posted 22 Mar 2013, 01:38
If you want to follow along and don't already have the right tools, check out my first entry HERE.
Cracking WinRAR v4.20 - x86 (32-bit)
Ok, let's be honest, WinRAR doesn't really need to be cracked. "I passed my WinRAR 40 day trial! What should I do?!? Oh, wait a second, I can just press 'Close'…." Although for practice purposes it is a great application to crack. So let's dig in my friends!
First let's identify the problems that the trial version suffers from. If you start WinRAR after the 40 day trial period, the first thing you will notice is the reminder dialog saying: "I'm not free, buy me!"
Then you will of course notice the title bar in the main window stating either "Only X days left to buy a license" or "evaluation copy", depending on whether or not you have passed the 40 day trial period.
Finally, if you look in the about box you will see the message "40 days trial copy".
So we need to remove these three unwanted attributes from the program. Let's start with the reminder dialog, as it seems to be the most annoying of the trial aspects. Open WinRAR in Resource Hacker and search for the string (CTRL+F) "please note that winrar is not free". You will then see that the reminder dialog is actually named REMINDER.
Well that should be easy enough to find. Now let's open up WinRAR in OllyDbg. Once Olly finishes analyzing everything and you can see the code, right-click and search for all referenced strings. Search for the string: REMINDER. Double click on the first occurrence. Right above the call to display the dialog box is a conditional jump. Let's make that jump non-conditional (JE --> JMP) so we will never hit that dialog.
Now highlight the modified portion of code and right-click then choose EDIT --> COPY TO EXECUTABLE. Restart Olly. Now let's get rid of the extra text in the title bar ("evaluation copy"). In Olly press CTRL+G and type "SetWindowText". You will see two different instances, "SetWindowTextW" and "SetWindowTextA", select "SetWindowTextW" and press OK. Set a breakpoint on the location you end up at then press Run ('play symbol' button). Olly will now pause at the breakpoint.
From here press Execute Till Return (the button with an arrow pointing towards a line) then Step Over (button with a downward arrow next to three dots). We will now be located right after the call from WinRAR to "USER32.SetWindowTextW".
We need to modify what happens right before that call, so let's see what's up there…
This looks like the jump we want, because it goes straight to the call to "SetWindowTextW" without adding any more arguments. But just to see exactly what's happening and make sure we are getting the right jump, let's let the program run and see what happens in that area of code.
If we get the first one, it is the "Only X days left to buy a license" string.
If we get the second one, it is the "evaluation copy" string. You will not see that text in the main window, but instead in the Registers window in the upper right where you can see the values of EAX, ESP, etc… So we had it right: the jump that bypasses those calls and goes straight to "SetWindowTextW" is the one we want. Let's change that from a conditional to a non-conditional jump (JNE --> JMP), then copy that section of code to the executable.
Now all we have left to do is alter the About dialog so that it no longer says "40 days trial copy". For this let's open WinRAR in Resource Hacker again and search for that string: "40 days trial copy". Once you have found it, right click in the dialog editor and select Edit Control.
You can make it say anything you like here, but first we have to modify a few things. First of all the control's height is only set to 8 for one line of text, set it to 24 or 32. Then change the Tab Order from 10 to 17 (17 is the last control here) so that nothing is drawn over our text in the GUI. Now you can change the caption from "40 days trial copy" to whatever you want. I entered "\n\t - Swegin8r -". The \n means to start a new line, the \t represents the tab character and I entered the other five spaces to center my text up. There are other ways to center, but in this case it's easier this way so we don't have to modify the coordinates or width of that control.
Once you've got that set up the way you want it, press the Compile Script button. Then FILE --> SAVE and quit Resource Hacker. Now start up WinRAR and let's check out the final product.
That's all there is to that one! Congratulations, you handled that like a PRO!
posted 16 Dec 2012, 02:28
SUPERAntiSpyware is a piece of software designed to remove and prevent malware on Windows based PCs. It also happens to be relatively easy to crack, so it is a good program to learn or practice reverse engineering on.
Things you will need to follow along:
1. Your brain
Now that you have everything, let's get started!
First of all load the program into PEiD to see if it is packed/protected.
In this case it's not. Good, less work for us!
Now open the program and try to register it with invalid information. You will receive a message stating: "The registration number you have entered is not valid. Please enter a valid registration number."
We want to take notice of the text in this message, so open up Notepad and write down "The registration number you have entered is not valid."
Now load the program into HDasm and search for string references by clicking the 'S' in the toolbar. Search for the text we took note of before by typing it into the search bar at the top.
You can see the text and that its ID is 97. You will want to take note of this ID, so in Notepad write something like: "97=Bad".
Time to load the program into OllyDbg. Once the program has been loaded and analyzed you can search for the bad message. To do this, right click and select "Search for --> All commands". In the following dialog type: "push 97". You will be presented with a window showing all the places where this command is located.
Press F2 to set breakpoints on the various locations. Now when you run the program it will pause on these breakpoints so you can view the surrounding code and modify it if necessary.
Press 'Run' from the toolbar (icon that looks like a 'Play' symbol) or by pressing F9. Before the program finishes starting up you will hit one of the breakpoints that was set.
We haven't entered a registration number yet so this is obviously not the location we want. You can remove the breakpoint by pressing F2. Now press 'Run' again because the program is paused. Once the program window opens try entering some invalid information again. Again, we will hit one of the breakpoints we set.
This is the correct location. As you can see there are two conditional jumps which go to the bad message. You could alter the jumps from JE to JNE, but this may not stop the bad message from being shown. What I mean by this is that if the first jump didn't go to the bad message but the second did, then after changing JE to JNE the first jump would go to the bad message without ever reaching the second. Since you don't want either jump to occur, you can fill them in with NOPs (No Operation) by highlighting them, then right clicking and selecting "Edit --> Fill with NOPs".
Now highlight the whole section of code that you just modified then right click and select "Edit --> Copy to executable" and save the file. Close OllyDbg. Run the program again and enter an invalid registration number. This time you won't get the bad message, but instead be presented with an activation screen.
Select the option to enter your activation code manually and enter any random set of numbers. The program will now register.
Now try to check for definition updates. The authentication process will fail and instead of downloading the updates you will get the following:
After you get the failed message the program will revert back to the trial version, so re-enter some fake info to register it again. Ok now we need to find the string "Failed!". If you open the program in HDasm again and search for "Failed!" you won't find it.
Instead open the program in Olly again and search for referenced text strings by right clicking and selecting "Search for --> All referenced strings". Once the search results window comes up press 'CTRL + F' and type in "Failed!".
This time you will find it. Double click on the entry and you will be taken to the location where you get the failed message.
There is a call just before the decision is made whether to jump past the failed message or not. We need to change whatever is happening in that call, so set a breakpoint on it and run the program. When you check for updates this time, the program will pause on the breakpoint we just set on the call that makes the decision. We can explore what is happening there by pressing F7 to step into the call.
Here the program makes a call to validate the license and has a conditional jump underneath. When the program reaches that jump the condition has been met so it makes the jump. You can either reverse this jump (JE to JNE) by double clicking that line of code and editing it or fill it with NOPs. Once you have modified the code, highlight the changes and copy them to the executable. Close Olly.
Run the program and try to check for definition updates again. This time the authentication is successful so the updates will start downloading and you will see this:
You now have a fully functional, registered version of SUPERAntiSpyware! Congratulations!
posted 13 Nov 2012, 00:11
First of all I would like to thank my buddy SirSeedsAlot52782 for giving me the idea to share the steps involved in cracking an application.
Second, I'll name some of the tools I use:
1. My brain (in mostly working order)
2. OllyDbg v2.01 Alpha 4 - Various plugins
3. PEiD v0.95 - Various plugins
4. HxD v1.7.7
5. HDasm (Hacker's Disassembler) v1.06
6. Resource Hacker v220.127.116.11
7. ImpRec (Import Reconstructor) v1.6F
Finally, getting down to business! To start off with I would use PEiD to check and see if the application is packed/protected, and if so by what method.
If the application is packed then there are a couple different ways to go about unpacking it. One of these ways is using another application designed to do the unpacking for you such as Quick Unpack. Another is stepping through the code with OllyDbg until you find the correct OEP (Original Entry Point) and dumping the process to another executable.
I can then use ImpRec to rebuild the IAT (Import Address Table) so the application will start and work correctly again.
From here I would open the application in PEiD again and use a plugin called Kanal. Kanal will search for known cryptographic signatures and give you the address(es) at which they are located within the program.
Some cryptos are more important to deal with than others. For example, the program 'mIRC' contains a CRC check algorithm that will prevent the application from running if it has been modified. In other words your cracking will have been all for naught until you bypass or alter that bit of code.
Of course you will have to know the wanted or unwanted results you wish to achieve or avoid. So from here I would run the program and try to register it using incorrect information, or use it for a while to study the limitations.
After taking note of these things there are a few different routes I could take. One of these being opening the program in HDasm and searching for the wanted/unwanted strings or dialogs and taking down the addresses or IDs.
Sometimes it is difficult to identify what you are looking for (such as caption-less dialog boxes); this is when I like to use Resource Hacker. Using Resource Hacker I could give that dialog an easily recognizable caption. Another route would be opening the program in OllyDbg and searching for referenced strings, assembly commands, calls to other programs/libraries, etc.
Once I have found out where the desirable/undesirable actions are taking place in the program, I can use OllyDbg to modify the code to produce the wanted results. This can be done by placing breakpoints at key locations (jumps and calls) that surround the wanted or unwanted results. Then I can run the application and OllyDbg will pause it on these breakpoints so I can see what is happening.
From there I can decide what actions need to be taken, like changing a conditional jump to a non-conditional jump (JE, JNB, etc. to JMP) or stopping a jump or call completely by filling it in with a NOP (No Operation command).
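Looking at the same steps from the other side: a program that keeps a checksum of its own code, as the mIRC CRC check mentioned above does, can notice exactly the two kinds of edits this post (and the WinRAR and SUPERAntiSpyware walkthroughs) describe: a conditional jump rewritten as JMP, and a jump or call overwritten with NOPs. The Python below is an added example, not code from this blog or from any of the programs named here. It runs over constructed byte strings standing in for a code section, so the sample bytes, the offsets, and the names `verify_integrity` and `find_patches` are all assumptions, not anything taken from a real binary.

```python
import hashlib
import hmac

# x86 short-form conditional jumps (Jcc rel8) use opcodes 0x70..0x7F;
# JE is 0x74 and JNE is 0x75. A short JMP rel8 is 0xEB, and NOP is 0x90.
SHORT_JCC_OPCODES = range(0x70, 0x80)
SHORT_JMP_OPCODE = 0xEB
NOP_OPCODE = 0x90

# Constructed sample "code section" (assumed bytes, not from any real program):
#   85 C0           test eax, eax
#   74 05           je  +5          <- offset 2
#   B8 01 00 00 00  mov eax, 1
#   75 02           jne +2          <- offset 9
#   31 C0           xor eax, eax
#   C3              ret
BASELINE = bytes.fromhex("85c0 7405 b801000000 7502 31c0 c3")
# Same bytes after the JE at offset 2 has been rewritten as a JMP (EB 05).
PATCHED_JMP = bytes.fromhex("85c0 eb05 b801000000 7502 31c0 c3")
# Same bytes after the JNE at offset 9 has been filled with two NOPs.
PATCHED_NOP = bytes.fromhex("85c0 7405 b801000000 9090 31c0 c3")


def section_digest(data: bytes) -> str:
    """SHA-256 of the code bytes; stands in for the CRC a self-check would embed."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(expected: bytes, current: bytes) -> bool:
    """True only if the copy on disk still matches the baseline copy."""
    return hmac.compare_digest(section_digest(expected), section_digest(current))


def find_patches(baseline: bytes, current: bytes):
    """Return [(offset, kind, original_hex, patched_hex)] for every run of
    changed bytes, classifying the two in-place edits the walkthroughs use."""
    if len(baseline) != len(current):
        raise ValueError("in-place patches keep the section size; sizes differ")
    findings = []
    i = 0
    while i < len(baseline):
        if baseline[i] == current[i]:
            i += 1
            continue
        start = i
        while i < len(baseline) and baseline[i] != current[i]:
            i += 1
        orig, new = baseline[start:i], current[start:i]
        if (len(orig) == 1 and orig[0] in SHORT_JCC_OPCODES
                and new[0] == SHORT_JMP_OPCODE):
            # Only the opcode byte changed: Jcc rel8 -> JMP rel8, displacement kept.
            kind = "jcc_to_jmp"
        elif all(b == NOP_OPCODE for b in new):
            # Every byte in the run became 0x90: an instruction was NOPed out.
            kind = "nop_fill"
        else:
            kind = "unknown"
        findings.append((start, kind, orig.hex(), new.hex()))
    return findings


if __name__ == "__main__":
    for name, sample in (("jmp", PATCHED_JMP), ("nop", PATCHED_NOP)):
        print(name, verify_integrity(BASELINE, sample), find_patches(BASELINE, sample))
```

The classification is a heuristic for the short (rel8) forms only: a near conditional jump (0F 8x rel32) rewritten as a 5-byte JMP rel32 plus padding changes more than one byte and lands in "unknown", and the digest comparison alone is what tells you the section was touched at all. A real self-check would hash the section at build time and compare at startup, which is what the mIRC example above reacts to.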
Now I would test the program out for a while to make sure everything is working how I want. If all went well and I don't get any nag messages, half-working features, time/usage limitations or anything of that sort, then I'm almost done. Last but not least, it's then time to wrap it all up nice and neat with instructions and create a torrent to share with everybody!