I was storing some files on my webserver and my WinRAR license was past its due date (like a really long time) and the nag screen annoyed me as fuck. That's why I decided to reverse engineer it and write a tutorial about it.
WinRAR has a 32 and a 64 bit installer, whereas the previous target (Internet Download Manager) only has a 32 bit installer. Now, 32 bit applications run fine on 64 bit, but not vice versa. Olly can't handle 64 bit applications, and if you try to load the 64 bit WinRAR into Olly it will probably notify you that it couldn't load the file.
So, I fired up Google and started looking for license keys, and I found out that if you purchase a key, you will get a file named rarkey.key or rarreg.txt. This tells us the target has multiple license formats, which we can and will exploit.
Note that the JE instruction jumps over a call, which could be the function where the nag screen is located: call 13F169968. You might already have seen, because the byte distance between the last 2 addresses is minimal, that they are really close to each other. It could be some testing code or just there to brainfuck reversers, but as long as the code won't get executed we can leave it there and have no worries about it. This usually means the function we are in is inside a thread, which matches the behaviour of the nag screen.
Make sure you stand on the call instruction (like in the screenshot: the address on the left side is black at the call instruction, which means that is where we currently are). Step over some more instructions and you will see a few JEs. If you put a breakpoint on the first JE and run the program again (F9), you will notice it keeps getting hit. Whenever it hits the breakpoint and you hit F9 again, it will instantly hit the breakpoint again. I noticed after putting the breakpoint that 9/10 times it takes the second JE to the end of the method. If you have used WinRAR for a while you know that the nag screen appears randomly, so my guess would be this is the right method. Also, when you look through the method you will see strings like reminder and you will see the link that is on the nag screen.
Now whenever you resume the program and get past the breakpoint, a nag screen will appear. If you want it to stop (it will keep opening a nag screen every second), change it back to JE. But we don't want to see it 9/10 or 1/10 times, we don't want to see it at all. JMP (jump) means that it will always take the jump, no matter what, and that means we will never have to see the nag again :)