Notes on cracking the latest 32-bit WinRAR
This post was last edited by zyjsuper on 2019-7-11 16:03.
WinRAR pops up an advertising window every time it runs, and the main window's title bar shows a license-expiry reminder; the goal of this crack is to remove both.
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709224944245-569423406.png
Download address for the 32-bit (5.71) version of the WinRAR archiver:
http://www.winrar.com.cn/download/wrar571scp.exe
64-bit download address:
http://www.winrar.com.cn/download/winrar-x64-571scp.exe
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709224221535-1373318685.png
Tools required: the 52pojie edition of OllyDbg, and Binary Ninja
https://down.52pojie.cn/Tools/Debuggers/%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%E4%B8%93%E7%94%A8%E7%89%88Ollydbg.rar
https://cdn.binary.ninja/installers/BinaryNinja-demo.exe
This article draws on a post by an expert on the 飘云 forum: https://www.chinapyg.com/forum.php?mod=viewthread&tid=125493&highlight=winrar
The method there is very clean, so I borrowed it; it is well suited for a beginner like me to practice hands-on skills.
Load WinRAR in OD (OllyDbg), as shown:
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709225334996-1266308154.png
Press F9 to run WinRAR. Once the main window and the advertising window have popped up, press F12 to pause the program, then click the "K" button at the top of OD (or press Alt+K) to view the call stack and see which functions were called before the windows appeared. The result is shown below:
Note for this step: wait until the advertising window has popped up normally, with no other prompts, before pausing the program and viewing the stack. For example, during debugging you may run into the following:
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709230842025-615930864.png
The next screenshot is reached only when the advertising page has been displayed normally.
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709230206469-1204364753.png
Right-click the last call, as shown, and choose the "Show call" command.
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709230311252-191354023.png
This gives the call location shown below:
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709231044233-1872128558.png
Press Enter at that location, or single-step into it with F7, and we arrive at the assembly listing below. It contains the two places we want to patch, namely the advertisement and the license-expiry reminder in the title bar; the code comments are enough to identify them.
00AE1520 $55 push ebp
00AE1521 .8DAC24 E8CFFF>lea ebp,dword ptr ss:
00AE1528 .B8 18300000 mov eax,0x3018
00AE152D .E8 9E3F0100 call WinRAR.00AF54D0
00AE1532 .6A FF push -0x1
00AE1534 .68 5832B100 push WinRAR.00B13258
00AE1539 .64:A1 0000000>mov eax,dword ptr fs:
00AE153F .50 push eax
00AE1540 .83EC 14 sub esp,0x14
00AE1543 .A1 341BB300 mov eax,dword ptr ds:
00AE1548 .33C5 xor eax,ebp
00AE154A .8985 14300000 mov dword ptr ss:,eax
00AE1550 .53 push ebx
00AE1551 .56 push esi
00AE1552 .57 push edi
00AE1553 .50 push eax
00AE1554 .8D45 F4 lea eax,dword ptr ss:
00AE1557 .64:A3 0000000>mov dword ptr fs:,eax
00AE155D .8965 F0 mov dword ptr ss:,esp
00AE1560 .8BB5 20300000 mov esi,dword ptr ss:
00AE1566 .6A 01 push 0x1
00AE1568 .E8 531EFBFF call WinRAR.00A933C0
00AE156D .68 05800000 push 0x8005 ; /ErrorMode = SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX
00AE1572 .FF15 0442B100 call dword ptr ds:[<&KERNEL32.SetErrorMo>; \SetErrorMode
00AE1578 .B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE157D .E8 DED3F7FF call WinRAR.00A5E960
00AE1582 .C605 D592B300>mov byte ptr ds:,0x0
00AE1589 .C705 F0A2B300>mov dword ptr ds:,0x0
00AE1593 .FF15 F441B100 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentThreadId
00AE1599 .A3 F4A2B300 mov dword ptr ds:,eax
00AE159E .6A 00 push 0x0 ; /EventName = NULL
00AE15A0 .6A 00 push 0x0 ; |InitiallySignaled = FALSE
00AE15A2 .6A 01 push 0x1 ; |ManualReset = TRUE
00AE15A4 .6A 00 push 0x0 ; |pSecurity = NULL
00AE15A6 .FF15 6841B100 call dword ptr ds:[<&KERNEL32.CreateEven>; \CreateEventW
00AE15AC .A3 F8A2B300 mov dword ptr ds:,eax
00AE15B1 .68 04DEB100 push WinRAR.00B1DE04 ; /MsgName = "WMUser_DisplayError"
00AE15B6 .FF15 7445B100 call dword ptr ds:[<&USER32.RegisterWind>; \RegisterWindowMessageW
00AE15BC .A3 20A3B300 mov dword ptr ds:,eax
00AE15C1 .68 A44BB100 push WinRAR.00B14BA4 ;UNICODE "General"
00AE15C6 .E8 C504FCFF call WinRAR.00AA1A90
00AE15CB .84C0 test al,al
00AE15CD .0f94c3 sete bl
00AE15D0 .885D EF mov byte ptr ss:,bl
00AE15D3 .6A 01 push 0x1
00AE15D5 .68 00080000 push 0x800
00AE15DA .8D85 00100000 lea eax,dword ptr ss:
00AE15E0 .50 push eax
00AE15E1 .E8 EAA3F9FF call WinRAR.00A7B9D0
00AE15E6 .68 00080000 push 0x800
00AE15EB .8D85 00100000 lea eax,dword ptr ss:
00AE15F1 .50 push eax
00AE15F2 .E8 1993F9FF call WinRAR.00A7A910
00AE15F7 .68 00080000 push 0x800
00AE15FC .8D85 00100000 lea eax,dword ptr ss:
00AE1602 .50 push eax
00AE1603 .68 E092B300 push WinRAR.00B392E0 ;UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE1608 .E8 4312FBFF call WinRAR.00A92850
00AE160D .68 00080000 push 0x800
00AE1612 .68 CC89B100 push WinRAR.00B189CC ;UNICODE "rar.log"
00AE1617 .68 E092B300 push WinRAR.00B392E0 ;UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE161C .E8 EF11FBFF call WinRAR.00A92810
00AE1621 .6A 00 push 0x0
00AE1623 .56 push esi
00AE1624 .B9 08F0B600 mov ecx,WinRAR.00B6F008
00AE1629 .E8 12AEFAFF call WinRAR.00A8C440
00AE162E .68 2CDEB100 push WinRAR.00B1DE2C ;UNICODE "winrar.lng"
00AE1633 .B9 0CF0B600 mov ecx,WinRAR.00B6F00C
00AE1638 .E8 639FFAFF call WinRAR.00A8B5A0
00AE163D .56 push esi
00AE163E .E8 ADDBFFFF call WinRAR.00ADF1F0
00AE1643 .85C0 test eax,eax
00AE1645 .0F84 66060000 je WinRAR.00AE1CB1
00AE164B .8D4D E0 lea ecx,dword ptr ss:
00AE164E .E8 AD11FFFF call WinRAR.00AD2800
00AE1653 .C745 FC 00000>mov dword ptr ss:,0x0
00AE165A .8935 04F0B600 mov dword ptr ds:,esi
00AE1660 .B9 F0B5B500 mov ecx,WinRAR.00B5B5F0
00AE1665 .E8 8643F2FF call WinRAR.00A059F0
00AE166A .E8 6137FEFF call WinRAR.00AC4DD0
00AE166F .E8 4CEAFDFF call WinRAR.00AC00C0
00AE1674 .E8 07FBFFFF call WinRAR.00AE1180
00AE1679 .68 44DEB100 push WinRAR.00B1DE44 ; /MutexName = "WinRAR_Busy"
00AE167E .6A 00 push 0x0 ; |InitialOwner = FALSE
00AE1680 .6A 00 push 0x0 ; |pSecurity = NULL
00AE1682 .FF15 5C43B100 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexW
00AE1688 .A3 D092B300 mov dword ptr ds:,eax
00AE168D .6A 00 push 0x0 ; /Title = NULL
00AE168F .68 B858B100 push WinRAR.00B158B8 ; |Class = "WinRarWindow"
00AE1694 .FF15 8C45B100 call dword ptr ds:[<&USER32.FindWindowW>>; \FindWindowW
00AE169A .8BF8 mov edi,eax
00AE169C .897D E8 mov dword ptr ss:,edi
00AE169F 6A 00 push 0x0 ; /lParam = NULL
00AE16A1 56 push esi ; |hInst = 00DBCB64
00AE16A2 6A 00 push 0x0 ; |hMenu = NULL
00AE16A4 6A 00 push 0x0 ; |hParent = NULL
00AE16A6 68 00000080 push 0x80000000 ; |Height = 80000000 (-2147483648.)
00AE16AB 68 00000080 push 0x80000000 ; |Width = 80000000 (-2147483648.)
00AE16B0 68 00000080 push 0x80000000 ; |Y = 80000000 (-2147483648.)
00AE16B5 68 00000080 push 0x80000000 ; |X = 80000000 (-2147483648.)
00AE16BA 68 0000CF06 push 0x6CF0000 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_CLIPSIBLINGS|WS_CLIPCHILDREN|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION
00AE16BF 68 6C71B100 push WinRAR.00B1716C ; |WindowName = "WinRAR"
00AE16C4 68 B858B100 push WinRAR.00B158B8 ; |Class = "WinRarWindow"
00AE16C9 6A 10 push 0x10 ; |ExtStyle = WS_EX_ACCEPTFILES
00AE16CB FF15 A045B100 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
00AE16D1 .A3 AC81B300 mov dword ptr ds:,eax
00AE16D6 .85C0 test eax,eax
00AE16D8 .0F84 C4050000 je WinRAR.00AE1CA2
00AE16DE .50 push eax
00AE16DF .B9 0CF0B600 mov ecx,WinRAR.00B6F00C
00AE16E4 .E8 F7A6FAFF call WinRAR.00A8BDE0
00AE16E9 .6A 00 push 0x0
00AE16EB .E8 60DAFFFF call WinRAR.00ADF150
00AE16F0 .E8 8BF8FFFF call WinRAR.00AE0F80
00AE16F5 .84DB test bl,bl
00AE16F7 .74 1A je short WinRAR.00AE1713
00AE16F9 .E8 D22EFCFF call WinRAR.00AA45D0
00AE16FE .84C0 test al,al
00AE1700 .75 11 jnz short WinRAR.00AE1713
00AE1702 .6A 01 push 0x1
00AE1704 .6A 00 push 0x0
00AE1706 .E8 D596F2FF call WinRAR.00A0ADE0
00AE170B .84C0 test al,al
00AE170D .75 04 jnz short WinRAR.00AE1713
00AE170F .B7 01 mov bh,0x1
00AE1711 .EB 02 jmp short WinRAR.00AE1715
00AE1713 >32FF xor bh,bh
00AE1715 >8D85 00300000 lea eax,dword ptr ss:
00AE171B .50 push eax
00AE171C .E8 FF8BF2FF call WinRAR.00A0A320
00AE1721 .0FB785 003000>movzx eax,word ptr ss:
00AE1728 .50 push eax ; /StringOrChar = 27BC
00AE1729 .E8 5247FBFF call <jmp.&USER32.CharUpperW> ; \CharUpperW
00AE172E .0FB7F0 movzx esi,ax
00AE1731 .68 34040000 push 0x434
00AE1736 .6A 00 push 0x0
00AE1738 .68 38A3B300 push WinRAR.00B3A338
00AE173D .E8 DE620100 call WinRAR.00AF7A20
00AE1742 .83C4 0C add esp,0xC
00AE1745 .6A 00 push 0x0
00AE1747 .6A 00 push 0x0
00AE1749 .6A 01 push 0x1
00AE174B .B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE1750 .E8 FBD6F7FF call WinRAR.00A5EE50
00AE1755 .E8 06E9F2FF call WinRAR.00A10060
00AE175A .66:85F6 test si,si
00AE175D .74 66 je short WinRAR.00AE17C5
00AE175F .803D B46BB400>cmp byte ptr ds:,0x0
00AE1766 .75 5D jnz short WinRAR.00AE17C5
00AE1768 .56 push esi
00AE1769 .68 5CDEB100 push WinRAR.00B1DE5C ;UNICODE "AFUMD"
00AE176E .E8 6F500100 call WinRAR.00AF67E2
00AE1773 .83C4 08 add esp,0x8
00AE1776 .85C0 test eax,eax
00AE1778 .75 32 jnz short WinRAR.00AE17AC
00AE177A .83FE 43 cmp esi,0x43
00AE177D .75 09 jnz short WinRAR.00AE1788
00AE177F .66:3985 02300>cmp word ptr ss:,ax
00AE1786 .74 24 je short WinRAR.00AE17AC
00AE1788 >803D B46BB400>cmp byte ptr ds:,0x0
00AE178F .75 34 jnz short WinRAR.00AE17C5
00AE1791 .56 push esi
00AE1792 .68 68DEB100 push WinRAR.00B1DE68 ;UNICODE "TXE"
00AE1797 .E8 46500100 call WinRAR.00AF67E2
00AE179C .83C4 08 add esp,0x8
00AE179F .85C0 test eax,eax
00AE17A1 .74 22 je short WinRAR.00AE17C5
00AE17A3 .6A 00 push 0x0
00AE17A5 .E8 3609FFFF call WinRAR.00AD20E0
00AE17AA .EB 20 jmp short WinRAR.00AE17CC
00AE17AC >E8 3F6FFEFF call WinRAR.00AC86F0
00AE17B1 .83FE 44 cmp esi,0x44
00AE17B4 .74 05 je short WinRAR.00AE17BB
00AE17B6 .83FE 43 cmp esi,0x43
00AE17B9 .75 11 jnz short WinRAR.00AE17CC
00AE17BB >33C0 xor eax,eax
00AE17BD .66:A3 B05BB40>mov word ptr ds:,ax
00AE17C3 .EB 07 jmp short WinRAR.00AE17CC
00AE17C5 >6A 00 push 0x0
00AE17C7 .E8 4436FEFF call WinRAR.00AC4E10
00AE17CC >6A 00 push 0x0
00AE17CE .6A 00 push 0x0
00AE17D0 .6A 01 push 0x1
00AE17D2 .B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE17D7 .E8 74D6F7FF call WinRAR.00A5EE50
00AE17DC .68 A04BB400 push WinRAR.00B44BA0
00AE17E1 .B9 D011B500 mov ecx,WinRAR.00B511D0
00AE17E6 .E8 6567F2FF call WinRAR.00A07F50
00AE17EB .68 00080000 push 0x800
00AE17F0 .68 EAFFB400 push WinRAR.00B4FFEA
00AE17F5 .68 B081B300 push WinRAR.00B381B0
00AE17FA .E8 5110FBFF call WinRAR.00A92850
00AE17FF .33C0 xor eax,eax
00AE1801 .66:A3 EAFFB40>mov word ptr ds:,ax
00AE1807 .68 00080000 push 0x800
00AE180C .8D45 00 lea eax,dword ptr ss:
00AE180F .50 push eax
00AE1810 .E8 CB93FEFF call WinRAR.00ACABE0
00AE1815 .8D45 00 lea eax,dword ptr ss:
00AE1818 .50 push eax
00AE1819 .B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE181E .E8 1D38F6FF call WinRAR.00A45040
00AE1823 .C705 5492B300>mov dword ptr ds:,0x0
00AE182D .C645 FC 01 mov byte ptr ss:,0x1
00AE1831 .E8 4A87F2FF call WinRAR.00A09F80
00AE1836 .C745 FC 00000>mov dword ptr ss:,0x0
00AE183D .FF35 AC81B300 push dword ptr ds:
00AE1843 .E8 58FBFFFF call WinRAR.00AE13A0
00AE1848 .66:833D CC9CB>cmp word ptr ds:,0x0
00AE1850 .74 2C je short WinRAR.00AE187E
00AE1852 .68 CC9CB400 push WinRAR.00B49CCC
00AE1857 .E8 54ACF9FF call WinRAR.00A7C4B0
00AE185C .68 00080000 push 0x800
00AE1861 .68 CC9CB400 push WinRAR.00B49CCC
00AE1866 .68 E092B300 push WinRAR.00B392E0 ;UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE186B .3D CC9CB400 cmp eax,WinRAR.00B49CCC
00AE1870 .75 07 jnz short WinRAR.00AE1879
00AE1872 .E8 39ADF9FF call WinRAR.00A7C5B0
00AE1877 .EB 05 jmp short WinRAR.00AE187E
00AE1879 >E8 D20FFBFF call WinRAR.00A92850
00AE187E >6A 00 push 0x0 ; /lParam = 0x0
00AE1880 .6A 00 push 0x0 ; |wParam = 0x0
00AE1882 .68 03800000 push 0x8003 ; |Message = MSG(0x8003)
00AE1887 .FF35 AC81B300 push dword ptr ds: ; |hWnd = 0xB05BC
00AE188D .FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
00AE1893 .833D AC81B300>cmp dword ptr ds:,0x0
00AE189A .0F84 93010000 je WinRAR.00AE1A33
00AE18A0 .66:833D CAEFB>cmp word ptr ds:,0x0
00AE18A8 .0F85 6F030000 jnz WinRAR.00AE1C1D
00AE18AE .32DB xor bl,bl
00AE18B0 .66:833D EAFFB>cmp word ptr ds:,0x0
00AE18B8 .0F84 3A030000 je WinRAR.00AE1BF8
00AE18BE .68 EAFFB400 push WinRAR.00B4FFEA
00AE18C3 .E8 F8A7F8FF call WinRAR.00A6C0C0
00AE18C8 .83F8 FF cmp eax,-0x1
00AE18CB .74 06 je short WinRAR.00AE18D3
00AE18CD .A8 10 test al,0x10
00AE18CF .74 02 je short WinRAR.00AE18D3
00AE18D1 .B3 01 mov bl,0x1
00AE18D3 >66:833D EAFFB>cmp word ptr ds:,0x0
00AE18DB .0F84 EB020000 je WinRAR.00AE1BCC
00AE18E1 .84DB test bl,bl
00AE18E3 .0F85 E7020000 jnz WinRAR.00AE1BD0
00AE18E9 .6A 00 push 0x0
00AE18EB .68 8850B100 push WinRAR.00B15088 ;UNICODE "ReuseWindow"
00AE18F0 .68 A44BB100 push WinRAR.00B14BA4 ;UNICODE "General"
00AE18F5 .E8 9623FCFF call WinRAR.00AA3C90
00AE18FA .85C0 test eax,eax
00AE18FC .0F84 F7000000 je WinRAR.00AE19F9
00AE1902 .85FF test edi,edi
00AE1904 .0F84 EF000000 je WinRAR.00AE19F9
00AE190A .6A 00 push 0x0
00AE190C .68 00080000 push 0x800
00AE1911 .8D85 00200000 lea eax,dword ptr ss:
00AE1917 .50 push eax
00AE1918 .E8 F37FFEFF call WinRAR.00AC9910
00AE191D .68 00080000 push 0x800
00AE1922 .8D85 00200000 lea eax,dword ptr ss:
00AE1928 .50 push eax
00AE1929 .E8 E28FF9FF call WinRAR.00A7A910
00AE192E .68 00080000 push 0x800
00AE1933 .68 8CC3B100 push WinRAR.00B1C38C ;UNICODE "Rar$"
00AE1938 .8D85 00200000 lea eax,dword ptr ss:
00AE193E .50 push eax
00AE193F .E8 CC0EFBFF call WinRAR.00A92810
00AE1944 .8D8D 00200000 lea ecx,dword ptr ss:
00AE194A .8D51 02 lea edx,dword ptr ds:
00AE194D .8D49 00 lea ecx,dword ptr ds:
00AE1950 >66:8B01 mov ax,word ptr ds:
00AE1953 .83C1 02 add ecx,0x2
00AE1956 .66:85C0 test ax,ax
00AE1959 .^ 75 F5 jnz short WinRAR.00AE1950
00AE195B .2BCA sub ecx,edx
00AE195D .D1F9 sar ecx,1
00AE195F .51 push ecx
00AE1960 .8D85 00200000 lea eax,dword ptr ss:
00AE1966 .50 push eax
00AE1967 .68 EAFFB400 push WinRAR.00B4FFEA
00AE196C .E8 DF45FBFF call WinRAR.00A95F50
00AE1971 .85C0 test eax,eax
00AE1973 .0F84 80000000 je WinRAR.00AE19F9
00AE1979 .68 20DDB100 push WinRAR.00B1DD20 ; /MapName = "RarArchiveWideName"
00AE197E .68 00100000 push 0x1000 ; |MaximumSizeLow = 0x1000
00AE1983 .6A 00 push 0x0 ; |MaximumSizeHigh = 0x0
00AE1985 .68 04000008 push 0x8000004 ; |Protection = PAGE_READWRITE|SEC_COMMIT
00AE198A .6A 00 push 0x0 ; |pSecurity = NULL
00AE198C .6A FF push -0x1 ; |hFile = FFFFFFFF
00AE198E .FF15 9843B100 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileMappingW
00AE1994 .8BF8 mov edi,eax
00AE1996 .85FF test edi,edi
00AE1998 .74 5C je short WinRAR.00AE19F6
00AE199A .68 00100000 push 0x1000 ; /MapSize = 1000 (4096.)
00AE199F .6A 00 push 0x0 ; |OffsetLow = 0x0
00AE19A1 .6A 00 push 0x0 ; |OffsetHigh = 0x0
00AE19A3 .6A 02 push 0x2 ; |AccessMode = FILE_MAP_WRITE
00AE19A5 .57 push edi ; |hMapObject = NULL
00AE19A6 .FF15 A043B100 call dword ptr ds:[<&KERNEL32.MapViewOfF>; \MapViewOfFile
00AE19AC .8BF0 mov esi,eax
00AE19AE .68 00080000 push 0x800
00AE19B3 .56 push esi
00AE19B4 .68 EAFFB400 push WinRAR.00B4FFEA
00AE19B9 .B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE19BE .E8 8DF6F5FF call WinRAR.00A41050
00AE19C3 .56 push esi ; /BaseAddress = 00DBCB64
00AE19C4 .FF15 9C43B100 call dword ptr ds:[<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
00AE19CA .68 F164E97A push 0x7AE964F1 ; /lParam = 0x7AE964F1
00AE19CF .68 5EAC89D4 push 0xD489AC5E ; |wParam = 0xD489AC5E
00AE19D4 .68 01800000 push 0x8001 ; |Message = MSG(0x8001)
00AE19D9 .FF75 E8 push dword ptr ss: ; |hWnd = 0xDBCBB0
00AE19DC .FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
00AE19E2 .85C0 test eax,eax
00AE19E4 .0f95c3 setne bl
00AE19E7 .57 push edi ; /hObject = NULL
00AE19E8 .FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
00AE19EE .84DB test bl,bl
00AE19F0 .0F85 B8010000 jnz WinRAR.00AE1BAE
00AE19F6 >8B7D E8 mov edi,dword ptr ss:
00AE19F9 >68 EAFFB400 push WinRAR.00B4FFEA
00AE19FE .B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE1A03 .E8 68FFF5FF call WinRAR.00A41970
00AE1A08 .84C0 test al,al
00AE1A0A 0F84 9E010000 je WinRAR.00AE1BAE
00AE1A10 .803D D491B300>cmp byte ptr ds:,0x0
00AE1A17 .75 17 jnz short WinRAR.00AE1A30
00AE1A19 .833D BC91B300>cmp dword ptr ds:,0x0
00AE1A20 .0F84 77010000 je WinRAR.00AE1B9D
00AE1A26 .B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE1A2B .E8 302EF6FF call WinRAR.00A44860
00AE1A30 >8A5D EF mov bl,byte ptr ss:
00AE1A33 >57 push edi
00AE1A34 .68 00000100 push 0x10000
00AE1A39 .68 B038AD00 push WinRAR.00AD38B0
00AE1A3E .E8 DEAC0100 call WinRAR.00AFC721
00AE1A43 .83C4 0C add esp,0xC
00AE1A46 .FF35 AC81B300 push dword ptr ds: ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1A4C .FF15 C445B100 call dword ptr ds:[<&USER32.IsWindowVisi>; \IsWindowVisible
00AE1A52 .85C0 test eax,eax
00AE1A54 .75 0E jnz short WinRAR.00AE1A64
00AE1A56 .85FF test edi,edi
00AE1A58 .0f95c0 setne al
00AE1A5B .0FB6C0 movzx eax,al
00AE1A5E .50 push eax
00AE1A5F .E8 CCF5FFFF call WinRAR.00AE1030
00AE1A64 >FF35 AC81B300 push dword ptr ds: ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1A6A .FF15 0C45B100 call dword ptr ds:[<&USER32.UpdateWindow>; \UpdateWindow
00AE1A70 .84FF test bh,bh
00AE1A72 .74 27 je short WinRAR.00AE1A9B
00AE1A74 .84DB test bl,bl
00AE1A76 .74 23 je short WinRAR.00AE1A9B
00AE1A78 .68 704BB100 push WinRAR.00B14B70 ;UNICODE "Setup"
00AE1A7D .E8 0E00FCFF call WinRAR.00AA1A90
00AE1A82 .84C0 test al,al
00AE1A84 .75 15 jnz short WinRAR.00AE1A9B
00AE1A86 .68 844CB100 push WinRAR.00B14C84 ;UNICODE ".rar"
00AE1A8B .E8 8096F5FF call WinRAR.00A3B110
00AE1A90 .84C0 test al,al
00AE1A92 .75 07 jnz short WinRAR.00AE1A9B
00AE1A94 .6A 06 push 0x6
00AE1A96 .E8 65B2F2FF call WinRAR.00A0CD00
00AE1A9B >6A 00 push 0x0
00AE1A9D .68 1855B100 push WinRAR.00B15518 ;UNICODE "ExportedSettings"
00AE1AA2 .68 7C48B100 push WinRAR.00B1487C
00AE1AA7 .E8 E421FCFF call WinRAR.00AA3C90
00AE1AAC .85C0 test eax,eax
00AE1AAE .74 05 je short WinRAR.00AE1AB5
00AE1AB0 .E8 7B92F2FF call WinRAR.00A0AD30
00AE1AB5 >6A 00 push 0x0
00AE1AB7 .6A 01 push 0x1
00AE1AB9 .E8 E238FCFF call WinRAR.00AA53A0
00AE1ABE .6A 00 push 0x0
00AE1AC0 .68 7050B100 push WinRAR.00B15070 ;UNICODE "WizardMode"
00AE1AC5 .68 A44BB100 push WinRAR.00B14BA4 ;UNICODE "General"
00AE1ACA .E8 C121FCFF call WinRAR.00AA3C90
00AE1ACF .85C0 test eax,eax
00AE1AD1 .74 24 je short WinRAR.00AE1AF7
00AE1AD3 .FF35 AC81B300 push dword ptr ds:
00AE1AD9 .E8 E2390000 call WinRAR.00AE54C0
00AE1ADE .84C0 test al,al
00AE1AE0 .74 15 je short WinRAR.00AE1AF7
00AE1AE2 .833D BC91B300>cmp dword ptr ds:,0x0
00AE1AE9 .75 0C jnz short WinRAR.00AE1AF7
00AE1AEB .FF35 AC81B300 push dword ptr ds: ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1AF1 .FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
00AE1AF7 >6A 00 push 0x0
00AE1AF9 .6A 00 push 0x0
00AE1AFB .E8 00F0FFFF call WinRAR.00AE0B00
00AE1B00 .84C0 test al,al
00AE1B02 .^ 75 F3 jnz short WinRAR.00AE1AF7
00AE1B04 .6A 01 push 0x1
00AE1B06 .6A 00 push 0x0
00AE1B08 .6A 00 push 0x0
00AE1B0A .E8 7187FEFF call WinRAR.00ACA280
00AE1B0F .B9 34A3B300 mov ecx,WinRAR.00B3A334
00AE1B14 .E8 C7080000 call WinRAR.00AE23E0
00AE1B19 .E8 A21EFFFF call WinRAR.00AD39C0
00AE1B1E .C605 D592B300>mov byte ptr ds:,0x1
00AE1B25 .FF35 F8A2B300 push dword ptr ds: ; /hEvent = 00000238 (window)
00AE1B2B .FF15 9441B100 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
00AE1B31 .33F6 xor esi,esi
00AE1B33 .8B3D 5043B100 mov edi,dword ptr ds:[<&KERNEL32.Sleep>] ;KERNEL32.Sleep
00AE1B39 .8DA424 000000>lea esp,dword ptr ss:
00AE1B40 >833D F0A2B300>cmp dword ptr ds:,0x0
00AE1B47 .7E 0D jle short WinRAR.00AE1B56
00AE1B49 .6A 64 push 0x64
00AE1B4B .FFD7 call edi
00AE1B4D .4E dec esi
00AE1B4E .81FE C8000000 cmp esi,0xC8
00AE1B54 .^ 7C EA jl short WinRAR.00AE1B40
00AE1B56 >FF35 F8A2B300 push dword ptr ds: ; /hObject = 00000238 (window)
00AE1B5C .FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
00AE1B62 .833D CC92B300>cmp dword ptr ds:,0x0
00AE1B69 .0F84 0B010000 je WinRAR.00AE1C7A
00AE1B6F .83C8 FF or eax,-0x1
00AE1B72 .A3 CC92B300 mov dword ptr ds:,eax
00AE1B77 .33F6 xor esi,esi
00AE1B79 .8DA424 000000>lea esp,dword ptr ss:
00AE1B80 >85C0 test eax,eax
00AE1B82 .0F84 10010000 je WinRAR.00AE1C98
00AE1B88 .6A 64 push 0x64
00AE1B8A .FFD7 call edi
00AE1B8C .46 inc esi
00AE1B8D .83FE 0A cmp esi,0xA
00AE1B90 .0F8D 02010000 jge WinRAR.00AE1C98
00AE1B96 .A1 CC92B300 mov eax,dword ptr ds:
00AE1B9B .^ EB E3 jmp short WinRAR.00AE1B80
00AE1B9D >FF35 AC81B300 push dword ptr ds: ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1BA3 .FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
00AE1BA9 .^ E9 82FEFFFF jmp WinRAR.00AE1A30
00AE1BAE >E8 FDDDFEFF call WinRAR.00ACF9B0
The "DestroyWindow" call here (there are two of them, closing the main window and the advertising window respectively; if you are not sure which is which, set breakpoints and test) should be the window-closing operation, so the advertising window must be created somewhere above it. Searching upward for the related calls and setting breakpoints will certainly locate the place that brings up the advertising window: it is the call WinRAR.00AA53A0 at 00AE1AB9. From there, look upward for the key conditional jump and see whether the call can be skipped; the call could also simply be NOPed out. The jump at 00AE1AAE, je short WinRAR.00AE1AB5, is changed to jmp 0x00AE1AF7, which jumps straight past the DestroyWindow function.
For the other modification I chose the decompiler Binary Ninja, because its flow-graph layout is sensible and easy to analyze, it uses few system resources, and its right-click "patch" feature is relatively good at editing assembly.
After loading the WinRAR main executable in Binary Ninja, press "G" and enter the address we want to find. The addresses differ from the ones OD shows, so we have to map them ourselves: 00AE1520 corresponds to 004E1520. Jump directly to that location, as shown:
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709233939349-187953922.png
In the listing above we notice a call to the system API IsWindowVisible (which concerns the window's visible attribute) at 00AE1A4C. If this gets called, the license information shown in the title bar is hidden, so we look up 004E1A4C in Binary Ninja and get the following:
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709234803979-1477957008.png
Click the first line of the basic block containing that location, i.e. "push edi {var_18_13}". The "Cross References" window at the bottom left shows two addresses that jump to it; after analysis we decide that the earliest one, 0x4e189a, can have its assembly changed to "jmp 0x4e1a33" (right-click at that location --> "patch" --> "Edit Current Line", as shown):
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709235300022-1007203279.png
After the modification:
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709235308810-652052619.png
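As an added example that is not part of the original post: the offset between OD's addresses and Binary Ninja's exists because OD shows the module at the base where Windows actually loaded it, while Binary Ninja uses the ImageBase recorded in the PE header. The script below reads ImageBase and the section table from a PE header (a minimal header constructed inline, not the real WinRAR file), converts addresses in both directions, and maps a static address to its file offset; the runtime base 0x00A00000 is inferred from the 00AE1520/004E1520 pair given above and is an assumption of the example.

```python
import struct


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (no real code): ImageBase 0x400000
    and one .text section mapped at RVA 0x1000, file offset 0x400."""
    image_base = 0x400000
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    # COFF header: Machine=I386, 1 section, SizeOfOptionalHeader=0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    # Optional header: Magic 0x10B (PE32); ImageBase sits at offset 28
    opt = struct.pack("<H", 0x10B) + b"\x00" * 26 + struct.pack("<I", image_base)
    opt += b"\x00" * (0xE0 - len(opt))
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sect = b".text".ljust(8, b"\x00") + struct.pack("<IIII", 0x100000, 0x1000, 0x100000, 0x400)
    sect += b"\x00" * (40 - len(sect))
    return dos + b"PE\x00\x00" + coff + opt + sect


def parse_pe(data: bytes) -> dict:
    """Return the preferred ImageBase and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize})
    return {"image_base": image_base, "sections": sections}


def runtime_to_static(runtime_va: int, runtime_base: int, image_base: int) -> int:
    """Debugger address (module relocated to runtime_base) -> disassembler address."""
    return runtime_va - runtime_base + image_base


def static_to_runtime(static_va: int, runtime_base: int, image_base: int) -> int:
    """Disassembler address -> address as seen in the debugger."""
    return static_va - image_base + runtime_base


def infer_runtime_base(runtime_va: int, static_va: int, image_base: int) -> int:
    """Recover the runtime load base from one known address pair."""
    return runtime_va - static_va + image_base


def va_to_file_offset(static_va: int, pe: dict) -> int:
    """Map a static VA to the byte offset in the file via the section table."""
    rva = static_va - pe["image_base"]
    for s in pe["sections"]:
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= rva < s["va"] + span:
            return rva - s["va"] + s["raw"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    base = infer_runtime_base(0x00AE1520, 0x004E1520, pe["image_base"])
    print("runtime base 0x%08x" % base)
    print("00AE1A4C -> 0x%08x" % runtime_to_static(0x00AE1A4C, base, pe["image_base"]))
    print("004E1520 at file offset 0x%x" % va_to_file_offset(0x004E1520, pe))
```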
After completing these two steps and saving the changes, we run WinRAR and get the result shown: the program now starts quietly, with no advertising pop-up and no license-expiry reminder in the title bar.
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190710000449314-986337100.png
But don't celebrate too early: if we set the system clock past the software's expiry date and restart WinRAR, the following window still appears, prompting us to purchase a WinRAR license.
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190709225232456-170097229.png
Repeating the sequence of run, pause, view stack, show call, and single-step, we find the code segment below. It contains the advertising link http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=Vpersonal&a=Vpersonal&a=A&src=pe001 as well as RarReminder, the function that reminds the user that the license has expired and must be re-purchased.
00B853A0/$B8 18100000 mov eax,0x1018
00B853A5|.E8 26010500 call WinRAR1.00BD54D0
00B853AA|.A1 341BC100 mov eax,dword ptr ds:
00B853AF|.33C4 xor eax,esp
00B853B1|.898424 141000>mov dword ptr ss:,eax
00B853B8|.803D 74A5C500>cmp byte ptr ds:,0x0
00B853BF|.74 0E je short WinRAR1.00B853CF
00B853C1|.80BC24 201000>cmp byte ptr ss:,0x0
00B853C9|.0F84 08040000 je WinRAR1.00B857D7
00B853CF|>833D ACFBC000>cmp dword ptr ds:,0x0
00B853D6|.56 push esi
00B853D7|.74 1C je short WinRAR1.00B853F5
00B853D9|.B9 98FBC000 mov ecx,WinRAR1.00C0FB98 ;ASCII "8g3#0w1$5r7%2ta"
00B853DE|.E8 1DF9FFFF call WinRAR1.00B84D00
00B853E3|.833D ACFBC000>cmp dword ptr ds:,0x0
00B853EA|.0F84 A1000000 je WinRAR1.00B85491
00B853F0|.E9 88000000 jmp WinRAR1.00B8547D
00B853F5|>68 FD040000 push 0x4FD
00B853FA|.E8 6171FEFF call WinRAR1.00B6C560
00B853FF|.8BF0 mov esi,eax
00B85401|.66:833E 23 cmp word ptr ds:,0x23
00B85405|.75 20 jnz short WinRAR1.00B85427
00B85407|.66:837E 02 23 cmp word ptr ds:,0x23
00B8540C|.75 19 jnz short WinRAR1.00B85427
00B8540E|.8BCE mov ecx,esi
00B85410|.8D51 02 lea edx,dword ptr ds:
00B85413|>66:8B01 /mov ax,word ptr ds:
00B85416|.83C1 02 |add ecx,0x2
00B85419|.66:85C0 |test ax,ax
00B8541C|.^ 75 F5 \jnz short WinRAR1.00B85413
00B8541E|.2BCA sub ecx,edx
00B85420|.D1F9 sar ecx,1
00B85422|.83F9 64 cmp ecx,0x64
00B85425|.73 06 jnb short WinRAR1.00B8542D
00B85427|>8B35 1800C100 mov esi,dword ptr ds: ;WinRAR1.00BF9628
00B8542D|>68 00100000 push 0x1000
00B85432|.8D4424 1C lea eax,dword ptr ss:
00B85436|.6A 00 push 0x0
00B85438|.50 push eax
00B85439|.E8 E2250500 call WinRAR1.00BD7A20
00B8543E|.83C4 0C add esp,0xC
00B85441|.8D4424 18 lea eax,dword ptr ss:
00B85445|.68 00100000 push 0x1000
00B8544A|.50 push eax
00B8544B|.8D46 04 lea eax,dword ptr ds:
00B8544E|.50 push eax
00B8544F|.E8 0C07FFFF call WinRAR1.00B75B60
00B85454|.8D4C24 18 lea ecx,dword ptr ss:
00B85458|.8D51 01 lea edx,dword ptr ds:
00B8545B|.EB 03 jmp short WinRAR1.00B85460
00B8545D| 8D49 00 lea ecx,dword ptr ds:
00B85460|>8A01 /mov al,byte ptr ds:
00B85462|.41 |inc ecx
00B85463|.84C0 |test al,al
00B85465|.^ 75 F9 \jnz short WinRAR1.00B85460
00B85467|.2BCA sub ecx,edx
00B85469|.8D4424 18 lea eax,dword ptr ss:
00B8546D|.51 push ecx
00B8546E|.50 push eax
00B8546F|.B9 98FBC000 mov ecx,WinRAR1.00C0FB98 ;ASCII "8g3#0w1$5r7%2ta"
00B85474|.E8 67F4FFFF call WinRAR1.00B848E0
00B85479|.84C0 test al,al
00B8547B|.75 14 jnz short WinRAR1.00B85491
00B8547D|>68 80040000 push 0x480
00B85482|.6A 00 push 0x0
00B85484|.68 98FBC000 push WinRAR1.00C0FB98 ;ASCII "8g3#0w1$5r7%2ta"
00B85489|.E8 92250500 call WinRAR1.00BD7A20
00B8548E|.83C4 0C add esp,0xC
00B85491|>803D B467C400>cmp byte ptr ds:,0x0
00B85498|.53 push ebx
00B85499|.75 12 jnz short WinRAR1.00B854AD
00B8549B|.A1 DC92C100 mov eax,dword ptr ds:
00B854A0|.83F8 28 cmp eax,0x28
00B854A3|.7F 04 jg short WinRAR1.00B854A9
00B854A5|.85C0 test eax,eax
00B854A7|.79 04 jns short WinRAR1.00B854AD
00B854A9|>B3 01 mov bl,0x1
00B854AB|.EB 02 jmp short WinRAR1.00B854AF
00B854AD|>32DB xor bl,bl
00B854AF|>80BC24 241000>cmp byte ptr ss:,0x0
00B854B7|.0F84 EE020000 je WinRAR1.00B857AB
00B854BD|.E8 4EA0FCFF call WinRAR1.00B4F510
00B854C2|.3D 01050000 cmp eax,0x501
00B854C7|.77 10 ja short WinRAR1.00B854D9
00B854C9|.F705 A8FBC000>test dword ptr ds:,0x200
00B854D3|.0F84 FC020000 je WinRAR1.00B857D5
00B854D9|>803D 18FFC000>cmp byte ptr ds:,0x0
00B854E0|.0F84 EF020000 je WinRAR1.00B857D5
00B854E6|.C605 C3FCC000>mov byte ptr ds:,0x0
00B854ED|.C605 C7FDC000>mov byte ptr ds:,0x0
00B854F4|.C605 1700C100>mov byte ptr ds:,0x0
00B854FB|.84DB test bl,bl
00B854FD|.75 14 jnz short WinRAR1.00B85513
00B854FF|.A0 A8FBC000 mov al,byte ptr ds:
00B85504|.24 80 and al,0x80
00B85506|.0FB6C0 movzx eax,al
00B85509|.F7D8 neg eax
00B8550B|.1BC0 sbb eax,eax
00B8550D|.2105 B0FBC000 and dword ptr ds:,eax
00B85513|>32FF xor bh,bh
00B85515|.833D C0FBC000>cmp dword ptr ds:,0x0
00B8551C|.76 50 jbe short WinRAR1.00B8556E
00B8551E|.383D B467C400 cmp byte ptr ds:,bh
00B85524|.75 48 jnz short WinRAR1.00B8556E
00B85526|.6A 00 push 0x0
00B85528|.68 A098BF00 push WinRAR1.00BF98A0 ;UNICODE "RemShown"
00B8552D|.68 306CBF00 push WinRAR1.00BF6C30 ;UNICODE "Interface\Misc"
00B85532|.E8 59E7FFFF call WinRAR1.00B83C90
00B85537|.3B05 C0FBC000 cmp eax,dword ptr ds:
00B8553D|.73 2F jnb short WinRAR1.00B8556E
00B8553F|.40 inc eax
00B85540|.50 push eax
00B85541|.68 A098BF00 push WinRAR1.00BF98A0 ;UNICODE "RemShown"
00B85546|.68 306CBF00 push WinRAR1.00BF6C30 ;UNICODE "Interface\Misc"
00B8554B|.E8 50F3FFFF call WinRAR1.00B848A0
00B85550|.803D C4FBC000>cmp byte ptr ds:,0x0
00B85557|.B7 01 mov bh,0x1
00B85559|.0F84 B8000000 je WinRAR1.00B85617
00B8555F|.68 00010000 push 0x100
00B85564|.68 C4FBC000 push WinRAR1.00C0FBC4 ;ASCII "http://ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85569|.E9 9F000000 jmp WinRAR1.00B8560D
00B8556E|>833D C4FCC000>cmp dword ptr ds:,0x0
00B85575|.76 45 jbe short WinRAR1.00B855BC
00B85577|.84DB test bl,bl
00B85579|.74 41 je short WinRAR1.00B855BC
00B8557B|.6A 00 push 0x0
00B8557D|.68 B498BF00 push WinRAR1.00BF98B4 ;UNICODE "ExpRemShown"
00B85582|.68 306CBF00 push WinRAR1.00BF6C30 ;UNICODE "Interface\Misc"
00B85587|.E8 04E7FFFF call WinRAR1.00B83C90
00B8558C|.3B05 C4FCC000 cmp eax,dword ptr ds:
00B85592|.73 28 jnb short WinRAR1.00B855BC
00B85594|.40 inc eax
00B85595|.50 push eax
00B85596|.68 B498BF00 push WinRAR1.00BF98B4 ;UNICODE "ExpRemShown"
00B8559B|.68 306CBF00 push WinRAR1.00BF6C30 ;UNICODE "Interface\Misc"
00B855A0|.E8 FBF2FFFF call WinRAR1.00B848A0
00B855A5|.803D C8FCC000>cmp byte ptr ds:,0x0
00B855AC|.B7 01 mov bh,0x1
00B855AE|.74 67 je short WinRAR1.00B85617
00B855B0|.68 00010000 push 0x100
00B855B5|.68 C8FCC000 push WinRAR1.00C0FCC8 ;ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B855BA|.EB 51 jmp short WinRAR1.00B8560D
00B855BC|>833D C8FDC000>cmp dword ptr ds:,0x0
00B855C3|.76 52 jbe short WinRAR1.00B85617
00B855C5|.803D B467C400>cmp byte ptr ds:,0x0
00B855CC|.74 49 je short WinRAR1.00B85617
00B855CE|.6A 00 push 0x0
00B855D0|.68 CC98BF00 push WinRAR1.00BF98CC ;UNICODE "RegRemShown"
00B855D5|.68 306CBF00 push WinRAR1.00BF6C30 ;UNICODE "Interface\Misc"
00B855DA|.E8 B1E6FFFF call WinRAR1.00B83C90
00B855DF|.3B05 C8FDC000 cmp eax,dword ptr ds:
00B855E5|.73 30 jnb short WinRAR1.00B85617
00B855E7|.40 inc eax
00B855E8|.50 push eax
00B855E9|.68 CC98BF00 push WinRAR1.00BF98CC ;UNICODE "RegRemShown"
00B855EE|.68 306CBF00 push WinRAR1.00BF6C30 ;UNICODE "Interface\Misc"
00B855F3|.E8 A8F2FFFF call WinRAR1.00B848A0
00B855F8|.803D CCFDC000>cmp byte ptr ds:,0x0
00B855FF|.B7 01 mov bh,0x1
00B85601|.74 14 je short WinRAR1.00B85617
00B85603|.68 00010000 push 0x100
00B85608|.68 CCFDC000 push WinRAR1.00C0FDCC
00B8560D|>68 18FFC000 push WinRAR1.00C0FF18 ;ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85612|.E8 49D1FEFF call WinRAR1.00B72760
00B85617|>FF15 3843BF00 call dword ptr ds:[<&KERNEL32.GetTickCou>; [GetTickCount
00B8561D|.8BC8 mov ecx,eax
00B8561F|.B8 D34D6210 mov eax,0x10624DD3
00B85624|.F7E1 mul ecx
00B85626|.C1EA 06 shr edx,0x6
00B85629|.803D B467C400>cmp byte ptr ds:,0x0
00B85630|.74 08 je short WinRAR1.00B8563A
00B85632|.8B0D BCFBC000 mov ecx,dword ptr ds:
00B85638|.EB 20 jmp short WinRAR1.00B8565A
00B8563A|>84DB test bl,bl
00B8563C|.75 16 jnz short WinRAR1.00B85654
00B8563E|.8B0D B4FBC000 mov ecx,dword ptr ds:
00B85644|.85C9 test ecx,ecx
00B85646|.74 20 je short WinRAR1.00B85668
00B85648|.8BC2 mov eax,edx
00B8564A|.33D2 xor edx,edx
00B8564C|.F7F1 div ecx
00B8564E|.85D2 test edx,edx
00B85650|.75 16 jnz short WinRAR1.00B85668
00B85652|.EB 1C jmp short WinRAR1.00B85670
00B85654|>8B0D B8FBC000 mov ecx,dword ptr ds:
00B8565A|>85C9 test ecx,ecx
00B8565C|.74 0A je short WinRAR1.00B85668
00B8565E|.8BC2 mov eax,edx
00B85660|.33D2 xor edx,edx
00B85662|.F7F1 div ecx
00B85664|.85D2 test edx,edx
00B85666|.74 08 je short WinRAR1.00B85670
00B85668|>84FF test bh,bh
00B8566A|.0F84 65010000 je WinRAR1.00B857D5
00B85670|>55 push ebp
00B85671|.57 push edi
00B85672|.8B3D A8FBC000 mov edi,dword ptr ds:
00B85678|.C1E7 11 shl edi,0x11
00B8567B|.F7D7 not edi
00B8567D|.81E7 00000400 and edi,0x40000
00B85683|.81CF 0000C816 or edi,0x16C80000
00B85689|.F605 A8FBC000>test byte ptr ds:,0x8
00B85690|.75 06 jnz short WinRAR1.00B85698
00B85692|.81CF 00000300 or edi,0x30000
00B85698|>A1 D0FEC000 mov eax,dword ptr ds:
00B8569D|.BD 00000080 mov ebp,0x80000000
00B856A2|.C74424 10 000>mov dword ptr ss:,0x80000000
00B856AA|.8BF5 mov esi,ebp
00B856AC|.8BDE mov ebx,esi
00B856AE|.85C0 test eax,eax
00B856B0|.0F84 90000000 je WinRAR1.00B85746
00B856B6|.833D CCFEC000>cmp dword ptr ds:,0x0
00B856BD|.0F84 83000000 je WinRAR1.00B85746
00B856C3|.50 push eax
00B856C4|.E8 87530200 call WinRAR1.00BAAA50
00B856C9|.8B2D 8C46BF00 mov ebp,dword ptr ds:[<&USER32.GetSystem>;USER32.GetSystemMetrics
00B856CF|.8BF0 mov esi,eax
00B856D1|.6A 21 push 0x21 ; /Index = SM_CYFRAME
00B856D3|.FFD5 call ebp ; \GetSystemMetrics
00B856D5|.6A 04 push 0x4 ; /Index = SM_CYCAPTION
00B856D7|.8D1C46 lea ebx,dword ptr ds: ; |
00B856DA|.FFD5 call ebp ; \GetSystemMetrics
00B856DC|.03D8 add ebx,eax
00B856DE|.F605 A8FBC000>test byte ptr ds:,0x40
00B856E5|.75 0C jnz short WinRAR1.00B856F3
00B856E7|.F705 A8FBC000>test dword ptr ds:,0x100
00B856F1|.75 06 jnz short WinRAR1.00B856F9
00B856F3|>031D 70A5C500 add ebx,dword ptr ds:
00B856F9|>FF35 CCFEC000 push dword ptr ds:
00B856FF|.E8 FC520200 call WinRAR1.00BAAA00
00B85704|.6A 20 push 0x20
00B85706|.8BF0 mov esi,eax
00B85708|.FFD5 call ebp
00B8570A|.6A 00 push 0x0 ; /UpdateProfile = 0
00B8570C|.8D3446 lea esi,dword ptr ds: ; |
00B8570F|.8D4424 18 lea eax,dword ptr ss: ; |
00B85713|.50 push eax ; |pParam = NULL
00B85714|.6A 00 push 0x0 ; |wParam = 0x0
00B85716|.6A 30 push 0x30 ; |Action = SPI_GETWORKAREA
00B85718|.FF15 8C44BF00 call dword ptr ds:[<&USER32.SystemParame>; \SystemParametersInfoW
00B8571E|.8B4424 1C mov eax,dword ptr ss:
00B85722|.3BF0 cmp esi,eax
00B85724|.7C 02 jl short WinRAR1.00B85728
00B85726|.8BF0 mov esi,eax
00B85728|>2BC6 sub eax,esi
00B8572A|.99 cdq
00B8572B|.2BC2 sub eax,edx
00B8572D|.D1F8 sar eax,1
00B8572F|.894424 10 mov dword ptr ss:,eax
00B85733|.8B4424 20 mov eax,dword ptr ss: ;WinRAR1.00C4D45D
00B85737|.3BD8 cmp ebx,eax
00B85739|.7C 02 jl short WinRAR1.00B8573D
00B8573B|.8BD8 mov ebx,eax
00B8573D|>2BC3 sub eax,ebx
00B8573F|.99 cdq
00B85740|.2BC2 sub eax,edx
00B85742|.8BE8 mov ebp,eax
00B85744|.D1FD sar ebp,1
00B85746|>68 00010000 push 0x100
00B8574B|.68 18FFC000 push WinRAR1.00C0FF18 ;ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85750|.E8 3BF3FFFF call WinRAR1.00B84A90
00B85755|.6A 00 push 0x0 ; /lParam = NULL
00B85757|.FF35 04F0C400 push dword ptr ds: ; |hInst = 00AE0000
00B8575D|.6A 00 push 0x0 ; |hMenu = NULL
00B8575F|.6A 00 push 0x0 ; |hParent = NULL
00B85761|.53 push ebx ; |Height = 902DC (590556.)
00B85762|.56 push esi ; |Width = 0x0
00B85763|.55 push ebp ; |Y = 5FA518 (6268184.)
00B85764|.FF7424 2C push dword ptr ss: ; |X = 0x0
00B85768|.57 push edi ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|3FE
00B85769|.68 6C71BF00 push WinRAR1.00BF716C ; |WindowName = "WinRAR"
00B8576E|.68 E498BF00 push WinRAR1.00BF98E4 ; |Class = "RarReminder"
00B85773|.6A 00 push 0x0 ; |ExtStyle = 0
00B85775|.FF15 A045BF00 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
00B8577B|.F605 A8FBC000>test byte ptr ds:,0x1
00B85782|.5F pop edi ;USER32.76CD87ED
00B85783|.5D pop ebp ;USER32.76CD87ED
00B85784|.74 13 je short WinRAR1.00B85799
00B85786|.6A 03 push 0x3 ; /Flags = SWP_NOSIZE|SWP_NOMOVE
00B85788|.6A 00 push 0x0 ; |Height = 0x0
00B8578A|.6A 00 push 0x0 ; |Width = 0x0
00B8578C|.6A 00 push 0x0 ; |Y = 0x0
00B8578E|.6A 00 push 0x0 ; |X = 0x0
00B85790|.6A FF push -0x1 ; |InsertAfter = HWND_TOPMOST
00B85792|.50 push eax ; |hWnd = NULL
00B85793|.FF15 B845BF00 call dword ptr ds:[<&USER32.SetWindowPos>; \SetWindowPos
00B85799|>833D C091C100>cmp dword ptr ds:,0x0
00B857A0|.74 33 je short WinRAR1.00B857D5
00B857A2|.C605 74A5C500>mov byte ptr ds:,0x1
00B857A9|.EB 2A jmp short WinRAR1.00B857D5
00B857AB|>84DB test bl,bl
00B857AD|.74 26 je short WinRAR1.00B857D5
00B857AF|.6A 00 push 0x0 ; /lParam = NULL
00B857B1|.68 10C2BB00 push WinRAR1.00BBC210 ; |DlgProc = WinRAR1.00BBC210
00B857B6|.C605 74A5C500>mov byte ptr ds:,0x1 ; |
00B857BD|.FF15 F444BF00 call dword ptr ds:[<&USER32.GetFocus>] ; |[GetFocus
00B857C3|.50 push eax ; |hOwner = NULL
00B857C4|.68 FC98BF00 push WinRAR1.00BF98FC ; |pTemplate = "REMINDER"
00B857C9|.FF35 00F0C400 push dword ptr ds: ; |hInst = 00AE0000
00B857CF|.FF15 C845BF00 call dword ptr ds:[<&USER32.DialogBoxPar>; \DialogBoxParamW
00B857D5|>5B pop ebx ;USER32.76CD87ED
00B857D6|.5E pop esi ;USER32.76CD87ED
00B857D7|>8B8C24 141000>mov ecx,dword ptr ss:
00B857DE|.33CC xor ecx,esp
00B857E0|.E8 D7FC0400 call WinRAR1.00BD54BC
00B857E5|.81C4 18100000 add esp,0x1018
00B857EB\.C2 0800 retn 0x8
After analysis, two jumps need attention: the jumps on lines 7 and 9 from the start of the function. NOP out the jump on line 7 and change the jump on line 9 to an unconditional jmp; the program's execution flow then skips both the advertising link and the re-purchase-license window.
7 00B853BF|.74 0E je short WinRAR1.00B853CF
8 00B853C1|.80BC24 201000>cmp byte ptr ss:,0x0
9 00B853C9|.0F84 08040000 je WinRAR1.00B857D7
After making the modifications, right-click and in the pop-up menu choose "Copy to executable" --> "All modifications" --> "Copy".
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190710070903313-1083251185.png
Then right-click in the new window and choose "Save file" to save the changes.
https://img2018.cnblogs.com/blog/1578668/201907/1578668-20190710071110974-1826266975.png
The whole world is finally quiet; this old monk will go back to his meditation ^_^!!!!
Appendix: a few system functions worth sharing.
CreateWindowEx function:https://msdn.microsoft.com/zh-cn/vstudio/ms632680(v=vs.90)
DestroyWindow function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-destroywindow
IsWindowVisible function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-iswindowvisible
There is also a keygen written by an expert: https://www.52pojie.cn/thread-984747-1-1.html
神秘来宾 posted on 2019-7-10 08:47:
Is it possible to crack the password of a WinRAR-encrypted archive?
https://github.com/hyc/fcrackzip
A cracking tool written by a German.
神秘来宾 posted on 2019-7-10 08:47:
Is it possible to crack the password of a WinRAR-encrypted archive?
Those two work on completely different principles.
Bump for the OP.
Just here to watch the OP; the pop-ups when it's not activated are really annoying.
Learning something, thanks to the OP for sharing.
It would be nice if there were a 64-bit version.
Is it possible to crack the password of a WinRAR-encrypted archive?
Showing support; a newbie like me will just have a look.
Thanks to the OP for sharing, showing support!
Just how green is the OP...