

The string in the title bar has changed to Registration has been successfully completed. Press F9 or the right arrow a couple of times until the application is running without pausing at a breakpoint. The instruction at 00007FF6A403AE4A should now be mov ecx, 368 as shown below. Click OK once, and then click Cancel to not further modify instructions. Modify the assembly by double clicking on it. In Resource Hacker we see the constant 872 mapped to the string Registration has been successfully completed.

We test this by changing 369 to another constant from the string table. The instruction that uses the constant is mov ecx, 369 which means copy the value 369 to the register ecx. As this is the only location where 369 is used it is highly likely that this instruction will load the evaluation copy string from the string table. You see that the constant is represented as 369, which is hexadecimal for 873. We are now in the CPU tab at the memory address that uses the constant. If nothing is found, make sure you are in the winrar.exe memory region by going to the Symbols tab and double clicking winrar.exe. Double click the search results to go to that address location in the CPU tab. This address is likely to be a bit different on your system, but the last two bytes should be the same: 4A. x64dbg finds one occurrence of the constant located at address 00007FF6A403AE4A. In the window that appears enter 873 in the Signed: box and click OK. Search for the constant 873 in x64dbg: right click somewhere in the CPU window and go to Search for -> Current module -> Constant. These constants are used in the executable to load the string mapped to it. The string evaluation copy appears to be in a string table with the constant 873 mapped to it. Run Resource Hacker and open the WinRAR.exe executable.
Windows applications can store strings in a string table ‘resource’, so we use a tool called Resource Hacker to read the string tables of the executable. The string cannot be found, so most likely it is not stored as consecutive characters in the executable. Enter evaluation copy in the search box below. Now you are in the References tab of x64dbg. Right click somewhere in the CPU window and go to Search for -> Current module -> String references. You are now in the winrar.exe region of the memory shown in the CPU tab. Go to the Symbols tab in x64dbg and double click the row that contains the winrar.exe module. You want to limit your search to only the WinRAR executable and not search all the other modules (DLLs) that are loaded by the application. In x64dbg you can search for strings in the executable. We don’t know what the string will be when the application is registered, but we know for sure that evaluation copy should not be shown.
If you think of how this application was written, somewhere in the code a decision must be made (if/else statement) to show the string evaluation copy instead of something else like registered. The application window states that this is an evaluation copy. The registration routine can be found in many ways, but usually a good place to search is for certain strings. The trick is to find that routine and modify it so that the application thinks it is registered. So somewhere in the executable there must be a function (routine in Assembly) that checks if the application is registered. When the application starts it must somehow check if the application is registered. Finding the routine that checks if the application is registered. The application is now running without pausing at any breakpoints. Click the right arrow located under the menu in x64dbg (or press F9) repeatedly until the text in the lower-left of the window stays at ‘Running’. Now the application is running inside the debugger and it will pause (break) at some address; this is the entry breakpoint. Run x64dbg and open the WinRAR.exe executable in x64dbg by pressing F3 to open a file. For address 00007FF6A403AE4A only check if 4A is the same. Only the last couple of bytes should be the same. Memory addresses mentioned in this tutorial are likely to be different on your system.
This tutorial describes how to crack Winrar.
