The Chinese distributor's build of WinRAR pops up an advertising window every time it runs, and the main window's title bar carries a license-expiry reminder. The aim of this patching exercise is to remove both.

Download address for the 32-bit build of WinRAR (5.71):

http://www.winrar.com.cn/download/wrar571scp.exe

64-bit download address:

http://www.winrar.com.cn/download/winrar-x64-571scp.exe

Tools needed: the 52pojie build of OllyDbg, and Binary Ninja

https://down.52pojie.cn/Tools/Debuggers/%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%E4%B8%93%E7%94%A8%E7%89%88Ollydbg.rar

https://cdn.binary.ninja/installers/BinaryNinja-demo.exe

This article draws on a post by an expert on the PYG forum: https://www.chinapyg.com/forum.php?mod=viewthread&tid=125493&highlight=winrar

The method is very clean, so I borrowed it; it suits a beginner like me as a hands-on exercise.

Load WinRAR in OD, as shown in the figure:

Press F9 to run WinRAR until the main window and the ad window appear, then press F12 to pause the program. Now click the "K" button at the top of OD (or press Alt+K) to view the call stack and see which functions were called before the window popped up. The result is shown below:

One thing to watch for in this step: make sure the ad window has actually appeared normally, with no other prompts, before pausing the program and inspecting the stack. For example, while debugging I ran into the situation shown below:

You only reach the state in the figure below when the ad page has been displayed normally.

Right-click the last entry in the call stack, as shown in the figure, and choose "Show call".

That takes us to the call site shown below:

Press Enter at that location, or single-step into it with F7, and we arrive at the assembly listing below. It contains both of the things we want to patch out, the ad and the license-expiry reminder in the title bar; the code comments make that clear.

00AE1520 $ 55 push ebp
00AE1521 . 8DAC24 E8CFFF>lea ebp,dword ptr ss:[esp-0x3018]
00AE1528 . B8 18300000 mov eax,0x3018
00AE152D . E8 9E3F0100 call WinRAR.00AF54D0
00AE1532 . 6A FF push -0x1
00AE1534 . 68 5832B100 push WinRAR.00B13258
00AE1539 . 64:A1 0000000>mov eax,dword ptr fs:[0]
00AE153F . 50 push eax
00AE1540 . 83EC 14 sub esp,0x14
00AE1543 . A1 341BB300 mov eax,dword ptr ds:[0xB31B34]
00AE1548 . 33C5 xor eax,ebp
00AE154A . 8985 14300000 mov dword ptr ss:[ebp+0x3014],eax
00AE1550 . 53 push ebx
00AE1551 . 56 push esi
00AE1552 . 57 push edi
00AE1553 . 50 push eax
00AE1554 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00AE1557 . 64:A3 0000000>mov dword ptr fs:[0],eax
00AE155D . 8965 F0 mov dword ptr ss:[ebp-0x10],esp
00AE1560 . 8BB5 20300000 mov esi,dword ptr ss:[ebp+0x3020]
00AE1566 . 6A 01 push 0x1
00AE1568 . E8 531EFBFF call WinRAR.00A933C0
00AE156D . 68 05800000 push 0x8005 ; /ErrorMode = SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX
00AE1572 . FF15 0442B100 call dword ptr ds:[<&KERNEL32.SetErrorMo>; \SetErrorMode
00AE1578 . B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE157D . E8 DED3F7FF call WinRAR.00A5E960
00AE1582 . C605 D592B300>mov byte ptr ds:[0xB392D5],0x0
00AE1589 . C705 F0A2B300>mov dword ptr ds:[0xB3A2F0],0x0
00AE1593 . FF15 F441B100 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentThreadId
00AE1599 . A3 F4A2B300 mov dword ptr ds:[0xB3A2F4],eax
00AE159E . 6A 00 push 0x0 ; /EventName = NULL
00AE15A0 . 6A 00 push 0x0 ; |InitiallySignaled = FALSE
00AE15A2 . 6A 01 push 0x1 ; |ManualReset = TRUE
00AE15A4 . 6A 00 push 0x0 ; |pSecurity = NULL
00AE15A6 . FF15 6841B100 call dword ptr ds:[<&KERNEL32.CreateEven>; \CreateEventW
00AE15AC . A3 F8A2B300 mov dword ptr ds:[0xB3A2F8],eax
00AE15B1 . 68 04DEB100 push WinRAR.00B1DE04 ; /MsgName = "WMUser_DisplayError"
00AE15B6 . FF15 7445B100 call dword ptr ds:[<&USER32.RegisterWind>; \RegisterWindowMessageW
00AE15BC . A3 20A3B300 mov dword ptr ds:[0xB3A320],eax
00AE15C1 . 68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General"
00AE15C6 . E8 C504FCFF call WinRAR.00AA1A90
00AE15CB . 84C0 test al,al
00AE15CD . 0F94C3 sete bl
00AE15D0 . 885D EF mov byte ptr ss:[ebp-0x11],bl
00AE15D3 . 6A 01 push 0x1
00AE15D5 . 68 00080000 push 0x800
00AE15DA . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE15E0 . 50 push eax
00AE15E1 . E8 EAA3F9FF call WinRAR.00A7B9D0
00AE15E6 . 68 00080000 push 0x800
00AE15EB . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE15F1 . 50 push eax
00AE15F2 . E8 1993F9FF call WinRAR.00A7A910
00AE15F7 . 68 00080000 push 0x800
00AE15FC . 8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
00AE1602 . 50 push eax
00AE1603 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE1608 . E8 4312FBFF call WinRAR.00A92850
00AE160D . 68 00080000 push 0x800
00AE1612 . 68 CC89B100 push WinRAR.00B189CC ; UNICODE "rar.log"
00AE1617 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE161C . E8 EF11FBFF call WinRAR.00A92810
00AE1621 . 6A 00 push 0x0
00AE1623 . 56 push esi
00AE1624 . B9 08F0B600 mov ecx,WinRAR.00B6F008
00AE1629 . E8 12AEFAFF call WinRAR.00A8C440
00AE162E . 68 2CDEB100 push WinRAR.00B1DE2C ; UNICODE "winrar.lng"
00AE1633 . B9 0CF0B600 mov ecx,WinRAR.00B6F00C
00AE1638 . E8 639FFAFF call WinRAR.00A8B5A0
00AE163D . 56 push esi
00AE163E . E8 ADDBFFFF call WinRAR.00ADF1F0
00AE1643 . 85C0 test eax,eax
00AE1645 . 0F84 66060000 je WinRAR.00AE1CB1
00AE164B . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00AE164E . E8 AD11FFFF call WinRAR.00AD2800
00AE1653 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00AE165A . 8935 04F0B600 mov dword ptr ds:[0xB6F004],esi
00AE1660 . B9 F0B5B500 mov ecx,WinRAR.00B5B5F0
00AE1665 . E8 8643F2FF call WinRAR.00A059F0
00AE166A . E8 6137FEFF call WinRAR.00AC4DD0
00AE166F . E8 4CEAFDFF call WinRAR.00AC00C0
00AE1674 . E8 07FBFFFF call WinRAR.00AE1180
00AE1679 . 68 44DEB100 push WinRAR.00B1DE44 ; /MutexName = "WinRAR_Busy"
00AE167E . 6A 00 push 0x0 ; |InitialOwner = FALSE
00AE1680 . 6A 00 push 0x0 ; |pSecurity = NULL
00AE1682 . FF15 5C43B100 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexW
00AE1688 . A3 D092B300 mov dword ptr ds:[0xB392D0],eax
00AE168D . 6A 00 push 0x0 ; /Title = NULL
00AE168F . 68 B858B100 push WinRAR.00B158B8 ; |Class = "WinRarWindow"
00AE1694 . FF15 8C45B100 call dword ptr ds:[<&USER32.FindWindowW>>; \FindWindowW
00AE169A . 8BF8 mov edi,eax
00AE169C . 897D E8 mov dword ptr ss:[ebp-0x18],edi
00AE169F . 6A 00 push 0x0 ; /lParam = NULL
00AE16A1 . 56 push esi ; |hInst = 00DBCB64
00AE16A2 . 6A 00 push 0x0 ; |hMenu = NULL
00AE16A4 . 6A 00 push 0x0 ; |hParent = NULL
00AE16A6 . 68 00000080 push 0x80000000 ; |Height = 80000000 (-2147483648.)
00AE16AB . 68 00000080 push 0x80000000 ; |Width = 80000000 (-2147483648.)
00AE16B0 . 68 00000080 push 0x80000000 ; |Y = 80000000 (-2147483648.)
00AE16B5 . 68 00000080 push 0x80000000 ; |X = 80000000 (-2147483648.)
00AE16BA . 68 0000CF06 push 0x6CF0000 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_CLIPSIBLINGS|WS_CLIPCHILDREN|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION
00AE16BF . 68 6C71B100 push WinRAR.00B1716C ; |WindowName = "WinRAR"
00AE16C4 . 68 B858B100 push WinRAR.00B158B8 ; |Class = "WinRarWindow"
00AE16C9 . 6A 10 push 0x10 ; |ExtStyle = WS_EX_ACCEPTFILES
00AE16CB . FF15 A045B100 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
00AE16D1 . A3 AC81B300 mov dword ptr ds:[0xB381AC],eax
00AE16D6 . 85C0 test eax,eax
00AE16D8 . 0F84 C4050000 je WinRAR.00AE1CA2
00AE16DE . 50 push eax
00AE16DF . B9 0CF0B600 mov ecx,WinRAR.00B6F00C
00AE16E4 . E8 F7A6FAFF call WinRAR.00A8BDE0
00AE16E9 . 6A 00 push 0x0
00AE16EB . E8 60DAFFFF call WinRAR.00ADF150
00AE16F0 . E8 8BF8FFFF call WinRAR.00AE0F80
00AE16F5 . 84DB test bl,bl
00AE16F7 . 74 1A je short WinRAR.00AE1713
00AE16F9 . E8 D22EFCFF call WinRAR.00AA45D0
00AE16FE . 84C0 test al,al
00AE1700 . 75 11 jnz short WinRAR.00AE1713
00AE1702 . 6A 01 push 0x1
00AE1704 . 6A 00 push 0x0
00AE1706 . E8 D596F2FF call WinRAR.00A0ADE0
00AE170B . 84C0 test al,al
00AE170D . 75 04 jnz short WinRAR.00AE1713
00AE170F . B7 01 mov bh,0x1
00AE1711 . EB 02 jmp short WinRAR.00AE1715
00AE1713 > 32FF xor bh,bh
00AE1715 > 8D85 00300000 lea eax,dword ptr ss:[ebp+0x3000]
00AE171B . 50 push eax
00AE171C . E8 FF8BF2FF call WinRAR.00A0A320
00AE1721 . 0FB785 003000>movzx eax,word ptr ss:[ebp+0x3000]
00AE1728 . 50 push eax ; /StringOrChar = 27BC
00AE1729 . E8 5247FBFF call <jmp.&USER32.CharUpperW> ; \CharUpperW
00AE172E . 0FB7F0 movzx esi,ax
00AE1731 . 68 34040000 push 0x434
00AE1736 . 6A 00 push 0x0
00AE1738 . 68 38A3B300 push WinRAR.00B3A338
00AE173D . E8 DE620100 call WinRAR.00AF7A20
00AE1742 . 83C4 0C add esp,0xC
00AE1745 . 6A 00 push 0x0
00AE1747 . 6A 00 push 0x0
00AE1749 . 6A 01 push 0x1
00AE174B . B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE1750 . E8 FBD6F7FF call WinRAR.00A5EE50
00AE1755 . E8 06E9F2FF call WinRAR.00A10060
00AE175A . 66:85F6 test si,si
00AE175D . 74 66 je short WinRAR.00AE17C5
00AE175F . 803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0
00AE1766 . 75 5D jnz short WinRAR.00AE17C5
00AE1768 . 56 push esi
00AE1769 . 68 5CDEB100 push WinRAR.00B1DE5C ; UNICODE "AFUMD"
00AE176E . E8 6F500100 call WinRAR.00AF67E2
00AE1773 . 83C4 08 add esp,0x8
00AE1776 . 85C0 test eax,eax
00AE1778 . 75 32 jnz short WinRAR.00AE17AC
00AE177A . 83FE 43 cmp esi,0x43
00AE177D . 75 09 jnz short WinRAR.00AE1788
00AE177F . 66:3985 02300>cmp word ptr ss:[ebp+0x3002],ax
00AE1786 . 74 24 je short WinRAR.00AE17AC
00AE1788 > 803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0
00AE178F . 75 34 jnz short WinRAR.00AE17C5
00AE1791 . 56 push esi
00AE1792 . 68 68DEB100 push WinRAR.00B1DE68 ; UNICODE "TXE"
00AE1797 . E8 46500100 call WinRAR.00AF67E2
00AE179C . 83C4 08 add esp,0x8
00AE179F . 85C0 test eax,eax
00AE17A1 . 74 22 je short WinRAR.00AE17C5
00AE17A3 . 6A 00 push 0x0
00AE17A5 . E8 3609FFFF call WinRAR.00AD20E0
00AE17AA . EB 20 jmp short WinRAR.00AE17CC
00AE17AC > E8 3F6FFEFF call WinRAR.00AC86F0
00AE17B1 . 83FE 44 cmp esi,0x44
00AE17B4 . 74 05 je short WinRAR.00AE17BB
00AE17B6 . 83FE 43 cmp esi,0x43
00AE17B9 . 75 11 jnz short WinRAR.00AE17CC
00AE17BB > 33C0 xor eax,eax
00AE17BD . 66:A3 B05BB40>mov word ptr ds:[0xB45BB0],ax
00AE17C3 . EB 07 jmp short WinRAR.00AE17CC
00AE17C5 > 6A 00 push 0x0
00AE17C7 . E8 4436FEFF call WinRAR.00AC4E10
00AE17CC > 6A 00 push 0x0
00AE17CE . 6A 00 push 0x0
00AE17D0 . 6A 01 push 0x1
00AE17D2 . B9 A04BB400 mov ecx,WinRAR.00B44BA0
00AE17D7 . E8 74D6F7FF call WinRAR.00A5EE50
00AE17DC . 68 A04BB400 push WinRAR.00B44BA0
00AE17E1 . B9 D011B500 mov ecx,WinRAR.00B511D0
00AE17E6 . E8 6567F2FF call WinRAR.00A07F50
00AE17EB . 68 00080000 push 0x800
00AE17F0 . 68 EAFFB400 push WinRAR.00B4FFEA
00AE17F5 . 68 B081B300 push WinRAR.00B381B0
00AE17FA . E8 5110FBFF call WinRAR.00A92850
00AE17FF . 33C0 xor eax,eax
00AE1801 . 66:A3 EAFFB40>mov word ptr ds:[0xB4FFEA],ax
00AE1807 . 68 00080000 push 0x800
00AE180C . 8D45 00 lea eax,dword ptr ss:[ebp]
00AE180F . 50 push eax
00AE1810 . E8 CB93FEFF call WinRAR.00ACABE0
00AE1815 . 8D45 00 lea eax,dword ptr ss:[ebp]
00AE1818 . 50 push eax
00AE1819 . B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE181E . E8 1D38F6FF call WinRAR.00A45040
00AE1823 . C705 5492B300>mov dword ptr ds:[0xB39254],0x0
00AE182D . C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00AE1831 . E8 4A87F2FF call WinRAR.00A09F80
00AE1836 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00AE183D . FF35 AC81B300 push dword ptr ds:[0xB381AC]
00AE1843 . E8 58FBFFFF call WinRAR.00AE13A0
00AE1848 . 66:833D CC9CB>cmp word ptr ds:[0xB49CCC],0x0
00AE1850 . 74 2C je short WinRAR.00AE187E
00AE1852 . 68 CC9CB400 push WinRAR.00B49CCC
00AE1857 . E8 54ACF9FF call WinRAR.00A7C4B0
00AE185C . 68 00080000 push 0x800
00AE1861 . 68 CC9CB400 push WinRAR.00B49CCC
00AE1866 . 68 E092B300 push WinRAR.00B392E0 ; UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
00AE186B . 3D CC9CB400 cmp eax,WinRAR.00B49CCC
00AE1870 . 75 07 jnz short WinRAR.00AE1879
00AE1872 . E8 39ADF9FF call WinRAR.00A7C5B0
00AE1877 . EB 05 jmp short WinRAR.00AE187E
00AE1879 > E8 D20FFBFF call WinRAR.00A92850
00AE187E > 6A 00 push 0x0 ; /lParam = 0x0
00AE1880 . 6A 00 push 0x0 ; |wParam = 0x0
00AE1882 . 68 03800000 push 0x8003 ; |Message = MSG(0x8003)
00AE1887 . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; |hWnd = 0xB05BC
00AE188D . FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
00AE1893 . 833D AC81B300>cmp dword ptr ds:[0xB381AC],0x0
00AE189A . 0F84 93010000 je WinRAR.00AE1A33
00AE18A0 . 66:833D CAEFB>cmp word ptr ds:[0xB4EFCA],0x0
00AE18A8 . 0F85 6F030000 jnz WinRAR.00AE1C1D
00AE18AE . 32DB xor bl,bl
00AE18B0 . 66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0
00AE18B8 . 0F84 3A030000 je WinRAR.00AE1BF8
00AE18BE . 68 EAFFB400 push WinRAR.00B4FFEA
00AE18C3 . E8 F8A7F8FF call WinRAR.00A6C0C0
00AE18C8 . 83F8 FF cmp eax,-0x1
00AE18CB . 74 06 je short WinRAR.00AE18D3
00AE18CD . A8 10 test al,0x10
00AE18CF . 74 02 je short WinRAR.00AE18D3
00AE18D1 . B3 01 mov bl,0x1
00AE18D3 > 66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0
00AE18DB . 0F84 EB020000 je WinRAR.00AE1BCC
00AE18E1 . 84DB test bl,bl
00AE18E3 . 0F85 E7020000 jnz WinRAR.00AE1BD0
00AE18E9 . 6A 00 push 0x0
00AE18EB . 68 8850B100 push WinRAR.00B15088 ; UNICODE "ReuseWindow"
00AE18F0 . 68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General"
00AE18F5 . E8 9623FCFF call WinRAR.00AA3C90
00AE18FA . 85C0 test eax,eax
00AE18FC . 0F84 F7000000 je WinRAR.00AE19F9
00AE1902 . 85FF test edi,edi
00AE1904 . 0F84 EF000000 je WinRAR.00AE19F9
00AE190A . 6A 00 push 0x0
00AE190C . 68 00080000 push 0x800
00AE1911 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1917 . 50 push eax
00AE1918 . E8 F37FFEFF call WinRAR.00AC9910
00AE191D . 68 00080000 push 0x800
00AE1922 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1928 . 50 push eax
00AE1929 . E8 E28FF9FF call WinRAR.00A7A910
00AE192E . 68 00080000 push 0x800
00AE1933 . 68 8CC3B100 push WinRAR.00B1C38C ; UNICODE "Rar$"
00AE1938 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE193E . 50 push eax
00AE193F . E8 CC0EFBFF call WinRAR.00A92810
00AE1944 . 8D8D 00200000 lea ecx,dword ptr ss:[ebp+0x2000]
00AE194A . 8D51 02 lea edx,dword ptr ds:[ecx+0x2]
00AE194D . 8D49 00 lea ecx,dword ptr ds:[ecx]
00AE1950 > 66:8B01 mov ax,word ptr ds:[ecx]
00AE1953 . 83C1 02 add ecx,0x2
00AE1956 . 66:85C0 test ax,ax
00AE1959 .^ 75 F5 jnz short WinRAR.00AE1950
00AE195B . 2BCA sub ecx,edx
00AE195D . D1F9 sar ecx,1
00AE195F . 51 push ecx
00AE1960 . 8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
00AE1966 . 50 push eax
00AE1967 . 68 EAFFB400 push WinRAR.00B4FFEA
00AE196C . E8 DF45FBFF call WinRAR.00A95F50
00AE1971 . 85C0 test eax,eax
00AE1973 . 0F84 80000000 je WinRAR.00AE19F9
00AE1979 . 68 20DDB100 push WinRAR.00B1DD20 ; /MapName = "RarArchiveWideName"
00AE197E . 68 00100000 push 0x1000 ; |MaximumSizeLow = 0x1000
00AE1983 . 6A 00 push 0x0 ; |MaximumSizeHigh = 0x0
00AE1985 . 68 04000008 push 0x8000004 ; |Protection = PAGE_READWRITE|SEC_COMMIT
00AE198A . 6A 00 push 0x0 ; |pSecurity = NULL
00AE198C . 6A FF push -0x1 ; |hFile = FFFFFFFF
00AE198E . FF15 9843B100 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileMappingW
00AE1994 . 8BF8 mov edi,eax
00AE1996 . 85FF test edi,edi
00AE1998 . 74 5C je short WinRAR.00AE19F6
00AE199A . 68 00100000 push 0x1000 ; /MapSize = 1000 (4096.)
00AE199F . 6A 00 push 0x0 ; |OffsetLow = 0x0
00AE19A1 . 6A 00 push 0x0 ; |OffsetHigh = 0x0
00AE19A3 . 6A 02 push 0x2 ; |AccessMode = FILE_MAP_WRITE
00AE19A5 . 57 push edi ; |hMapObject = NULL
00AE19A6 . FF15 A043B100 call dword ptr ds:[<&KERNEL32.MapViewOfF>; \MapViewOfFile
00AE19AC . 8BF0 mov esi,eax
00AE19AE . 68 00080000 push 0x800
00AE19B3 . 56 push esi
00AE19B4 . 68 EAFFB400 push WinRAR.00B4FFEA
00AE19B9 . B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE19BE . E8 8DF6F5FF call WinRAR.00A41050
00AE19C3 . 56 push esi ; /BaseAddress = 00DBCB64
00AE19C4 . FF15 9C43B100 call dword ptr ds:[<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
00AE19CA . 68 F164E97A push 0x7AE964F1 ; /lParam = 0x7AE964F1
00AE19CF . 68 5EAC89D4 push 0xD489AC5E ; |wParam = 0xD489AC5E
00AE19D4 . 68 01800000 push 0x8001 ; |Message = MSG(0x8001)
00AE19D9 . FF75 E8 push dword ptr ss:[ebp-0x18] ; |hWnd = 0xDBCBB0
00AE19DC . FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
00AE19E2 . 85C0 test eax,eax
00AE19E4 . 0F95C3 setne bl
00AE19E7 . 57 push edi ; /hObject = NULL
00AE19E8 . FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
00AE19EE . 84DB test bl,bl
00AE19F0 . 0F85 B8010000 jnz WinRAR.00AE1BAE
00AE19F6 > 8B7D E8 mov edi,dword ptr ss:[ebp-0x18]
00AE19F9 > 68 EAFFB400 push WinRAR.00B4FFEA
00AE19FE . B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE1A03 . E8 68FFF5FF call WinRAR.00A41970
00AE1A08 . 84C0 test al,al
00AE1A0A . 0F84 9E010000 je WinRAR.00AE1BAE
00AE1A10 . 803D D491B300>cmp byte ptr ds:[0xB391D4],0x0
00AE1A17 . 75 17 jnz short WinRAR.00AE1A30
00AE1A19 . 833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0
00AE1A20 . 0F84 77010000 je WinRAR.00AE1B9D
00AE1A26 . B9 78E2B500 mov ecx,WinRAR.00B5E278
00AE1A2B . E8 302EF6FF call WinRAR.00A44860
00AE1A30 > 8A5D EF mov bl,byte ptr ss:[ebp-0x11]
00AE1A33 > 57 push edi
00AE1A34 . 68 00000100 push 0x10000
00AE1A39 . 68 B038AD00 push WinRAR.00AD38B0
00AE1A3E . E8 DEAC0100 call WinRAR.00AFC721
00AE1A43 . 83C4 0C add esp,0xC
00AE1A46 . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1A4C . FF15 C445B100 call dword ptr ds:[<&USER32.IsWindowVisi>; \IsWindowVisible
00AE1A52 . 85C0 test eax,eax
00AE1A54 . 75 0E jnz short WinRAR.00AE1A64
00AE1A56 . 85FF test edi,edi
00AE1A58 . 0F95C0 setne al
00AE1A5B . 0FB6C0 movzx eax,al
00AE1A5E . 50 push eax
00AE1A5F . E8 CCF5FFFF call WinRAR.00AE1030
00AE1A64 > FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1A6A . FF15 0C45B100 call dword ptr ds:[<&USER32.UpdateWindow>; \UpdateWindow
00AE1A70 . 84FF test bh,bh
00AE1A72 . 74 27 je short WinRAR.00AE1A9B
00AE1A74 . 84DB test bl,bl
00AE1A76 . 74 23 je short WinRAR.00AE1A9B
00AE1A78 . 68 704BB100 push WinRAR.00B14B70 ; UNICODE "Setup"
00AE1A7D . E8 0E00FCFF call WinRAR.00AA1A90
00AE1A82 . 84C0 test al,al
00AE1A84 . 75 15 jnz short WinRAR.00AE1A9B
00AE1A86 . 68 844CB100 push WinRAR.00B14C84 ; UNICODE ".rar"
00AE1A8B . E8 8096F5FF call WinRAR.00A3B110
00AE1A90 . 84C0 test al,al
00AE1A92 . 75 07 jnz short WinRAR.00AE1A9B
00AE1A94 . 6A 06 push 0x6
00AE1A96 . E8 65B2F2FF call WinRAR.00A0CD00
00AE1A9B > 6A 00 push 0x0
00AE1A9D . 68 1855B100 push WinRAR.00B15518 ; UNICODE "ExportedSettings"
00AE1AA2 . 68 7C48B100 push WinRAR.00B1487C
00AE1AA7 . E8 E421FCFF call WinRAR.00AA3C90
00AE1AAC . 85C0 test eax,eax
00AE1AAE . 74 05 je short WinRAR.00AE1AB5
00AE1AB0 . E8 7B92F2FF call WinRAR.00A0AD30
00AE1AB5 > 6A 00 push 0x0
00AE1AB7 . 6A 01 push 0x1
00AE1AB9 . E8 E238FCFF call WinRAR.00AA53A0
00AE1ABE . 6A 00 push 0x0
00AE1AC0 . 68 7050B100 push WinRAR.00B15070 ; UNICODE "WizardMode"
00AE1AC5 . 68 A44BB100 push WinRAR.00B14BA4 ; UNICODE "General"
00AE1ACA . E8 C121FCFF call WinRAR.00AA3C90
00AE1ACF . 85C0 test eax,eax
00AE1AD1 . 74 24 je short WinRAR.00AE1AF7
00AE1AD3 . FF35 AC81B300 push dword ptr ds:[0xB381AC]
00AE1AD9 . E8 E2390000 call WinRAR.00AE54C0
00AE1ADE . 84C0 test al,al
00AE1AE0 . 74 15 je short WinRAR.00AE1AF7
00AE1AE2 . 833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0
00AE1AE9 . 75 0C jnz short WinRAR.00AE1AF7
00AE1AEB . FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1AF1 . FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
00AE1AF7 > 6A 00 push 0x0
00AE1AF9 . 6A 00 push 0x0
00AE1AFB . E8 00F0FFFF call WinRAR.00AE0B00
00AE1B00 . 84C0 test al,al
00AE1B02 .^ 75 F3 jnz short WinRAR.00AE1AF7
00AE1B04 . 6A 01 push 0x1
00AE1B06 . 6A 00 push 0x0
00AE1B08 . 6A 00 push 0x0
00AE1B0A . E8 7187FEFF call WinRAR.00ACA280
00AE1B0F . B9 34A3B300 mov ecx,WinRAR.00B3A334
00AE1B14 . E8 C7080000 call WinRAR.00AE23E0
00AE1B19 . E8 A21EFFFF call WinRAR.00AD39C0
00AE1B1E . C605 D592B300>mov byte ptr ds:[0xB392D5],0x1
00AE1B25 . FF35 F8A2B300 push dword ptr ds:[0xB3A2F8] ; /hEvent = 00000238 (window)
00AE1B2B . FF15 9441B100 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
00AE1B31 . 33F6 xor esi,esi
00AE1B33 . 8B3D 5043B100 mov edi,dword ptr ds:[<&KERNEL32.Sleep>] ; KERNEL32.Sleep
00AE1B39 . 8DA424 000000>lea esp,dword ptr ss:[esp]
00AE1B40 > 833D F0A2B300>cmp dword ptr ds:[0xB3A2F0],0x0
00AE1B47 . 7E 0D jle short WinRAR.00AE1B56
00AE1B49 . 6A 64 push 0x64
00AE1B4B . FFD7 call edi
00AE1B4D . 4E dec esi
00AE1B4E . 81FE C8000000 cmp esi,0xC8
00AE1B54 .^ 7C EA jl short WinRAR.00AE1B40
00AE1B56 > FF35 F8A2B300 push dword ptr ds:[0xB3A2F8] ; /hObject = 00000238 (window)
00AE1B5C . FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
00AE1B62 . 833D CC92B300>cmp dword ptr ds:[0xB392CC],0x0
00AE1B69 . 0F84 0B010000 je WinRAR.00AE1C7A
00AE1B6F . 83C8 FF or eax,-0x1
00AE1B72 . A3 CC92B300 mov dword ptr ds:[0xB392CC],eax
00AE1B77 . 33F6 xor esi,esi
00AE1B79 . 8DA424 000000>lea esp,dword ptr ss:[esp]
00AE1B80 > 85C0 test eax,eax
00AE1B82 . 0F84 10010000 je WinRAR.00AE1C98
00AE1B88 . 6A 64 push 0x64
00AE1B8A . FFD7 call edi
00AE1B8C . 46 inc esi
00AE1B8D . 83FE 0A cmp esi,0xA
00AE1B90 . 0F8D 02010000 jge WinRAR.00AE1C98
00AE1B96 . A1 CC92B300 mov eax,dword ptr ds:[0xB392CC]
00AE1B9B .^ EB E3 jmp short WinRAR.00AE1B80
00AE1B9D > FF35 AC81B300 push dword ptr ds:[0xB381AC] ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
00AE1BA3 . FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
00AE1BA9 .^ E9 82FEFFFF jmp WinRAR.00AE1A30
00AE1BAE > E8 FDDDFEFF call WinRAR.00ACF9B0

Look at the "DestroyWindow" calls (there are two of them, closing the main window and the ad window respectively; if you are not sure which is which, set breakpoints and test). Since these close a window, the ad window must be created somewhere above them. Working upward through the nearby calls with breakpoints, the call that brings up the ad window turns out to be call WinRAR.00AA53A0 at 00AE1AB9. From there, look upward for a key conditional jump that could bypass the call (the call itself could also simply be NOPed out). The jump at 00AE1AAE, je short WinRAR.00AE1AB5, is the one: changing it to jmp 0x00AE1AF7 jumps straight past the DestroyWindow call.

For the second modification I chose Binary Ninja. Its flow-graph layout is well organized and easy to analyze, it is light on system resources, and its right-click "patch" feature is rather good for editing assembly.

After loading the main WinRAR executable in Binary Ninja, press "G" and enter the address we want to look up. The addresses differ from the ones OD shows, so we have to map them ourselves: 00AE1520 corresponds to 004E1520. Jumping straight to that location gives the view shown in the figure:

In the listing above we noticed one place that calls the system API IsWindowVisible (the window-visibility attribute), at 00AE1A4C. If that call is made, the license information in the title bar gets hidden. So we look up the corresponding location 004E1A4C in Binary Ninja, shown below:

Click the first line of the basic block containing that location, "push edi {var_18_13}". The "Cross References" pane in the lower left lists two addresses that jump to it. After analysis we decided to change the assembly at the earlier of the two, 0x4e189a, to "jmp 0x4e1a33" (right-click at that location --> "patch" --> "Edit Current Line", as shown in the figure).

After the change it looks like this:

With both steps done, save the changes and run WinRAR; the result is shown in the figure. The program now starts quietly, with no ad pop-up and no license-expiry reminder in the title bar.

But don't celebrate too early. Set the system clock forward past the software's expiry date and restart WinRAR, and the window below still appears, prompting us to buy a WinRAR license.

Repeating the run / pause / view call stack / show call / single-step sequence leads us to the code segment below. It contains the ad link http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001 as well as the RarReminder function that reminds you the license has expired and must be repurchased.

00B853A0 /$ B8 18100000 mov eax,0x1018
00B853A5 |. E8 26010500 call WinRAR1.00BD54D0
00B853AA |. A1 341BC100 mov eax,dword ptr ds:[0xC11B34]
00B853AF |. 33C4 xor eax,esp
00B853B1 |. 898424 141000>mov dword ptr ss:[esp+0x1014],eax
00B853B8 |. 803D 74A5C500>cmp byte ptr ds:[0xC5A574],0x0
00B853BF |. 74 0E je short WinRAR1.00B853CF
00B853C1 |. 80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0
00B853C9 |. 0F84 08040000 je WinRAR1.00B857D7
00B853CF |> 833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0
00B853D6 |. 56 push esi
00B853D7 |. 74 1C je short WinRAR1.00B853F5
00B853D9 |. B9 98FBC000 mov ecx,WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta"
00B853DE |. E8 1DF9FFFF call WinRAR1.00B84D00
00B853E3 |. 833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0
00B853EA |. 0F84 A1000000 je WinRAR1.00B85491
00B853F0 |. E9 88000000 jmp WinRAR1.00B8547D
00B853F5 |> 68 FD040000 push 0x4FD
00B853FA |. E8 6171FEFF call WinRAR1.00B6C560
00B853FF |. 8BF0 mov esi,eax
00B85401 |. 66:833E 23 cmp word ptr ds:[esi],0x23
00B85405 |. 75 20 jnz short WinRAR1.00B85427
00B85407 |. 66:837E 02 23 cmp word ptr ds:[esi+0x2],0x23
00B8540C |. 75 19 jnz short WinRAR1.00B85427
00B8540E |. 8BCE mov ecx,esi
00B85410 |. 8D51 02 lea edx,dword ptr ds:[ecx+0x2]
00B85413 |> 66:8B01 /mov ax,word ptr ds:[ecx]
00B85416 |. 83C1 02 |add ecx,0x2
00B85419 |. 66:85C0 |test ax,ax
00B8541C |.^ 75 F5 \jnz short WinRAR1.00B85413
00B8541E |. 2BCA sub ecx,edx
00B85420 |. D1F9 sar ecx,1
00B85422 |. 83F9 64 cmp ecx,0x64
00B85425 |. 73 06 jnb short WinRAR1.00B8542D
00B85427 |> 8B35 1800C100 mov esi,dword ptr ds:[0xC10018] ; WinRAR1.00BF9628
00B8542D |> 68 00100000 push 0x1000
00B85432 |. 8D4424 1C lea eax,dword ptr ss:[esp+0x1C]
00B85436 |. 6A 00 push 0x0
00B85438 |. 50 push eax
00B85439 |. E8 E2250500 call WinRAR1.00BD7A20
00B8543E |. 83C4 0C add esp,0xC
00B85441 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
00B85445 |. 68 00100000 push 0x1000
00B8544A |. 50 push eax
00B8544B |. 8D46 04 lea eax,dword ptr ds:[esi+0x4]
00B8544E |. 50 push eax
00B8544F |. E8 0C07FFFF call WinRAR1.00B75B60
00B85454 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
00B85458 |. 8D51 01 lea edx,dword ptr ds:[ecx+0x1]
00B8545B |. EB 03 jmp short WinRAR1.00B85460
00B8545D | 8D49 00 lea ecx,dword ptr ds:[ecx]
00B85460 |> 8A01 /mov al,byte ptr ds:[ecx]
00B85462 |. 41 |inc ecx
00B85463 |. 84C0 |test al,al
00B85465 |.^ 75 F9 \jnz short WinRAR1.00B85460
00B85467 |. 2BCA sub ecx,edx
00B85469 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
00B8546D |. 51 push ecx
00B8546E |. 50 push eax
00B8546F |. B9 98FBC000 mov ecx,WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta"
00B85474 |. E8 67F4FFFF call WinRAR1.00B848E0
00B85479 |. 84C0 test al,al
00B8547B |. 75 14 jnz short WinRAR1.00B85491
00B8547D |> 68 80040000 push 0x480
00B85482 |. 6A 00 push 0x0
00B85484 |. 68 98FBC000 push WinRAR1.00C0FB98 ; ASCII "8g3#0w1$5r7%2ta"
00B85489 |. E8 92250500 call WinRAR1.00BD7A20
00B8548E |. 83C4 0C add esp,0xC
00B85491 |> 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
00B85498 |. 53 push ebx
00B85499 |. 75 12 jnz short WinRAR1.00B854AD
00B8549B |. A1 DC92C100 mov eax,dword ptr ds:[0xC192DC]
00B854A0 |. 83F8 28 cmp eax,0x28
00B854A3 |. 7F 04 jg short WinRAR1.00B854A9
00B854A5 |. 85C0 test eax,eax
00B854A7 |. 79 04 jns short WinRAR1.00B854AD
00B854A9 |> B3 01 mov bl,0x1
00B854AB |. EB 02 jmp short WinRAR1.00B854AF
00B854AD |> 32DB xor bl,bl
00B854AF |> 80BC24 241000>cmp byte ptr ss:[esp+0x1024],0x0
00B854B7 |. 0F84 EE020000 je WinRAR1.00B857AB
00B854BD |. E8 4EA0FCFF call WinRAR1.00B4F510
00B854C2 |. 3D 01050000 cmp eax,0x501
00B854C7 |. 77 10 ja short WinRAR1.00B854D9
00B854C9 |. F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x200
00B854D3 |. 0F84 FC020000 je WinRAR1.00B857D5
00B854D9 |> 803D 18FFC000>cmp byte ptr ds:[0xC0FF18],0x0
00B854E0 |. 0F84 EF020000 je WinRAR1.00B857D5
00B854E6 |. C605 C3FCC000>mov byte ptr ds:[0xC0FCC3],0x0
00B854ED |. C605 C7FDC000>mov byte ptr ds:[0xC0FDC7],0x0
00B854F4 |. C605 1700C100>mov byte ptr ds:[0xC10017],0x0
00B854FB |. 84DB test bl,bl
00B854FD |. 75 14 jnz short WinRAR1.00B85513
00B854FF |. A0 A8FBC000 mov al,byte ptr ds:[0xC0FBA8]
00B85504 |. 24 80 and al,0x80
00B85506 |. 0FB6C0 movzx eax,al
00B85509 |. F7D8 neg eax
00B8550B |. 1BC0 sbb eax,eax
00B8550D |. 2105 B0FBC000 and dword ptr ds:[0xC0FBB0],eax
00B85513 |> 32FF xor bh,bh
00B85515 |. 833D C0FBC000>cmp dword ptr ds:[0xC0FBC0],0x0
00B8551C |. 76 50 jbe short WinRAR1.00B8556E
00B8551E |. 383D B467C400 cmp byte ptr ds:[0xC467B4],bh
00B85524 |. 75 48 jnz short WinRAR1.00B8556E
00B85526 |. 6A 00 push 0x0
00B85528 |. 68 A098BF00 push WinRAR1.00BF98A0 ; UNICODE "RemShown"
00B8552D |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B85532 |. E8 59E7FFFF call WinRAR1.00B83C90
00B85537 |. 3B05 C0FBC000 cmp eax,dword ptr ds:[0xC0FBC0]
00B8553D |. 73 2F jnb short WinRAR1.00B8556E
00B8553F |. 40 inc eax
00B85540 |. 50 push eax
00B85541 |. 68 A098BF00 push WinRAR1.00BF98A0 ; UNICODE "RemShown"
00B85546 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B8554B |. E8 50F3FFFF call WinRAR1.00B848A0
00B85550 |. 803D C4FBC000>cmp byte ptr ds:[0xC0FBC4],0x0
00B85557 |. B7 01 mov bh,0x1
00B85559 |. 0F84 B8000000 je WinRAR1.00B85617
00B8555F |. 68 00010000 push 0x100
00B85564 |. 68 C4FBC000 push WinRAR1.00C0FBC4 ; ASCII "http://ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85569 |. E9 9F000000 jmp WinRAR1.00B8560D
00B8556E |> 833D C4FCC000>cmp dword ptr ds:[0xC0FCC4],0x0
00B85575 |. 76 45 jbe short WinRAR1.00B855BC
00B85577 |. 84DB test bl,bl
00B85579 |. 74 41 je short WinRAR1.00B855BC
00B8557B |. 6A 00 push 0x0
00B8557D |. 68 B498BF00 push WinRAR1.00BF98B4 ; UNICODE "ExpRemShown"
00B85582 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B85587 |. E8 04E7FFFF call WinRAR1.00B83C90
00B8558C |. 3B05 C4FCC000 cmp eax,dword ptr ds:[0xC0FCC4]
00B85592 |. 73 28 jnb short WinRAR1.00B855BC
00B85594 |. 40 inc eax
00B85595 |. 50 push eax
00B85596 |. 68 B498BF00 push WinRAR1.00BF98B4 ; UNICODE "ExpRemShown"
00B8559B |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B855A0 |. E8 FBF2FFFF call WinRAR1.00B848A0
00B855A5 |. 803D C8FCC000>cmp byte ptr ds:[0xC0FCC8],0x0
00B855AC |. B7 01 mov bh,0x1
00B855AE |. 74 67 je short WinRAR1.00B85617
00B855B0 |. 68 00010000 push 0x100
00B855B5 |. 68 C8FCC000 push WinRAR1.00C0FCC8 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B855BA |. EB 51 jmp short WinRAR1.00B8560D
00B855BC |> 833D C8FDC000>cmp dword ptr ds:[0xC0FDC8],0x0
00B855C3 |. 76 52 jbe short WinRAR1.00B85617
00B855C5 |. 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
00B855CC |. 74 49 je short WinRAR1.00B85617
00B855CE |. 6A 00 push 0x0
00B855D0 |. 68 CC98BF00 push WinRAR1.00BF98CC ; UNICODE "RegRemShown"
00B855D5 |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B855DA |. E8 B1E6FFFF call WinRAR1.00B83C90
00B855DF |. 3B05 C8FDC000 cmp eax,dword ptr ds:[0xC0FDC8]
00B855E5 |. 73 30 jnb short WinRAR1.00B85617
00B855E7 |. 40 inc eax
00B855E8 |. 50 push eax
00B855E9 |. 68 CC98BF00 push WinRAR1.00BF98CC ; UNICODE "RegRemShown"
00B855EE |. 68 306CBF00 push WinRAR1.00BF6C30 ; UNICODE "Interface\Misc"
00B855F3 |. E8 A8F2FFFF call WinRAR1.00B848A0
00B855F8 |. 803D CCFDC000>cmp byte ptr ds:[0xC0FDCC],0x0
00B855FF |. B7 01 mov bh,0x1
00B85601 |. 74 14 je short WinRAR1.00B85617
00B85603 |. 68 00010000 push 0x100
00B85608 |. 68 CCFDC000 push WinRAR1.00C0FDCC
00B8560D |> 68 18FFC000 push WinRAR1.00C0FF18 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85612 |. E8 49D1FEFF call WinRAR1.00B72760
00B85617 |> FF15 3843BF00 call dword ptr ds:[<&KERNEL32.GetTickCou>; [GetTickCount
00B8561D |. 8BC8 mov ecx,eax
00B8561F |. B8 D34D6210 mov eax,0x10624DD3
00B85624 |. F7E1 mul ecx
00B85626 |. C1EA 06 shr edx,0x6
00B85629 |. 803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
00B85630 |. 74 08 je short WinRAR1.00B8563A
00B85632 |. 8B0D BCFBC000 mov ecx,dword ptr ds:[0xC0FBBC]
00B85638 |. EB 20 jmp short WinRAR1.00B8565A
00B8563A |> 84DB test bl,bl
00B8563C |. 75 16 jnz short WinRAR1.00B85654
00B8563E |. 8B0D B4FBC000 mov ecx,dword ptr ds:[0xC0FBB4]
00B85644 |. 85C9 test ecx,ecx
00B85646 |. 74 20 je short WinRAR1.00B85668
00B85648 |. 8BC2 mov eax,edx
00B8564A |. 33D2 xor edx,edx
00B8564C |. F7F1 div ecx
00B8564E |. 85D2 test edx,edx
00B85650 |. 75 16 jnz short WinRAR1.00B85668
00B85652 |. EB 1C jmp short WinRAR1.00B85670
00B85654 |> 8B0D B8FBC000 mov ecx,dword ptr ds:[0xC0FBB8]
00B8565A |> 85C9 test ecx,ecx
00B8565C |. 74 0A je short WinRAR1.00B85668
00B8565E |. 8BC2 mov eax,edx
00B85660 |. 33D2 xor edx,edx
00B85662 |. F7F1 div ecx
00B85664 |. 85D2 test edx,edx
00B85666 |. 74 08 je short WinRAR1.00B85670
00B85668 |> 84FF test bh,bh
00B8566A |. 0F84 65010000 je WinRAR1.00B857D5
00B85670 |> 55 push ebp
00B85671 |. 57 push edi
00B85672 |. 8B3D A8FBC000 mov edi,dword ptr ds:[0xC0FBA8]
00B85678 |. C1E7 11 shl edi,0x11
00B8567B |. F7D7 not edi
00B8567D |. 81E7 00000400 and edi,0x40000
00B85683 |. 81CF 0000C816 or edi,0x16C80000
00B85689 |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x8
00B85690 |. 75 06 jnz short WinRAR1.00B85698
00B85692 |. 81CF 00000300 or edi,0x30000
00B85698 |> A1 D0FEC000 mov eax,dword ptr ds:[0xC0FED0]
00B8569D |. BD 00000080 mov ebp,0x80000000
00B856A2 |. C74424 10 000>mov dword ptr ss:[esp+0x10],0x80000000
00B856AA |. 8BF5 mov esi,ebp
00B856AC |. 8BDE mov ebx,esi
00B856AE |. 85C0 test eax,eax
00B856B0 |. 0F84 90000000 je WinRAR1.00B85746
00B856B6 |. 833D CCFEC000>cmp dword ptr ds:[0xC0FECC],0x0
00B856BD |. 0F84 83000000 je WinRAR1.00B85746
00B856C3 |. 50 push eax
00B856C4 |. E8 87530200 call WinRAR1.00BAAA50
00B856C9 |. 8B2D 8C46BF00 mov ebp,dword ptr ds:[<&USER32.GetSystem>; USER32.GetSystemMetrics
00B856CF |. 8BF0 mov esi,eax
00B856D1 |. 6A 21 push 0x21 ; /Index = SM_CYFRAME
00B856D3 |. FFD5 call ebp ; \GetSystemMetrics
00B856D5 |. 6A 04 push 0x4 ; /Index = SM_CYCAPTION
00B856D7 |. 8D1C46 lea ebx,dword ptr ds:[esi+eax*2] ; |
00B856DA |. FFD5 call ebp ; \GetSystemMetrics
00B856DC |. 03D8 add ebx,eax
00B856DE |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x40
00B856E5 |. 75 0C jnz short WinRAR1.00B856F3
00B856E7 |. F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x100
00B856F1 |. 75 06 jnz short WinRAR1.00B856F9
00B856F3 |> 031D 70A5C500 add ebx,dword ptr ds:[0xC5A570]
00B856F9 |> FF35 CCFEC000 push dword ptr ds:[0xC0FECC]
00B856FF |. E8 FC520200 call WinRAR1.00BAAA00
00B85704 |. 6A 20 push 0x20
00B85706 |. 8BF0 mov esi,eax
00B85708 |. FFD5 call ebp
00B8570A |. 6A 00 push 0x0 ; /UpdateProfile = 0
00B8570C |. 8D3446 lea esi,dword ptr ds:[esi+eax*2] ; |
00B8570F |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] ; |
00B85713 |. 50 push eax ; |pParam = NULL
00B85714 |. 6A 00 push 0x0 ; |wParam = 0x0
00B85716 |. 6A 30 push 0x30 ; |Action = SPI_GETWORKAREA
00B85718 |. FF15 8C44BF00 call dword ptr ds:[<&USER32.SystemParame>; \SystemParametersInfoW
00B8571E |. 8B4424 1C mov eax,dword ptr ss:[esp+0x1C]
00B85722 |. 3BF0 cmp esi,eax
00B85724 |. 7C 02 jl short WinRAR1.00B85728
00B85726 |. 8BF0 mov esi,eax
00B85728 |> 2BC6 sub eax,esi
00B8572A |. 99 cdq
00B8572B |. 2BC2 sub eax,edx
00B8572D |. D1F8 sar eax,1
00B8572F |. 894424 10 mov dword ptr ss:[esp+0x10],eax
00B85733 |. 8B4424 20 mov eax,dword ptr ss:[esp+0x20] ; WinRAR1.00C4D45D
00B85737 |. 3BD8 cmp ebx,eax
00B85739 |. 7C 02 jl short WinRAR1.00B8573D
00B8573B |. 8BD8 mov ebx,eax
00B8573D |> 2BC3 sub eax,ebx
00B8573F |. 99 cdq
00B85740 |. 2BC2 sub eax,edx
00B85742 |. 8BE8 mov ebp,eax
00B85744 |. D1FD sar ebp,1
00B85746 |> 68 00010000 push 0x100
00B8574B |. 68 18FFC000 push WinRAR1.00C0FF18 ; ASCII "http://ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
00B85750 |. E8 3BF3FFFF call WinRAR1.00B84A90
00B85755 |. 6A 00 push 0x0 ; /lParam = NULL
00B85757 |. FF35 04F0C400 push dword ptr ds:[0xC4F004] ; |hInst = 00AE0000
00B8575D |. 6A 00 push 0x0 ; |hMenu = NULL
00B8575F |. 6A 00 push 0x0 ; |hParent = NULL
00B85761 |. 53 push ebx ; |Height = 902DC (590556.)
00B85762 |. 56 push esi ; |Width = 0x0
00B85763 |. 55 push ebp ; |Y = 5FA518 (6268184.)
00B85764 |. FF7424 2C push dword ptr ss:[esp+0x2C] ; |X = 0x0
00B85768 |. 57 push edi ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|3FE
00B85769 |. 68 6C71BF00 push WinRAR1.00BF716C ; |WindowName = "WinRAR"
00B8576E |. 68 E498BF00 push WinRAR1.00BF98E4 ; |Class = "RarReminder"
00B85773 |. 6A 00 push 0x0 ; |ExtStyle = 0
00B85775 |. FF15 A045BF00 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
00B8577B |. F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x1
00B85782 |. 5F pop edi ; USER32.76CD87ED
00B85783 |. 5D pop ebp ; USER32.76CD87ED
00B85784 |. 74 13 je short WinRAR1.00B85799
00B85786 |. 6A 03 push 0x3 ; /Flags = SWP_NOSIZE|SWP_NOMOVE
00B85788 |. 6A 00 push 0x0 ; |Height = 0x0
00B8578A |. 6A 00 push 0x0 ; |Width = 0x0
00B8578C |. 6A 00 push 0x0 ; |Y = 0x0
00B8578E |. 6A 00 push 0x0 ; |X = 0x0
00B85790 |. 6A FF push -0x1 ; |InsertAfter = HWND_TOPMOST
00B85792 |. 50 push eax ; |hWnd = NULL
00B85793 |. FF15 B845BF00 call dword ptr ds:[<&USER32.SetWindowPos>; \SetWindowPos
00B85799 |> 833D C091C100>cmp dword ptr ds:[0xC191C0],0x0
00B857A0 |. 74 33 je short WinRAR1.00B857D5
00B857A2 |. C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1
00B857A9 |. EB 2A jmp short WinRAR1.00B857D5
00B857AB |> 84DB test bl,bl
00B857AD |. 74 26 je short WinRAR1.00B857D5
00B857AF |. 6A 00 push 0x0 ; /lParam = NULL
00B857B1 |. 68 10C2BB00 push WinRAR1.00BBC210 ; |DlgProc = WinRAR1.00BBC210
00B857B6 |. C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1 ; |
00B857BD |. FF15 F444BF00 call dword ptr ds:[<&USER32.GetFocus>] ; |[GetFocus
00B857C3 |. 50 push eax ; |hOwner = NULL
00B857C4 |. 68 FC98BF00 push WinRAR1.00BF98FC ; |pTemplate = "REMINDER"
00B857C9 |. FF35 00F0C400 push dword ptr ds:[0xC4F000] ; |hInst = 00AE0000
00B857CF |. FF15 C845BF00 call dword ptr ds:[<&USER32.DialogBoxPar>; \DialogBoxParamW
00B857D5 |> 5B pop ebx ; USER32.76CD87ED
00B857D6 |. 5E pop esi ; USER32.76CD87ED
00B857D7 |> 8B8C24 141000>mov ecx,dword ptr ss:[esp+0x1014]
00B857DE |. 33CC xor ecx,esp
00B857E0 |. E8 D7FC0400 call WinRAR1.00BD54BC
00B857E5 |. 81C4 18100000 add esp,0x1018
00B857EB \. C2 0800 retn 0x8

After working through the listing, two jumps matter: the ones on line 7 and line 9 at the start of the function. NOP out the jump on line 7 and turn the jump on line 9 into an unconditional jmp; execution then bypasses both the ad link and the window asking you to buy a new license.

7 00B853BF |. 74 0E je short WinRAR1.00B853CF
8 00B853C1 |. 80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0
9 00B853C9 |. 0F84 08040000 je WinRAR1.00B857D7
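To check by hand that the targets OllyDbg prints for the branches above actually follow from the bytes, here is a small Python decoder. It is an added example, not code from the original post or from WinRAR: it decodes the short (74/75/7C/EB + rel8) and near (0F 84/85 + rel32) relative-branch forms that occur in the listings, and it reproduces the `mul 0x10624DD3` / `shr edx,6` sequence at lines 165-169, which is the compiler's unsigned divide-by-1000 applied to the GetTickCount millisecond count. The entry at 00401000 is a constructed address, used only to show a backward (negative-displacement) jump; every other address and byte string is taken from the listing.

```python
# Added example (not from the original post): decode the relative-branch
# encodings in the OllyDbg listing and confirm the printed targets.
import struct

# Branch opcodes that appear in the listing: rel8 forms, and rel32 forms
# that follow a 0x0F prefix.
SHORT_BRANCH = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0xEB: "jmp"}
NEAR_BRANCH = {0x84: "je", 0x85: "jne"}


def decode_branch(addr, code):
    """Decode one x86 relative branch at virtual address `addr`.

    Returns (mnemonic, length, target). The displacement is signed and is
    relative to the address of the *next* instruction, so the instruction
    length is part of the computation.
    """
    op = code[0]
    if op in SHORT_BRANCH:
        rel = struct.unpack("<b", code[1:2])[0]   # signed 8-bit displacement
        length = 2
        mnem = SHORT_BRANCH[op] + " short"
    elif op == 0x0F and code[1] in NEAR_BRANCH:
        rel = struct.unpack("<i", code[2:6])[0]   # signed 32-bit displacement
        length = 6
        mnem = NEAR_BRANCH[code[1]]
    else:
        raise ValueError(f"unsupported branch opcode at {addr:08X}")
    target = (addr + length + rel) & 0xFFFFFFFF   # 32-bit wraparound
    return mnem, length, target


# (address, bytes) pairs copied from the listing; the comment gives the
# line number and the target OllyDbg shows.
LISTING = [
    (0x00B853BF, bytes.fromhex("740E")),          # line 7:   je short 00B853CF
    (0x00B853C9, bytes.fromhex("0F8408040000")),  # line 9:   je 00B857D7
    (0x00B85630, bytes.fromhex("7408")),          # line 171: je short 00B8563A
    (0x00B85652, bytes.fromhex("EB1C")),          # line 184: jmp short 00B85670
    (0x00B8566A, bytes.fromhex("0F8465010000")),  # line 194: je 00B857D5
    (0x00401000, bytes.fromhex("75F0")),          # constructed: backward jne
]


def decode_listing(entries=LISTING):
    """Decode every entry; returns (addr, mnemonic, length, target) tuples."""
    return [(addr, *decode_branch(addr, code)) for addr, code in entries]


def tick_seconds(tick):
    """Lines 165-169: mul ecx by 0x10624DD3, then shr edx,6.

    The high 32 bits of the 64-bit product land in edx; shifting them by 6
    more bits yields tick // 1000 for any unsigned 32-bit tick, i.e. the
    GetTickCount value converted from milliseconds to seconds.
    """
    tick &= 0xFFFFFFFF
    edx = (tick * 0x10624DD3) >> 32
    return edx >> 6


if __name__ == "__main__":
    for addr, mnem, length, target in decode_listing():
        print(f"{addr:08X}  {mnem:<10} -> {target:08X}  ({length} bytes)")
    print("tick_seconds(123456789) =", tick_seconds(123456789))
```

Running it prints 00B853CF for line 7 and 00B857D7 for line 9, matching the listing, and 00400FF2 for the constructed backward jump; the division helper returns 123456 for a tick count of 123456789 ms.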

After making the changes, right-click and choose "Copy to executable" --> "All modifications" --> "Copy" from the context menu.

Then right-click in the new window and choose "Save file" to save the modified executable.

The whole world is finally quiet; this old monk shall return to his meditation ^_^!!!!

Appendix: a few system functions worth knowing.

CreateWindowEx function:https://msdn.microsoft.com/zh-cn/vstudio/ms632680(v=vs.90)

DestroyWindow function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-destroywindow

IsWindowVisible function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-iswindowvisible

There is also a keygen written by another expert: https://www.chinapyg.com/forum.php?mod=viewthread&tid=120703&highlight=winrar

Reprinted from: https://www.cnblogs.com/heycomputer/articles/11161532.html
