Tuesday, September 27, 2011

Practical Reverse Engineering Tutorial - Cracking Winrar

After two fairly long and tough tutorials, I have finally reached the end of the Reverse Engineering series. I hope you enjoyed the previous two; they took a lot of effort. In case you have missed either of them, please go back and read them in order, so that you have a clear understanding of this tutorial:

Fast draft Assembly for basic Reverse Engineering

The basics of Computer Architecture for Reverse Engineering

Here I will show you how to practically reverse engineer WinRAR (any version) using OllyDbg. In this tutorial I show the attacker's approach: simply hacking a piece of software with just a basic understanding of Assembly. In my next practical reverse engineering tutorial I will show a more advanced approach.

So let's get started. You will need OllyDbg (v1.10) and WinRAR (any version).

NOTE - Click on the images to have a larger and clearer view for better understanding.

Our target is to bypass the registration screen that pops up in front of us every time we load WinRAR. We have to prevent that screen from appearing without registering the software. So all we have to do is get rid of this Reminder.

STEP 1 - Run OllyDbg and open WinRAR in it by dragging the executable and dropping it onto OllyDbg.

STEP 2 - You will find a screen similar to the one in the figure. If you have read the previous two tutorials of this series, they will help you understand what appears in front of you; otherwise everything will look like Greek. Go through the whole code once.



STEP 3 - Now right click in the CPU main thread window and go to Search for > All referenced text strings.


STEP 4 - A new window containing all the referenced strings will open.

STEP 5 - Now right click in this new window and click on Search for text.


STEP 6 - Now search for "reminder" in the search box as shown in the figure.


STEP 7 - On pressing Enter you will be taken to the location of that string. You will see something similar to the one shown in the figure.



STEP 8 - Now double click it (reminder) and you will be taken to the place in the main thread where the string "reminder" is used. Refer to the figure again. You have now reached the code that is responsible for generating the reminder message that pops up every time we start WinRAR. From here on you will need a basic understanding of Assembly.



STEP 9 - Upon careful analysis of the region around the "reminder" text you will find a statement similar to this: " JE SHORT winrar.00441219 ". If you remember what we learned in the previous tutorial, "JE" means "jump if equal". So if your copy of WinRAR is already registered, the comparison before this jump comes out equal and the jump skips over the code that displays the reminder message. The question now is what we should do here so that the reminder is not displayed even though we have an unregistered copy of WinRAR.

STEP 10 - Go to the jump statement and double click it. Now change "JE SHORT winrar.00441219" to " JMP SHORT winrar.00441219 ". BUT WHY? Find out the answer yourself. If the concept is clear then you already have the answer.



STEP 11 - Now you have to save the changes to the executable to see whether you have performed the RE process correctly or not. All you need to do is go to the CPU main thread window, right click > Copy to executable > All modifications. Press Yes for the alert messages. You can either save it with the same name, winrar.exe, to overwrite the previous file, or you can first save it under a different name to check whether you have succeeded or not.
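The defender's side of Step 11, as an added example that is not part of the original tutorial: an executable saved with "Copy to executable" no longer matches the build the vendor shipped, and a recorded release hash exposes that even when only a single instruction was changed. The Python below works on a constructed stand-in file rather than winrar.exe: it records the hash the way a release manifest would, flips one byte to stand in for a single-instruction edit, and shows the verification fail. `find_changed_offsets` is a helper written for this example, not an OllyDbg or WinRAR feature.

```python
"""Detecting a patched executable with a file-integrity check (added example)."""
import hashlib
import os
import tempfile
from typing import List, Tuple


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path: str, expected_sha256: str) -> bool:
    """True if the file on disk still matches the hash recorded for the shipped build."""
    return sha256_file(path) == expected_sha256.lower()


def find_changed_offsets(original: bytes, patched: bytes) -> List[int]:
    """Byte offsets where two images differ; used for triage once verify() fails.
    A length change is reported as a single offset at the shorter length."""
    if len(original) != len(patched):
        return [min(len(original), len(patched))]
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def demo() -> Tuple[bool, bool, int]:
    """Constructed scenario: hash a stand-in 'binary', then flip one byte (the
    footprint of a one-instruction patch) and re-check.
    Returns (ok_before, ok_after, number_of_changed_bytes)."""
    original = bytes(range(256)) * 4  # constructed stand-in for an executable image
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.exe")
        with open(path, "wb") as f:
            f.write(original)
        known = sha256_file(path)  # what a release manifest would record
        ok_before = verify(path, known)

        patched = bytearray(original)
        patched[0x123] ^= 0xFF  # one byte changed at an arbitrary, constructed offset
        with open(path, "wb") as f:
            f.write(bytes(patched))
        ok_after = verify(path, known)
        n_changed = len(find_changed_offsets(original, bytes(patched)))
    return ok_before, ok_after, n_changed


if __name__ == "__main__":
    print(demo())
```

In practice the known hash comes from the vendor's release manifest or from the Authenticode signature on the file, and the check belongs in an endpoint integrity monitor or deployment pipeline rather than inside the application, because a check that lives in the same binary is subject to the same kind of edit the tutorial performs.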

Once you are done with the saving part, you can run the executable. If everything is right, you will not see any alert message this time. In my next tutorial I will bring a more advanced tutorial that needs more Assembly and takes your hacking knowledge to the next level. Till then, keep experimenting and keep learning. In case you face any difficulty or doubt, add your comment here.

14 comments:

  1. Thanks for the great engineering tutorial, really helpful.

  2. I'm having trouble with it... while searching for "reminder" in referenced text, OllyDbg is not able to find it. I ticked 'use entire scope' and unticked 'case sensitive'; it still didn't work, it says item not found.

  3. @Pramod: can't really say what the problem is, because it works fine... make sure you make the search from the top option. Don't scroll down and then make a search... In case you are still not able to find it, then manually analyse every line to find "reminder"... this process can be time-consuming but I can't really figure out any other solution...

  4. Problem solved... great tutorial.

  5. Everything works fine..
    I got a problem at the end... The file is not getting saved.. It's showing me an error that "cannot save with this name".. I tried different names.. Still the problem persists..!!!

  6. @Srinivas: change the working drive.. you might be saving it in the C drive, which is protected by Windows... try saving it in the D drive or reduce the privacy setting of the C drive, then it will get saved.. Hope this helps.. Comment back for any other query.

  7. Thanks for your response. It's saving now.
    Changed the drive.
    Waiting for advanced cracking tutorials..
    Please post some more on practical reverse engineering. This is not to crack the software, but to get a deeper understanding..

    Thanks a lot Abhinav...

  8. OllyDbg can't load WinRAR 64-bit.

  9. This is so interesting to read this article. The game was so wonderful. At each moment it was surprising.

  10. Nothing shows when I enter "reminder".

  11. Hello, I want to ask, is there a way to hack the WinRAR password?

  12. I want a perfect working step-by-step procedure for cracking the password for a WinRAR file.
    Please share it @ pittalanaveen0@gmail.com
    Would be thankful to you. :)

  13. Also see my blog to learn hacking tips and tricks.

  14. Here I have a lot more cool tricks you can get: http://tips0808.blogspot.com