WinRAR v2.02 - Tutorial (by friendship)

"Well I'm really pleased to host an essay such as this especially when the key generator is for WinRAR, a program which I've commended for a long time. You'll need to work pretty hard to follow this scheme, especially seeing as English isn't friendship's native tongue :), of course you could just study the key generator instead. Enjoy this tutorial which shows a logical approach to tackling a good scheme". "Edited by CrackZ".


Hello again! Any comments are welcome. I'm short on comments because I am not good at English, but I try to explain as much as I can. I hope you can all understand.

Tools Required

SoftICE v3.24

Protection System

Registration is available via the 'Options' menu: choose 'Registration'. There you will be asked to enter:

Enter your Registration (AV) text :
Enter your Registration Code      :

The registration code is evidently based on what you type in for your name/handle. The registration name and the password are saved in RAR.INI, like this:

regname=FriendShip for Everyone

To deactivate it, delete the line or put a semicolon (;) in front of it. Nothing is recorded in the Windows registry.


Let's go cracking... First, fire up WinRAR. Then press Ctrl+D to enter SoftICE.

:bpx GetDlgItemTextA --> to break at USER32.dll
:--> F5, back to WinRAR

Fill in the registration dialog:

Enter your Registration (AV) text : abcdefghijkl
Enter your Registration Code      : A1D231ACFE

Then 'OK'.

You break into SoftICE.

:004139E1  CALL    USER32!GetDlgItemTextA
:004139E6  LEA     EAX,[EBP-64]   <-- break here.
:004139E9  PUSH    EAX
:004139EA  LEA     EDX,[EBP-64]
:004139ED  PUSH    EDX
:004139EE  CALL    USER32!CharToOemA
:004139F3  PUSH    46
:004139F5  LEA     ECX,[EBP-00AC]
:004139FB  PUSH    ECX
:004139FC  PUSH    66
:004139FE  PUSH    DWORD PTR [EBP+08]
:00413A01  CALL    USER32!GetDlgItemTextA <-- the second break
:00413A06  CMP     BYTE PTR [EBP-00AC],00 <-- F11 = back to here
:00413A0D  JNZ     00413A29
:00413A0F  PUSH    66
:00413A11  PUSH    DWORD PTR [EBP+08]
:00413A14  CALL    USER32!GetDlgItem
:00413A19  PUSH    EAX
:00413A1A  CALL    USER32!SetFocus
:00413A1F  MOV     EAX,00000001
:00413A24  JMP     00413B07

:00413A29  LEA     EDX,[EBP-00AC]
:00413A2F  PUSH    EDX
:00413A30  LEA     ECX,[EBP-64]
:00413A33  PUSH    ECX
:00413A34  CALL    0040A2B5  <-- this subcall analyzes regname and regcode.
                             <-- To enter it, press F8.
:00413A39  ADD     ESP,08
:00413A3C  TEST    EAX,EAX  <-- if EAX=1, they match.
:00413A3E  JNZ     00413A6F <-- Changing it to JZ is useless.

Now the subcall 0040A285: WinRAR uses a pretty good protection scheme, which is controlled by three flags: [00437E44], [004318DC] and [004318D8]. It also uses ten tables.

Here are the tables, in pairs:

1. 00425F60 and 00425F78
2. 00425F10 and 00425F2C
3. 00425EBC and 00425EDC
4. 00425E68 and 00425E88
5. 00425E10 and 00425F34

The flag [00437E44] controls which table is used. The flag itself is driven by the processing of the codes derived from the RegName and RegCode you've entered. It is a complex mathematical process.

The code is calculated as follows:

e.g. : Registration Name :  A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12 A12

The characters of this RegName are XORed with each other, from A1 to A12.

The RegName itself generates a code of length 5.
Here is the mathematical method:

N1 = 2 * A1 + A6 + A11 + ... An
N2 = 2 * A2 + A7 + A12 + ... An+1
N3 = 2 * A3 + A8 + ... An+2
N4 = 2 * A4 + A9 + ... An+3
N5 = 2 * A5 + A10 + ... An+4

These five codes are compared against the RegCode.

The RegCode itself :
e.g. Registration Code : X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11 X12

C1 = X1X2    XORed with the result of the RegName XOR above
C2 = X3X4    XORed with the result of the RegName XOR above
C3 = X5X6    XORed with the result of the RegName XOR above
C4 = X7X8    XORed with the result of the RegName XOR above
C5 = X9X10   XORed with the result of the RegName XOR above
C6 = X11X12  XORed with the result of the RegName XOR above

After that,
C1 = C1 - 3
C2 = C2 - 4
C3 = C3 - 5
C4 = C4 - 6
C5 = C5 - 7
C6 = C6 - 8

Finally, these codes are analyzed. Using the tables, a code of length 5 is generated.

C1 C2 C3 C4 C5 C6  ==> [TABLE] ==> V1 V2 V3 V4 V5

V1 --> COMPARE --> N1
V2 --> COMPARE --> N2
V3 --> COMPARE --> N3
V4 --> COMPARE --> N4
V5 --> COMPARE --> N5

Each code is compared in turn with the corresponding one of the five RegName codes (N1 N2 N3 N4 N5). If they all match, the program is registered!

C1 C2 C3 C4 C5 C6 are turned into the five codes using the scheme below:
C1C2C3 ==> [TABLE] ==> V1.
C2C3C4 ==> [TABLE] ==> V2.
( The offset [004318D8] is used to pick the offset into C, )
( so the next group can be picked like this: )
C4C5C6 ==> [TABLE] ==> V3.
( instead of picking C3C4C5. )
( This is a clever scheme! Randomized picking! )
( And so on until the end. )

The table scheme works like this.
Only three flags are used:
[004318DC] = 0
[004318D8] = 0
[00437E44] = 3500h

C1C2C3 is divided by 2 to the power (8 - [004318DC]), then ANDed with 0FFFFh (below 65536 = one word = two bytes).
Then get the smaller code from the table and subtract it. Save the result in --> T
The offset (E) of the table is used in two ways:
1. It is added to [004318DC], and the sum is then:
   a. ANDed with 07h and stored until the next code;
   b. divided by 8, added to [004318D8], and stored until the next code.
2. It is subtracted from 16 (16 minus E). Save the result in --> P
Then, in mathematical form:
V1 = (T div 2 ^ P) + [TABLE + E] - 1
[00437E44] = V1 + [00437E44] - ( [00437E44] / 256 )
[004318DC] = E + [004318DC] AND 07h
[004318D8] = E div 8 + [004318D8]

The three flags are then used in the next process.

What a wonderful scheme! There is no way to go back; it is like a diode scheme. Only one way to go, no turning back. The author (Eugene Roshal) is a good programmer! Then I wonder, what scheme does he use to generate the registration key? Something mathematically even more complex than this? You know, the scheme is pretty safe, and it is hard to break.

I thought it over and over again: how can I break the code? Suddenly I remembered a proverb that says: "If your enemy has a good weapon, then get it and use it!". Maybe it sounds foolish, but there is no other way to break this. So, I made a Perl key generator which uses a scheme similar to the one above. The program counts through each code until it matches the five RegName codes, and at last it generates the registration code for you.

I'm too lazy to copy this whole scheme into assembly code, because every memory position would have to be changed, and it gives me a headache :). The program generates the codes one by one, matching each against the scheme. I add six codes to compare, in case of a newer version. So, the last four codes of the registration code are useless. It takes quite some time to calculate, depending on the computer's speed.

That's all. Bye for now.

PS: Many thanks to +ORC and this wonderful website and the tutorials.

© 1999 friendship, Hosted by CrackZ. 7th May 1999.