----------------------------------------------------------------------

Cracking Tutorial #11: CrAcKiNG Winrar 3 Beta 2 THROUGHLY

[cracked bY:]  sLeEpY¿ [FWA/NWA/FTPR8Z] iN 02/2002
[difficulty:]  intermediate
[where:]       http://www.winrar.com

----------------------------------------------------------------------

tOOLz: w32dasm, Hiew, UltraEdit 9, Resource Hacker [optional]

HeLLo, I'm bored in my Microsoft Windows 2000 certification class, so I decided to crack a prog... why not the latest WinRAR? This one is kind of fun to crack, but only if you are interested in this kind of thing; I suppose you wouldn't be reading it if you weren't, so let's piss off the WinRAR programmer and crack his useful prog. I will show you two ways to crack WinRAR: the first is the long way (which I think is more fun), the second is the quick way.

----------------------------------------------------------------------

[Cracking winrar the long way]

OK, you already know what to do: make a backup, and also a copy that has the .W32 extension. First I saw that this was a 40-day eval version, so I skipped my computer clock ahead one year (that's just easier than 40 days) and started the program, and here is what pops up:

    40 day trial nag eval msgbox

OK, no problem, you think, I'll just look in the SDR (String Data References) window in W32Dasm.... NOTHING! Damn, now what?
Well, hmm, we check in the dialog messages and find.... NOTHING! Hmm, good thing we are not braindead and don't give up. Let's try this: just do a general search for a word in that msgbox, how about the word "please". This runs and finds:

    REMINDER, # of Controls=007, Caption:"Please register", Classname:""

So this is our evil msgbox, it's called "REMINDER", how convenient... Well, now you should know what to do: either look in the SDR window for "REMINDER" or do another general search for "REMINDER". Either way it'll take you to these places:

----------------------------------------------------------------------

here:

    * Possible StringData Ref from Data Obj ->"REMINDER"
    :004360D1

and here:

    * Possible StringData Ref from Data Obj ->"REMINDER"
    :0043944E

----------------------------------------------------------------------

Well, I'm chasing the first one because it looks easier.

----------------------------------------------------------------------

    * Possible StringData Ref from Data Obj ->"REMINDER"
    :004360D1                      <- this is where you are dropped

Follow the code up and you'll find where it's called from:

    004360B7                       <- this address is what calls out the reminder code, so let's go there

    :004360B7 7F04    jg 004360BD   <- go to our reminder nag

Scroll up a little bit and you'll see 3 jumps above and 1 jump below this jump that all go to 004360E1, and if you look at the code listing you'll see that it is past the call to the nag. I chose the first one because the code always reads down, so let's kill it immediately... Here is the original code:

    :0043609B 7544    jne 004360E1  <- jump if registered, or go on to the reminder nag

Change to:

    :0043609B EB44    jmp 004360E1  <- jump no matter what, the nag will never be called

The code (file) offset in HIEW for this is 3569B.

Start the program and hmm... no nag about the trial popping up...
Well, the nag doesn't seem to show up anymore, so screw chasing down the other code. If you get the nag again over time, we'll chase this one, starting here:

    * Possible StringData Ref from Data Obj ->"REMINDER"
    :0043944E

Normally you should be thorough with the crack so you don't look like an idiot, but I'm sure this is something we don't have to worry about.

----------------------------------------------------------------------

On with the show! Well, I was checking for other nags and found this one that appears close to buying time:

    * Possible Reference to String Resource ID=00874: "only %d days left to buy a license"

This drops us here:

    :0043ED7F

Well, trace the code up and it is called from :0043ED5B. You will find:

    :0043ED5B 7C1D    jl 0043ED7A    <- jumps to the "eval days left" msg

Above that a little you'll find:

    :0043ED56 7C05    jl 0043ED5D    <- jumps past, but still goes to "WINRAR (Evaluation)" and eventually ends up where the next jump I'll describe goes

Above that is:

    :0043ED4C 757A    jne 0043EDC8   <- jumps past and skips that call, and also skips the place where it says "evaluation"

Note this before you change this section: start WinRAR, and up at the top of WinRAR it says:

    Winrar (evaluation version)

So change the jump from:

    :0043ED4C 757A    jne 0043EDC8

to:

    :0043ED4C EB7A    jmp 0043EDC8

Now start WinRAR, and what's at the top? "WinRAR". Kool, we trashed that eval crap at the top. NEXT!

----------------------------------------------------------------------

Hmm, I find this and it makes me curious:

    String Resource ID=00106: "Available in registered version only."

This is called in 46 f*@#ing places! Well, I checked out the places and found this to be funny: the places where that string is used almost never pop up that msg. Maybe a future protection to come? It involves graying out menu items, but I checked 'em, like "Select all" and others, and most work. Well, we almost have a fully functional version!
Kool, kool. Here is where I found that nag upon experimenting:

1. Logging -> Log errors to file
   "Warning, available in registered version only."
   (LOCATED UNDER OPTIONS, SETTINGS... A CHECKBOX) in this:

    CONFIGGENERAL, # of Controls=019, Caption:"General", Classname:""
    015 - ControlID:FFFF, Control Class:"BUTTON" Control Text:"Logging"
    016 - ControlID:006B, Control Class:"BUTTON" Control Text:"Log &errors to file"

2. Sign archive -> Add authenticity information
   "Warning, available in registered version only."
   (LOCATED WHEN YOU OPEN A RAR FILE, CLICK THE PROTECT BUTTON AND TRY TO CHECK THE BOX AT THE BOTTOM) in this:

    Name: INFOOPT, # of Controls=013, Caption:"Options", ClassName:""
    010 - ControlID:FFFF, Control Class:"BUTTON" Control Text:"Sign archive"
    011 - ControlID:006B, Control Class:"BUTTON" Control Text:"Add &authenticity information"

3. Put authenticity verification
   "Warning, available in registered version only."
   (WHEN YOU RAR A FILE IT IS AN OPTION TO CHECK, UNDER ADD...) in this:

    Name: INFO, # of Controls=032, Caption:"Info", ClassName:""
    030 - ControlID:0075, Control Class:"STATIC" Control Text:" authenticity verification"

So three places out of 46, maybe I missed some, but after these three, if you find more you will know how to handle 'em =0) Go and fix them! Yes, I'm not going to tell you how, have fun.

All we have left to do is optional: your prog is cracked, but why not make it look regged to you as well, instead of the 40-day trial and stuff...

----------------------------------------------------------------------

To get rid of the "40 DAY TRIAL CRAP" under the Help, About button...

---> FIRE UP ULTRAEDIT 9 <---   tHIS pROG kICKS aSS!

Open the exe and look for that text. Here we go: from 000a5270h to 000a53c0h is where that text is located in the hex view; on the right you can see the ASCII text of the hex. Inside there, look for "40 day eval" etc.
I changed mine to:

    Copyleft sLeEpY¿
    Eugene Roshal          (I left the original programmer's name in because he did the hard work =0))
    CrAcKeD bY sLeEpY¿     (in place of the 40 days trial)

Be careful when hex editing: only replace the text that's already there, don't add anything extra (unless you know what you are doing), and don't modify system stuff (those random-looking letters are instructions and such). OK, after your modification save the exe and run it, check out the Help screen... officially cracked and personalized...

----------------------------------------------------------------------

[Cracking winrar the short way]

This part, I'm not sure if how it's explained is perfectly correct, but it works, so here goes! In W32Dasm:

    :00440729 C60580CB480000    mov byte ptr [0048CB80], 00

change to:

    :00440729 C60580CB480001    mov byte ptr [0048CB80], 01

This moves the value 1 into memory location 0048CB80.

THEN:

    :0040B81C 55      push ebp
    :0040B81D 8BEC    mov ebp, esp

change to:

    :0040B81C B001    mov al, 01
    :0040B81E C3      ret

We pretty much killed this call down to 2 instructions: put a 1 in AL and return. This will return from the 4 calls with 1 stored in AL, which means the good flags are set to go as if regged. Start up WinRAR and you should be able to see what happens now: WinRAR is regged!

Now, WinRAR stores the result of the serial check in memory, and when it is checked a 0 represents unregged and a 1 represents regged, so we just need it to always be 1, hence the changes above.

First place the above code is called from...

    :00435B43 E8D45CFDFF      call 0040B81C
    :
    :00435B4A 881D80CB4800    mov byte ptr [0048CB80], bl
    :00435B50 84DB            test bl, bl

Returns with one and the flag set.

Second place the above code is called from...

    :00435D72 E8A55AFDFF      call 0040B81C
    :00435D77 A280CB4800      mov byte ptr [0048CB80], al

Returns with one and the flag set.

Third place the above code is called from...
    :0043DAE0 E837DDFCFF      call 0040B81C
    :0043DAE5 A280CB4800      mov byte ptr [0048CB80], al

Returns with one and the flag set.

Fourth place the above code is called from...

    :0043E422 E8F5D3FCFF      call 0040B81C
    :
    :0043E429 881D80CB4800    mov byte ptr [0048CB80], bl

Returns with 1 and the flag set.

----------------------------------------------------------------------

Extras:

1. Use Resource Hacker: under "Help", "WinRAR home page", you can change that text, then change the web page it goes to to your own or something.
2. Make a crack! I modified the prog the 'legendary' FLUX from Phrozen Crew made to create my patches; find a generic patcher or make your own.

Later!

----------------------------------------------------------------------

email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.
[--------------------------------------------------------------------]
[ 1. Cracking Cosmi's Generic Installshield Protection               ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0                                   ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program        ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach)                     ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client               ]
[ 7. CrAcKiNG Actionizer 1.4                                         ]
[ 8. CrAcKiNG Tag Wizard 4.3.0                                       ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP                           ]
[10. CrAcKiNG Netrace 1.0a                                           ]
[11. CrAcKiNG Winrar 3 Beta 2 THROUGHLY                              ]

----------------------------------------------------------------------

gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!

----------------------------------------------------------------------

CopyLeft: sLeEpY¿  [ASCII-art logo]

[all rights reversed]

Boredom causes crackers and babies.

----------------------------------------------------------------------
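Seen from the verifying side, the three edits this tutorial makes (the long way's 75 -> EB on a jne, and the short way's prologue replaced by mov al,1 / ret plus the flag store's immediate 00 -> 01) are exactly what an integrity check, or a responder comparing a vendor build against a suspicious "cracked" copy, wants to recognise. The script below is an added example, not code from the tutorial or from RARLAB: it byte-diffs an original image against a modified one, maps each changed file offset back to a virtual address, and classifies the change. The PE layout (image base 0x400000, .text at RVA 0x1000 with raw data at file offset 0x600) is an assumption chosen so that the tutorial's own pair, file offset 3569B and VA 0043609B, line up; the two images are constructed stand-ins built inside the script, with the tutorial's instruction bytes placed at its addresses and filler elsewhere, not real WinRAR bytes.

```python
import hashlib
from dataclasses import dataclass

# Assumed PE layout (an assumption for this example): image base 0x400000, .text at
# RVA 0x1000 with its raw data at file offset 0x600. This reproduces the tutorial's
# HIEW offset 3569B <-> W32Dasm address 0043609B.
IMAGE_BASE = 0x400000
TEXT_RVA = 0x1000
TEXT_RAW = 0x600


def file_offset_to_va(offset: int) -> int:
    """Map a file offset inside .text to the virtual address a disassembler shows."""
    return IMAGE_BASE + TEXT_RVA + (offset - TEXT_RAW)


def va_to_file_offset(va: int) -> int:
    """Inverse mapping; used here to place the sample bytes at the tutorial's addresses."""
    return va - IMAGE_BASE - TEXT_RVA + TEXT_RAW


@dataclass
class Finding:
    file_offset: int
    va: int
    original: bytes
    patched: bytes
    description: str


SHORT_JCC = range(0x70, 0x80)  # 70..7F are short conditional jumps (75 jne, 7C jl, 7F jg)
JMP_SHORT = 0xEB               # EB rel8 is the unconditional short jump


def classify(orig_img: bytes, new_img: bytes, start: int, end: int) -> str:
    """Describe one run of changed bytes, orig_img[start:end] vs new_img[start:end]."""
    o, n = orig_img[start:end], new_img[start:end]
    if len(o) == 1 and o[0] in SHORT_JCC and n[0] == JMP_SHORT:
        return "short conditional jump rewritten as unconditional jmp (check bypassed)"
    if o[:3] == b"\x55\x8b\xec" and n[:3] == b"\xb0\x01\xc3":
        return "function prologue replaced by 'mov al,1; ret' (routine always returns 1)"
    # C6 05 <disp32> imm8 is 'mov byte ptr [disp32], imm8'; only the imm8 changed
    if (len(o) == 1 and start >= 6 and orig_img[start - 6:start - 4] == b"\xc6\x05"
            and o[0] == 0x00 and n[0] == 0x01):
        return "immediate of 'mov byte ptr [mem], 0' changed to 1 (flag byte forced set)"
    return "unclassified modification"


def find_patches(orig_img: bytes, new_img: bytes) -> list[Finding]:
    """Byte-diff two same-sized images and classify each contiguous run of changes."""
    if len(orig_img) != len(new_img):
        raise ValueError("images differ in size; this is not an in-place patch")
    findings: list[Finding] = []
    i, size = 0, len(orig_img)
    while i < size:
        if orig_img[i] == new_img[i]:
            i += 1
            continue
        start = i
        while i < size and orig_img[i] != new_img[i]:
            i += 1
        findings.append(Finding(start, file_offset_to_va(start), orig_img[start:i],
                                new_img[start:i], classify(orig_img, new_img, start, i)))
    return findings


def same_image(a: bytes, b: bytes) -> bool:
    """First-line integrity check: compare hashes before bothering with a byte diff."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def build_sample_images() -> tuple[bytes, bytes]:
    """Constructed stand-ins for the original and patched binaries (not real WinRAR
    bytes): 0x90 filler with the tutorial's instruction bytes at its addresses."""
    def put(img: bytearray, va: int, data: bytes) -> None:
        off = va_to_file_offset(va)
        img[off:off + len(data)] = data

    orig = bytearray(b"\x90" * 0x40000)
    put(orig, 0x0043609B, b"\x75\x44")                         # jne 004360E1
    put(orig, 0x0040B81C, b"\x55\x8b\xec")                     # push ebp / mov ebp,esp
    put(orig, 0x00440729, b"\xc6\x05\x80\xcb\x48\x00\x00")     # mov byte ptr [0048CB80],00
    cracked = bytearray(orig)
    put(cracked, 0x0043609B, b"\xeb\x44")                      # jmp 004360E1
    put(cracked, 0x0040B81C, b"\xb0\x01\xc3")                  # mov al,1 / ret
    put(cracked, 0x00440729, b"\xc6\x05\x80\xcb\x48\x00\x01")  # mov byte ptr [0048CB80],01
    put(cracked, 0x00401A00, b"\xcc")                          # unrelated stray edit
    return bytes(orig), bytes(cracked)


if __name__ == "__main__":
    original, cracked = build_sample_images()
    print("hash match:", same_image(original, cracked))
    for f in find_patches(original, cracked):
        print(f"file {f.file_offset:06X}  VA {f.va:08X}  "
              f"{f.original.hex()} -> {f.patched.hex()}  {f.description}")
```

The hash comparison is the cheap gate a deployment or install-time check would run first; the byte diff and classification are what you do once it fails, so that a report says "jne at 0043609B became jmp" rather than "one byte differs at offset 3569B". Only changed runs are reported, so the jne's unchanged rel8 displacement (44) and the unchanged C6 05 prefix of the store are shown as context by the classifier, not as findings.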