Winrar 2.71 Protection has no Roar!

Secondary File Checking Scheme is Weak

Date- 09/05/00
by Sojourner
There is a crack, a crack in everything. That's how the light gets in.
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

Somewhat juvenile to crack, but it is a useful prog.



The rar program has come a long way from the old DOS days. Today's prog looks slicker with the 32-bit GUI and is
easier to use. This is a useful utility.

Tools required

w32dasm 8.x--your choice of flavors

hex editor needed- UltraEdit 7.xx or whatever you want to use

restorator 2.5--not needed this go round

Target's URL/FTP

Just go to this site. Do a search for winrar and then download what you need.

Program History
Things to do -
   Register this baby!

You know when you need something right now, you often don't have it. That was my dilemma last night. My system was going
on the blink and I knew it. My backexec was malfunctioning and, lo and behold, Veritas has changed their prog from
backupexec 4.2.1 to 4.5, but it doesn't provide disaster recovery. I frantically searched my archives--nada, niet, 
nothing. This time I was in a crack. Fortunately two things happened, one, I found backupexec 4.2 on an ftp search to
a nice Russian site, and two, a friend uploaded 4.2.1 for me, both of which have disaster recovery processes. See my
other tutorials for a crack on Veritas Backexec 4.2.1. But what in the world does that have to do with winrar? Ah, you
see, when I restored my system, my little winrar was askance and would not deliver any more work for me. What was a guy
to do? Like any good cracker--go out and find it and fix it, if possible. Now, Winrar has another file it searches for 
in order to verify that you're licensed, kind of like cuteftp or even the flex license manager. The file is called
rarreg.key and must reside in the root directory of winrar along with the executable, etc., of winrar. Since by now
you've already downloaded this baby, go ahead and disassemble it in w32dasm. Takes a few minutes with my high speed
Celeron 400 MHz screamer!!! How did I know that Winrar required another file? Because in the Help section of the Winrar
program it says as much and I quote:

Registration procedure:
Upon receipt of your registration fee with the completed registration form you will receive a registration key file 
which will correspond to the registration string given in the registration form.
Upon receipt of your registration key file you should put it to the WinRAR folder. If the key is archived, in a .RAR 
file, please extract the key from the archive in order to register your copy of WinRAR.

So you see, that's how I came by that info. Additionally, when you do a little snooping around inside of Winrar, you
will find reference to rarreg.key, of which, you must note. Ready to go? Let's rev up w32dasm and put it through its
paces. (Good night--the funny cars were racing yesterday-boy are they fast. Over three hundred miles an hour at last
call. Talk about revving!!) When you run Winrar through w32dasm you will see "evaluation copy" at the top of your 
program title. And if you click on Help, then About, it will not be registered to you. That's what we want to fix.
If you have ultraedit, open it to a new file. Type in the name you want to use and save this as rarreg.key. Yeah, you 
know what to do now. Put it in the directory where it needs to be. Surely that's not all there is to it. You are 
correct in your assumption. That's not all there is to it. Actually, you need to put some other characters in there
on a line preceding your assumed name. Why? Because that's what Winrar wants. So give it to it. What other characters
do I use? Yes, that was going to be my next subject, but you're almost getting ahead of me. Somewhere lurking around 
in the dark code woods there is a useful string--very long though---
What's it for? For checking you out. Place this whole mess on the first line of your rarreg.key file and your name
on the second line. It doesn't read the third line.
Since I've mentioned the rarreg.key, begin placing breakpoints around there and also near "evaluation copy". Do a 
string search for "registered to" also. That will be enough to get us through this process. Now, at the 
"evaluation copy" here is what you get.

* Possible StringData Ref from Data Obj ->"%s - WinRAR"
:0041BA01 68DD5F4600              push 00465FDD
:0041BA06 8D9500FEFFFF            lea edx, dword ptr [ebp+FFFFFE00]
:0041BA0C 52                      push edx
:0041BA0D E8820B0400              call 0045C594
:0041BA12 83C40C                  add esp, 0000000C Return below
:0041BA15 803DCC6C460000          cmp byte ptr [00466CCC], 00 <-- Check this out!!
:0041BA1C 752E                    jne 0041BA4C

* Possible Reference to String Resource ID=00873: "evaluation copy"
:0041BA1E 6869030000              push 00000369
:0041BA23 E894C6FEFF              call 004080BC
:0041BA28 50                      push eax

And at "Registered to"--

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040B783 803DCC6C460000          cmp byte ptr [00466CCC], 00  <--Check this out!!
:0040B78A 7472                    je 0040B7FE
:0040B78C 8DBDF0F9FFFF            lea edi, dword ptr [ebp+FFFFF9F0]
:0040B792 BE90964700              mov esi, 00479690
:0040B797 B981010000              mov ecx, 00000181
:0040B79C 8D85F0F9FFFF            lea eax, dword ptr [ebp+FFFFF9F0]
:0040B7A2 F3                      repz
:0040B7A3 A5                      movsd
:0040B7A4 50                      push eax
:0040B7A5 8D95F0F9FFFF            lea edx, dword ptr [ebp+FFFFF9F0]
:0040B7AB 52                      push edx

* Reference To: USER32.OemToCharA, Ord:0000h
:0040B7AC E8A2680500              Call 00462053
:0040B7B1 8D8DF0FAFFFF            lea ecx, dword ptr [ebp+FFFFFAF0]
:0040B7B7 51                      push ecx
:0040B7B8 8D85F0FAFFFF            lea eax, dword ptr [ebp+FFFFFAF0]
:0040B7BE 50                      push eax

* Reference To: USER32.OemToCharA, Ord:0000h
:0040B7BF E88F680500              Call 00462053

* Possible Reference to String Resource ID=00960: "Registered to"
:0040B7C4 68C0030000              push 000003C0
:0040B7C9 E8EEC8FFFF              call 004080BC
:0040B7CE 50                      push eax

At each of the places I've marked "check this out" above, there is an important point: the exact same variable shows
up in each place, 00466CCC. At one point there is a jne; at the other a je, and each time the check is against zero.
Which is which? Which do I want? This variable is very important and the key to solving this whole thing. Before I go
on, place breakpoints at all the places 00466CCC shows up. There are quite a few. Are you done? At first I thought that
I needed the variable to be zero, but the more I studied this the more I was convinced the right answer was for it to
be one. See above at the eval copy area. As you run the prog through w32dasm, you will see that 00466CCC can be loaded
with some number at a few places.
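To make the single-flag design concrete, here is a small C model of the pattern the listings show: one global byte, loaded once from the key file, that every check site compares against zero. This is example code written for this page, not WinRAR's code and not the tutorial author's; the two-line key layout, the check applied to line 1, and the names key_is_valid, load_key_file, title_suffix, about_line and about_line_from_key are this example's own assumptions.

```c
/*
 * Added example (not the tutorial's code and not WinRAR's): a toy model of
 * the pattern the tutorial describes, one writable global byte that caches
 * the registration state and that every check site compares against zero.
 * The two-line key file and the check applied to its first line are
 * hypothetical stand-ins; the page does not show WinRAR's real key format.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The single global byte, the analogue of [00466CCC] in the listings. */
static uint8_t g_registered = 0;
static char g_owner[64] = "";

/* Hypothetical check (NOT WinRAR's): line 1 must be the 32-bit FNV-1a hash
 * of line 2, written as hex. It only gives the file something to verify. */
uint32_t fnv1a32(const char *s) {
    uint32_t h = 0x811c9dc5u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 0x01000193u; }
    return h;
}

/* Parse "check\nname\n" held in memory and decide whether it is a valid key.
 * Returns 1 when valid and copies the name into owner (if one is given). */
int key_is_valid(const char *contents, char *owner, size_t owner_len) {
    char line1[32] = "", line2[64] = "";
    char *end = NULL;
    if (sscanf(contents, "%31[^\n]\n%63[^\n]", line1, line2) != 2) return 0;
    uint32_t claimed = (uint32_t)strtoul(line1, &end, 16);
    if (end == line1 || *end != '\0') return 0;   /* line 1 is not plain hex */
    if (claimed != fnv1a32(line2)) return 0;      /* check does not match name */
    if (owner && owner_len) {
        strncpy(owner, line2, owner_len - 1);
        owner[owner_len - 1] = '\0';
    }
    return 1;
}

/* Weak pattern: validate once at start-up and cache the verdict in one byte. */
void load_key_file(const char *contents) {
    g_registered = (uint8_t)key_is_valid(contents, g_owner, sizeof g_owner);
}

/* Check site 1, the window title ("evaluation copy" in the tutorial). */
const char *title_suffix(void) {
    return g_registered ? "" : " - evaluation copy";
}

/* Check site 2, the About box ("Registered to" in the tutorial). */
const char *about_line(void) {
    return g_registered ? "Registered to" : "Unregistered";
}

/* Why the scheme is weak: every site reads the same byte, so one forced store
 * of 1 into it (or one flipped branch in front of it) satisfies all of them.
 * Returns 1 when both sites report "registered" without any valid key. */
int single_byte_demo(void) {
    load_key_file("not-a-hash\nNobody\n");          /* constructed invalid key */
    int before = title_suffix()[0] == '\0' || strcmp(about_line(), "Registered to") == 0;
    g_registered = 1;                                /* the effect of a patched store */
    int after  = title_suffix()[0] == '\0' && strcmp(about_line(), "Registered to") == 0;
    return !before && after;
}

/* The honest path: a key whose line 1 matches its name is accepted, and the
 * same line 1 with an edited name is rejected. Returns 1 when both hold. */
int valid_key_demo(void) {
    char key[128], owner[64] = "";
    snprintf(key, sizeof key, "%08x\nSojourner\n", (unsigned)fnv1a32("Sojourner"));
    int ok = key_is_valid(key, owner, sizeof owner) && strcmp(owner, "Sojourner") == 0;
    snprintf(key, sizeof key, "%08x\nSomeone Else\n", (unsigned)fnv1a32("Sojourner"));
    int bad = key_is_valid(key, NULL, 0);
    return ok && !bad;
}

/* Less brittle pattern: no cached byte. Each site re-derives the state from
 * the key and its output carries key data (the name), so forcing a flag
 * yields nothing to display. Still client-side, so it only raises the cost. */
const char *about_line_from_key(const char *contents, char *buf, size_t len) {
    char owner[64];
    if (key_is_valid(contents, owner, sizeof owner))
        snprintf(buf, len, "Registered to %s", owner);
    else
        snprintf(buf, len, "Unregistered");
    return buf;
}

int main(void) {
    char line[96];
    printf("one byte forced to 1 registers every site: %d\n", single_byte_demo());
    printf("valid key accepted, edited key rejected: %d\n", valid_key_demo());
    printf("%s\n", about_line_from_key("not-a-hash\nNobody\n", line, sizeof line));
    return 0;
}
```

The point of the two demo functions is the contrast: the key check itself behaves, but once its verdict lives in one byte that several sites share, the byte is the whole protection.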

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040EEBC 803DCC6C460000          cmp byte ptr [00466CCC], 00
:0040EEC3 7410                    je 0040EED5
:0040EEC5 803D9096470000          cmp byte ptr [00479690], 00
:0040EECC 7507                    jne 0040EED5
:0040EECE C605CC6C460000          mov byte ptr [00466CCC], 00 <-- Here

* Reference To: USER32.FlashWindow, Ord:0000h
:00418373 E81F9B0400              Call 00461E97
:00418378 6A01                    push 00000001
:0041837A E8693D0200              call 0043C0E8
:0041837F A2CC6C4600              mov byte ptr [00466CCC], al <--Here
:00418384 6A00                    push 00000000
:00418386 8B0D24B94600            mov ecx, dword ptr [0046B924]
:0041838C 51                      push ecx

* Reference To: KERNEL32.SetThreadPriority, Ord:0000h
:0041AF3D E88F6B0400              Call 00461AD1
:0041AF42 6A01                    push 00000001
:0041AF44 E89F110200              call 0043C0E8
:0041AF49 A2CC6C4600              mov byte ptr [00466CCC], al <--Here

Realistically, most of this doesn't help us to achieve our goal. So what do we do? What we will do is to load
00466CCC ourselves. As I said, what looked promising above is not really. So, since you have already set breakpoints,
let's use them now and see if we can find a decent spot to load our variable.
Here's what hits:
1. 004184B7
2. 00426358
3. 0041BA15
4. 0041AF2C
Okay. First off, at 004184B7, we need to make sure the jne is changed to jmp because we know that 00466CCC is still
zero. It has not been loaded with the correct number yet.

:004184B7 803DCC6C460000          cmp byte ptr [00466CCC], 00
:004184BE 7513                    jne 004184D3  change to EB13
Next--we really can't catch this blighter easily to load eax. You'd think, well, just follow the call. Uh huh. Except
it's not that easy. You get bumped around a lot in there and get lost. By the time you're back home, you have no idea
where you've been. So just nop that guy, A2CC6C4600--yes, nop it all, by golly. It won't matter in just a sec anyway. We
just want to be sure that our registered prog is not changed to unregistered on the flip-flop by loading zero into al.
So why don't we just load 00466CCC now with 01? The reason is that it takes way too many bytes to set that up at this
point. It's not all that important because, as we'll see in a moment, we'll be home free.

:00426353 E8905D0100              call 0043C0E8
:00426358 A2CC6C4600              mov byte ptr [00466CCC], al
:0042635D 53                      push ebx
Batter up!! Now here we can do something legit with our load.
Follow closely, because we're going through some heavy byte changing here.
We are going to use the range from 0041BA15 up to 0041BA23. Here's what we do. See below.

:0041BA15 803DCC6C460000          cmp byte ptr [00466CCC], 00
:0041BA1C 752E                    jne 0041BA4C
* Possible Reference to String Resource ID=00873: "evaluation copy"
:0041BA1E 6869030000              push 00000369
:0041BA23 E894C6FEFF              call 004080BC

The changes are as follows:
:0041BA15 C705CC6C460001000000    mov dword ptr [00466CCC], 00000001
:0041BA1F EB2B                    jmp 0041BA4C
:0041BA21 90                      nop
:0041BA22 90                      nop

With these changes in place we never reach the "evaluation copy" code, and we have balanced all of our changes
properly.
Last: we know now that 00466CCC is loaded with one, so we don't have to mess with this at all.

:0041AF2C 803DCC6C460000          cmp byte ptr [00466CCC], 00
:0041AF33 7419                    je 0041AF4E

Your Winrar is now registered. Be sure to make your changes permanent with your hex editor.
Happy rarring!
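From the vendor's side of the table, the thing a program can do about a byte patch like the one above is to check its own code at start-up. The following C example is added here and is not part of the tutorial or of WinRAR: the two byte strings are transcribed from the listings above (the 14 bytes from 0041BA15 before and after the patch), while the hash function, the way the reference value is obtained, and the names code_hash, first_diff, diff_count and code_region_tampered are this example's own choices.

```c
/*
 * Added example (not the tutorial's code and not WinRAR's): the detection side
 * of a byte patch. A program can hash a range of its own code at start-up and
 * compare it with a value fixed at build time; a patched range then hashes
 * differently. The two byte strings below are transcribed from the listings on
 * this page (0041BA15..0041BA22 before and after the patch); the hash function
 * and the way the reference value is obtained are this example's own choices.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REGION_LEN 14

/* Original bytes at 0041BA15: cmp byte ptr [00466CCC],00 / jne 0041BA4C / push 369 */
static const uint8_t orig_bytes[REGION_LEN] = {
    0x80, 0x3D, 0xCC, 0x6C, 0x46, 0x00, 0x00,
    0x75, 0x2E,
    0x68, 0x69, 0x03, 0x00, 0x00 };

/* The same range as the tutorial leaves it (mov dword / jmp / nop / nop). */
static const uint8_t patched_bytes[REGION_LEN] = {
    0xC7, 0x05, 0xCC, 0x6C, 0x46, 0x00, 0x01, 0x00, 0x00, 0x00,
    0xEB, 0x2B,
    0x90, 0x90 };

/* FNV-1a over a byte range. A keyed MAC or a signature over the whole code
 * section is the stronger choice; an unkeyed hash and its stored reference
 * can both be patched by someone who finds the check. */
uint32_t code_hash(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Offset of the first byte that differs between two images, or -1 if equal. */
long first_diff(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return (long)i;
    return -1;
}

/* Number of bytes that differ; useful when reporting a detected patch. */
size_t diff_count(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (a[i] != b[i]);
    return c;
}

/* Start-up self-check: returns 1 when the region no longer matches the
 * reference hash. The reference would normally be computed at build time and
 * stored outside the hashed range; here it is taken from orig_bytes. */
int code_region_tampered(const uint8_t *image, size_t n) {
    uint32_t reference = code_hash(orig_bytes, sizeof orig_bytes);
    return code_hash(image, n) != reference;
}

int main(void) {
    printf("original intact:  %d\n", code_region_tampered(orig_bytes, REGION_LEN));
    printf("patched detected: %d\n", code_region_tampered(patched_bytes, REGION_LEN));
    printf("first difference at offset %ld, %zu bytes differ\n",
           first_diff(orig_bytes, patched_bytes, REGION_LEN),
           diff_count(orig_bytes, patched_bytes, REGION_LEN));
    return 0;
}
```

Run as-is and the original region reports intact while the patched one reports tampered, with the first difference at offset 0 (the cmp opcode) and ten of the fourteen bytes changed; the call at 0041BA23 sits just past the range and is untouched, which is what "balanced" meant above.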


Final Notes

 This was a fun, simple lesson. Until later.

If you have any questions please feel free to contact me at

Oh Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one.