. 74 11          JE SHORT WinRAR.00447677          ; <** make this jump always :)
00447666  |. 8BC3           MOV EAX,EBX
00447668  |. E8 4B9B0300    CALL WinRAR.004811B8              ; <** sends the unregistered message
0044766D  |. 6A 00          PUSH 0
Final notes:
This method of cracking is flawless, and it's a widely used, logical method.
This tutorial should help you learn this universal concept of cracking.
I made this tutorial specifically for educational purposes, and as a contribution to ARTeam.
Enjoy!! (Sorry about the fast and sloppy job, I was cracking WinRAR as I wrote this.)
Regards,
-cl0ud/mephist0

Reply: Ugh... I can't read English... could someone translate it... Is the OP doing this on purpose? Depressing.