reverse practice: 32-bit and 64 bit winrar cracking and de advertising

Posted by tzul at 2020-03-13

Shandong new trend information

Professional focus excellence safety

Statement: original article of tide security team, reprint please state the source! The technologies, ideas and tools involved in this article are only for learning and exchange for safety purposes, and no one is allowed to use them for illegal purposes and profit purposes, or the consequences will be borne by themselves!

The first thing to crack is the 32-bit winrar

As we all know, when we use winrar to decompress files, this annoying ad page will pop up. Today, we are going to solve this ad page.

Cracking tools: OD, spy++

By using Spy + +, we can see that the class of advertising window is rarreminder, which we will remember to use later to filter breakpoints.

Because we want to pop up an ad window, we can guess the API to create the window, and then set the API breakpoint. For example, we can guess that the API he uses is the API such as createwindowexw or createwindowexa. Then we can set the API breakpoint according to our guess

Open od debugging WinRAR, first enter the API breakpoint under BP createwindowexw in the command window below, and press enter to observe whether the breakpoint list window is broken successfully

Click to view the breakpoint window, and then press F9 to run the program

Find that the program breaks here, and then we find the code calling this function through stack backtracking. Press enter at the position indicated by the arrow below to enter

Then slide the mouse up to see the createwindowexw function, and press Ctrl + A to analyze the parameter data of the function

We can see from the function prototype that the second parameter class is a pointer to the registered class name.

According to the class name of the advertising window we used Spy + + to view above, we can use this conditional breakpoint to make filtering, let the program break at the place where the class name is rarreminder, we return to the place where the breakpoint of createwindowexw just broke and add the conditional input [Unicode [ESP + 0x8]] = = "rarreminder"

Then press F9 to run the program, the program will break, and the stack is shown as follows

It means that we have correctly broken to the creation of the advertisement window, and then through the stack traceback point to the above call to createwindowexw, press enter to return to the place where this function is called, and then press Ctrl + A to analyze, as shown in the following figure

At this point, we can modify the assembly code to skip to the next line of instructions of createwindowexw without executing the createwindowexw to create the advertisement. Press the space at 13fa879 above

Directly input the assembly instruction shown in the figure below and confirm. Click on the modified assembly instruction and you will find the ellipse circle as shown in the figure below. The next instruction of createwindowexw function will be displayed

Then we can right-click to copy to the executable - "all modifications -" copy all right-click in the window out, and click save

My name is WinRAR go to the ad board. At this time, we click to open it. We can't see the pop-up of the ad page. We go to the ad and it's finished.

But at this time, our software just removes the advertisement, not the permanent free version. With the passage of time, the software will pop up such an annoying window as shown in the figure below (PS: if it doesn't pop up, modify the next system time later, such as one year later):

This is very uncomfortable, how to do, get rid of it!!!!

Because it can be seen from the observation that the pop-up is modal, and there are text and many buttons in it, so we guess that dialogboxparama / W is used, and then we can try the same API breakpoint as above

Drag our WinRAR to the ad board into od: enter the API breakpoint, and then run F9

It is found that the breakpoint is broken, as shown in the figure below. Press enter to trace back to the place where this function is called:

Press enter and Ctrl + A to analyze:

For this function prototype, 5 parameters correspond to the OD shown above.

We went up and found a je command.

This indicates that only when test Al, Al makes ZF = 1 can the jump be made:

At this time, click the observation room to jump to the top, that is, do not execute the code below to create the prompt purchase window, then we can directly make it do not need to judge the jump, just change JE jump to JMP jump

Let's try

At this time, after modification and saving, the running found that the registration and purchase window was missing, and the test of modifying the system time again would not pop up again, even if the real success was achieved.

But the students who will have obsessive-compulsive disorder will say, I look at the title (non-commercial personal edition) above and I will not stop until I change my name, OK, no problem, don't say more, let's do it.

Because according to the API of setting window title, we guess that the API of setwindowtextw should be used, so we set the API breakpoint. Follow the previous steps to find the code calling this function, as shown in the figure:

Here I introduce two ways to modify the title,

First, this method must remove the random base address of the program before modifying the assembly code.

The way to remove the random base address is as follows: open our program with 010editor, click the ntheader indicated by the arrow below, find 4081 in the blue data block above, and then modify it to 0081 (friends who know PE files can find this field layer by layer, that is, word image? Dllcartistics? Dynamic? Base , change the value 1 to 0); Ctrl + s save

Let's go back to OD: This is the prototype of SetWindowText function. The parameters are described as follows

Now we know that the text parameter is the window title

Because we have modified the random base address (if we don't modify the random address, we need to relocate ourselves, calculate the address of the pressed string, and then push), so we can directly modify the content stored in ECX, for example, I want to change it to Zheng xiaolun's special edition, so we first search a space of 0 for our new title by Ctrl + B

Then click OK and double-click on the assembly code for 00 to write our new title in the memory window. Remember the first address of this string

Because this API is setwindowtextw, we need to write our title in Unicode.

Then we go back to the text position

Then copy it to the executable file as shown before, and then run it to see the effect as follows:

After that, we will introduce a method to modify the title without removing the random base address.

The second way to modify the title:

Let's use Ctrl + B to find a space of 0 to write the title we want, and remember the first address of the string we stored

At this time, we will return to the previous position and modify the way to get the string. Modify the assembly code at 00be3770.8d8c24 040400 > lea ECX, DWORD PTR SS: [ESP + 0x404] of the original code as follows

Because we have not removed the random base address of the program itself, it is not feasible to modify the address directly by using the first method. We use the relative position to find the string region defined by ourselves. Because the relative position will not change no matter how the base address is changed, the relative distance of the two instructions will not change, so we use call as shown in the figure above 0x00be3775 (that is, the address of the next hop instruction). In this way, the address of the next instruction is pushed into the stack. Then we jump to a useless empty space (JMP is selected to 0x00be3797 in the above figure) and pop At this time, ECX is equivalent to assigning the address just pushed into the stack to ECX, and then we subtract the address of ECX (0xbe3775) from the first address of our custom string (0xc1ccb6) to get a relative difference of 0 × 39541, so we add ECX, 0 × 39541, find the location of our string, store it in ECX, and then JMP returns to pushecx, push EDX. In this way, the incoming parameter text, that is, ECX, is our own defined string, so that we can modify the title under random base address. Run the program to see the following effect:

If the modification is successful, then it will be a real success.

Of course, we can also use software such as reshack to modify the title of the software. We will not repeat it here.

The new 64 bit WinRAR has directly changed the ad page into a daily point of view, and sometimes the pop-up interface is flashy and can't be seen, so it's more annoying than a single ad page before, so today we will remove it.


First, we need to drag winrar.exe into x64dbg

Then we press F9 to run until the position indicated in the figure below is in operation, not paused


At this time, you can see that the hateful advertising window is popping up


At this time, we will enter the next destroywindow API breakpoint in x64dbg, as shown in the figure below, enter BP destroywindow, press enter, and then check the breakpoint list to confirm whether the disconnection is successful


Then we click to close the advertisement page, and the breakpoint will break. Then we press enter at the position shown in the figure below to backtrack the stack and find the function calling destorywindow

Then we analyze this function, because the position of the command call destorywindow is 0x00007ff676dcfc0b, We can copy this address for backup. Right click on the specified instruction - > copy - > address to copy it. Then we can find a suitable location to jump to the copied address directly, so that we can directly execute the destroy window function, and achieve the purpose of advertising.


We find the starting position of the function calling destorywindow function, that is, the mouse is drawn on the Internet until it reaches the position shown below. We can see a lot of JE jumps when we look down. There is no specific analysis on the situation of jump, so we directly change the first JE to JMP 0x00007ff676dcfc0b That's where we found the call store window command

After modification, click the icon of the image band aid to save it as exe, then replace the original winrar.exe, and then open it to find that the hateful advertising page has been eliminated, so that we can decompress the file every time by one second, 10 times by ten seconds, and 1000 times by one hour. Think it's really profitable~

PS: this post is only for my friends to solve some problems in life. It's not a technical post, because I was also a student when I wrote this post. If there is any mistake, please give me more advice. I'm very grateful. (●’◡’●)




Gu n








Tide security team was formally established in January 2019. It is a security team under the banner of new information, aiming at the research of Internet attack and defense technology. At present, it has gathered more than ten professional security attack and defense technology researchers, focusing on network attack and defense, web security, mobile terminals, security development, IOT / Internet of things / industrial control security and other directions.

For more Tide security teams, please pay attention to team official website: or long by two-dimensional code, pay attention to official account number: