<script language="JavaScript"> 



var message="Please don't remove the text..\n\n\n\Acid_Cool_178"; // Message for the alert box



function click(e) {

if (document.all) {

if (event.button == 2) {

alert(message);

return false;

}

}

if (document.layers) {

if (e.which == 3) {

alert(message);

return false;

}

}

}

if (document.layers) {

document.captureEvents(Event.MOUSEDOWN);

}

document.onmousedown=click;

// --> </script>



<html>



<head>

<title>Cracking WinRar 2.70 Beta 1</title>

</head>



<body>



<p align="center"><font face="Times New Roman"><big><big><big><big>Acid_Cool_178 <br>

presents he's</big></big></big></big></font></p>

<div align="center"><center>



<table border="1" width="177" height="14"

style="font-family: Times New Roman; font-size: 22pt; background-color: rgb(0,0,0); color: rgb(255,255,255)">

  <tr>

    <td width="177" height="14"><font color="#FF0000" face="Times New Roman">#35&nbsp;

    Tutorial</font></td>

  </tr>

</table>

</center></div>



<p>&nbsp;</p>

<div align="center"><center>



<table border="1" width="290" height="71">

  <tr>

    <td width="290" height="71" style="background-color: rgb(0,0,0); color: rgb(255,255,255)"><font

    color="#FF0000" face="Times New Roman"><big><big><big><big>For Hellforge</big></big></big></big></font></td>

  </tr>

</table>

</center></div>



<p><font face="Times New Roman">This Text Are Only Ment To Edcucational Purpose And Not To

Be Used Illegaly, I Take No Response For Illegal Use Of This Text. Move On On Your Risc.</font></p>



<table border="1" width="100%">

  <tr>

    <td width="100%" bgcolor="#FF0000"><font face="Times New Roman"><big><big>Athour

    Information</big></big></font></td>

  </tr>

</table>



<table border="1" width="99%">

  <tr>

    <td width="25%" align="left"><font face="Times New Roman">E-mail</font></td>

    <td width="75%" align="left" colspan="2"><font face="Times New Roman"><a

    href="mailto:acid_cool_178@hotmail.com">acid_cool_178@hotmail.com</a> </font></td>

  </tr>

  <tr>

    <td width="25%" align="left"><font face="Times New Roman">Age</font></td>

    <td width="75%" align="left" colspan="2"><font face="Times New Roman">17</font></td>

  </tr>

  <tr>

    <td width="25%" align="left"><font face="Times New Roman">Web Page</font></td>

    <td width="75%" align="left" colspan="2"><font face="Times New Roman"><a

    href="http://acidcool.cjb.net/" target="_blank">http://acidcool.cjb.net/</a> </font></td>

  </tr>

  <tr>

    <td width="25%" align="left"><font face="Times New Roman">Date</font></td>

    <td width="75%" align="left" colspan="2"><font face="Times New Roman">March 2K</font></td>

  </tr>

  <tr>

    <td width="25%" align="left"><font face="Times New Roman">Member in</font></td>

    <td width="38%" align="left"><font face="Times New Roman">Hellforge</font></td>

    <td width="37%" align="left"><font face="Times New Roman">Flying Horse Cracking Force</font></td>

  </tr>

  <tr>

    <td width="25%" align="left"><font face="Times New Roman">Groups Web Page</font></td>

    <td width="38%" align="left"><font face="Times New Roman"><a href="http://hforge.cjb.net/"

    target="_blank">Hellforge Login</a></font></td>

    <td width="37%" align="left"><font face="Times New Roman"><a href="http://FHCF.cjb.net"

    target="_blank">FHCF Login</a></font></td>

  </tr>

</table>



<p>&nbsp;</p>



<table border="1" width="100%">

  <tr>

    <td width="100%" bgcolor="#FF0000"><font face="Times New Roman"><big><big>Program

    Infromation</big></big></font></td>

  </tr>

</table>



<table border="1" width="99%">

  <tr>

    <td width="26%" rowspan="2"><font face="Times New Roman">Name</font></td>

    <td width="76%" colspan="5">WinRar 2.70 Beta 1</td>

  </tr>

  <tr>

    <td width="76%" colspan="5">winrar.exe</td>

  </tr>

  <tr>

    <td width="26%"><font face="Times New Roman">Size</font></td>

    <td width="76%" colspan="5">555KB (Only the EXE file)</td>

  </tr>

  <tr>

    <td width="26%"><font face="Times New Roman">Athour</font></td>

    <td width="76%" colspan="5">Eugene Roshal</td>

  </tr>

  <tr>

    <td width="26%"><font face="Times New Roman">Where to Downlaod</font></td>

    <td width="76%" colspan="5"><a href="http://www.download.com">www.download.com</a><br>

    <a href="http://www.winfiles.com">www.winfiles.com</a><br>

    <a href="http://www.shareware.com">www.shareware.com</a><br>

    <a href="http://www.rarsoft.net">www.rarsoft.net</a><br>

    <a href="http://www.rararchiver.com">www.rararchiver.com</a><br>

    <a href="http://www.nowpc.com">www.nowpc.com</a><br>

    <a href="http://www.rarsoft.de">www.rarsoft.de</a></td>

  </tr>

  <tr>

    <td width="26%" rowspan="3"><font face="Times New Roman">Tools used</font></td>

    <td width="39%" colspan="3" rowspan="3">W32Dasm<br>

    Hiew</td>

    <td width="37%" colspan="2"><font face="Times New Roman">Downlaod At</font></td>

  </tr>

  <tr>

    <td width="37%" colspan="2"><font face="Times New Roman">1. <a

    href="http://playtools.cjb.net/" target="_blank">Player Tools</a></font></td>

  </tr>

  <tr>

    <td width="37%" colspan="2"><font face="Times New Roman">2. <a

    href="http://protools.cjb.net/" target="_blank">Programmer Tools</a></font></td>

  </tr>

  <tr>

    <td width="26%" rowspan="2"><font face="Times New Roman">What kind of a program</font></td>

    <td width="43%" colspan="3"><font face="Times New Roman">Crackme</font></td>

    <td width="33%" colspan="2"><font face="Times New Roman">Shareware</font></td>

  </tr>

  <tr>

    <td width="43%" colspan="3" bgcolor="#FFFFFF">&nbsp;</td>

    <td width="33%" colspan="2" bgcolor="#000000">&nbsp;</td>

  </tr>

  <tr>

    <td width="26%" rowspan="2"><font face="Times New Roman">Skill</font></td>

    <td width="28%" colspan="2"><font face="Times New Roman">Easy</font></td>

    <td width="14%"><font face="Times New Roman">Not so easy</font></td>

    <td width="17%"><font face="Times New Roman">Hard</font></td>

    <td width="16%"><font face="Times New Roman">X-pert</font></td>

  </tr>

  <tr>

    <td width="13%" bgcolor="#FFFFFF">&nbsp;</td>

    <td width="13%" bgcolor="#000000">&nbsp;</td>

    <td width="14%">&nbsp;</td>

    <td width="17%">&nbsp;</td>

    <td width="16%">&nbsp;</td>

  </tr>

</table>



<p>&nbsp;</p>



<table border="1" width="100%">

  <tr>

    <td width="100%" bgcolor="#FF0000"><font face="Times New Roman"><big><big>Information

    about the Protection I</big></big></font></td>

  </tr>

</table>



<p>When you are running the program so can you see that it's unregistered and shareware.

It don't got any &quot;Enter code here&quot; stuff, the only protection are one NAG that

will pop up after 40 days. And some Commands are disabled.</p>



<table border="1" width="100%">

  <tr>

    <td width="100%" bgcolor="#FF0000"><font face="Times New Roman"><big><big>Before We Start</big></big></font></td>

  </tr>

</table>



<p>Now we have to NOP the NAG out and NOP are 90 in NEX. NOP means No Operation. If you

got any problems then please reas LaZaRuS Assemberly For Cracker II at the <a

href="http://hforge.cjb.net">Hellforge Site</a></p>



<p><strong>Task1</strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;-- Disabled

Function<br>

<strong>Task2</strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;-- Removing 40 Day

Protection<br>

<strong>Task3</strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;-- removing the

Evalution Copy in the titlebare og WinRar</p>



<table border="1" width="100%">

  <tr>

    <td width="100%" bgcolor="#FF0000"><font face="Times New Roman"><big><big>The Process</big></big></font></td>

  </tr>

</table>



<p><strong>Task1</strong><br>

Open WinRar in W32Dasm and under String Data References can you se this string Available

in registered version only&quot;<br>

Dubbelclick on that string twice and you can see this code<br>

<br>

00404D4D 803DAC5C460000 cmp byte ptr [00465CAC], 00<br>

:00404D54 7522 jne 00404D78

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <strong>

&lt;-- Make it to JMP</strong><br>

:00404D56 6A30 push 00000030<br>

*<br>

*<br>

*<br>

* Possible Reference to String Resource ID=00106: &quot;Available in registered version

only&quot;&nbsp;&nbsp;&nbsp; <strong>&lt;-- Bad Words<br>

|</strong><br>

:00404D60 6A6A push 0000006A<br>

:00404D62 E865330000 call 004080CC</p>



<p>This NAG will you find under Options--&gt;Settings--&gt;Logging--&gt;Log errors to file<br>

Scroll up to the Jump and in W32Dasm's statusbar can you see this. <br>

Line:8751 Pg 93 of 2181 Code Data @:00404D54 @Offset <strong>00004354</strong>h in

file:WinRAR.exe</p>



<p>The important here are the offset wich are 4354 the h indicates that it are in HEX.<br>

</p>



<p>Open WinRAR.exe in W32Dasm and press F4. Now you can choose between &quot;Text, Hex,

Decode&quot; Choose Decode. Press F5 wich are Goto and enter in the offset and enter. Now

you will stant at the jump. Press F3 wich will edit the Code and F2 and you will now edit

the ASM Code, change JE to JMP.<br>

Press enter to accept the cange and update the code by pressing F9 and exit by pressing

Escape og F10.<br>

<br>

Run WinRar and the messagebox are gone to hell :))<br>

<br>

Now, lets tight the 30 day trial.<br>

<br>

<strong>Task2<br>

</strong>Open the windows clock and move the date one month longer forward. I did change

2000 to 2001 :) I too lazy :D<br>

<br>

Now, run winrar and you can se one NAG comming up.<br>

Now we now that there are one place in theis code where it's comparing routine and it will

be easyer to find. I hope..</p>



<p>The NAG got the caption &quot;Please Register&quot; so in W32Dasm search for

&quot;Please Register and than you can see this.<br>

<strong>Name: REMINDER, # of Controls=007, Caption:&quot;Please register&quot;,

ClassName:&quot;&quot;</strong><br>

Then search for &quot;REMINDER&quot; and now you can see this code.</p>



<p>:004014F9 83F828 cmp eax, 00000028

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <strong>&lt;--28Hex

= 40 Dec</strong><br>

:004014FC 7F04 jg 00401502

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <strong>

&lt;-- Jump if EAX are over 40</strong><br>

:004014FE 85C0 test eax, eax

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <strong>

&lt;-- Tests again</strong><br>

:00401500 7D26 jge 00401528

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <strong>

&nbsp; &lt;-- Jump over the Reminder</strong><br>

*<br>

*<br>

* Possible StringData Ref from Data Obj -&gt;&quot;REMINDER&quot;<br>

|<br>

:00401517 68142C4600 push 00462C14<br>

:0040151C 8B0D04BC4600 mov ecx, dword ptr [0046BC04]<br>

:00401522 51 push ecx<br>

<br>

The first jump got the @Offset <strong>AFC </strong>wich you have to NOP<br>

The seccond jump have we to change to JMP and then everything are OK :)</p>



<p>Open Winrar.exe in Hiew, Press F4 and choose Decode. Goto offset AFC and at the jump <strong>ONLY

EDIT THE CODE </strong>by pressing F3 and type in 9090 (NOPNOP) and Update the file. The

last jump can be one small challange to you :D</p>



<p>Run the program and The NAG are gone :)</p>



<p><strong>Task3<br>

</strong>Search for evaluation copy and you can now see this code</p>



<p>:0041B942 83C40C add esp, 0000000C<br>

:0041B945 803DAC5C460000 cmp byte ptr [00465CAC], 00<br>

:0041B94C 752E jne 0041B97C

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <strong>&lt;--

Jump if still an evalution copy</strong><br>

<br>

* Possible Reference to String Resource ID=00873: &quot;evaluation copy&quot;<br>

|<br>

:0041B94E 6869030000 push 00000369<br>

:0041B953 E874C7FEFF call 004080CC<br>

:0041B958 50 push eax</p>



<p>Just change the JNE to JMP ant woala.</p>



<table border="1" width="100%">

  <tr>

    <td width="100%" bgcolor="#FF0000"><font face="Times New Roman"><big><big>Greetings</big></big></font></td>

  </tr>

</table>



<p><font color="#0000FF" face="Times New Roman">LaZaRuS, Wajid, Borna Janes, ManKind,

Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO. <a

href="mailto:Torn@d">Torn@d</a>o, ^AlX^&nbsp; and all the other i have forgotten</font></p>



<p>&nbsp;</p>



<p>&nbsp;</p>



<p>&nbsp;</p>



<p>&nbsp;</p>



<p>&nbsp;</p>

</body>

</html>

