INTRO
I have already explained cracking PowerISO yourself easily with some basic software. I thought that it would be more fun to move on to some difficult challenges. So, I picked this very well known software WinRAR. it is not that hard. but you can call this level 2 hard whereas PowerISO was level 1 hard. I don’t think that I will need to introduce this software. you may already know about this. I haven’t seen a single Windows user yet that doesn’t have WinRAR installed.
What does that mean by cracking WinRAR? well, you may see that after installing WinRAR, you may see an “evaluation copy” warning on the tab. if you have passed the time of your free trial, you may also see that registration pop-up every time you open it. so, we are going to do something that may prevent these such things to happen. we won’t see the “evaluation copy” warning and we won’t see the registration error pop-up again.
CRACK
First, we will start WinRAR and examine what we don’t want to appear while starting the WinRAR.
And I have still left some days to expire WinRAR. maybe that’s is why I am not getting that pop-up. but it is possible that you may be seeing it every time you start WinRAR. but I can see that string “evaluation copy”. So, we are going to remove it.
We are going to use x64dbg to disassemble the WinRAR.exe
. you can download this tool for free from here. after installing the x64dbg, open the WinRAR.exe
in it.
Screenshot:
Now search for the string “evaluation copy” by (CPU)Right-Click>Searchfor>AllModules>Strings.
Screenshot:
why can’t we see the string here in disassembler? so, x64dbg was searching for string references, not for strings. Since strings contained in resources aren’t referenced directly, but by ID, x64dbg doesn’t display them. but we can see it with the Resourcehacker tool.
Screenshot:
Press CTRL+F to search the string.
Screenshot:
Note down the id which is 873
. now go back to x64dbg and search for constant.
Screenshot:
And let the x64dbg do rest.
Screenshot:
Double click on the first result and it will take you to disassembly. remember that whatever memory addresses you can see in these photos will be different for you.
Screenshot:
so, as you can see that the string is being called when the program jumps to it. and we can bypass it easily. so, you can change the opcode or you can basically fill it with nops(\x90). I am filling it with nops.
Screenshot:
Now run it in x64dbg and see what do we have this time.
Screenshot:
well, I think that’s it for this article. I will make another part for removing the pop-up window. because I have noticed that you don’t read long articles.
Thanks For Visiting.
nice
Ok