Acid_Cool_178
presents he's

#35  Tutorial

 

For Hellforge

This Text Are Only Ment To Edcucational Purpose And Not To Be Used Illegaly, I Take No Response For Illegal Use Of This Text. Move On On Your Risc.

Athour Information
E-mail acid_cool_178@hotmail.com
Age 17
Web Page http://acidcool.cjb.net/
Date March 2K
Member in Hellforge Flying Horse Cracking Force
Groups Web Page Hellforge Login FHCF Login

 

Program Infromation
Name WinRar 2.70 Beta 1
winrar.exe
Size 555KB (Only the EXE file)
Athour Eugene Roshal
Where to Downlaod www.download.com
www.winfiles.com
www.shareware.com
www.rarsoft.net
www.rararchiver.com
www.nowpc.com
www.rarsoft.de
Tools used W32Dasm
Hiew		 Downlaod At
1. Player Tools
2. Programmer Tools
What kind of a program Crackme Shareware
   
Skill Easy Not so easy Hard X-pert
         

 

Information about the Protection I

When you are running the program so can you see that it's unregistered and shareware. It don't got any "Enter code here" stuff, the only protection are one NAG that will pop up after 40 days. And some Commands are disabled.

Before We Start

Now we have to NOP the NAG out and NOP are 90 in NEX. NOP means No Operation. If you got any problems then please reas LaZaRuS Assemberly For Cracker II at the Hellforge Site

Task1        <-- Disabled Function
Task2        <-- Removing 40 Day Protection
Task3        <-- removing the Evalution Copy in the titlebare og WinRar

The Process

Task1
Open WinRar in W32Dasm and under String Data References can you se this string Available in registered version only"
Dubbelclick on that string twice and you can see this code

00404D4D 803DAC5C460000 cmp byte ptr [00465CAC], 00
:00404D54 7522 jne 00404D78                                                                        <-- Make it to JMP
:00404D56 6A30 push 00000030
*
*
*
* Possible Reference to String Resource ID=00106: "Available in registered version only"    <-- Bad Words
|
:00404D60 6A6A push 0000006A
:00404D62 E865330000 call 004080CC

This NAG will you find under Options-->Settings-->Logging-->Log errors to file
Scroll up to the Jump and in W32Dasm's statusbar can you see this.
Line:8751 Pg 93 of 2181 Code Data @:00404D54 @Offset 00004354h in file:WinRAR.exe

The important here are the offset wich are 4354 the h indicates that it are in HEX.

Open WinRAR.exe in W32Dasm and press F4. Now you can choose between "Text, Hex, Decode" Choose Decode. Press F5 wich are Goto and enter in the offset and enter. Now you will stant at the jump. Press F3 wich will edit the Code and F2 and you will now edit the ASM Code, change JE to JMP.
Press enter to accept the cange and update the code by pressing F9 and exit by pressing Escape og F10.

Run WinRar and the messagebox are gone to hell :))

Now, lets tight the 30 day trial.

Task2
Open the windows clock and move the date one month longer forward. I did change 2000 to 2001 :) I too lazy :D

Now, run winrar and you can se one NAG comming up.
Now we now that there are one place in theis code where it's comparing routine and it will be easyer to find. I hope..

The NAG got the caption "Please Register" so in W32Dasm search for "Please Register and than you can see this.
Name: REMINDER, # of Controls=007, Caption:"Please register", ClassName:""
Then search for "REMINDER" and now you can see this code.

:004014F9 83F828 cmp eax, 00000028                                 <--28Hex = 40 Dec
:004014FC 7F04 jg 00401502                                               <-- Jump if EAX are over 40
:004014FE 85C0 test eax, eax                                                <-- Tests again
:00401500 7D26 jge 00401528                                             <-- Jump over the Reminder
*
*
* Possible StringData Ref from Data Obj ->"REMINDER"
|
:00401517 68142C4600 push 00462C14
:0040151C 8B0D04BC4600 mov ecx, dword ptr [0046BC04]
:00401522 51 push ecx

The first jump got the @Offset AFC wich you have to NOP
The seccond jump have we to change to JMP and then everything are OK :)

Open Winrar.exe in Hiew, Press F4 and choose Decode. Goto offset AFC and at the jump ONLY EDIT THE CODE by pressing F3 and type in 9090 (NOPNOP) and Update the file. The last jump can be one small challange to you :D

Run the program and The NAG are gone :)

Task3
Search for evaluation copy and you can now see this code

:0041B942 83C40C add esp, 0000000C
:0041B945 803DAC5C460000 cmp byte ptr [00465CAC], 00
:0041B94C 752E jne 0041B97C                                                     <-- Jump if still an evalution copy

* Possible Reference to String Resource ID=00873: "evaluation copy"
|
:0041B94E 6869030000 push 00000369
:0041B953 E874C7FEFF call 004080CC
:0041B958 50 push eax

Just change the JNE to JMP ant woala.

Greetings

LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO. Torn@do, ^AlX^  and all the other i have forgotten