Hello again! Any comments are welcome. I am short on comments because I am not good at English, but I will try to explain as much as I can. I hope you can all understand.
Registration is available via the 'Options' menu, then 'Registration'. Here you will be asked to enter:

  Enter your Registration (AV) text :
  Enter your Registration Code :

The registration code is evidently based on what you type in as your name/handle. The registration name and the code are saved in RAR.INI, like this:

  [registration]
  regname=FriendShip for Everyone
  regcode=AD01D4AEDD55F25B58

To deactivate it, just delete these lines or put a semicolon (;) in front of them. There is no Windows registry entry.
Let's go cracking... First, fire up WinRAR. Then press Ctrl+D to enter SoftICE.

  :bpx GetDlgItemTextA      <-- to break on the USER32.dll function

Press F5 to return to WinRAR and fill in the registration dialog:

  Enter your Registration (AV) text : abcdefghijkl
  Enter your Registration Code : A1D231ACFE

You break into SoftICE.

  :004139E1 CALL USER32!GetDlgItemTextA
  :004139E6 LEA EAX,[EBP-64]              <-- break here.
  :004139E9 PUSH EAX
  :004139EA LEA EDX,[EBP-64]
  :004139ED PUSH EDX
  :004139EE CALL USER32!CharToOemA
  :004139F3 PUSH 46
  :004139F5 LEA ECX,[EBP-00AC]
  :004139FB PUSH ECX
  :004139FC PUSH 66
  :004139FE PUSH DWORD PTR [EBP+08]
  :00413A01 CALL USER32!GetDlgItemTextA   <-- the second break
  :00413A06 CMP BYTE PTR [EBP-00AC],00    <-- F11 brings you back here
  :00413A0D JNZ 00413A29
  :00413A0F PUSH 66
  :00413A11 PUSH DWORD PTR [EBP+08]
  :00413A14 CALL USER32!GetDlgItem
  :00413A19 PUSH EAX
  :00413A1A CALL USER32!SetFocus
  :00413A1F MOV EAX,00000001
  :00413A24 JMP 00413B07
  :00413A29 LEA EDX,[EBP-00AC]
  :00413A2F PUSH EDX
  :00413A30 LEA ECX,[EBP-64]
  :00413A33 PUSH ECX
  :00413A34 CALL 0040A2B5                 <-- this subcall analyzes regname and regcode. Press F8 to step into it.
  :00413A39 ADD ESP,08
  :00413A3C TEST EAX,EAX                  <-- if EAX=1 they match.
  :00413A3E JNZ 00413A6F                  <-- changing this to JZ is useless.
Now the subcall at 0040A285: WinRAR uses a pretty good protection scheme, controlled by three flags, [00437E44], [004318DC] and [004318D8]. It also uses ten tables, in five pairs.

Here are the tables:

  1. 00425F60 and 00425F78
  2. 00425F10 and 00425F2C
  3. 00425EBC and 00425EDC
  4. 00425E68 and 00425E88
  5. 00425E10 and 00425F34

The flag [00437E44] controls which table is used. The flag itself is updated while the RegName and RegCode you entered are processed and matched against each other. It is a complex mathematical process.
Below is how the code is calculated.

e.g. Registration Name : A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12

All characters of the RegName are XORed together, from A1 to A12.

The RegName itself generates a code of length 5. Here is the mathematical method:

  N1 = 2 * A1 + A6  + A11 + ... + An
  N2 = 2 * A2 + A7  + A12 + ... + A(n+1)
  N3 = 2 * A3 + A8  + ...     + A(n+2)
  N4 = 2 * A4 + A9  + ...     + A(n+3)
  N5 = 2 * A5 + A10 + ...     + A(n+4)

These five values are compared against the RegCode.
The RegCode itself:

e.g. Registration Code : X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11 X12

  C1 = X1X2   xor (the XOR of the RegName above)
  C2 = X3X4   xor (the XOR of the RegName above)
  C3 = X5X6   xor (the XOR of the RegName above)
  C4 = X7X8   xor (the XOR of the RegName above)
  C5 = X9X10  xor (the XOR of the RegName above)
  C6 = X11X12 xor (the XOR of the RegName above)

After that:

  C1 = C1 - 3
  C2 = C2 - 4
  C3 = C3 - 5
  C4 = C4 - 6
  C5 = C5 - 7
  C6 = C6 - 8

Finally these values are analyzed. Using the tables, a code of length 5 is generated:

  C1 C2 C3 C4 C5 C6 ==> [TABLE] ==> V1 V2 V3 V4 V5

  V1 --> COMPARE --> N1
  V2 --> COMPARE --> N2
  V3 --> COMPARE --> N3
  V4 --> COMPARE --> N4
  V5 --> COMPARE --> N5

Each value is compared with the corresponding RegName value (N1 N2 N3 N4 N5). If they all match, it is registered!
The six values C1 C2 C3 C4 C5 C6 are turned into the five values with this scheme:

  C1C2C3 ==> [TABLE] ==> V1
  C2C3C4 ==> [TABLE] ==> V2
  C4C5C6 ==> [TABLE] ==> V3   (instead of picking C3C4C5: the offset in [004318D8] selects which C is picked up next)
  ... and so on till the end.

This is a clever scheme: the picking is randomized!

The table is used like this. Only three flags are used, starting at:

  [004318DC] = 0
  [004318D8] = 0
  [00437E44] = 3500h

  1. Take C1C2C3, divide it by 2 ^ (8 - [004318DC]), then AND 0FFFFh (so the value stays below 65536, i.e. one word, two bytes).
  2. Find the smaller code in the table, subtract it, and save the result in T.
  3. Take the offset E of that table entry and save P = 16 - E.
  4. Then, in mathematical form:

       V1         = (T div 2 ^ P) + [TABLE + E] - 1
       [00437E44] = V1 + [00437E44] - ([00437E44] / 256)
       [004318DC] = (E + [004318DC]) AND 07h
       [004318D8] = (E div 8) + [004318D8]

The three flags (as updated here) are carried into the next step.
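As an added example (not the author's Perl key generator, and not WinRAR's own code), here is a small Python script that reproduces the two stages the tutorial fully specifies: reading regname/regcode from RAR.INI (including the semicolon trick that deactivates the entry) and computing the five RegName values N1..N5, the RegName XOR, and the decoded RegCode values C1, C2, ... The table-driven stage with the three flags is deliberately not implemented, because the table contents are not given on this page. The RAR.INI fragments are constructed from the values typed into the dialog above and are not a valid key. Two details the tutorial leaves open are marked as assumptions in the code: the values are treated as plain integers (no byte wrap-around), and a column with no characters (a RegName shorter than 5) counts as 0.

```python
import configparser
import io
from functools import reduce

# Constructed RAR.INI fragment in the layout shown in the tutorial (not a valid key).
SAMPLE_INI = """[registration]
regname=abcdefghijkl
regcode=A1D231ACFE
"""

# Same fragment with the lines commented out by a leading ';', which the
# tutorial says deactivates the registration.
SAMPLE_INI_DISABLED = """[registration]
;regname=abcdefghijkl
;regcode=A1D231ACFE
"""


def read_registration(ini_text):
    """Return (regname, regcode) from RAR.INI text, or None if not present.

    configparser treats lines starting with ';' as comments, which matches the
    deactivation trick described in the tutorial.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(ini_text))
    if not cp.has_section("registration"):
        return None
    sec = cp["registration"]
    if "regname" not in sec or "regcode" not in sec:
        return None
    return sec["regname"], sec["regcode"]


def regname_xor(name):
    """XOR of all RegName characters: A1 xor A2 xor ... xor An."""
    return reduce(lambda x, y: x ^ y, name.encode("latin-1"), 0)


def regname_codes(name):
    """The five values N1..N5 derived from RegName:
    N_i = 2*A_i + A_(i+5) + A_(i+10) + ...   for i = 1..5
    """
    a = list(name.encode("latin-1"))
    out = []
    for i in range(5):
        col = a[i::5]  # A_i, A_(i+5), A_(i+10), ...
        # Assumption: an empty column (name shorter than 5 chars) counts as 0.
        out.append(2 * col[0] + sum(col[1:]) if col else 0)
    return out


def regcode_values(code, name):
    """Decode the RegCode hex pairs X1X2, X3X4, ... into C1, C2, ...:
    C_j = (pair_j XOR regname_xor) - (j + 2)    i.e. C1-3, C2-4, C3-5, ...

    Raises ValueError on an odd number of digits or a non-hex digit.
    Assumption: plain integer arithmetic; the tutorial does not say whether
    the subtraction wraps at a byte boundary.
    """
    if len(code) % 2:
        raise ValueError("RegCode must have an even number of hex digits")
    x = regname_xor(name)
    vals = []
    for j, k in enumerate(range(0, len(code), 2), start=1):
        pair = int(code[k:k + 2], 16)
        vals.append((pair ^ x) - (j + 2))
    return vals


def documented_stages(ini_text):
    """Run the stages the tutorial fully specifies on a RAR.INI fragment.

    Returns None when no registration entry is active (deleted or commented out).
    """
    reg = read_registration(ini_text)
    if reg is None:
        return None
    name, code = reg
    return {"xor": regname_xor(name), "N": regname_codes(name), "C": regcode_values(code, name)}


if __name__ == "__main__":
    print(documented_stages(SAMPLE_INI))
    print(documented_stages(SAMPLE_INI_DISABLED))
```

Running it with the tutorial's dialog values gives N = [403, 407, 302, 305, 308], RegName XOR = 12 and C = [170, 218, 56, 154, 235] for the five hex pairs of A1D231ACFE; the commented-out fragment yields None, which is the state the tutorial describes as deactivated. To continue past this point you would have to dump the five table pairs from the running binary and feed these C values through the [TABLE] stage described above.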
What a wonderful scheme! There is no way to go back; it is like a diode: only one way through, no turning back. A good programmer, that author (Eugene Roshal)! Then I wonder, what scheme does he use to generate the registration key? Some other complex mathematics rather than this? You know, the scheme is pretty safe, and it is hard to break.

I thought it over and over again: how can I break the code? Suddenly I remembered a proverb: "If your enemy has a good weapon, then take it and use it!" Maybe it sounds foolish, but there is no other way to break this. So I wrote a PERL key generator which uses a scheme similar to the one above. The program counts through each code until it matches the five RegName values, and at last it generates the registration code for you.

I was rather lazy to copy this whole scheme from the assembly code, because every memory position must be changed and it gives me a headache :). The program generates the codes one by one after matching them against the scheme. I added a sixth code to the comparison, in case of a newer version. So the last four characters of the registration code are useless. It takes quite some time to calculate, depending on the speed of your computer.

That's all. Bye for now.
PS: Many thanks to +ORC and this wonderful website and the tutorials.