After two fairly long and tough tutorials, I have finally reached the end of the Reverse Engineering series. I hope you enjoyed the previous two; they took a lot of effort to write. If you missed either of them, please go back and read them in order so that this tutorial makes sense.
Fast draft Assembly for basic Reverse Engineering
The basics of Computer Architecture for Reverse Engineering
Here I will show you how to practically reverse engineer WinRAR (any version) using OllyDbg. In this tutorial I will show you the attacker's approach of cracking a piece of software with only a basic understanding of Assembly. In my next practical reverse engineering tutorial I will show a more advanced approach.
So let's get started. You will need OllyDbg (v1.10) and WinRAR (any version).
Our target is to bypass the registration screen that pops up in front of us every time we load WinRAR. We have to prevent that screen from appearing without registering the software. So all we have to do is get rid of this reminder.
STEP 1 - Run OllyDbg and open WinRAR in it by dragging the executable and dropping it into OllyDbg.
STEP 2 - You will see a screen similar to the one in the figure. If you have read the previous two tutorials of this series, they will help you understand what appears in front of you; otherwise it will all look Greek. Go through the whole code once.
STEP 3 - Now right click on the CPU main thread module and go to Search For > All Referenced Text Strings.
STEP 4 - A new window containing all the referenced strings will open.
STEP 5 - Now right click on this new window and click on Search for text.
STEP 6 - Now search for "reminder" in the search box as shown in the figure.
STEP 7 - On pressing Enter you will land on the location of that string. You will see something similar to the one shown in the figure.
STEP 8 - Now double click it (reminder) and you will be taken to the main thread location of the string "reminder". Refer to the figure again. You have now reached the location responsible for generating the reminder message that pops up every time we start WinRAR. From here on you will need a basic understanding of Assembly.
STEP 9 - Upon careful analysis of the region around the "reminder" text you will find a statement similar to " JE SHORT winrar.00441219 ". If you remember what we learned in the previous tutorial, "JE" means "jump if equal". This means that if your copy of WinRAR is already registered, this instruction skips the code that shows the reminder message. So what should we do here so that it still doesn't display the reminder even though we have an unregistered copy of WinRAR?
STEP 10 - Now go to the jump statement and double click it. Change "JE SHORT winrar.00441219" to " JMP SHORT winrar.00441219 ". BUT WHY? Find out the answer yourself. If the concept is clear then you already have the answer.
STEP 11 - Now you have to save the changes to the executable to see whether you have performed the RE process correctly. All you need to do is go to the CPU main thread module, right click > Copy to executable > All modifications. Press Yes on the alert messages. You can either save it under the same name as winrar.exe to overwrite the previous file, or first save it under a different name to check whether you have succeeded.
Once you are done with the saving part, you can run the executable. If everything is right, you will not see any alert message this time. In my next tutorial I will bring a more advanced walkthrough that needs more Assembly and takes your hacking knowledge to the next level. Till then keep experimenting and keep learning. If you face any difficulty or have a doubt, add your comment here.
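Seen from the defender's side, the patch above works so easily because the program never checks whether its own code has been altered: a single changed instruction is enough and nothing notices. The following added example (my own illustration, not code from the tutorial or from WinRAR) shows the kind of integrity check that catches this. It builds a manifest of SHA-256 digests for a binary as a whole and per 4 KiB chunk, then verifies a copy against that manifest and reports which chunks changed. The 16 KiB "executable" it checks is a constructed byte buffer, so the example runs offline; `build_manifest`, `verify` and `demo` are names I chose for this illustration.

```python
"""Chunked SHA-256 integrity manifest for an executable (added defensive example)."""
import hashlib
import json
from typing import Dict, List

CHUNK_SIZE = 4096  # per-chunk digests let the check say roughly where a change is


def _chunk_digests(data: bytes, chunk_size: int) -> List[str]:
    """SHA-256 of every chunk_size slice of data, in order."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def build_manifest(data: bytes, chunk_size: int = CHUNK_SIZE) -> Dict[str, object]:
    """Record size, whole-file digest and per-chunk digests of a known-good binary."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "chunk_size": chunk_size,
        "chunks": _chunk_digests(data, chunk_size),
    }


def verify(data: bytes, manifest: Dict[str, object]) -> List[int]:
    """Return the indices of chunks that no longer match the manifest.

    An empty list means the binary is byte-for-byte the one the manifest
    was built from. A truncated or extended file shows up as mismatches in
    the trailing chunks, because a missing chunk never matches a recorded one.
    """
    chunk_size = int(manifest["chunk_size"])
    expected = list(manifest["chunks"])
    actual = _chunk_digests(data, chunk_size)
    changed = []
    for idx in range(max(len(expected), len(actual))):
        exp = expected[idx] if idx < len(expected) else None
        act = actual[idx] if idx < len(actual) else None
        if exp != act:
            changed.append(idx)
    return changed


def verify_file(path: str, manifest_path: str) -> List[int]:
    """Same check against real files: a binary on disk and a JSON manifest."""
    with open(path, "rb") as fh:
        data = fh.read()
    with open(manifest_path, "r", encoding="utf-8") as fh:
        manifest = json.load(fh)
    return verify(data, manifest)


def demo():
    """Constructed stand-in for a binary: 16 KiB of repeating bytes (not a real PE)."""
    original = bytes(range(256)) * 64
    manifest = build_manifest(original)

    # A one-byte change at offset 5000, the footprint a patched jump would leave.
    tampered = bytearray(original)
    tampered[5000] ^= 0xFF

    intact = verify(original, manifest)          # []  : nothing changed
    patched = verify(bytes(tampered), manifest)  # [1] : offset 5000 lies in chunk 1
    truncated = verify(original[:10000], manifest)  # [2, 3]: partial chunk 2, chunk 3 gone
    return intact, patched, truncated


if __name__ == "__main__":
    for label, result in zip(("intact", "patched", "truncated"), demo()):
        print(f"{label:10s} changed chunks: {result}")
```

The manifest has to live somewhere the person patching the binary cannot also rewrite, for example signed alongside the installer or checked by a separate updater; a digest stored inside the same executable is just one more byte sequence to edit. Code signing does this at the operating-system level, which is why a patched build of a signed program fails its signature check.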