winrar 95 ver.2.0: the guts of a protection
by Little-John, 3 January 1998
Slightly edited by reverser+
here
Courtesy of Reverser's page of reverse engineering
reverser's comments
Well, an interesting little essay which deals with an utility by Eugene Roshal that is in my opinion injustely underestimated. Winrar should by all means be on your desktop: it has, on mine, taken the place of my Winzip 6.2 (it deals without problems with all zipped files as well), and that for many reasons, the more important one is that RARed archives are SMALLER than pkzipped archives!
No, I'm not speaking of the solid archive option (you don't know what 'solid' archiving is? Go and study winrar), I'm speaking of a normal, default rar archive: it's smaller than a zip!
I know that many don't even know it, and I myself am still compelled to use the zip format when I dump something on the web 'because everybody zips'. Yet I myself, for myself, on my own harddisks, use only RAR, because with the monstruous overbloated programs we are dealing with 'every spared byte counts'... and you'll spare a lot of bytes in comparison with zipped files if you rar. You still don't believe me? Well, read, enjoy and then go and download winrar... you'll be surprised seeing how GOOD this tool is.

BTW: this is the LAST essay I will re-format: Please use THE SAME FORMATTING for all future essays you send to me! In order to do it download this redFORMATTING MUSTER and use it, pasting your essay inside it.
here
There is a crack, a crack in everything
That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert
A well-written, very easy to follow essay, useful for beginners in order to see how a call into a protection scheme can easily be dealt with
Title
winrar 95 ver.2.0: the guts of a simple protection
Written by Little-John
Introduction
The only time Micro$oft has is the time to make money 
with stupid overbloated programs. No time to improve 
their OS like Win95 which is very bugful, no time 
to think a better use of system resources like RAM'n'Disk space.
What do we have to do? Compress. Compress to make ONE (big) file containing 
MANY (little) files. (Who has a 32k clustered FAT will understand me.)
To do this in a quick way some softwares are on the scene. One of them
(the most popular) is Winzip 6.x which uses the old good Pkzip 
compression method. But I'm never satisfied, so I sough and found 
another pretty GUI-based (Windoze) 32-bit compressor: 
WinRAR 95 v2.0 by Eugene Roshal.
Tools Required
Debugger (SoftIce)
Hexeditor
Brain


Of course, you may choose any other tools you like.
Program History
No history
T
H
E

E
S
S
A
Y
One of Winrar's features I appreciate most is the 'Authenticity Code' 
which insures the paternity of an archive. But I was able to use it 
only in the non-$hareware version. 
Money, money, money, money, money, money... ahhh.
In fact when I ticked this feature a (pretty :) dialog box says to me:
"Available in registered version only". But it's Xmas and everybody 
is more kind to the others... I decided that Eugene wouldn't be angry 
with me if I made a little present to myself: a registered yet 
"non-commercial" version of WinRAR95. Of course I could have fished 
a completely regged copy out of the warez scene, without paying a cent 
and without having to work on this protection, but I prefer to crack 
myself my proggies instead of using stolen ones.

I took the old good Soft-Ice and put myself down to crac...ehm ...study 
the code.
Start WinRAR95 and in the menu Option choose Registration. In the textbox
"Enter yuor registration (AV) text" write your (nick:)name for example 
Johnny.
And in the registration code textbox enter your favourite number sequence,
(mine is 123321).
Now let's go in Soft-Ice (press Ctrl-D) and put a break point on 
GetDlgItemTexta and see what happens. Your name is stored in memory. 
The first thing to be done should be putting a breakpoint on the 
memory range to see what happens to our name, but first study the code. 
You have to study your targets to reverse them. 
So continue, by pressing g, and you will fall into another 
USER32!GetDlgItemTextA, but this time don't restudy the code 
(it's the same as the name says; Repetita iuvant sed stufant :)
Continue tracing the code and very soon you will see this:

:004226CC  8D8554FFFFFF		LEA 	EAX,[EBP+FFFFFF54]
:004226D2  50			PUSH 	EAX
:004226D3  8D459C		LEA 	EAX,[EBP-64]
:004226D6  50			PUSH 	EAX
:004226D7  E84D66FFFF		CALL 	00418D29    ;Very Interesting Call
:004226DC  83C408		ADD 	ESP,08	    ;Stack Correction
:004226DF  85C0			TEST 	EAX,EAX	    ;Is the Reg. Code Right?
:004226E1  752F			JNZ 	00422712    ;YES/NO!
:004226E3  6A30			PUSH	30
:004226E5  6A1A			PUSH	1A

If you wanna see the "Correct Registration. Thank you for support" 
DialogBox you can change

:004226E1  752F			JNZ 	00422712    ;YES/NO!

in

:004226E1  742F			JZ 	00422712    ;YES/NO!

but this apparently easy patch is not enough: you haven't cracked this 
target, I'm afraid. Infact if you go in Options->General and tick the 
Autenticity Code you'll still obtain "Available in registered version 
only".
The thing to do is therefore entering inside the "CALL 00418D29" and 
study our target's behaviour. 
There are a lot of CALL routines, as usual and we can act in two ways: 
understanding what happens to our name and Reg. Code to know the right 
Reg. Code (long way, d'you think it would really be necessary?), or 
either make the Reg. Code "calzare" to our name (short and pretty way 
that I prefer: I don't need, nor care to prepare keygenerators for the 
stupid ones) 
I hope you have choosen the second way... 
Oh, nice, I'm glad you have done it :)
To understand where the program decides if our Reg. Code is the correct 
one or not we have to trace that call (CALL 00418D29). We see a lot code 
scrolling under our eyes and, quite at the end:

:00418F7D  8D8574FFFFFF	LEA	EAX,[EBP+FFFFFF74]	;Call result for name/reg
:00418F83  50		PUSH	EAX			;Save it
:00418F84  FF35706D4400	PUSH	DWORD PTR [00446D70]	;Call result for name/reg
:00418F8A  E871240100	CALL	0041B400		;Don't mind this call
:00418F8F  83C40C	ADD	ESP,0C			;Stack Correction
:00418F92  85C0		TEST	EAX,EAX
:00418F94  0F94C0	SETZ	AL
:00418F97  83E001	AND	EAX,01		;if EAX<>1 => EAX=0 =>
:00418F9A  A348074400	MOV	[00440748],EAX	;          =>Not Regged
:00418F9F  FF3528074400	PUSH	DWORD PTR [00440728]
:00418FA5  E8BA830100	CALL	00431364
:00418FAA  59		POP	ECX
:00418FAB  33C0		XOR	EAX,EAX
:00418FAD  A328074400	MOV	[00440728],EAX
:00418FB2  A148074400	MOV	EAX,[00440748]	;EAX=1 => WINRAR95 Regged
:00418FB7  5F		POP	EDI		;EAX=0 => WINRAR95 UnRegged
:00418FB8  5E		POP	ESI
:00418FB9  5B		POP	EBX
:00418FBA  8BE5		MOV	ESP,EBP
:00418FBC  5D		POP	EBP
:00418FBD  C3		RET

After the RET we find:

:004226DC  83C408	ADD 	ESP,08	    ;Stack Correction
:004226DF  85C0		TEST 	EAX,EAX	    ;Is EAX=1? No 	BAD_GUY :(
:004226E1  752F		JNZ 	00422712    ;          Yes	CLEVER_CRACKER


The code above convoys the previous CALL result. EAX=0 means you have 
entered a bad Reg.code; instead, if EAX=1, the Reg.code is RIGHT :).
The only thing to do is to FORCE this flag (EAX) to be true (1). 
How? 
Very easy. Do you remember:

:00418F8F  83C40C	ADD	ESP,0C
:00418F92  85C0		TEST	EAX,EAX
:00418F94  0F94C0	SETZ	AL
:00418F97  83E001	AND	EAX,01
:00418F9A  A348074400	MOV	[00440748],EAX

For our purpouse we can change this piece of code to make EAX=1.

:00418F8F  83C40C	ADD	ESP,0C
:00418F92  33C0		XOR	EAX,EAX		;Clear EAX just in case
:00418F94  B800010000	MOV	EAX,1		;EAX=1 =>REGGED
:00418F97  90		NOP
:00418F9A  A348074400	MOV	[00440748],EAX

The value of EAX now must be 1 so that whatever Name'n'Reg.code you use 
will be good. The program believes you've entered the right code so now 
you can enjoy all the features of this pretty program.

Ciao a tutti
						By Little-John

Ob duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
Final Notes
No final notes
way out
You are deep inside reverser's page of reverse engineering, choose your way out:

redBack to project 1
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_reverser
redIs reverse engineering legal?