From: ARTeam
Post: cl0ud

One thing beginner crackers need to learn: how to crack a program based on a specific value that tells the whole program (in many different ways) whether it is registered or not.
This method of cracking is very efficient, it can save you time, and the concept works on many programs!
This is a perfect example of what to do and what I mean. I hope you all enjoy!
How to Crack WinRAR Using the Registration Byte Patch Method (every 3.xx version)
Tutorial by cl0ud/mephist0
I used WinRAR 3.80 beta 5 for this small tutorial.
Programs needed:
WinRAR, OllyDbg, and a hex editor (or you can just save the patches to file from Olly).
1.) Load WinRAR.exe in OllyDbg.
2.) In Olly, right-click in the CPU window and click: Search For > All Referenced Text Strings.
This takes you to the References window. From here you can see all the text strings inside the EXE file and the addresses from which they are used. If you take a moment you can find the strings (near the bottom) "RARKEY" and "RARREG.KEY". Once found, double-click one and it will take you to the instruction referencing the text. (This is how you can find the proper patch location in later versions.)
3.) Here is where the registration proc is first called:
CODE
00440CC7 . E8 FC8C0600   CALL <JMP.&KERNEL32.GetLocalTime>
00440CCC . 33C0          XOR EAX,EAX                          ; just clearing the EAX register for the registration proc
00440CCE . E8 ADA60400   CALL RegistrationProc@.0048B380      ; ** CALL to the registration check proc, to see if registered
00440CD3 . A2 F4B84B00   MOV BYTE PTR DS:[4BB8F4],AL          ; ** THE registration byte (tells whether it is registered or not)
00440CD8 . 33C0          XOR EAX,EAX
OK, the REGISTRATION BYTE holds the key: if it is 1, the program is registered; if it is 0, the program is NOT registered.
This is what gets called: the registration proc start. It tests whether the program is registered or trial.
CODE
0048B380   55              PUSH EBP                            ; *** registration check proc start
0048B381   8BEC            MOV EBP,ESP
0048B383   81C4 04F0FFFF   ADD ESP,-0FFC
0048B389 . 50              PUSH EAX
0048B38A . 81C4 E4FEFFFF   ADD ESP,-11C
0048B390 . 53              PUSH EBX
0048B391 . 56              PUSH ESI
0048B392 . 57              PUSH EDI
0048B393 . 8BD8            MOV EBX,EAX
0048B395 . B8 586D4B00     MOV EAX,WinRAR.004B6D58
0048B39A . E8 654E0100     CALL WinRAR.004A0204
0048B39F . 8BC3            MOV EAX,EBX
0048B3A1 . E8 2A40F8FF     CALL WinRAR.0040F3D0
0048B3A6 . 84C0            TEST AL,AL
0048B3A8   74 14           JE SHORT WinRAR.0048B3BE
0048B3AA . B0 01           MOV AL,1
0048B3AC . 8B95 E4FEFFFF   MOV EDX,DWORD PTR SS:[EBP-11C]
0048B3B2 . 64:8915 000000> MOV DWORD PTR FS:[0],EDX
0048B3B9 . E9 57010000     JMP WinRAR.0048B515
0048B3BE > 8D8D E4EEFFFF   LEA ECX,DWORD PTR SS:[EBP-111C]     ; just checking if the registry keys exist... blah...
0048B3C4 . BA B8684B00     MOV EDX,WinRAR.004B68B8             ; ASCII "Software\WinRAR"
0048B3C9 . 51              PUSH ECX
0048B3CA . 6A 00           PUSH 0
0048B3CC . 68 FF0F0000     PUSH 0FFF
0048B3D1 . B9 C8684B00     MOV ECX,WinRAR.004B68C8             ; ASCII "rarkey"
4.) Here is the CALL to the registration check, and the registration byte:
CODE
00440CCE . E8 ADA60400   CALL RegistrationProc@.0048B380      ; ** CALL to the registration check proc, to see if registered
You COULD just patch the CALL RegistrationProc to MOV EAX,1, but that is NOT safe, as other parts of the EXE may call the registration proc to keep checking whether it is registered.
The MOV BYTE PTR DS:[4BB8F4],AL instruction holds the registration byte address, [4BB8F4]. If the byte at [4BB8F4] is 0, the program is not registered.
The instruction moves the byte in AL into the address [4BB8F4].
So we need to make a MOV AL,1 patch at the registration check proc start, and the program will be registered!
(The AL register is the 16-bit version of the EAX register, or something like that.)
This patch makes AL (or EAX) = 1 and then returns to the calling code; it doesn't process any of the registration check code!
So make the patch, and now the program will be completely REGISTERED! Plus, you can use this on any 3.xx version of WinRAR.
And this is how to crack using the registration byte method. The concept is the same in a lot of popular programs.
(Actually, there is one other thing. If you make a RAR archive and click "Put Authenticity Verification", you will get a message saying "Only available in registered version." This can be easily patched by setting a BP on MessageBoxA and returning 2 or 3 times; you will see a jump right above where you returned to, so just patch it to jump always.)
CODE
0044765D |. E8 2A290600   CALL <JMP.&USER32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00447662 |. 85C0          TEST EAX,EAX
00447664 |. 74 11         JE SHORT WinRAR.00447677              ; make this jump always :)
00447666 |. 8BC3          MOV EAX,EBX
00447668 |. E8 4B9B0300   CALL WinRAR.004811B8                  ; sends the unregistered message
0044766D |. 6A 00         PUSH 0
Final notes:
This method of cracking is flawless, and it is a widely used, logical method.
This tutorial should help you learn this universal concept of cracking.
I made this tutorial specifically for educational purposes and as a contribution to ARTeam.
Enjoy!! (Sorry about the fast and sloppy job; I was cracking WinRAR as I wrote this.)