Extreme Hacking
Advanced Ethical Hacking Institute in Pune

Hey guys,

Today I’ll be showing you how to crack WinRAR. I was storing some files on my webserver and my WinRAR license was past its due date (by a really long time), and the nag screen annoyed me as fuck. That’s why I decided to reverse engineer it and write a tutorial about it.

Now if you are on 32-bit you can use OllyDBG; if you are on 64-bit you need to use another debugger.

The reason different architectures (32/64-bit) require different debuggers is the distribution of our target. WinRAR has a 32-bit and a 64-bit installer, whereas the previous target (Internet Download Manager) only has a 32-bit installer. 32-bit applications run fine on 64-bit, but not vice versa. Olly can’t handle 64-bit applications, and if you try to load the 64-bit WinRAR into Olly it will probably tell you that it couldn’t load the file.

I’ll be using x64dbg, but if you are on 32-bit and using Olly the steps shouldn’t differ much (the two debuggers look very much alike).

First, we start again by analyzing the target. I don’t really want to activate it, as that would probably take a lot longer, and besides, I just want to get rid of the nag screen.

[Image: 1334962946.or.91385.jpg]

I couldn’t find any registration form, just some buttons that led me to the purchase page. So I fired up Google and started looking for license keys, and I found out that if you purchase a key you get a file named ‘rarkey.key’ or ‘rarreg.txt’. This tells us the target handles multiple license formats, which we can and will exploit. Let’s take ‘rarkey.key’.

Attach your debugger to the WinRAR process and make sure you are in the winrar.exe module.
Right click -> Search For -> String References.

[Image: r2QSN4y.png]

This will pop up a list of all strings occurring in the WinRAR.exe module.
To move on, let’s search for ‘rarkey’. These are my results (yours should be the same except for the addresses):
[Image: BWtD5c8.png]

Let’s check them all. One leads to:
[Image: BxVbj3G.png]

This looks like the function is trying to find any of the allowed file formats. Nothing we can use. Let’s take a look at the next one:

[Image: 5QYiyf4.png]

Oh! That looks alright. It seems like call 13F136D20 is the method that parses the license key, meaning that the JE 13F197D3B after it decides whether the license is valid or not. Interesting. Note that the JE instruction jumps over a call, which could be the function where the nag screen is located: call 13F169968. We still have two more strings to check, though, so let’s continue.
You might already have noticed from the small difference between the last two addresses that they are really close to each other:
[Image: ccikY5E.png]

I tried figuring out what that function is used for, but I noticed it isn’t executed at all. It could be some testing code or just there to brainfuck reversers, but as long as the code won’t get executed we can leave it there and have no worries about it.

Okay, let’s get back to our only useful find:
[Image: 5QYiyf4.png]

If you put a breakpoint there and resume (F9) the program, you notice that the breakpoint is hit within a second. This usually means the function we are in runs inside a thread, which matches the behaviour of the nag screen. Let’s follow the code (step over, F8):
[Image: KmDDHNG.png]

As you can see, the jump (JE) wasn’t taken and we are going to execute the function located at 0x13F169968. Make sure you are standing on the call instruction (as in the screenshot: the address on the left side is black at the call instruction, which means that is where we currently are). Then press F7 to step into the call. Step over some more instructions and you will see a few JEs.
[Image: KmDDHNG.png]

The second JE jumps all the way down to the end of the function. If you put a breakpoint on the first JE and run the program again (F9) you will notice it keeps getting hit. Whenever it hits the breakpoint and you press F9 again, it instantly hits the breakpoint again. That means we are still in the thread. After putting the breakpoint I noticed that 9 out of 10 times the second JE is taken to the end of the method. If you have used WinRAR for a while you know that the nag screen appears randomly, so my guess would be that this is the right method. Also, when you look through the method you will see strings like ‘reminder’, and you will see the link that is shown on the nag screen.

To test whether we have the right method, you can change the opcode of the second JE to JNE. Now whenever you resume the program and get past the breakpoint a nag screen will appear! If you want it to stop (it will keep opening a nag screen every second), change it back to JE.

The patch is fairly simple. If it’s JNZ it will always show the nag screen, except in the cases where it actually should show it (the 1 in 10 times). If it’s JE it will only show the nag screen sometimes, but still enough for it to annoy the fuck out of us. But we don’t want to see it 9/10 or 1/10 times, we don’t want to see it at all. Meaning we have to change (don’t do it yet!) JE to JMP. JMP (jump) means that it will always take the jump, no matter what, and that means we will never have to see the nag again :).

If you inspected the first JE you would notice that it jumps past the second JE. Hmm, that’s unexpected behaviour, as it would skip our patch. Again, the solution to this is also very simple:

The original code (don’t copy these as yours are different):
Code:
00000013F1699AC | 74 09      | je winrar.13F1699B7      | first JE
00000013F1699AE | 41 3A D5      | cmp dl,r13b      |
00000013F1699B1 | 0F 84 72 04 00 00      | je winrar.13F169E29      | second JE

The patched code:
Code:
00000013F1699AC | 74 09      | jmp winrar.13F169E29      | << PATCH
00000013F1699AE | 41 3A D5      | cmp dl,r13b      |
00000013F1699B1 | 0F 84 72 04 00 00      | je winrar.13F169E29      |

I’ve copied the address the second JE jumps to, changed the first JE into a JMP and made it jump to that address. Now save the file and you will never see the nag screen again!
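As an added example (not code from the original post), here is the relative-jump arithmetic behind the two listings, plus the byte-level diff a defender would use to spot a tampered WinRAR.exe: the original bytes are taken from the listing and the patched bytes are constructed, neither is read from a real binary.

```python
# Added example: decode the x86 relative jumps from the listings and diff an
# original vs. patched copy. Sample bytes are constructed from the listing above.

BASE = 0x13F1699AC  # address of the first JE in the listing

SHORT_BR = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}   # rel8 forms, 2 bytes
NEAR_JCC = {0x84: "je", 0x85: "jne"}                 # 0F 8x rel32 forms, 6 bytes


def decode_branch(code, off, base=BASE):
    """Decode the branch starting at code[off]; return (mnemonic, length, target)
    or None if the bytes are not a branch. The displacement is relative to the
    END of the instruction, which is why `74 09` at ...9AC lands on ...9B7."""
    op = code[off]
    if op in SHORT_BR:
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        name, length = SHORT_BR[op], 2
    elif op == 0x0F and code[off + 1] in NEAR_JCC:
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        name, length = NEAR_JCC[code[off + 1]], 6
    elif op == 0xE9:  # near jmp rel32, 5 bytes
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        name, length = "jmp", 5
    else:
        return None
    return name, length, base + off + length + rel


def jump_form(src, target):
    """Which unconditional jmp encoding reaches target from src:
    'short' (EB rel8, 2 bytes, within -128..+127) or 'near' (E9 rel32, 5 bytes)."""
    return "short" if -128 <= target - (src + 2) <= 127 else "near"


def diff_branches(orig, patched, base=BASE):
    """Find the first differing byte and decode the instruction starting there in
    both images. A JE rewritten into a JMP shows up as a changed mnemonic and a
    target that skips the code the JE used to guard."""
    for off in range(min(len(orig), len(patched))):
        if orig[off] != patched[off]:
            return base + off, decode_branch(orig, off, base), decode_branch(patched, off, base)
    return None


# je 13F1699B7 / cmp dl,r13b / je 13F169E29, exactly as in the original listing
ORIGINAL = bytes.fromhex("7409" "413ad5" "0f8472040000")
# constructed: a 5-byte near jmp to 13F169E29 written at ...9AC; it necessarily
# overwrites the 3-byte cmp that followed the original 2-byte je
PATCHED = bytes.fromhex("e978040000" "0f8472040000")

if __name__ == "__main__":
    print(decode_branch(ORIGINAL, 0), decode_branch(ORIGINAL, 5))
    print(jump_form(BASE, 0x13F169E29), diff_branches(ORIGINAL, PATCHED))
```

Note that the patched listing above still shows the original bytes `74 09`: a jump from 13F1699AC to 13F169E29 is 0x47B bytes away, too far for a 2-byte short jump, so the actual patch occupies 5 bytes and the cmp after it is gone.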

Saving in Olly: Right click -> Edit -> Copy to executable -> * new window opens* -> Right click -> Save File
Saving in x64dbg: Right click -> Patches -> (make sure all patches are selected) -> Patch File

Make sure that after you have saved the file you replace the original WinRAR.exe with your patched version.

www.extremehacking.org