WinRAR v2.06 - Tutorial by Rayden

"Well another essay by a newbie and a logical approach to cracking a pretty good protection which sadly is controlled by a single flag. Many intermediate/advanced readers will know that WinRAR's scheme is pretty safe from newbies (as Rayden himself points out, there is never an echo of the good code, all is achieved using encryption and tables). Once again let me point out that the author Eugene Roshal has written one of the few useful tools on the web so support him if you can afford to do so. Newbies will find some useful snippets here". "Slightly edited by CrackZ".


After reading many, many cracking tutorials for newbies, I decided to write my own, because in these tutorials you are usually finished after you changed the first conditional jmp-instruction. I then learned that this isn't the case, the hard way. So in this tutorial we will use more than one approach (remember we are newbies!). Since I am newbie too, it shouldn't be too hard to keep track with me. Also I must say that I am German, so I apologise for my English, but you should be able to understand me. The only thing I assume is that you have some knowledge about using SoftICE and W32Dasm. Lets start.

Target Details

WinRAR 95 v2.06 (WINRAR95.EXE).
Date/Size: 12/03/1998, 204,800 bytes.

Tools Required

SoftICE 3.2x.
Hiew 6.x.
W32Dasm 8.9x

OK, fire up WinRAR and have a look at it, after clicking here and there you will notice the following three restrictions/nags.

- WinRAR displays "...(Evaluation Copy)" on the Title Bar.
- You can't activate Authenticity verification.
- You can't activate Error Logging.

Note: The two disabled functions will play a major role in the following tutorial as you will see later (I learned it the hard way).

Now lets try to Register it, by clicking on OPTIONS and REGISTER. Enter Your Name and an unlock code and Press OK (I used RAYDEN/123454321). Well, the Code is wrong (*surprise*).

Note: This was the first approach I tried, because in other tutorials I often read, reversing a conditional jmp before the MessageBoxA CALL would probably make the program think your entered code was a "good" one. Lets try this approach. Goto SoftICE and set a BP on MessageBoxA. Again enter your name and a serial, click on OK and SoftICE should break. Press F11 once, Click OK on the MessageBox and you should be back in SoftICE at the following code:

* Possible Reference to String Resource ID=00106: "Registration failed".

:00413C8C PUSH 0000006A
:00413C8E CALL 0041A18B
:00413C93 POP ECX
:00413C94 PUSH EAX
:00413C95 PUSH [EBP+08]

* Reference To: USER32.MessageBoxA, Ord:0000h

:00413C98 CALL 00424912
:00413C9D XOR EDX,EDX <-- We land here.
:00413C9F MOV DWORD PTR [0042575C], EDX
:00413CA5 MOV DWORD PTR [00425638], EDX
:00413CAB MOV DWORD PTR [0042564C], EDX
:00413CB1 JMP 00413D0C

Please note that we haven't seen yet what the code above is doing, therefore we will examine the piece of the code ABOVE our MessageBox CALL.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

:00413C59 LEA EDX, DWORD PTR [EBP-64]
:00413C5C PUSH EDX
:00413C5D PUSH 0042AD30
:00413C62 CALL 0041CEA0
:00413C6A LEA ECX, DWORD PTR [EBP+FFFFFF54] <-- Point ECX to the # we entered.
:00413C70 PUSH ECX <-- Push onto the stack.
:00413C71 LEA EAX, DWORD PTR [EBP-64] <-- Point EAX to name the name we entered.
:00413C74 PUSH EAX <-- Push name onto the stack.
:00413C75 CALL 0040A4C1 <-- CALL something *.
:00413C7A ADD ESP, 00000008 <-- Correct stack.
:00413C7D TEST EAX,EAX <-- EAX=0 ?.
:00413C7F JNZ 00413CB3 <-- If NOT jump to 00413CB3, else show "Wrong RegCode-Msgbox".

The CALL 0040A4C1* at address 00413C75 is the key, at least I thought so. As we can see, its obvious that this call generates the real code and compares it with the code we entered. Too bad that the real code is never echoed by WinRAR :(. If the code is correct EAX is set to 1 else EAX is set to 0. We also see that if EAX=1 we would jmp OVER the Wrong Reg-Code MsgBox. thats worth a try, lets force WinRAR to jump over the Wrong Reg-Code MsgBox (JNZ 00413CB3), we'll set our BP to this location and enter our Name and Reg-Code again.

We break now on 00413C7F. If we now type ? EAX we see that EAX is zero and therefore the Zero-Flag was set. Lets change the zero flag by typing R FL Z (reverses the (Z)ero flag) and F10 once. As you can see WinRAR will jmp to 00413CB3 this time. Lets disable our Breakpoints with BD *, press F5 and see whats happens next.

"Thank you for your support", ...looks like WinRAR really thinks our serial is valid. Cool, or ? Also note the Title Bar changed from "WinRAR (Evaluation Copy)" to "WinRAR" only. Looks good or ? Congratulations you just cracked WinRAR95...but...wait...hmm...lets test the disabled functions: Go to OPTIONS/GENERAL and try to activate Auth. Verif. or Error Logging and guess what ? ...Oops...still disabled ? whats going on here ? We just made WinRAR thinking our serial is valid but it still won't let us use the disabled functions. Hmm...strange..We know now that WinRAR makes some crosschecks to the entered serial.

That our theory is right can be seen if we now quit WinRAR and restart it. It now again says "WinRAR (Evaluation Copy)".

Well, I MUST write this because the same thing has happened to me so many times. In the tutorials I read, the job was done after changing some conditional jmp in the routine which checks for the serial. But when I tried to crack my own programs I also got the "Good Boy" message all the time, but often the program still knew that the serial was wrong. At least we now have our RegString saved in rar.ini, as you can see when editing it with any Text editor.


So it seems that either WinRAR uses this information when we try one of the disabled functions OR this information is checked at startup and a flag is set.

- Its easy to make WinRAR think an entered Code is a legal one.
- Once You get the "Thanks for your support" MessageBox WinRAR writes the entered Name and Serial to RAR.INI.
- But there are crosschecks to our entered code at startup and when activating disabled functions.

OK, back to work and back to our code above the WrongRegCode MessageBox.

:00413C75 CALL 0040A4C1 <-- Here.

Somewhere deep, deep in this routine or in one of its subroutines (and there are plenty of them) our code be checked with the real one. Since we are newbies and don't know much ASM, (I say this after spending about 2-3 days trying to understand this routine), it was a total waste of time for me. It was just impossible to understand all the calls, compares, shifts and rotates, etc...

OK what else can we do...hmm...BINGO. Remember these nice little MsgBoxes which popup when you try to use Error Logging or Auth. Verification ? Maybe we can get some information from them. So go back to SoftICE, clear all BP (BC*) and set a new BP on MessageBoxA (again). Go to OPTIONS/GENERAL and try to activate either Error Logging or Auth. Verifiaction. SoftICE breaks. Press F11, press OK and you should be back at the following code.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

:004138C9 CMP DWORD PTR [0042575C], 00000000
:004138D0 JNZ 00413906

* Possible Reference to String Resource ID=00048: "Normal"

:004138D2 PUSH 00000030

* Possible Reference to String Resource ID=00026: "Warning"

:004138D4 PUSH 0000001A
:004138D6 CALL 0041A18B
:004138DB POP ECX
:004138DC PUSH EAX

* Possible Reference to String Resource ID=00051: "Available in registered version only"
:004138DD PUSH 00000033
:004138DF CALL 0041A18B

* Reference To: USER32.MessageBoxA, Ord:0000h

:004138E7 CALL 00424912
:004138EC PUSH 00000000 <-- We land here.

If you scroll back you can see the last cond. jump shown above. Hmm... interesting, here WinRAR compares a memory location with 0. If NOT 0 then jmp else continue with "Available only in....". So we can say if memory location 0042575C = 1 continue as registered else continue as shareware. Lets see if there are some other functions using this memory location. Therefore we must set a BP on RW-Acess (Read-Write Access) at this memory. You should still be in SI, now clear all BP and type BPM 0042575C. This will make SoftICE break every time this memory address is read from or written to.

OK, now try to activate Error Logging, SoftICE breaks (F5 to continue), try to activate Auth. Verifiaction and SoftICE breaks again. Even if we try to Register WinRAR again SoftICE breaks. Wow, looks like this memory address is our key to register this tool. We said if Memory-Address="0" WinRAR is still Shareware, if "1" WinRAR will continue as Registered. Now lets check when WinRAR WRITES the 0 or the 1 to this location.

Goto SoftICE, clear your old BP and set a new one with "BPM 0042575C R". the "R" makes SoftICE only break when something is WRITTEN to this memory (sure about that ? - CrackZ). Again lets test: Try to Enable Error Logging/Auth. Verif., try to register it again, and close WinRAR and start it up again. What we see ?. The Registration Routine is writing to this memory and at startup WinRAR is writing to this memory location. As you also can see its the SAME Routine at startup and in the Registration process, which writes to this memory.

So our goal now is to make this routine always write a "1" to our memory location, right ? Here is the code which writes to our memory as you should see it in SoftICE.

:0040A730 TEST EAX,EAX
:0040A732 SETE CL
:0040A735 AND ECX, 00000001
:0040A738 MOV DWORD PTR [0042575C], ECX <-- We land here.
:0040A73E PUSH DWORD PTR [0042573C]
:0040A744 CALL 00423068
:0040A749 POP ECX
:0040A74C MOV DWORD PTR [0042573C], EAX

You see at 0040A738 the value of ECX is written to our memory location 0042575C. Since we entered a wrong serial ECX contains a "0". If we had entered a real serial ECX would contain a "1". So the AND ECX,00000001 indicates if we are registered or not. If ECX is "1" BEFORE the AND will also be "1" AFTER the AND, but if it is "0" it won't be 1 AFTER.

Additional Information AND/OR Operations

Example for our AND-operation.

00000000 ECX, our Target Indicator.
00000001 Is simply the value "1", our Source Indicator which ECX is ANDed with.

Our result is "0" because no bit PAIRS are set. The result of AND would only be "1" if the first bit of ECX would be set to "1".

OK we want ECX to be "1" every time. So we have to do something here. One solution (the one I chose, was to replace the logical AND with a logical OR, which always makes ECX 1 as you can see below.

Example for our OR-Operation.

00000000 ECX, our Target Indicator.
00000001 Is simply the value "1" , our Source Indicator which ECX is ORed with.

Our result is 1, because only one of the 2 indicators (ECX,1) must have a bit set, to set the bit in our result too. Get the point ? by replacing AND with OR we always have "1" in ECX, which is written to our memory. Time to crack now. Goto W32Dasm and load WINRAR95.EXE, goto Code Location 0040A735 and look at the offset in the status line. It should say Offset:00009D35h in file WINRAR95.exe. OK were done here :).

Now fire up Hiew, Press F4 - Decode, press F5 and enter your offset (9D35). Our instruction "AND ECX, 00000001" is 83E101 in HEX. We simply have to change this so it says "OR ECX, 00000001". Press F3 which will let you edit the code. IF you dont know the HEX for "OR ECX...", (like me) you now have to press F2 (ASM). You then see your instruction in "ASCII" Code and you simply can overwrite AND with OR and press enter, then ESC. The code should now read OR ECX, 00000001 instead of AND ECX, 00000001.

If you want to edit the HEX instead change 83E101 to 83C901. This will also change the AND to OR, as you will see. Now save it with F9 and ESC. Now we are ready to test our patch. Fire up WinRAR for the last time.

No more "Evaluation Copy" on the Title Bar. Now try to Activate Error Logging and Auth. more MessageBox telling us that we must have the registered version & last but not least try to register it again and again :). as you see it will work. Congratulations, you cracked WINRAR95, v2.06.

Job done.

Thanks & Greetings

The Sandman and Jeff for their great "Newbies Cracking Forum", to CrackZ, +Fravia and Iczelion for their enormous resources about Reverse-Engineering, and to Santa Clawz (hope we will work together on the same project one day).

Comments: (dont forget to underscore).


Newbies Return to Main Index

© 1999 Hosted By CrackZ. Rayden 5th March 1999.