This tutorial describes how to crack Winrar.

Needed

Winrar 64-bit (version 5.40 and 5.60 are tested)

x64dbg site

Resource hacker site

Note

Memory addresses mentioned in this tutorial are likely to be different on your system. Only the last couple of bytes should be the same. E.g. for address 00007FF6A403AE4A only check if 4A is the same.

Load the application inside the debugger

Run x64dbg and open the WinRAR.exe executable in x64dbg by pressing F3 to open a file. Now the application is running inside the debugger and it will pause (break) at some address, this is the entry break point. Click the right arrow located under the menu in x64dbg (or press F9) repeatedly until the text in the lower-left of the window stays at ‘Running’.

The application is now running without pausing at any break points.

Finding the routine that checks if the application is registered

When the application starts it must somehow check if the application is registered. So somewhere in the executable there must be a function (routine in Assembly) that checks if the application is registered. The trick is to find that routine and modify it so that the application thinks it is registered. The registration routine can be found in many ways, but usually a good place to search is for certain strings. The application window states that this is an evaluation copy :

If you think of how this application was written, somewhere in the code a decision must be made (if/else statement) to show the string evaluation copy instead of something else like registered . We don’t know what the string will be when the application is registerd, but we know for sure that evaluation copy should not be shown.

Attack the string

In x64dbg you can search for strings in the executable. You want to limit your search to only the Winrar executable and not search all the other modules (DLL’s) that are loaded by the application. Goto the symbols tab in x64dbg and double click the row that contains the winrar.exe module.

You are now in winrar.exe region of the memory shown in the CPU tab. Right click somewhere in the CPU window and goto Search for -> Current module -> String references . Now you are in the References tab of x64dbg. Enter evaluation copy in the search box below.

The string cannot be found, so most likely it is not stored as consecutive characters in the executable. Windows applications can store strings in a string table ‘resource’, so we use a tool to read the string tables of the executable which is called Resource hacker.

Search for the string in string tables

Run Resource hacker and open the WinRAR.exe executable. Press ctrl+f to search for a string. Enter evaluation copy and click search. The string evaluation copy appears to be in a string table with the constant 873 mapped to it. These constants are used in the executable to load the string mapped to it. String tables are used to save memory.

Find constant mapped to the string

Search for the constant 873 in x64dbg: right click somewhere in the CPU window and goto Search for -> Current module -> Constant . In the window that appears enter 873 in the Signed: box and click OK.

x64dbg finds one occurance of the constant located at address 00007FF6A403AE4A . This address is likely to be a bit different on your system, but the last two bytes should be the same: 4A .

If nothing is found, make sure you are in the winrar.exe memory region by going to the Symbols tab and double clicking winrar.exe.

Double click the search results to go to that address location in the CPU tab. We are now in the CPU tab at the memory address that uses the constant. You see that the constant is represented as 369 , which is hexadecimal for 873 . The instruction that uses the constant is mov ecx, 369 which means copy the value 369 to the register ecx .

Change the string

As this is the only location where 369 is used it is highly likely that this instruction will load the evaluation copy string from the string table. We test this by changing 369 to another constant from the string table. In Resource Hacker we see the constant 872 mapped to the string Registration has been successfully completed . Modify the assembly by double clicking on it. Change 369 to 368 , which is 872 in hex. Click OK once, and then click cancel to not further modify instructions

The instruction at 00007FF6A403AE4A should now be mov ecx, 368 as show below:

Press F9 or the right arrow a couple of times until the application is running without pausing at a breakpoint. The string in the titlebar has changed to Registration has been successfully completed . We have verified that the constant 369 in the instruction is used for the evaluation copy string.

Find the registration-check routine

In WinRAR goto help -> about WinRAR. It still mentions the 40 days trial copy . We have only patched the executable to show another string. Logically, the string evaluation copy will be shown when the registration routine has decided that the application is not registered.

Have a look at the instructions surrounding the instruction where the constant 369 is used. More specifically, trace back which instructions preceded the instruction at 00007FF6A403AE4A , how did we get there? The only way that instruction could have been executed is by coming from address 00007FF7B91EAE20 , which is also made clear by the grey dashed arrow on the left of the addresses.

At 00007FF7B91EAE20 a conditional jump is done, ja , which means jump above. This means the jump will be taken when the zero flag ZF and the carry flag CF are set. These flags are in turn set by the instruction before that at 00007FF7B91EAE1D . There, the instruction cmp eax, 13 will compare the eax register with the value 13 (in hex), and set the ZF if eax <= 0x13 . Set a breakpoint at 00007FF7B91EAE20 by highlighting the row and pressing F2. Now restart the application by pressing ctrl+F2. Press F9 until x64dbg breaks at the breakpoint you just set at 00007FF7B91EAE20 . The value of eax are the 32 least significant bits of the rax register (image), which can be seen on the top-right window in x64dbg. The value of eax is FFFFFFEE .

This means the instruction you are at now, cmp eax, 13 , will result in a value that is higher than 0. This results in the CF flag not be set and the jump at ja is taken. We modify the eax register so that it contains a value <= 13 and the ja jump is not taken. Double click on the rax register, and enter the value 13 (or anything lower than 13).

Press OK and press F9 to continue execution. The string in the title bar has now changed to only xx days left to buy a license . Apparently this is not the registration flow we are looking for.

Trace back a bit trough the instructions in x64dbg. We are looking for jumps that will change the instruction flow to show another string in the title bar. At 00007FF70E2FAE0E there is a jump, jne , that jumps past both the instructions mov ecx, 368 and mov eax, 369 . jne stands for jump not equal and takes the jump when ZF == 0 . Right now the jump is not taken because we will end up in the instructions right after this jne . To see what will happen when the jump is taken, we change jne to jmp , so it will unconditionally jump. Set a break point at 00007FF70E2FAE0E and restart the application. Press F9 until the application pauses at the break point we just set. Press space to modify the row and change jne to jmp .

Press F9 again until the application runs. No string is shown any more in the title bar, this looks like the registration flow.

So when the jne is taken we get into the registration flow. The instruction at 00007FF70E2FAE07 that decides if the jne is taken, cmp byte ptr ds:[7FF7B92848E4],dil , compares the byte located at memory address 7FF7B92848E4 with the contents of the dil register. dil is the least significant byte of the rdi register.

We want to know what value is at memory location 7FF7B92848E4 and in dil when the application breaks at 00007FF70E2FAE07 , because this value decides whether we come in the registration flow or in the ‘evaluation’ flow. Set a break point at 00007FF70E2FAE07 , restart the application with ctrl+F2 and press F9 until you pause at the break point. Right click on the row where the cmp instruction is and goto Follow in Dump -> Constant: 7FF7B92848E4 .

The value of 7FF7B92848E4 and dil is both 00 . This means that the result of cmp byte ptr ds:[7FF7B92848E4],dil will be 0 and ZF will be set. jne is then not taken an we will enter the flow where the evaluation copy string is set.

We could trace back where dil is set or we can check whether the byte located at 7FF7B92848E4 is written to at some point. We do the latter first because this can be easily checked by setting a hardware write breakpoint at 7FF7B92848E4 . Right click on the 00 byte and goto Breakpoint -> Hardware, Write -> Byte .

This type of breakpoint will break when a value is written to that memory address. Now restart the application (ctrl+F2). Press F9 until you arrive the hardware breakpoint you just set.

x64 will break at 00007FF6F0E78FB1 , one instruction after the byte was written. So the byte was written at 00007FF6F0E78FAB , with the instruction mov byte ptr ds:[7FF6F0F148E4],al . We trace back again where al is modified. al is the the least significant byte of the rax register, which is used to hold return values of routines (functions). The instruction before this one at 00007FF6F0E78FA6 is a routine call. After exiting a routine call the return value is stored in rax . It is highly likely that the rax register is modified in there.

We have a look inside that routine by right clicking on the row and goto Follow in Disassembler -> click on the address.

We are now at the beginning of the routine that is very likely to modify the al ( rax ) register that eventually will decide if evaluation copy or no string is shown in the title bar.

We back trace from the end of the routine, which can be found by the ret instruction. We search for the instructions that modify the rax register.

Analysing the routine, at 00007FF70E2F80D4 the al register is specifically modified to contain the value 1 . This does not look like a coincidence. We test what execution path will be taken around this instruction mov al,1 by setting a break point at the beginning of the routine at 00007FF70E2F80A8 . Press F9 until we arrive at the break point and then press F8 (step over) until 00007FF70E2F80D2 . Then watch what happens when we press F9 again. je at 00007FF70E2F80D2 is taken and mov al,1 is not executed.

We check what happens when je is not taken by changing the je with nop instructions (we could also invert je to jne ). Break at the beginning of the routine. Click on the row with je and press space, enter nop and tick “keep size” and “fill with NOP’s”

nop means no-op and does not execute anything. So now the je has basically been erased and execution will continue at 00007FF70E2F80D4 . Press F9 until the application runs. The evaluation copy string is not in the title bar any more and the “about” window also shows that the application is registered to “” (empty). The application is now cracked.

Wrap up