[原创]最新Winrar 32位版本爆破笔记
发表于: 2019-7-10 07:19 5264
看到了许多论坛的朋友分享的winrar破解的教程,参考大神们的教程我也整理了一篇文章,分享给同样菜菜的我们,希望大家能够共同学习到一些经验和方法。
winrar.com.cn 发行的这个版本每次运行都会弹出广告窗口,并且主窗口标题栏会显示许可到期时间的提醒,本文的目标就是通过修改二进制去掉这两项。先提醒一句:直接改写 exe 会让文件原有的数字签名(如果有)失效,改过的程序不再具备发布方的完整性保证,只适合在隔离的虚拟机里当作逆向练习,不要拿去分发或放到日常使用的机器上(从后面截图里 C:\Users\IEUser 这个路径看,作者应该也是在测试虚拟机里做的)。
本文分析的是 WinRAR 32 位 5.71 版,下面出现的所有地址和补丁位置只对这个版本的 32 位文件有效,换版本或换 64 位文件都不能照搬。下载地址如下,注意链接是明文 http,下载后应先核对安装包的数字签名或哈希再运行:
http://www.winrar.com.cn/download/wrar571scp.exe
64位下载地址(仅供参考,本文的地址和补丁不适用于 64 位版本):
http://www.winrar.com.cn/download/winrar-x64-571scp.exe
所需工具: OllyDbg(吾爱破解修改版)、Binary Ninja(官方 demo 版即可)。提醒一下,第三方修改过的调试器本身就是一个供应链风险,来源不透明,建议只在隔离的分析虚拟机里使用,不要装在工作机上。
https://down.52pojie.cn/Tools/Debuggers/%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%E4%B8%93%E7%94%A8%E7%89%88Ollydbg.rar
https://cdn.binary.ninja/installers/BinaryNinja-demo.exe
本文参考了飘云上一位牛人的文章:https://www.chinapyg.com/forum.php?mod=viewthread&tid=125493&highlight=winrar
该方法非常理想,所以借鉴了一下,适合我这种菜菜来练习动手能力。
使用OD加载winrar,如图:
按 F9 运行 WinRAR,等主窗口和广告窗口都弹出来以后按 F12 暂停程序,然后点击 OD 工具栏上的“K”按钮(或按 ALT+K)打开调用堆栈窗口,看一下弹窗之前都经过了哪些函数调用,得到如下图所示:
这一步要注意:一定要等广告窗口正常弹出、并且没有其他提示框的时候再暂停并查看堆栈;如果暂停时程序停在别的地方(例如调试时遇到的下图这种情况),堆栈里就看不到我们要找的那条调用:
只有在正常看到广告页的情况下,才会停在下图这一步。
右击最后一条调用如图所示,选择“显示调用”命令。
得到如下图的调用位置:
在该位置直接按回车(跟随)或者用 F7 单步进入,就能看到下面这段汇编,它是主窗口创建前后的初始化流程,我们要改的两处——去广告和去标题栏的许可过期提示——都在这里面,结合 OD 给出的 API 注释(CreateWindowExW、IsWindowVisible、DestroyWindow 等)就能判断。另外注意 OD 显示的是本次运行时的地址,下面的 00AE1520 只是这一次运行的值,换一次运行或换一台机器都可能不同(后文用 Binary Ninja 打补丁时会讲到怎么换算):
00AE1520 $ 55 push ebp 00AE1521 . 8DAC24 E8CFFF>lea ebp,dword ptr ss:[esp-0x3018] 00AE1528 . B8 18300000 mov eax,0x3018 00AE152D . E8 9E3F0100 call WinRAR.00AF54D0 00AE1532 . 6A FF push -0x1 00AE1534 . 68 5832B100 push WinRAR.00B13258 00AE1539 . 64:A1 0000000>mov eax,dword ptr fs:[0] 00AE153F . 50 push eax 00AE1540 . 83EC 14 sub esp,0x14 00AE1543 . A1 341BB300 mov eax,dword ptr ds:[0xB31B34] 00AE1548 . 33C5 xor eax,ebp 00AE154A . 8985 14300000 mov dword ptr ss:[ebp+0x3014],eax 00AE1550 . 53 push ebx 00AE1551 . 56 push esi 00AE1552 . 57 push edi 00AE1553 . 50 push eax 00AE1554 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC] 00AE1557 . 64:A3 0000000>mov dword ptr fs:[0],eax 00AE155D . 8965 F0 mov dword ptr ss:[ebp-0x10],esp 00AE1560 . 8BB5 20300000 mov esi,dword ptr ss:[ebp+0x3020] 00AE1566 . 6A 01 push 0x1 00AE1568 . E8 531EFBFF call WinRAR.00A933C0 00AE156D . 68 05800000 push 0x8005 ; /ErrorMode = SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX 00AE1572 . FF15 0442B100 call dword ptr ds:[<&KERNEL32.SetErrorMo>; \SetErrorMode 00AE1578 . B9 A04BB400 mov ecx,WinRAR.00B44BA0 00AE157D . E8 DED3F7FF call WinRAR.00A5E960 00AE1582 . C605 D592B300>mov byte ptr ds:[0xB392D5],0x0 00AE1589 . C705 F0A2B300>mov dword ptr ds:[0xB3A2F0],0x0 00AE1593 . FF15 F441B100 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentThreadId 00AE1599 . A3 F4A2B300 mov dword ptr ds:[0xB3A2F4],eax 00AE159E . 6A 00 push 0x0 ; /EventName = NULL 00AE15A0 . 6A 00 push 0x0 ; |InitiallySignaled = FALSE 00AE15A2 . 6A 01 push 0x1 ; |ManualReset = TRUE 00AE15A4 . 6A 00 push 0x0 ; |pSecurity = NULL 00AE15A6 . FF15 6841B100 call dword ptr ds:[<&KERNEL32.CreateEven>; \CreateEventW 00AE15AC . A3 F8A2B300 mov dword ptr ds:[0xB3A2F8],eax 00AE15B1 . 68 04DEB100 push WinRAR.00B1DE04 ; /MsgName = "WMUser_DisplayError" 00AE15B6 . FF15 7445B100 call dword ptr ds:[<&USER32.RegisterWind>; \RegisterWindowMessageW 00AE15BC . A3 20A3B300 mov dword ptr ds:[0xB3A320],eax 00AE15C1 . 
68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General" 00AE15C6 . E8 C504FCFF call WinRAR.00AA1A90 00AE15CB . 84C0 test al,al 00AE15CD . 0f94c3 sete bl 00AE15D0 . 885D EF mov byte ptr ss:[ebp-0x11],bl 00AE15D3 . 6A 01 push 0x1 00AE15D5 . 68 00080000 push 0x800 00AE15DA . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000] 00AE15E0 . 50 push eax 00AE15E1 . E8 EAA3F9FF call WinRAR.00A7B9D0 00AE15E6 . 68 00080000 push 0x800 00AE15EB . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000] 00AE15F1 . 50 push eax 00AE15F2 . E8 1993F9FF call WinRAR.00A7A910 00AE15F7 . 68 00080000 push 0x800 00AE15FC . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000] 00AE1602 . 50 push eax 00AE1603 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log" 00AE1608 . E8 4312FBFF call WinRAR.00A92850 00AE160D . 68 00080000 push 0x800 00AE1612 . 68 CC89B100 push WinRAR.00B189CC ; UNICODE "rar.log" 00AE1617 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log" 00AE161C . E8 EF11FBFF call WinRAR.00A92810 00AE1621 . 6A 00 push 0x0 00AE1623 . 56 push esi 00AE1624 . B9 08F0B600 mov ecx,WinRAR.00B6F008 00AE1629 . E8 12AEFAFF call WinRAR.00A8C440 00AE162E . 68 2CDEB100 push WinRAR.00B1DE2C ; UNICODE "winrar.lng" 00AE1633 . B9 0CF0B600 mov ecx,WinRAR.00B6F00C 00AE1638 . E8 639FFAFF call WinRAR.00A8B5A0 00AE163D . 56 push esi 00AE163E . E8 ADDBFFFF call WinRAR.00ADF1F0 00AE1643 . 85C0 test eax,eax 00AE1645 . 0F84 66060000 je WinRAR.00AE1CB1 00AE164B . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20] 00AE164E . E8 AD11FFFF call WinRAR.00AD2800 00AE1653 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0 00AE165A . 8935 04F0B600 mov dword ptr ds:[0xB6F004],esi 00AE1660 . B9 F0B5B500 mov ecx,WinRAR.00B5B5F0 00AE1665 . E8 8643F2FF call WinRAR.00A059F0 00AE166A . E8 6137FEFF call WinRAR.00AC4DD0 00AE166F . E8 4CEAFDFF call WinRAR.00AC00C0 00AE1674 . E8 07FBFFFF call WinRAR.00AE1180 00AE1679 . 
68 44DEB100 push WinRAR.00B1DE44 ; /MutexName = "WinRAR_Busy" 00AE167E . 6A 00 push 0x0 ; |InitialOwner = FALSE 00AE1680 . 6A 00 push 0x0 ; |pSecurity = NULL 00AE1682 . FF15 5C43B100 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexW 00AE1688 . A3 D092B300 mov dword ptr ds:[0xB392D0],eax 00AE168D . 6A 00 push 0x0 ; /Title = NULL 00AE168F . 68 B858B100 push WinRAR.00B158B8 ; |Class = "WinRarWindow" 00AE1694 . FF15 8C45B100 call dword ptr ds:[<&USER32.FindWindowW>>; \FindWindowW 00AE169A . 8BF8 mov edi,eax 00AE169C . 897D E8 mov dword ptr ss:[ebp-0x18],edi 00AE169F 6A 00 push 0x0 ; /lParam = NULL 00AE16A1 56 push esi ; |hInst = 00DBCB64 00AE16A2 6A 00 push 0x0 ; |hMenu = NULL 00AE16A4 6A 00 push 0x0 ; |hParent = NULL 00AE16A6 68 00000080 push 0x80000000 ; |Height = 80000000 (-2147483648.) 00AE16AB 68 00000080 push 0x80000000 ; |Width = 80000000 (-2147483648.) 00AE16B0 68 00000080 push 0x80000000 ; |Y = 80000000 (-2147483648.) 00AE16B5 68 00000080 push 0x80000000 ; |X = 80000000 (-2147483648.) 00AE16BA 68 0000CF06 push 0x6CF0000 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_CLIPSIBLINGS|WS_CLIPCHILDREN|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION 00AE16BF 68 6C71B100 push WinRAR.00B1716C ; |WindowName = "WinRAR" 00AE16C4 68 B858B100 push WinRAR.00B158B8 ; |Class = "WinRarWindow" 00AE16C9 6A 10 push 0x10 ; |ExtStyle = WS_EX_ACCEPTFILES 00AE16CB FF15 A045B100 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW 00AE16D1 . A3 AC81B300 mov dword ptr ds:[0xB381AC],eax 00AE16D6 . 85C0 test eax,eax 00AE16D8 . 0F84 C4050000 je WinRAR.00AE1CA2 00AE16DE . 50 push eax 00AE16DF . B9 0CF0B600 mov ecx,WinRAR.00B6F00C 00AE16E4 . E8 F7A6FAFF call WinRAR.00A8BDE0 00AE16E9 . 6A 00 push 0x0 00AE16EB . E8 60DAFFFF call WinRAR.00ADF150 00AE16F0 . E8 8BF8FFFF call WinRAR.00AE0F80 00AE16F5 . 84DB test bl,bl 00AE16F7 . 74 1A je short WinRAR.00AE1713 00AE16F9 . E8 D22EFCFF call WinRAR.00AA45D0 00AE16FE . 84C0 test al,al 00AE1700 . 75 11 jnz short WinRAR.00AE1713 00AE1702 . 
6A 01 push 0x1 00AE1704 . 6A 00 push 0x0 00AE1706 . E8 D596F2FF call WinRAR.00A0ADE0 00AE170B . 84C0 test al,al 00AE170D . 75 04 jnz short WinRAR.00AE1713 00AE170F . B7 01 mov bh,0x1 00AE1711 . EB 02 jmp short WinRAR.00AE1715 00AE1713 > 32FF xor bh,bh 00AE1715 > 8D85 00300000 lea eax,dword ptr ss:[ebp+0x3000] 00AE171B . 50 push eax 00AE171C . E8 FF8BF2FF call WinRAR.00A0A320 00AE1721 . 0FB785 003000>movzx eax,word ptr ss:[ebp+0x3000] 00AE1728 . 50 push eax ; /StringOrChar = 27BC 00AE1729 . E8 5247FBFF call <jmp.&USER32.CharUpperW> ; \CharUpperW 00AE172E . 0FB7F0 movzx esi,ax 00AE1731 . 68 34040000 push 0x434 00AE1736 . 6A 00 push 0x0 00AE1738 . 68 38A3B300 push WinRAR.00B3A338 00AE173D . E8 DE620100 call WinRAR.00AF7A20 00AE1742 . 83C4 0C add esp,0xC 00AE1745 . 6A 00 push 0x0 00AE1747 . 6A 00 push 0x0 00AE1749 . 6A 01 push 0x1 00AE174B . B9 A04BB400 mov ecx,WinRAR.00B44BA0 00AE1750 . E8 FBD6F7FF call WinRAR.00A5EE50 00AE1755 . E8 06E9F2FF call WinRAR.00A10060 00AE175A . 66:85F6 test si,si 00AE175D . 74 66 je short WinRAR.00AE17C5 00AE175F . 803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0 00AE1766 . 75 5D jnz short WinRAR.00AE17C5 00AE1768 . 56 push esi 00AE1769 . 68 5CDEB100 push WinRAR.00B1DE5C ; UNICODE "AFUMD" 00AE176E . E8 6F500100 call WinRAR.00AF67E2 00AE1773 . 83C4 08 add esp,0x8 00AE1776 . 85C0 test eax,eax 00AE1778 . 75 32 jnz short WinRAR.00AE17AC 00AE177A . 83FE 43 cmp esi,0x43 00AE177D . 75 09 jnz short WinRAR.00AE1788 00AE177F . 66:3985 02300>cmp word ptr ss:[ebp+0x3002],ax 00AE1786 . 74 24 je short WinRAR.00AE17AC 00AE1788 > 803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0 00AE178F . 75 34 jnz short WinRAR.00AE17C5 00AE1791 . 56 push esi 00AE1792 . 68 68DEB100 push WinRAR.00B1DE68 ; UNICODE "TXE" 00AE1797 . E8 46500100 call WinRAR.00AF67E2 00AE179C . 83C4 08 add esp,0x8 00AE179F . 85C0 test eax,eax 00AE17A1 . 74 22 je short WinRAR.00AE17C5 00AE17A3 . 6A 00 push 0x0 00AE17A5 . E8 3609FFFF call WinRAR.00AD20E0 00AE17AA . 
EB 20 jmp short WinRAR.00AE17CC 00AE17AC > E8 3F6FFEFF call WinRAR.00AC86F0 00AE17B1 . 83FE 44 cmp esi,0x44 00AE17B4 . 74 05 je short WinRAR.00AE17BB 00AE17B6 . 83FE 43 cmp esi,0x43 00AE17B9 . 75 11 jnz short WinRAR.00AE17CC 00AE17BB > 33C0 xor eax,eax 00AE17BD . 66:A3 B05BB40>mov word ptr ds:[0xB45BB0],ax 00AE17C3 . EB 07 jmp short WinRAR.00AE17CC 00AE17C5 > 6A 00 push 0x0 00AE17C7 . E8 4436FEFF call WinRAR.00AC4E10 00AE17CC > 6A 00 push 0x0 00AE17CE . 6A 00 push 0x0 00AE17D0 . 6A 01 push 0x1 00AE17D2 . B9 A04BB400 mov ecx,WinRAR.00B44BA0 00AE17D7 . E8 74D6F7FF call WinRAR.00A5EE50 00AE17DC . 68 A04BB400 push WinRAR.00B44BA0 00AE17E1 . B9 D011B500 mov ecx,WinRAR.00B511D0 00AE17E6 . E8 6567F2FF call WinRAR.00A07F50 00AE17EB . 68 00080000 push 0x800 00AE17F0 . 68 EAFFB400 push WinRAR.00B4FFEA 00AE17F5 . 68 B081B300 push WinRAR.00B381B0 00AE17FA . E8 5110FBFF call WinRAR.00A92850 00AE17FF . 33C0 xor eax,eax 00AE1801 . 66:A3 EAFFB40>mov word ptr ds:[0xB4FFEA],ax 00AE1807 . 68 00080000 push 0x800 00AE180C . 8D45 00 lea eax,dword ptr ss:[ebp] 00AE180F . 50 push eax 00AE1810 . E8 CB93FEFF call WinRAR.00ACABE0 00AE1815 . 8D45 00 lea eax,dword ptr ss:[ebp] 00AE1818 . 50 push eax 00AE1819 . B9 78E2B500 mov ecx,WinRAR.00B5E278 00AE181E . E8 1D38F6FF call WinRAR.00A45040 00AE1823 . C705 5492B300>mov dword ptr ds:[0xB39254],0x0 00AE182D . C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1 00AE1831 . E8 4A87F2FF call WinRAR.00A09F80 00AE1836 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0 00AE183D . FF35 AC81B300 push dword ptr ds:[0xB381AC] 00AE1843 . E8 58FBFFFF call WinRAR.00AE13A0 00AE1848 . 66:833D CC9CB>cmp word ptr ds:[0xB49CCC],0x0 00AE1850 . 74 2C je short WinRAR.00AE187E 00AE1852 . 68 CC9CB400 push WinRAR.00B49CCC 00AE1857 . E8 54ACF9FF call WinRAR.00A7C4B0 00AE185C . 68 00080000 push 0x800 00AE1861 . 68 CC9CB400 push WinRAR.00B49CCC 00AE1866 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log" 00AE186B . 
3D CC9CB400 cmp eax,WinRAR.00B49CCC 00AE1870 . 75 07 jnz short WinRAR.00AE1879 00AE1872 . E8 39ADF9FF call WinRAR.00A7C5B0 00AE1877 . EB 05 jmp short WinRAR.00AE187E 00AE1879 > E8 D20FFBFF call WinRAR.00A92850 00AE187E > 6A 00 push 0x0 ; /lParam = 0x0 00AE1880 . 6A 00 push 0x0 ; |wParam = 0x0 00AE1882 . 68 03800000 push 0x8003 ; |Message = MSG(0x8003) 00AE1887 . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; |hWnd = 0xB05BC 00AE188D . FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW 00AE1893 . 833D AC81B300>cmp dword ptr ds:[0xB381AC],0x0 00AE189A . 0F84 93010000 je WinRAR.00AE1A33 00AE18A0 . 66:833D CAEFB>cmp word ptr ds:[0xB4EFCA],0x0 00AE18A8 . 0F85 6F030000 jnz WinRAR.00AE1C1D 00AE18AE . 32DB xor bl,bl 00AE18B0 . 66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0 00AE18B8 . 0F84 3A030000 je WinRAR.00AE1BF8 00AE18BE . 68 EAFFB400 push WinRAR.00B4FFEA 00AE18C3 . E8 F8A7F8FF call WinRAR.00A6C0C0 00AE18C8 . 83F8 FF cmp eax,-0x1 00AE18CB . 74 06 je short WinRAR.00AE18D3 00AE18CD . A8 10 test al,0x10 00AE18CF . 74 02 je short WinRAR.00AE18D3 00AE18D1 . B3 01 mov bl,0x1 00AE18D3 > 66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0 00AE18DB . 0F84 EB020000 je WinRAR.00AE1BCC 00AE18E1 . 84DB test bl,bl 00AE18E3 . 0F85 E7020000 jnz WinRAR.00AE1BD0 00AE18E9 . 6A 00 push 0x0 00AE18EB . 68 8850B100 push WinRAR.00B15088 ; UNICODE "ReuseWindow" 00AE18F0 . 68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General" 00AE18F5 . E8 9623FCFF call WinRAR.00AA3C90 00AE18FA . 85C0 test eax,eax 00AE18FC . 0F84 F7000000 je WinRAR.00AE19F9 00AE1902 . 85FF test edi,edi 00AE1904 . 0F84 EF000000 je WinRAR.00AE19F9 00AE190A . 6A 00 push 0x0 00AE190C . 68 00080000 push 0x800 00AE1911 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000] 00AE1917 . 50 push eax 00AE1918 . E8 F37FFEFF call WinRAR.00AC9910 00AE191D . 68 00080000 push 0x800 00AE1922 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000] 00AE1928 . 50 push eax 00AE1929 . E8 E28FF9FF call WinRAR.00A7A910 00AE192E . 
68 00080000 push 0x800 00AE1933 . 68 8CC3B100 push WinRAR.00B1C38C ; UNICODE "Rar$" 00AE1938 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000] 00AE193E . 50 push eax 00AE193F . E8 CC0EFBFF call WinRAR.00A92810 00AE1944 . 8D8D 00200000 lea ecx,dword ptr ss:[ebp+0x2000] 00AE194A . 8D51 02 lea edx,dword ptr ds:[ecx+0x2] 00AE194D . 8D49 00 lea ecx,dword ptr ds:[ecx] 00AE1950 > 66:8B01 mov ax,word ptr ds:[ecx] 00AE1953 . 83C1 02 add ecx,0x2 00AE1956 . 66:85C0 test ax,ax 00AE1959 .^ 75 F5 jnz short WinRAR.00AE1950 00AE195B . 2BCA sub ecx,edx 00AE195D . D1F9 sar ecx,1 00AE195F . 51 push ecx 00AE1960 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000] 00AE1966 . 50 push eax 00AE1967 . 68 EAFFB400 push WinRAR.00B4FFEA 00AE196C . E8 DF45FBFF call WinRAR.00A95F50 00AE1971 . 85C0 test eax,eax 00AE1973 . 0F84 80000000 je WinRAR.00AE19F9 00AE1979 . 68 20DDB100 push WinRAR.00B1DD20 ; /MapName = "RarArchiveWideName" 00AE197E . 68 00100000 push 0x1000 ; |MaximumSizeLow = 0x1000 00AE1983 . 6A 00 push 0x0 ; |MaximumSizeHigh = 0x0 00AE1985 . 68 04000008 push 0x8000004 ; |Protection = PAGE_READWRITE|SEC_COMMIT 00AE198A . 6A 00 push 0x0 ; |pSecurity = NULL 00AE198C . 6A FF push -0x1 ; |hFile = FFFFFFFF 00AE198E . FF15 9843B100 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileMappingW 00AE1994 . 8BF8 mov edi,eax 00AE1996 . 85FF test edi,edi 00AE1998 . 74 5C je short WinRAR.00AE19F6 00AE199A . 68 00100000 push 0x1000 ; /MapSize = 1000 (4096.) 00AE199F . 6A 00 push 0x0 ; |OffsetLow = 0x0 00AE19A1 . 6A 00 push 0x0 ; |OffsetHigh = 0x0 00AE19A3 . 6A 02 push 0x2 ; |AccessMode = FILE_MAP_WRITE 00AE19A5 . 57 push edi ; |hMapObject = NULL 00AE19A6 . FF15 A043B100 call dword ptr ds:[<&KERNEL32.MapViewOfF>; \MapViewOfFile 00AE19AC . 8BF0 mov esi,eax 00AE19AE . 68 00080000 push 0x800 00AE19B3 . 56 push esi 00AE19B4 . 68 EAFFB400 push WinRAR.00B4FFEA 00AE19B9 . B9 78E2B500 mov ecx,WinRAR.00B5E278 00AE19BE . E8 8DF6F5FF call WinRAR.00A41050 00AE19C3 . 
56 push esi ; /BaseAddress = 00DBCB64 00AE19C4 . FF15 9C43B100 call dword ptr ds:[<&KERNEL32.UnmapViewO>; \UnmapViewOfFile 00AE19CA . 68 F164E97A push 0x7AE964F1 ; /lParam = 0x7AE964F1 00AE19CF . 68 5EAC89D4 push 0xD489AC5E ; |wParam = 0xD489AC5E 00AE19D4 . 68 01800000 push 0x8001 ; |Message = MSG(0x8001) 00AE19D9 . FF75 E8 push dword ptr ss:[ebp-0x18] ; |hWnd = 0xDBCBB0 00AE19DC . FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW 00AE19E2 . 85C0 test eax,eax 00AE19E4 . 0f95c3 setne bl 00AE19E7 . 57 push edi ; /hObject = NULL 00AE19E8 . FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle 00AE19EE . 84DB test bl,bl 00AE19F0 . 0F85 B8010000 jnz WinRAR.00AE1BAE 00AE19F6 > 8B7D E8 mov edi,dword ptr ss:[ebp-0x18] 00AE19F9 > 68 EAFFB400 push WinRAR.00B4FFEA 00AE19FE . B9 78E2B500 mov ecx,WinRAR.00B5E278 00AE1A03 . E8 68FFF5FF call WinRAR.00A41970 00AE1A08 . 84C0 test al,al 00AE1A0A 0F84 9E010000 je WinRAR.00AE1BAE 00AE1A10 . 803D D491B300>cmp byte ptr ds:[0xB391D4],0x0 00AE1A17 . 75 17 jnz short WinRAR.00AE1A30 00AE1A19 . 833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0 00AE1A20 . 0F84 77010000 je WinRAR.00AE1B9D 00AE1A26 . B9 78E2B500 mov ecx,WinRAR.00B5E278 00AE1A2B . E8 302EF6FF call WinRAR.00A44860 00AE1A30 > 8A5D EF mov bl,byte ptr ss:[ebp-0x11] 00AE1A33 > 57 push edi 00AE1A34 . 68 00000100 push 0x10000 00AE1A39 . 68 B038AD00 push WinRAR.00AD38B0 00AE1A3E . E8 DEAC0100 call WinRAR.00AFC721 00AE1A43 . 83C4 0C add esp,0xC 00AE1A46 . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow') 00AE1A4C . FF15 C445B100 call dword ptr ds:[<&USER32.IsWindowVisi>; \IsWindowVisible 00AE1A52 . 85C0 test eax,eax 00AE1A54 . 75 0E jnz short WinRAR.00AE1A64 00AE1A56 . 85FF test edi,edi 00AE1A58 . 0f95c0 setne al 00AE1A5B . 0FB6C0 movzx eax,al 00AE1A5E . 50 push eax 00AE1A5F . 
E8 CCF5FFFF call WinRAR.00AE1030 00AE1A64 > FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow') 00AE1A6A . FF15 0C45B100 call dword ptr ds:[<&USER32.UpdateWindow>; \UpdateWindow 00AE1A70 . 84FF test bh,bh 00AE1A72 . 74 27 je short WinRAR.00AE1A9B 00AE1A74 . 84DB test bl,bl 00AE1A76 . 74 23 je short WinRAR.00AE1A9B 00AE1A78 . 68 704BB100 push WinRAR.00B14B70 ; UNICODE "Setup" 00AE1A7D . E8 0E00FCFF call WinRAR.00AA1A90 00AE1A82 . 84C0 test al,al 00AE1A84 . 75 15 jnz short WinRAR.00AE1A9B 00AE1A86 . 68 844CB100 push WinRAR.00B14C84 ; UNICODE ".rar" 00AE1A8B . E8 8096F5FF call WinRAR.00A3B110 00AE1A90 . 84C0 test al,al 00AE1A92 . 75 07 jnz short WinRAR.00AE1A9B 00AE1A94 . 6A 06 push 0x6 00AE1A96 . E8 65B2F2FF call WinRAR.00A0CD00 00AE1A9B > 6A 00 push 0x0 00AE1A9D . 68 1855B100 push WinRAR.00B15518 ; UNICODE "ExportedSettings" 00AE1AA2 . 68 7C48B100 push WinRAR.00B1487C 00AE1AA7 . E8 E421FCFF call WinRAR.00AA3C90 00AE1AAC . 85C0 test eax,eax 00AE1AAE . 74 05 je short WinRAR.00AE1AB5 00AE1AB0 . E8 7B92F2FF call WinRAR.00A0AD30 00AE1AB5 > 6A 00 push 0x0 00AE1AB7 . 6A 01 push 0x1 00AE1AB9 . E8 E238FCFF call WinRAR.00AA53A0 00AE1ABE . 6A 00 push 0x0 00AE1AC0 . 68 7050B100 push WinRAR.00B15070 ; UNICODE "WizardMode" 00AE1AC5 . 68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General" 00AE1ACA . E8 C121FCFF call WinRAR.00AA3C90 00AE1ACF . 85C0 test eax,eax 00AE1AD1 . 74 24 je short WinRAR.00AE1AF7 00AE1AD3 . FF35 AC81B300 push dword ptr ds:[0xB381AC] 00AE1AD9 . E8 E2390000 call WinRAR.00AE54C0 00AE1ADE . 84C0 test al,al 00AE1AE0 . 74 15 je short WinRAR.00AE1AF7 00AE1AE2 . 833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0 00AE1AE9 . 75 0C jnz short WinRAR.00AE1AF7 00AE1AEB . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow') 00AE1AF1 . FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow 00AE1AF7 > 6A 00 push 0x0 00AE1AF9 . 6A 00 push 0x0 00AE1AFB . 
E8 00F0FFFF call WinRAR.00AE0B00 00AE1B00 . 84C0 test al,al 00AE1B02 .^ 75 F3 jnz short WinRAR.00AE1AF7 00AE1B04 . 6A 01 push 0x1 00AE1B06 . 6A 00 push 0x0 00AE1B08 . 6A 00 push 0x0 00AE1B0A . E8 7187FEFF call WinRAR.00ACA280 00AE1B0F . B9 34A3B300 mov ecx,WinRAR.00B3A334 00AE1B14 . E8 C7080000 call WinRAR.00AE23E0 00AE1B19 . E8 A21EFFFF call WinRAR.00AD39C0 00AE1B1E . C605 D592B300>mov byte ptr ds:[0xB392D5],0x1 00AE1B25 . FF35 F8A2B300 push dword ptr ds:[0xB3A2F8] ; /hEvent = 00000238 (window) 00AE1B2B . FF15 9441B100 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent 00AE1B31 . 33F6 xor esi,esi 00AE1B33 . 8B3D 5043B100 mov edi,dword ptr ds:[<&KERNEL32.Sleep>] ; KERNEL32.Sleep 00AE1B39 . 8DA424 000000>lea esp,dword ptr ss:[esp] 00AE1B40 > 833D F0A2B300>cmp dword ptr ds:[0xB3A2F0],0x0 00AE1B47 . 7E 0D jle short WinRAR.00AE1B56 00AE1B49 . 6A 64 push 0x64 00AE1B4B . FFD7 call edi 00AE1B4D . 4E dec esi 00AE1B4E . 81FE C8000000 cmp esi,0xC8 00AE1B54 .^ 7C EA jl short WinRAR.00AE1B40 00AE1B56 > FF35 F8A2B300 push dword ptr ds:[0xB3A2F8] ; /hObject = 00000238 (window) 00AE1B5C . FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle 00AE1B62 . 833D CC92B300>cmp dword ptr ds:[0xB392CC],0x0 00AE1B69 . 0F84 0B010000 je WinRAR.00AE1C7A 00AE1B6F . 83C8 FF or eax,-0x1 00AE1B72 . A3 CC92B300 mov dword ptr ds:[0xB392CC],eax 00AE1B77 . 33F6 xor esi,esi 00AE1B79 . 8DA424 000000>lea esp,dword ptr ss:[esp] 00AE1B80 > 85C0 test eax,eax 00AE1B82 . 0F84 10010000 je WinRAR.00AE1C98 00AE1B88 . 6A 64 push 0x64 00AE1B8A . FFD7 call edi 00AE1B8C . 46 inc esi 00AE1B8D . 83FE 0A cmp esi,0xA 00AE1B90 . 0F8D 02010000 jge WinRAR.00AE1C98 00AE1B96 . A1 CC92B300 mov eax,dword ptr ds:[0xB392CC] 00AE1B9B .^ EB E3 jmp short WinRAR.00AE1B80 00AE1B9D > FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow') 00AE1BA3 . 
FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow 00AE1BA9 .^ E9 82FEFFFF jmp WinRAR.00AE1A30 00AE1BAE > E8 FDDDFEFF call WinRAR.00ACF9B0
其中“DestroyWindow”这一处(上面的代码里有两处,00AE1AF1 和 00AE1BA3,分别对应关闭不同的窗口,分不清的话可以在两处都下断点测试)应该是关闭窗口的操作,那么广告窗口的创建应该就在它上方不远。向上找相关调用并下断点调试,可以定位到 00AE1AB9 的 call WinRAR.00AA53A0 就是弹广告窗口的调用。接着在它上方找关键跳转,看能不能跳过这个调用:00AE1AAE 处的 je short WinRAR.00AE1AB5(原本只在 ExportedSettings 为 0 时才跳过 00AE1AB0 的调用)改成 jmp 0x00AE1AF7,程序就会直接跳到 00AE1AF7 的消息循环。原来的 je 是 2 字节短跳,目标 00AE1AF7 距离跳转后的下一条指令 0x47 字节,所以用同样 2 字节的 EB 47 就能原地替换,不用动后面的指令。这里要说明两点:第一,这个 jmp 跳过的不只是广告调用,00AE1AB0 的 ExportedSettings 处理和 00AE1ABE–00AE1AF1 的 WizardMode 判断(DestroyWindow 就在这一段里)也一起被跳过了,所以改完后这两个设置项可能失效,测试时要留意;第二,如果选择直接 nop 掉调用,注意这个 call 后面没有 add esp 来平衡栈,参数应该是由被调函数自己清理的,所以要把 00AE1AB5、00AE1AB7 的两条 push 和 00AE1AB9 的 call 一共 9 个字节全部 nop 掉,只 nop 那 5 个字节的 call 会留下 8 字节的栈失衡。
另一处的修改我选择用Binary Ninja这款反编译工具来完成,因为这款软件的流程图排版比较合理容易分析,并且占用系统资源比较小,其右键"patch"功能在修改汇编代码方面相对比较优秀。
用 Binary Ninja 加载 WinRAR 主程序后,按“G”键输入要跳转的地址。注意 Binary Ninja 显示的是 PE 文件头里 ImageBase 下的静态地址,而 OD 显示的是本次运行时模块实际加载到的地址,两者差一个固定的偏移,需要自己换算:这里 00AE1520 对应 004E1520,也就是 OD 地址减去 0x600000(00AE1520 − 004E1520)。后面所有在 OD 里看到的地址都按同样的差值换算;直接查找该位置如图所示:
上面的代码里还有一处调用系统 API IsWindowVisible 的地方,在 00AE1A4C。注意 IsWindowVisible 只是查询窗口当前是否可见,并不设置可见属性;这段的逻辑是:如果主窗口此时还不可见,就以 edi 是否为 0 作为参数调用 00AE1030(大概是把窗口显示出来),然后 UpdateWindow。从后面的调试结果看,让程序从 00AE189A 直接跳到这个流程块之后,标题栏的许可提示就不再出现,所以我们把这里作为第二处修改的目标。在 Binary Ninja 中查找对应位置 004E1A4C,得到如下图所示:
点选该流程块的第一行,即“push edi {var_18_13}”(对应 OD 里 00AE1A33 的 push edi),在左下角的“Cross References”窗口里能看到有两个地址跳到这里。分析之后我们选择把最早的那个跳转 0x4e189a(OD 里 00AE189A 的 je WinRAR.00AE1A33,原本只在主窗口句柄为 0 时才跳)改成无条件的“jmp 0x4e1a33”(在该行右击 --> "patch" --> "Edit Current Line",如图所示)。要注意这个改动把 00AE18A0 到 00AE1A30 整段都跳过了,其中包括“ReuseWindow”单实例处理(用 FindWindowW 找到已有的 WinRarWindow 之后,通过 RarArchiveWideName 文件映射和 SendMessageW 把文件名交给旧窗口再退出)以及 00AE1A03 之后的几处判断,所以改完后应当专门测试一下诸如 WinRAR 已经打开时再双击另一个压缩包这类场景是否还正常。
修改之后如下图:
完成这两步后保存修改,然后运行一下 winrar 得到如图:这样软件就可以安静地启动了,没有广告弹窗,标题栏也没有许可过期提醒。
可是别高兴太早:把系统时间调到许可过期之后再启动 winrar,还是会出现如下窗口,提示购买 WinRAR 许可。也就是说前面两处只是绕开了启动时的广告和标题提示,过期提醒走的是另一条代码路径。
重复上面运行、暂停、查看堆栈、显示调用、单步的一套操作,可以找到下面这段代码(这次 OD 里的模块基址变了,显示为 WinRAR1.00B853A0,再次说明运行时地址每次都可能不同,打补丁时仍要换算到文件地址)。这段代码里有广告页链接的两个变体 "http://ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001" 和 show_2.html(其中 $V、$A 看起来是运行时替换的占位符),由 Interface\Misc 配置项下的 RemShown / ExpRemShown / RegRemShown 三个计数决定显示哪一个;过期提醒窗口本身是在 00B85775 用 CreateWindowExW 创建的、窗口类名为 "RarReminder" 的窗口(注意 RarReminder 是窗口类名而不是函数名),另外 00B857CF 处还有一个用 "REMINDER" 对话框模板弹出的 DialogBoxParamW。本文到这里只是定位到了这段代码,具体怎么改没有给出;自己分析时可以从这个函数(00B853A0 开始,以 retn 0x8 结束)开头 00B853B8、00B853C1 两处直接返回的条件判断入手。
1 00B853A0 /$ B8 18100000 mov eax,0x1018 2 00B853A5 |. E8 26010500 call WinRAR1.00BD54D0 3 00B853AA |. A1 341BC100 mov eax,dword ptr ds:[0xC11B34] 4 00B853AF |. 33C4 xor eax,esp 5 00B853B1 |. 898424 141000>mov dword ptr ss:[esp+0x1014],eax 6 00B853B8 |. 803D 74A5C500>cmp byte ptr ds:[0xC5A574],0x0 7 00B853BF |. 74 0E je short WinRAR1.00B853CF 8 00B853C1 |. 80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0 9 00B853C9 |. 0F84 08040000 je WinRAR1.00B857D7 10 00B853CF |> 833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0 11 00B853D6 |. 56 push esi 12 00B853D7 |. 74 1C je short WinRAR1.00B853F5 13 00B853D9 |. B9 98FBC000 mov ecx,WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta" 14 00B853DE |. E8 1DF9FFFF call WinRAR1.00B84D00 15 00B853E3 |. 833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0 16 00B853EA |. 0F84 A1000000 je WinRAR1.00B85491 17 00B853F0 |. E9 88000000 jmp WinRAR1.00B8547D 18 00B853F5 |> 68 FD040000 push 0x4FD 19 00B853FA |. E8 6171FEFF call WinRAR1.00B6C560 20 00B853FF |. 8BF0 mov esi,eax 21 00B85401 |. 66:833E 23 cmp word ptr ds:[esi],0x23 22 00B85405 |. 75 20 jnz short WinRAR1.00B85427 23 00B85407 |. 66:837E 02 23 cmp word ptr ds:[esi+0x2],0x23 24 00B8540C |. 75 19 jnz short WinRAR1.00B85427 25 00B8540E |. 8BCE mov ecx,esi 26 00B85410 |. 8D51 02 lea edx,dword ptr ds:[ecx+0x2] 27 00B85413 |> 66:8B01 /mov ax,word ptr ds:[ecx] 28 00B85416 |. 83C1 02 |add ecx,0x2 29 00B85419 |. 66:85C0 |test ax,ax 30 00B8541C |.^ 75 F5 \jnz short WinRAR1.00B85413 31 00B8541E |. 2BCA sub ecx,edx 32 00B85420 |. D1F9 sar ecx,1 33 00B85422 |. 83F9 64 cmp ecx,0x64 34 00B85425 |. 73 06 jnb short WinRAR1.00B8542D 35 00B85427 |> 8B35 1800C100 mov esi,dword ptr ds:[0xC10018] ; WinRAR1.00BF9628 36 00B8542D |> 68 00100000 push 0x1000 37 00B85432 |. 8D4424 1C lea eax,dword ptr ss:[esp+0x1C] 38 00B85436 |. 6A 00 push 0x0 39 00B85438 |. 50 push eax 40 00B85439 |. E8 E2250500 call WinRAR1.00BD7A20 41 00B8543E |. 83C4 0C add esp,0xC 42 00B85441 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] 43 00B85445 |. 
68 00100000 push 0x1000 44 00B8544A |. 50 push eax 45 00B8544B |. 8D46 04 lea eax,dword ptr ds:[esi+0x4] 46 00B8544E |. 50 push eax 47 00B8544F |. E8 0C07FFFF call WinRAR1.00B75B60 48 00B85454 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18] 49 00B85458 |. 8D51 01 lea edx,dword ptr ds:[ecx+0x1] 50 00B8545B |. EB 03 jmp short WinRAR1.00B85460 51 00B8545D | 8D49 00 lea ecx,dword ptr ds:[ecx] 52 00B85460 |> 8A01 /mov al,byte ptr ds:[ecx] 53 00B85462 |. 41 |inc ecx 54 00B85463 |. 84C0 |test al,al 55 00B85465 |.^ 75 F9 \jnz short WinRAR1.00B85460 56 00B85467 |. 2BCA sub ecx,edx 57 00B85469 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] 58 00B8546D |. 51 push ecx 59 00B8546E |. 50 push eax 60 00B8546F |. B9 98FBC000 mov ecx,WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta" 61 00B85474 |. E8 67F4FFFF call WinRAR1.00B848E0 62 00B85479 |. 84C0 test al,al 63 00B8547B |. 75 14 jnz short WinRAR1.00B85491 64 00B8547D |> 68 80040000 push 0x480 65 00B85482 |. 6A 00 push 0x0 66 00B85484 |. 68 98FBC000 push WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta" 67 00B85489 |. E8 92250500 call WinRAR1.00BD7A20 68 00B8548E |. 83C4 0C add esp,0xC 69 00B85491 |> 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0 70 00B85498 |. 53 push ebx 71 00B85499 |. 75 12 jnz short WinRAR1.00B854AD 72 00B8549B |. A1 DC92C100 mov eax,dword ptr ds:[0xC192DC] 73 00B854A0 |. 83F8 28 cmp eax,0x28 74 00B854A3 |. 7F 04 jg short WinRAR1.00B854A9 75 00B854A5 |. 85C0 test eax,eax 76 00B854A7 |. 79 04 jns short WinRAR1.00B854AD 77 00B854A9 |> B3 01 mov bl,0x1 78 00B854AB |. EB 02 jmp short WinRAR1.00B854AF 79 00B854AD |> 32DB xor bl,bl 80 00B854AF |> 80BC24 241000>cmp byte ptr ss:[esp+0x1024],0x0 81 00B854B7 |. 0F84 EE020000 je WinRAR1.00B857AB 82 00B854BD |. E8 4EA0FCFF call WinRAR1.00B4F510 83 00B854C2 |. 3D 01050000 cmp eax,0x501 84 00B854C7 |. 77 10 ja short WinRAR1.00B854D9 85 00B854C9 |. F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x200 86 00B854D3 |. 
0F84 FC020000 je WinRAR1.00B857D5 87 00B854D9 |> 803D 18FFC000>cmp byte ptr ds:[0xC0FF18],0x0 88 00B854E0 |. 0F84 EF020000 je WinRAR1.00B857D5 89 00B854E6 |. C605 C3FCC000>mov byte ptr ds:[0xC0FCC3],0x0 90 00B854ED |. C605 C7FDC000>mov byte ptr ds:[0xC0FDC7],0x0 91 00B854F4 |. C605 1700C100>mov byte ptr ds:[0xC10017],0x0 92 00B854FB |. 84DB test bl,bl 93 00B854FD |. 75 14 jnz short WinRAR1.00B85513 94 00B854FF |. A0 A8FBC000 mov al,byte ptr ds:[0xC0FBA8] 95 00B85504 |. 24 80 and al,0x80 96 00B85506 |. 0FB6C0 movzx eax,al 97 00B85509 |. F7D8 neg eax 98 00B8550B |. 1BC0 sbb eax,eax 99 00B8550D |. 2105 B0FBC000 and dword ptr ds:[0xC0FBB0],eax 100 00B85513 |> 32FF xor bh,bh 101 00B85515 |. 833D C0FBC000>cmp dword ptr ds:[0xC0FBC0],0x0 102 00B8551C |. 76 50 jbe short WinRAR1.00B8556E 103 00B8551E |. 383D B467C400 cmp byte ptr ds:[0xC467B4],bh 104 00B85524 |. 75 48 jnz short WinRAR1.00B8556E 105 00B85526 |. 6A 00 push 0x0 106 00B85528 |. 68 A098BF00 push WinRAR1.00BF98A0 ; UNICODE "RemShown" 107 00B8552D |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc" 108 00B85532 |. E8 59E7FFFF call WinRAR1.00B83C90 109 00B85537 |. 3B05 C0FBC000 cmp eax,dword ptr ds:[0xC0FBC0] 110 00B8553D |. 73 2F jnb short WinRAR1.00B8556E 111 00B8553F |. 40 inc eax 112 00B85540 |. 50 push eax 113 00B85541 |. 68 A098BF00 push WinRAR1.00BF98A0 ; UNICODE "RemShown" 114 00B85546 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc" 115 00B8554B |. E8 50F3FFFF call WinRAR1.00B848A0 116 00B85550 |. 803D C4FBC000>cmp byte ptr ds:[0xC0FBC4],0x0 117 00B85557 |. B7 01 mov bh,0x1 118 00B85559 |. 0F84 B8000000 je WinRAR1.00B85617 119 00B8555F |. 68 00010000 push 0x100 120 00B85564 |. 68 C4FBC000 push WinRAR1.00C0FBC4 ; ASCII "http://ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001" 121 00B85569 |. E9 9F000000 jmp WinRAR1.00B8560D 122 00B8556E |> 833D C4FCC000>cmp dword ptr ds:[0xC0FCC4],0x0 123 00B85575 |. 76 45 jbe short WinRAR1.00B855BC 124 00B85577 |. 
84DB test bl,bl 125 00B85579 |. 74 41 je short WinRAR1.00B855BC 126 00B8557B |. 6A 00 push 0x0 127 00B8557D |. 68 B498BF00 push WinRAR1.00BF98B4 ; UNICODE "ExpRemShown" 128 00B85582 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc" 129 00B85587 |. E8 04E7FFFF call WinRAR1.00B83C90 130 00B8558C |. 3B05 C4FCC000 cmp eax,dword ptr ds:[0xC0FCC4] 131 00B85592 |. 73 28 jnb short WinRAR1.00B855BC 132 00B85594 |. 40 inc eax 133 00B85595 |. 50 push eax 134 00B85596 |. 68 B498BF00 push WinRAR1.00BF98B4 ; UNICODE "ExpRemShown" 135 00B8559B |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc" 136 00B855A0 |. E8 FBF2FFFF call WinRAR1.00B848A0 137 00B855A5 |. 803D C8FCC000>cmp byte ptr ds:[0xC0FCC8],0x0 138 00B855AC |. B7 01 mov bh,0x1 139 00B855AE |. 74 67 je short WinRAR1.00B85617 140 00B855B0 |. 68 00010000 push 0x100 141 00B855B5 |. 68 C8FCC000 push WinRAR1.00C0FCC8 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001" 142 00B855BA |. EB 51 jmp short WinRAR1.00B8560D 143 00B855BC |> 833D C8FDC000>cmp dword ptr ds:[0xC0FDC8],0x0 144 00B855C3 |. 76 52 jbe short WinRAR1.00B85617 145 00B855C5 |. 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0 146 00B855CC |. 74 49 je short WinRAR1.00B85617 147 00B855CE |. 6A 00 push 0x0 148 00B855D0 |. 68 CC98BF00 push WinRAR1.00BF98CC ; UNICODE "RegRemShown" 149 00B855D5 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc" 150 00B855DA |. E8 B1E6FFFF call WinRAR1.00B83C90 151 00B855DF |. 3B05 C8FDC000 cmp eax,dword ptr ds:[0xC0FDC8] 152 00B855E5 |. 73 30 jnb short WinRAR1.00B85617 153 00B855E7 |. 40 inc eax 154 00B855E8 |. 50 push eax 155 00B855E9 |. 68 CC98BF00 push WinRAR1.00BF98CC ; UNICODE "RegRemShown" 156 00B855EE |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc" 157 00B855F3 |. E8 A8F2FFFF call WinRAR1.00B848A0 158 00B855F8 |. 803D CCFDC000>cmp byte ptr ds:[0xC0FDCC],0x0 159 00B855FF |. B7 01 mov bh,0x1 160 00B85601 |. 
74 14 je short WinRAR1.00B85617 161 00B85603 |. 68 00010000 push 0x100 162 00B85608 |. 68 CCFDC000 push WinRAR1.00C0FDCC 163 00B8560D |> 68 18FFC000 push WinRAR1.00C0FF18 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001" 164 00B85612 |. E8 49D1FEFF call WinRAR1.00B72760 165 00B85617 |> FF15 3843BF00 call dword ptr ds:[<&KERNEL32.GetTickCou>; [GetTickCount 166 00B8561D |. 8BC8 mov ecx,eax 167 00B8561F |. B8 D34D6210 mov eax,0x10624DD3 168 00B85624 |. F7E1 mul ecx 169 00B85626 |. C1EA 06 shr edx,0x6 170 00B85629 |. 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0 171 00B85630 |. 74 08 je short WinRAR1.00B8563A 172 00B85632 |. 8B0D BCFBC000 mov ecx,dword ptr ds:[0xC0FBBC] 173 00B85638 |. EB 20 jmp short WinRAR1.00B8565A 174 00B8563A |> 84DB test bl,bl 175 00B8563C |. 75 16 jnz short WinRAR1.00B85654 176 00B8563E |. 8B0D B4FBC000 mov ecx,dword ptr ds:[0xC0FBB4] 177 00B85644 |. 85C9 test ecx,ecx 178 00B85646 |. 74 20 je short WinRAR1.00B85668 179 00B85648 |. 8BC2 mov eax,edx 180 00B8564A |. 33D2 xor edx,edx 181 00B8564C |. F7F1 div ecx 182 00B8564E |. 85D2 test edx,edx 183 00B85650 |. 75 16 jnz short WinRAR1.00B85668 184 00B85652 |. EB 1C jmp short WinRAR1.00B85670 185 00B85654 |> 8B0D B8FBC000 mov ecx,dword ptr ds:[0xC0FBB8] 186 00B8565A |> 85C9 test ecx,ecx 187 00B8565C |. 74 0A je short WinRAR1.00B85668 188 00B8565E |. 8BC2 mov eax,edx 189 00B85660 |. 33D2 xor edx,edx 190 00B85662 |. F7F1 div ecx 191 00B85664 |. 85D2 test edx,edx 192 00B85666 |. 74 08 je short WinRAR1.00B85670 193 00B85668 |> 84FF test bh,bh 194 00B8566A |. 0F84 65010000 je WinRAR1.00B857D5 195 00B85670 |> 55 push ebp 196 00B85671 |. 57 push edi 197 00B85672 |. 8B3D A8FBC000 mov edi,dword ptr ds:[0xC0FBA8] 198 00B85678 |. C1E7 11 shl edi,0x11 199 00B8567B |. F7D7 not edi 200 00B8567D |. 81E7 00000400 and edi,0x40000 201 00B85683 |. 81CF 0000C816 or edi,0x16C80000 202 00B85689 |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x8 203 00B85690 |. 
75 06 jnz short WinRAR1.00B85698 204 00B85692 |. 81CF 00000300 or edi,0x30000 205 00B85698 |> A1 D0FEC000 mov eax,dword ptr ds:[0xC0FED0] 206 00B8569D |. BD 00000080 mov ebp,0x80000000 207 00B856A2 |. C74424 10 000>mov dword ptr ss:[esp+0x10],0x80000000 208 00B856AA |. 8BF5 mov esi,ebp 209 00B856AC |. 8BDE mov ebx,esi 210 00B856AE |. 85C0 test eax,eax 211 00B856B0 |. 0F84 90000000 je WinRAR1.00B85746 212 00B856B6 |. 833D CCFEC000>cmp dword ptr ds:[0xC0FECC],0x0 213 00B856BD |. 0F84 83000000 je WinRAR1.00B85746 214 00B856C3 |. 50 push eax 215 00B856C4 |. E8 87530200 call WinRAR1.00BAAA50 216 00B856C9 |. 8B2D 8C46BF00 mov ebp,dword ptr ds:[<&USER32.GetSystem>; USER32.GetSystemMetrics 217 00B856CF |. 8BF0 mov esi,eax 218 00B856D1 |. 6A 21 push 0x21 ; /Index = SM_CYFRAME 219 00B856D3 |. FFD5 call ebp ; \GetSystemMetrics 220 00B856D5 |. 6A 04 push 0x4 ; /Index = SM_CYCAPTION 221 00B856D7 |. 8D1C46 lea ebx,dword ptr ds:[esi+eax*2] ; | 222 00B856DA |. FFD5 call ebp ; \GetSystemMetrics 223 00B856DC |. 03D8 add ebx,eax 224 00B856DE |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x40 225 00B856E5 |. 75 0C jnz short WinRAR1.00B856F3 226 00B856E7 |. F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x100 227 00B856F1 |. 75 06 jnz short WinRAR1.00B856F9 228 00B856F3 |> 031D 70A5C500 add ebx,dword ptr ds:[0xC5A570] 229 00B856F9 |> FF35 CCFEC000 push dword ptr ds:[0xC0FECC] 230 00B856FF |. E8 FC520200 call WinRAR1.00BAAA00 231 00B85704 |. 6A 20 push 0x20 232 00B85706 |. 8BF0 mov esi,eax 233 00B85708 |. FFD5 call ebp 234 00B8570A |. 6A 00 push 0x0 ; /UpdateProfile = 0 235 00B8570C |. 8D3446 lea esi,dword ptr ds:[esi+eax*2] ; | 236 00B8570F |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] ; | 237 00B85713 |. 50 push eax ; |pParam = NULL 238 00B85714 |. 6A 00 push 0x0 ; |wParam = 0x0 239 00B85716 |. 6A 30 push 0x30 ; |Action = SPI_GETWORKAREA 240 00B85718 |. FF15 8C44BF00 call dword ptr ds:[<&USER32.SystemParame>; \SystemParametersInfoW 241 00B8571E |. 
8B4424 1C mov eax,dword ptr ss:[esp+0x1C] 242 00B85722 |. 3BF0 cmp esi,eax 243 00B85724 |. 7C 02 jl short WinRAR1.00B85728 244 00B85726 |. 8BF0 mov esi,eax 245 00B85728 |> 2BC6 sub eax,esi 246 00B8572A |. 99 cdq 247 00B8572B |. 2BC2 sub eax,edx 248 00B8572D |. D1F8 sar eax,1 249 00B8572F |. 894424 10 mov dword ptr ss:[esp+0x10],eax 250 00B85733 |. 8B4424 20 mov eax,dword ptr ss:[esp+0x20] ; WinRAR1.00C4D45D 251 00B85737 |. 3BD8 cmp ebx,eax 252 00B85739 |. 7C 02 jl short WinRAR1.00B8573D 253 00B8573B |. 8BD8 mov ebx,eax 254 00B8573D |> 2BC3 sub eax,ebx 255 00B8573F |. 99 cdq 256 00B85740 |. 2BC2 sub eax,edx 257 00B85742 |. 8BE8 mov ebp,eax 258 00B85744 |. D1FD sar ebp,1 259 00B85746 |> 68 00010000 push 0x100 260 00B8574B |. 68 18FFC000 push WinRAR1.00C0FF18 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001" 261 00B85750 |. E8 3BF3FFFF call WinRAR1.00B84A90 262 00B85755 |. 6A 00 push 0x0 ; /lParam = NULL 263 00B85757 |. FF35 04F0C400 push dword ptr ds:[0xC4F004] ; |hInst = 00AE0000 264 00B8575D |. 6A 00 push 0x0 ; |hMenu = NULL 265 00B8575F |. 6A 00 push 0x0 ; |hParent = NULL 266 00B85761 |. 53 push ebx ; |Height = 902DC (590556.) 267 00B85762 |. 56 push esi ; |Width = 0x0 268 00B85763 |. 55 push ebp ; |Y = 5FA518 (6268184.) 269 00B85764 |. FF7424 2C push dword ptr ss:[esp+0x2C] ; |X = 0x0 270 00B85768 |. 57 push edi ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|3FE 271 00B85769 |. 68 6C71BF00 push WinRAR1.00BF716C ; |WindowName = "WinRAR" 272 00B8576E |. 68 E498BF00 push WinRAR1.00BF98E4 ; |Class = "RarReminder" 273 00B85773 |. 6A 00 push 0x0 ; |ExtStyle = 0 274 00B85775 |. FF15 A045BF00 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW 275 00B8577B |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x1 276 00B85782 |. 5F pop edi ; USER32.76CD87ED 277 00B85783 |. 5D pop ebp ; USER32.76CD87ED 278 00B85784 |. 74 13 je short WinRAR1.00B85799 279 00B85786 |. 
6A 03 push 0x3 ; /Flags = SWP_NOSIZE|SWP_NOMOVE 280 00B85788 |. 6A 00 push 0x0 ; |Height = 0x0 281 00B8578A |. 6A 00 push 0x0 ; |Width = 0x0 282 00B8578C |. 6A 00 push 0x0 ; |Y = 0x0 283 00B8578E |. 6A 00 push 0x0 ; |X = 0x0 284 00B85790 |. 6A FF push -0x1 ; |InsertAfter = HWND_TOPMOST 285 00B85792 |. 50 push eax ; |hWnd = NULL 286 00B85793 |. FF15 B845BF00 call dword ptr ds:[<&USER32.SetWindowPos>; \SetWindowPos 287 00B85799 |> 833D C091C100>cmp dword ptr ds:[0xC191C0],0x0 288 00B857A0 |. 74 33 je short WinRAR1.00B857D5 289 00B857A2 |. C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1 290 00B857A9 |. EB 2A jmp short WinRAR1.00B857D5 291 00B857AB |> 84DB test bl,bl 292 00B857AD |. 74 26 je short WinRAR1.00B857D5 293 00B857AF |. 6A 00 push 0x0 ; /lParam = NULL 294 00B857B1 |. 68 10C2BB00 push WinRAR1.00BBC210 ; |DlgProc = WinRAR1.00BBC210 295 00B857B6 |. C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1 ; | 296 00B857BD |. FF15 F444BF00 call dword ptr ds:[<&USER32.GetFocus>] ; |[GetFocus 297 00B857C3 |. 50 push eax ; |hOwner = NULL 298 00B857C4 |. 68 FC98BF00 push WinRAR1.00BF98FC ; |pTemplate = "REMINDER" 299 00B857C9 |. FF35 00F0C400 push dword ptr ds:[0xC4F000] ; |hInst = 00AE0000 300 00B857CF |. FF15 C845BF00 call dword ptr ds:[<&USER32.DialogBoxPar>; \DialogBoxParamW 301 00B857D5 |> 5B pop ebx ; USER32.76CD87ED 302 00B857D6 |. 5E pop esi ; USER32.76CD87ED 303 00B857D7 |> 8B8C24 141000>mov ecx,dword ptr ss:[esp+0x1014] 304 00B857DE |. 33CC xor ecx,esp 305 00B857E0 |. E8 D7FC0400 call WinRAR1.00BD54BC 306 00B857E5 |. 81C4 18100000 add esp,0x1018 307 00B857EB \. C2 0800 retn 0x8
经过分析判断,我们需要关注函数开头的两处跳转,即第7行和第9行:将第7行的跳转NOP掉,第9行改为jmp无条件跳转,即可使程序的执行流程跳过广告链接和重新购买许可证的窗口。
7 00B853BF |. 74 0E je short WinRAR1.00B853CF 8 00B853C1 |. 80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0 9 00B853C9 |. 0F84 08040000 je WinRAR1.00B857D7
完成修改后,点击鼠标右键,在弹出的菜单中依次选择“复制到可执行文件”-->“所有修改”-->“复制”。
然后在新窗口中右击选择“保存文件”即可保存修改。
整个世界彻底清净了,老衲要继续清修了^_^!!!!
附:分享几个系统函数。
CreateWindowEx function:https://msdn.microsoft.com/zh-cn/vstudio/ms632680(v=vs.90)
DestroyWindow function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-destroywindow
IsWindowVisible function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-iswindowvisible
还有一个大牛写的注册机:https://www.52pojie.cn/thread-984747-1-1.html