WinRAR is one of the most widely used programs around. Since it is not free software, once the trial period expires a registration dialog pops up every time you open WinRAR, which is annoying. My usual practice has therefore been to download an older, already cracked version of WinRAR (the latest release is often slow to be cracked), so anyone who wants the newest build has to wait a while.
I recently read "Hacker Disassembly and Decryption (2nd edition)", which introduces the basic method for cracking WinRAR. The old version discussed in the book, however, is WinRAR 3.42. Using the method described there together with my own understanding, I cracked the latest version, WinRAR 4.01, and I did not want to keep it to myself, so I am recording the cracking method here for readers.
Required tools
1. IDA Pro
Currently the best static disassembler and an essential tool for any hacker. Unfortunately it is paid software; cracked copies do exist, but they are older releases. I use the latest trial version, which has all the basic features we need here.
2. Hiew
The well-known hex editor: small but powerful. It can also disassemble a file and lets you modify the original file directly by typing assembly instructions, which is very convenient.
3. Kerberos API spy
An API tracing tool that records every API function called while a program runs, which helps us quickly locate the key points in the program.
Cracking Method
First download WinRAR 4.01 from the Huawei Software Park. After installing it, set the system clock forward by 40 days: a fresh WinRAR installation can be used free for 40 days, and once the trial period is over the purchase dialog pops up. That dialog is our point of entry.
We want to use the Kerberos API spy to find the system API that displays the purchase dialog. Several APIs can create a dialog box (CreateDialog, DialogBox, MessageBox and so on), so which one did the WinRAR developers use? The API spy will tell us.
Before running the spy, configure its filter so that it discards API calls that carry no useful information. Open the ke_spy.txt file and comment out the following functions: TlsGetValue, DefWindowProcA, DispatchMessageA, GetFocus, GetMessageA, SendMessageA, SendMessageW, TranslateAcceleratorA, expires, and TranslateMessage. To comment out a function, insert a semicolon (;) in front of its name. To reduce the noise further, click "Option" and tick the "Report only .EXE calls" check box: this example then collects only the API calls made from winrar.exe itself, not those made from the DLLs it loads. Nothing breaks if you skip this step, but the report file becomes large and hard to analyse.
Now click the "Browse" button, point it at the winrar.exe path, and click the "Inject" button. The WinRAR window appears.
Once the spy is injected, a bare WinRAR window appears in front of us. Do not assume something went wrong. Wait patiently for 2-3 seconds, close WinRAR, and open the WinRAR.rep file, which is saved in the WinRAR installation directory.
The most convenient way to inspect the report file is to start from the end. The registration pop-up is the last thing displayed after the interface has been initialised, so the call to DialogBoxParamW that shows the "Reminder" dialog is easy to find near the bottom: it is the function that creates the registration pop-up.
Part of the report file generated by the Kerberos API spy:
The API spy even displays the return address of that call, 00498f27, which leads straight to the protection code. Let us look at this code in the disassembler. Start IDA Pro, open winrar.exe, press "G" (jump to address), enter the return address (00498f27) and press Enter, as shown in the figure.
You can see the call to DialogBoxParamW; the disassembly leading up to it is shown below:
.text:00498e95 cmp dword_4ea434, 0 ; jumptable 00498e21 case 2
.text:00498e9c jnz loc_498f27
.text:00498ea2 push 400h
.text:00498ea7 lea eax, [esp+0bb0h+widecharstr]
.text:00498eae push eax
.text:00498eaf mov ecx, offset unk_4f0dd0
.text:00498eb4 call sub_4130a0
.text:00498eb9 cmp byte_5150f8, 0
.text:00498ec0 jnz short loc_498f27
.text:00498ec2 cmp byte_4d446f, 0
.text:00498ec9 jnz short loc_498f27
.text:00498ecb cmp byte_4d70a0, 0
.text:00498ed2 jnz short loc_498f27
.text:00498ed4 push 6 ; int
.text:00498ed6 push offset aRarkey ; "rarkey"
.text:00498edb lea ecx, [esp+0bb4h+widecharstr]
.text:00498ee2 push ecx
.text:00498ee3 call sub_451c20
.text:00498ee8 push eax ; lpString1
.text:00498ee9 call sub_473650
.text:00498eee test eax, eax
.text:00498ef0 jz short loc_498f27
.text:00498ef2 mov eax, dword_4ea428
.text:00498ef7 cmp eax, 28h
.text:00498efa jg short loc_498f00
.text:00498efc test eax, eax
.text:00498efe jge short loc_498f27
.text:00498f00
.text:00498f00 loc_498f00: ; CODE XREF: sub_498700+7fa↑j
.text:00498f00 push 0 ; dwInitParam
.text:00498f02 push offset sub_4941b0 ; lpDialogFunc
.text:00498f07 mov byte_5150f8, 1
.text:00498f0e call ds:GetFocus
.text:00498f14 mov edx, dword_4d76b0
.text:00498f1a push eax ; hWndParent
.text:00498f1b push offset aReminder ; "Reminder"
.text:00498f20 push edx ; hInstance
.text:00498f21 call ds:DialogBoxParamW
As you can see, the code falls through to the dialog only when the following two instructions take the jump:
.text:00498ef7 cmp eax, 28h
.text:00498efa jg short loc_498f00
If eax is greater than 28h, execution jumps to the DialogBoxParamW call. 28h is 40 in decimal, exactly the length of the trial period, so the meaning of the variable dword_4ea428 is now clear: it holds the number of days since the program was installed. Note the two instructions after the jg as well: if the day count is not above 40 but is negative, the test eax, eax / jge pair does not skip the dialog either, so simply winding the system clock backwards past the installation date does not silence the reminder.
The protection mechanism has been found. What next? To stop the "register" reminder from ever appearing, replace cmp eax, 28h (83 F8 28) with xor eax, eax / nop (33 C0 / 90). The eax register is then always zero regardless of the current date: the jg is not taken, and the following test eax, eax / jge short loc_498f27 jumps past the dialog. The nop is there to keep the instruction length the same: cmp eax, 28h occupies three bytes while xor eax, eax is only two, so without the padding the following instruction would be shifted.
Start Hiew and open winrar.exe. The initial view is a hex dump; press Enter twice to switch to disassembly (decode) mode. Then press F5 (Goto) and enter the address of the cmp instruction as .498ef7. The leading period is mandatory: it tells Hiew that the value is a virtual address rather than an offset in the file. Press F3 to enter assembly editing mode, then press Enter to type the replacement instructions. In the dialog that appears enter xor eax, eax <Enter>, nop <Enter>, then press F9 to write the result to the file, as shown in the figure, and exit.
Now start WinRAR and see what happens. This time the annoying registration window no longer appears. The whole cracking process took less than 10 minutes.
Forced Registration
The registration window has been blocked, but the software is still not registered: the window title honestly tells you that this is an evaluation copy, and selecting "About" from the "Help" menu reports a 40-day trial. The trial version has no functional limits, but it still feels awkward.
WinRAR registration is implemented through a key file that carries a digital signature. The signature is generated cryptographically so that a tampered key is rejected, which makes forging a key file practically impossible. What we actually want, though, is just to set the "registered" flag. To find that flag, go back to the key instruction cmp eax, 28h.
We focus on the operands of the instructions above cmp eax, 28h. You may ask how I know which operand to look at. Honestly, I did not know in advance which one was the key to the crack; it took a good deal of guessing and trial and error. But the guesses are not random: IDA Pro's cross-reference feature shows how each variable is used. A cross-reference lists the places in the code segment that read or write a given variable (or call a given function).
In IDA, place the cursor on the variable name, open the context menu and select "Jump to xref" (jump to cross reference), or simply press the "X" key; the window shown in the figure appears.
The program contains a large number of cross references, each marked as a read (r) or write (w). Select a row in the cross-reference list and double-click it to jump to the corresponding position in the code.
I will not list the operands I tried and discarded; I will just tell you where the key one is. It is this instruction:
.text:00498ecb cmp byte_4d70a0, 0
The cross references of byte_4d70a0 are shown in the figure. Double-click the write (w) reference on the last of the three lines to jump to the relevant code:
The instruction at address 00497034 is a write reference to byte_4d70a0. The code around it reads as follows:
.text:0049702f call sub_41c0d0
.text:00497034 mov byte_4d70a0, al
.text:00497039 test al, al
.text:0049703b jz short loc_497064 ; continue to register
The code first calls sub_41c0d0 and then tests its return value, jumping if it is zero. In fact sub_41c0d0 is the registration validation function. If you are interested, you can go back and see how it validates the key; I will not demonstrate that here.
Now we simply make sub_41c0d0 return a non-zero value.
Start Hiew and press Enter twice to switch to disassembly mode. Press F5 and enter .41c0d0, the first address of the validation function, then press F3 to switch to editing mode and enter the following instructions: <Enter> xor eax, eax <Enter> inc eax <Enter> retn <Esc> (first clear eax to 0, add 1, then return from the function). Press F9 to write the result to the file and exit Hiew.
Start WinRAR to see the effect. The evaluation string has disappeared from the window title, and the About dialog now shows the "Registered to" string, as shown in the figure:
At this point WinRAR 4.01 is completely cracked.
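Both Hiew edits above (the xor eax, eax / nop at .498ef7 and the xor eax, eax / inc eax / retn stub at .41c0d0) come down to the same two mechanical steps: translate a virtual address to a file offset through the PE section table (this is what Hiew's leading "." asks for) and overwrite bytes without changing the instruction length. The script below is an added example that is not part of the original article; it reproduces those steps in Python with the checks a careful patcher wants, namely that the bytes at the address are the expected ones before patching and that the replacement is exactly as long as the original. The instruction encodings are standard x86 (cmp eax,28h = 83 F8 28, xor eax,eax = 33 C0, nop = 90, inc eax = 40, retn = C3). It runs against a constructed dummy PE32 image, not WinRAR; the original bytes of sub_41c0d0 are not given in the article, so the dummy uses a made-up push ebp / mov ebp,esp prologue there and that patch is applied without a byte check.

```python
"""Length-preserving byte patches to a PE file, addressed by virtual address.

Added example, not the article's own code. Input is a constructed dummy PE.
"""
import struct

# (virtual address, bytes expected there or None, replacement bytes)
PATCHES = [
    # 00498EF7: cmp eax,28h (83 F8 28) -> xor eax,eax ; nop (33 C0 90)
    (0x00498EF7, bytes.fromhex("83F828"), bytes.fromhex("33C090")),
    # 0041C0D0: entry of sub_41c0d0 -> xor eax,eax ; inc eax ; retn
    # (original bytes unknown from the article, so not verified)
    (0x0041C0D0, None, bytes.fromhex("33C040C3")),
]


def parse_pe(image):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image, va):
    """Translate a virtual address to a file offset via the section table."""
    image_base, sections = parse_pe(image)
    rva = va - image_base
    for name, srva, vsize, raw_ptr, raw_size in sections:
        if srva <= rva < srva + max(vsize, raw_size):
            delta = rva - srva
            if delta >= raw_size:   # exists in memory only (zero-filled tail)
                raise ValueError("%#x is not backed by file data in %s" % (va, name))
            return raw_ptr + delta
    raise ValueError("%#x is not inside any section" % va)


def apply_patch(image, va, expected, replacement):
    """Overwrite bytes at va; refuse if the original bytes or length differ."""
    off = va_to_file_offset(image, va)
    if expected is not None:
        found = bytes(image[off:off + len(expected)])
        if found != expected:
            raise ValueError("bytes at %#x are %s, expected %s (wrong build or "
                             "already patched)" % (va, found.hex(), expected.hex()))
        if len(replacement) != len(expected):
            raise ValueError("replacement must be %d bytes long; pad with nop (90)"
                             % len(expected))
    image[off:off + len(replacement)] = replacement
    return off


def apply_patches(image, patches=PATCHES):
    """Apply all patches in order and return the file offsets written."""
    return [apply_patch(image, va, exp, new) for va, exp, new in patches]


def build_test_image():
    """Constructed minimal PE32 (dummy data, not WinRAR) with one .text section."""
    IMAGE_BASE, TEXT_RVA, TEXT_RAW, TEXT_SIZE = 0x400000, 0x1000, 0x400, 0x100000
    hdr = bytearray(TEXT_RAW)                  # header area, padded to .text
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)    # e_lfanew
    # PE signature + COFF header: i386, 1 section, 224-byte optional header
    struct.pack_into("<4sHHIIIHH", hdr, 0x80, b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)    # PE32 magic
    struct.pack_into("<III", hdr, opt + 28, IMAGE_BASE, 0x1000, 0x200)
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224, b".text", TEXT_SIZE, TEXT_RVA,
                     TEXT_SIZE, TEXT_RAW, 0, 0, 0, 0, 0x60000020)
    image = hdr + bytearray(b"\xCC" * TEXT_SIZE)   # int3 filler
    # Seed the bytes the article shows at 00498EF7 (cmp eax,28h / jg short +4)
    # and an assumed push ebp / mov ebp,esp prologue at sub_41c0d0.
    for va, data in ((0x498EF7, bytes.fromhex("83F8287F04")),
                     (0x41C0D0, bytes.fromhex("558BEC"))):
        off = va_to_file_offset(image, va)
        image[off:off + len(data)] = data
    return image


if __name__ == "__main__":
    img = build_test_image()
    for (va, _, _), off in zip(PATCHES, apply_patches(img)):
        print("patched VA %#010x at file offset %#x" % (va, off))
```

Running the patch a second time fails on the byte check, which is exactly the behaviour you want: it stops you from applying a patch meant for one build to a different one, or from patching the same file twice. The offset translation refuses addresses that fall in the zero-filled tail of a section (VirtualSize larger than SizeOfRawData), since those bytes exist only in memory and cannot be changed on disk.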
References:
Hacker Disassembly and Decryption (2nd edition)