    Views: 5780 | Replies: 52
    [Original] Notes on cracking the latest 32-bit WinRAR

    zyjsuper, posted 2019-7-10 07:36
    Last edited by zyjsuper on 2019-7-11 16:03

    Every time WinRAR runs it pops up an ad window, and the main window's title bar shows a licence-expiry reminder. The aim of this crack is to remove both.


    Download link for the 32-bit (5.71) version of the WinRAR archiver:

    //www.winrar.com.cn/download/wrar571scp.exe


    64-bit download link:

    //www.winrar.com.cn/download/winrar-x64-571scp.exe



    Tools needed: OllyDbg (52pojie edition), Binary Ninja
    https://down.52pojie.cn/Tools/Debuggers/%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%E4%B8%93%E7%94%A8%E7%89%88Ollydbg.rar

    https://cdn.binary.ninja/installers/BinaryNinja-demo.exe


    This post draws on an article by an expert on the PYG (飘云) forum: https://www.chinapyg.com/forum.php?mod=viewthread&tid=125493&highlight=winrar

    The method is very clean, so I borrowed it; it suits a beginner like me for practising hands-on skills.

    Load WinRAR in OD, as shown:


    Press F9 to run WinRAR until both the main window and the ad window have popped up, then press F12 to pause the program. Click the "K" button at the top of OD (or press Alt+K) to view the call stack and see which functions were called before the window appeared, as shown below:

    Be careful at this step: wait until the ad window has popped up normally, with no other prompts showing, before pausing the program and viewing the stack. For example, while debugging I ran into the situation shown below:



    The figure below is only reached once the ad window has appeared normally.



    Right-click the last call, as shown, and choose the "Show call" command.



    This gives the call location shown below:



    Pressing Enter at that location, or stepping in with F7, brings us to the assembly fragment below. It contains both things we want to patch out, the ad and the licence-expiry reminder in the title bar; the code comments make this easy to see.

    [Asm]
    00AE1520   $  55            push ebp
    00AE1521   .  8DAC24 E8CFFF>lea ebp,dword ptr ss:[esp-0x3018]
    00AE1528   .  B8 18300000   mov eax,0x3018
    00AE152D   .  E8 9E3F0100   call WinRAR.00AF54D0
    00AE1532   .  6A FF         push -0x1
    00AE1534   .  68 5832B100   push WinRAR.00B13258
    00AE1539   .  64:A1 0000000>mov eax,dword ptr fs:[0]
    00AE153F   .  50            push eax
    00AE1540   .  83EC 14       sub esp,0x14
    00AE1543   .  A1 341BB300   mov eax,dword ptr ds:[0xB31B34]
    00AE1548   .  33C5          xor eax,ebp
    00AE154A   .  8985 14300000 mov dword ptr ss:[ebp+0x3014],eax
    00AE1550   .  53            push ebx
    00AE1551   .  56            push esi
    00AE1552   .  57            push edi
    00AE1553   .  50            push eax
    00AE1554   .  8D45 F4       lea eax,dword ptr ss:[ebp-0xC]
    00AE1557   .  64:A3 0000000>mov dword ptr fs:[0],eax
    00AE155D   .  8965 F0       mov dword ptr ss:[ebp-0x10],esp
    00AE1560   .  8BB5 20300000 mov esi,dword ptr ss:[ebp+0x3020]
    00AE1566   .  6A 01         push 0x1
    00AE1568   .  E8 531EFBFF   call WinRAR.00A933C0
    00AE156D   .  68 05800000   push 0x8005                              ; /ErrorMode = SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX
    00AE1572   .  FF15 0442B100 call dword ptr ds:[<&KERNEL32.SetErrorMo>; \SetErrorMode
    00AE1578   .  B9 A04BB400   mov ecx,WinRAR.00B44BA0
    00AE157D   .  E8 DED3F7FF   call WinRAR.00A5E960
    00AE1582   .  C605 D592B300>mov byte ptr ds:[0xB392D5],0x0
    00AE1589   .  C705 F0A2B300>mov dword ptr ds:[0xB3A2F0],0x0
    00AE1593   .  FF15 F441B100 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentThreadId
    00AE1599   .  A3 F4A2B300   mov dword ptr ds:[0xB3A2F4],eax
    00AE159E   .  6A 00         push 0x0                                 ; /EventName = NULL
    00AE15A0   .  6A 00         push 0x0                                 ; |InitiallySignaled = FALSE
    00AE15A2   .  6A 01         push 0x1                                 ; |ManualReset = TRUE
    00AE15A4   .  6A 00         push 0x0                                 ; |pSecurity = NULL
    00AE15A6   .  FF15 6841B100 call dword ptr ds:[<&KERNEL32.CreateEven>; \CreateEventW
    00AE15AC   .  A3 F8A2B300   mov dword ptr ds:[0xB3A2F8],eax
    00AE15B1   .  68 04DEB100   push WinRAR.00B1DE04                     ; /MsgName = "WMUser_DisplayError"
    00AE15B6   .  FF15 7445B100 call dword ptr ds:[<&USER32.RegisterWind>; \RegisterWindowMessageW
    00AE15BC   .  A3 20A3B300   mov dword ptr ds:[0xB3A320],eax
    00AE15C1   .  68 A44BB100   push WinRAR.00B14BA4                     ;  UNICODE "General"
    00AE15C6   .  E8 C504FCFF   call WinRAR.00AA1A90
    00AE15CB   .  84C0          test al,al
    00AE15CD   .  0f94c3        sete bl
    00AE15D0   .  885D EF       mov byte ptr ss:[ebp-0x11],bl
    00AE15D3   .  6A 01         push 0x1
    00AE15D5   .  68 00080000   push 0x800
    00AE15DA   .  8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
    00AE15E0   .  50            push eax
    00AE15E1   .  E8 EAA3F9FF   call WinRAR.00A7B9D0
    00AE15E6   .  68 00080000   push 0x800
    00AE15EB   .  8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
    00AE15F1   .  50            push eax
    00AE15F2   .  E8 1993F9FF   call WinRAR.00A7A910
    00AE15F7   .  68 00080000   push 0x800
    00AE15FC   .  8D85 00100000 lea eax,dword ptr ss:[ebp+0x1000]
    00AE1602   .  50            push eax
    00AE1603   .  68 E092B300   push WinRAR.00B392E0                     ;  UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
    00AE1608   .  E8 4312FBFF   call WinRAR.00A92850
    00AE160D   .  68 00080000   push 0x800
    00AE1612   .  68 CC89B100   push WinRAR.00B189CC                     ;  UNICODE "rar.log"
    00AE1617   .  68 E092B300   push WinRAR.00B392E0                     ;  UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
    00AE161C   .  E8 EF11FBFF   call WinRAR.00A92810
    00AE1621   .  6A 00         push 0x0
    00AE1623   .  56            push esi
    00AE1624   .  B9 08F0B600   mov ecx,WinRAR.00B6F008
    00AE1629   .  E8 12AEFAFF   call WinRAR.00A8C440
    00AE162E   .  68 2CDEB100   push WinRAR.00B1DE2C                     ;  UNICODE "winrar.lng"
    00AE1633   .  B9 0CF0B600   mov ecx,WinRAR.00B6F00C
    00AE1638   .  E8 639FFAFF   call WinRAR.00A8B5A0
    00AE163D   .  56            push esi
    00AE163E   .  E8 ADDBFFFF   call WinRAR.00ADF1F0
    00AE1643   .  85C0          test eax,eax
    00AE1645   .  0F84 66060000 je WinRAR.00AE1CB1
    00AE164B   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
    00AE164E   .  E8 AD11FFFF   call WinRAR.00AD2800
    00AE1653   .  C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
    00AE165A   .  8935 04F0B600 mov dword ptr ds:[0xB6F004],esi
    00AE1660   .  B9 F0B5B500   mov ecx,WinRAR.00B5B5F0
    00AE1665   .  E8 8643F2FF   call WinRAR.00A059F0
    00AE166A   .  E8 6137FEFF   call WinRAR.00AC4DD0
    00AE166F   .  E8 4CEAFDFF   call WinRAR.00AC00C0
    00AE1674   .  E8 07FBFFFF   call WinRAR.00AE1180
    00AE1679   .  68 44DEB100   push WinRAR.00B1DE44                     ; /MutexName = "WinRAR_Busy"
    00AE167E   .  6A 00         push 0x0                                 ; |InitialOwner = FALSE
    00AE1680   .  6A 00         push 0x0                                 ; |pSecurity = NULL
    00AE1682   .  FF15 5C43B100 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexW
    00AE1688   .  A3 D092B300   mov dword ptr ds:[0xB392D0],eax
    00AE168D   .  6A 00         push 0x0                                 ; /Title = NULL
    00AE168F   .  68 B858B100   push WinRAR.00B158B8                     ; |Class = "WinRarWindow"
    00AE1694   .  FF15 8C45B100 call dword ptr ds:[<&USER32.FindWindowW>>; \FindWindowW
    00AE169A   .  8BF8          mov edi,eax
    00AE169C   .  897D E8       mov dword ptr ss:[ebp-0x18],edi
    00AE169F      6A 00         push 0x0                                 ; /lParam = NULL
    00AE16A1      56            push esi                                 ; |hInst = 00DBCB64
    00AE16A2      6A 00         push 0x0                                 ; |hMenu = NULL
    00AE16A4      6A 00         push 0x0                                 ; |hParent = NULL
    00AE16A6      68 00000080   push 0x80000000                          ; |Height = 80000000 (-2147483648.)
    00AE16AB      68 00000080   push 0x80000000                          ; |Width = 80000000 (-2147483648.)
    00AE16B0      68 00000080   push 0x80000000                          ; |Y = 80000000 (-2147483648.)
    00AE16B5      68 00000080   push 0x80000000                          ; |X = 80000000 (-2147483648.)
    00AE16BA      68 0000CF06   push 0x6CF0000                           ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_CLIPSIBLINGS|WS_CLIPCHILDREN|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION
    00AE16BF      68 6C71B100   push WinRAR.00B1716C                     ; |WindowName = "WinRAR"
    00AE16C4      68 B858B100   push WinRAR.00B158B8                     ; |Class = "WinRarWindow"
    00AE16C9      6A 10         push 0x10                                ; |ExtStyle = WS_EX_ACCEPTFILES
    00AE16CB      FF15 A045B100 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
    00AE16D1   .  A3 AC81B300   mov dword ptr ds:[0xB381AC],eax
    00AE16D6   .  85C0          test eax,eax
    00AE16D8   .  0F84 C4050000 je WinRAR.00AE1CA2
    00AE16DE   .  50            push eax
    00AE16DF   .  B9 0CF0B600   mov ecx,WinRAR.00B6F00C
    00AE16E4   .  E8 F7A6FAFF   call WinRAR.00A8BDE0
    00AE16E9   .  6A 00         push 0x0
    00AE16EB   .  E8 60DAFFFF   call WinRAR.00ADF150
    00AE16F0   .  E8 8BF8FFFF   call WinRAR.00AE0F80
    00AE16F5   .  84DB          test bl,bl
    00AE16F7   .  74 1A         je short WinRAR.00AE1713
    00AE16F9   .  E8 D22EFCFF   call WinRAR.00AA45D0
    00AE16FE   .  84C0          test al,al
    00AE1700   .  75 11         jnz short WinRAR.00AE1713
    00AE1702   .  6A 01         push 0x1
    00AE1704   .  6A 00         push 0x0
    00AE1706   .  E8 D596F2FF   call WinRAR.00A0ADE0
    00AE170B   .  84C0          test al,al
    00AE170D   .  75 04         jnz short WinRAR.00AE1713
    00AE170F   .  B7 01         mov bh,0x1
    00AE1711   .  EB 02         jmp short WinRAR.00AE1715
    00AE1713   >  32FF          xor bh,bh
    00AE1715   >  8D85 00300000 lea eax,dword ptr ss:[ebp+0x3000]
    00AE171B   .  50            push eax
    00AE171C   .  E8 FF8BF2FF   call WinRAR.00A0A320
    00AE1721   .  0FB785 003000>movzx eax,word ptr ss:[ebp+0x3000]
    00AE1728   .  50            push eax                                 ; /StringOrChar = 27BC
    00AE1729   .  E8 5247FBFF   call <jmp.&USER32.CharUpperW>            ; \CharUpperW
    00AE172E   .  0FB7F0        movzx esi,ax
    00AE1731   .  68 34040000   push 0x434
    00AE1736   .  6A 00         push 0x0
    00AE1738   .  68 38A3B300   push WinRAR.00B3A338
    00AE173D   .  E8 DE620100   call WinRAR.00AF7A20
    00AE1742   .  83C4 0C       add esp,0xC
    00AE1745   .  6A 00         push 0x0
    00AE1747   .  6A 00         push 0x0
    00AE1749   .  6A 01         push 0x1
    00AE174B   .  B9 A04BB400   mov ecx,WinRAR.00B44BA0
    00AE1750   .  E8 FBD6F7FF   call WinRAR.00A5EE50
    00AE1755   .  E8 06E9F2FF   call WinRAR.00A10060
    00AE175A   .  66:85F6       test si,si
    00AE175D   .  74 66         je short WinRAR.00AE17C5
    00AE175F   .  803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0
    00AE1766   .  75 5D         jnz short WinRAR.00AE17C5
    00AE1768   .  56            push esi
    00AE1769   .  68 5CDEB100   push WinRAR.00B1DE5C                     ;  UNICODE "AFUMD"
    00AE176E   .  E8 6F500100   call WinRAR.00AF67E2
    00AE1773   .  83C4 08       add esp,0x8
    00AE1776   .  85C0          test eax,eax
    00AE1778   .  75 32         jnz short WinRAR.00AE17AC
    00AE177A   .  83FE 43       cmp esi,0x43
    00AE177D   .  75 09         jnz short WinRAR.00AE1788
    00AE177F   .  66:3985 02300>cmp word ptr ss:[ebp+0x3002],ax
    00AE1786   .  74 24         je short WinRAR.00AE17AC
    00AE1788   >  803D B46BB400>cmp byte ptr ds:[0xB46BB4],0x0
    00AE178F   .  75 34         jnz short WinRAR.00AE17C5
    00AE1791   .  56            push esi
    00AE1792   .  68 68DEB100   push WinRAR.00B1DE68                     ;  UNICODE "TXE"
    00AE1797   .  E8 46500100   call WinRAR.00AF67E2
    00AE179C   .  83C4 08       add esp,0x8
    00AE179F   .  85C0          test eax,eax
    00AE17A1   .  74 22         je short WinRAR.00AE17C5
    00AE17A3   .  6A 00         push 0x0
    00AE17A5   .  E8 3609FFFF   call WinRAR.00AD20E0
    00AE17AA   .  EB 20         jmp short WinRAR.00AE17CC
    00AE17AC   >  E8 3F6FFEFF   call WinRAR.00AC86F0
    00AE17B1   .  83FE 44       cmp esi,0x44
    00AE17B4   .  74 05         je short WinRAR.00AE17BB
    00AE17B6   .  83FE 43       cmp esi,0x43
    00AE17B9   .  75 11         jnz short WinRAR.00AE17CC
    00AE17BB   >  33C0          xor eax,eax
    00AE17BD   .  66:A3 B05BB40>mov word ptr ds:[0xB45BB0],ax
    00AE17C3   .  EB 07         jmp short WinRAR.00AE17CC
    00AE17C5   >  6A 00         push 0x0
    00AE17C7   .  E8 4436FEFF   call WinRAR.00AC4E10
    00AE17CC   >  6A 00         push 0x0
    00AE17CE   .  6A 00         push 0x0
    00AE17D0   .  6A 01         push 0x1
    00AE17D2   .  B9 A04BB400   mov ecx,WinRAR.00B44BA0
    00AE17D7   .  E8 74D6F7FF   call WinRAR.00A5EE50
    00AE17DC   .  68 A04BB400   push WinRAR.00B44BA0
    00AE17E1   .  B9 D011B500   mov ecx,WinRAR.00B511D0
    00AE17E6   .  E8 6567F2FF   call WinRAR.00A07F50
    00AE17EB   .  68 00080000   push 0x800
    00AE17F0   .  68 EAFFB400   push WinRAR.00B4FFEA
    00AE17F5   .  68 B081B300   push WinRAR.00B381B0
    00AE17FA   .  E8 5110FBFF   call WinRAR.00A92850
    00AE17FF   .  33C0          xor eax,eax
    00AE1801   .  66:A3 EAFFB40>mov word ptr ds:[0xB4FFEA],ax
    00AE1807   .  68 00080000   push 0x800
    00AE180C   .  8D45 00       lea eax,dword ptr ss:[ebp]
    00AE180F   .  50            push eax
    00AE1810   .  E8 CB93FEFF   call WinRAR.00ACABE0
    00AE1815   .  8D45 00       lea eax,dword ptr ss:[ebp]
    00AE1818   .  50            push eax
    00AE1819   .  B9 78E2B500   mov ecx,WinRAR.00B5E278
    00AE181E   .  E8 1D38F6FF   call WinRAR.00A45040
    00AE1823   .  C705 5492B300>mov dword ptr ds:[0xB39254],0x0
    00AE182D   .  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
    00AE1831   .  E8 4A87F2FF   call WinRAR.00A09F80
    00AE1836   .  C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
    00AE183D   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]
    00AE1843   .  E8 58FBFFFF   call WinRAR.00AE13A0
    00AE1848   .  66:833D CC9CB>cmp word ptr ds:[0xB49CCC],0x0
    00AE1850   .  74 2C         je short WinRAR.00AE187E
    00AE1852   .  68 CC9CB400   push WinRAR.00B49CCC
    00AE1857   .  E8 54ACF9FF   call WinRAR.00A7C4B0
    00AE185C   .  68 00080000   push 0x800
    00AE1861   .  68 CC9CB400   push WinRAR.00B49CCC
    00AE1866   .  68 E092B300   push WinRAR.00B392E0                     ;  UNICODE "C:\Users\IEUser\AppData\Roaming\WinRAR\rar.log"
    00AE186B   .  3D CC9CB400   cmp eax,WinRAR.00B49CCC
    00AE1870   .  75 07         jnz short WinRAR.00AE1879
    00AE1872   .  E8 39ADF9FF   call WinRAR.00A7C5B0
    00AE1877   .  EB 05         jmp short WinRAR.00AE187E
    00AE1879   >  E8 D20FFBFF   call WinRAR.00A92850
    00AE187E   >  6A 00         push 0x0                                 ; /lParam = 0x0
    00AE1880   .  6A 00         push 0x0                                 ; |wParam = 0x0
    00AE1882   .  68 03800000   push 0x8003                              ; |Message = MSG(0x8003)
    00AE1887   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; |hWnd = 0xB05BC
    00AE188D   .  FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
    00AE1893   .  833D AC81B300>cmp dword ptr ds:[0xB381AC],0x0
    00AE189A   .  0F84 93010000 je WinRAR.00AE1A33
    00AE18A0   .  66:833D CAEFB>cmp word ptr ds:[0xB4EFCA],0x0
    00AE18A8   .  0F85 6F030000 jnz WinRAR.00AE1C1D
    00AE18AE   .  32DB          xor bl,bl
    00AE18B0   .  66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0
    00AE18B8   .  0F84 3A030000 je WinRAR.00AE1BF8
    00AE18BE   .  68 EAFFB400   push WinRAR.00B4FFEA
    00AE18C3   .  E8 F8A7F8FF   call WinRAR.00A6C0C0
    00AE18C8   .  83F8 FF       cmp eax,-0x1
    00AE18CB   .  74 06         je short WinRAR.00AE18D3
    00AE18CD   .  A8 10         test al,0x10
    00AE18CF   .  74 02         je short WinRAR.00AE18D3
    00AE18D1   .  B3 01         mov bl,0x1
    00AE18D3   >  66:833D EAFFB>cmp word ptr ds:[0xB4FFEA],0x0
    00AE18DB   .  0F84 EB020000 je WinRAR.00AE1BCC
    00AE18E1   .  84DB          test bl,bl
    00AE18E3   .  0F85 E7020000 jnz WinRAR.00AE1BD0
    00AE18E9   .  6A 00         push 0x0
    00AE18EB   .  68 8850B100   push WinRAR.00B15088                     ;  UNICODE "ReuseWindow"
    00AE18F0   .  68 A44BB100   push WinRAR.00B14BA4                     ;  UNICODE "General"
    00AE18F5   .  E8 9623FCFF   call WinRAR.00AA3C90
    00AE18FA   .  85C0          test eax,eax
    00AE18FC   .  0F84 F7000000 je WinRAR.00AE19F9
    00AE1902   .  85FF          test edi,edi
    00AE1904   .  0F84 EF000000 je WinRAR.00AE19F9
    00AE190A   .  6A 00         push 0x0
    00AE190C   .  68 00080000   push 0x800
    00AE1911   .  8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
    00AE1917   .  50            push eax
    00AE1918   .  E8 F37FFEFF   call WinRAR.00AC9910
    00AE191D   .  68 00080000   push 0x800
    00AE1922   .  8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
    00AE1928   .  50            push eax
    00AE1929   .  E8 E28FF9FF   call WinRAR.00A7A910
    00AE192E   .  68 00080000   push 0x800
    00AE1933   .  68 8CC3B100   push WinRAR.00B1C38C                     ;  UNICODE "Rar$"
    00AE1938   .  8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
    00AE193E   .  50            push eax
    00AE193F   .  E8 CC0EFBFF   call WinRAR.00A92810
    00AE1944   .  8D8D 00200000 lea ecx,dword ptr ss:[ebp+0x2000]
    00AE194A   .  8D51 02       lea edx,dword ptr ds:[ecx+0x2]
    00AE194D   .  8D49 00       lea ecx,dword ptr ds:[ecx]
    00AE1950   >  66:8B01       mov ax,word ptr ds:[ecx]
    00AE1953   .  83C1 02       add ecx,0x2
    00AE1956   .  66:85C0       test ax,ax
    00AE1959   .^ 75 F5         jnz short WinRAR.00AE1950
    00AE195B   .  2BCA          sub ecx,edx
    00AE195D   .  D1F9          sar ecx,1
    00AE195F   .  51            push ecx
    00AE1960   .  8D85 00200000 lea eax,dword ptr ss:[ebp+0x2000]
    00AE1966   .  50            push eax
    00AE1967   .  68 EAFFB400   push WinRAR.00B4FFEA
    00AE196C   .  E8 DF45FBFF   call WinRAR.00A95F50
    00AE1971   .  85C0          test eax,eax
    00AE1973   .  0F84 80000000 je WinRAR.00AE19F9
    00AE1979   .  68 20DDB100   push WinRAR.00B1DD20                     ; /MapName = "RarArchiveWideName"
    00AE197E   .  68 00100000   push 0x1000                              ; |MaximumSizeLow = 0x1000
    00AE1983   .  6A 00         push 0x0                                 ; |MaximumSizeHigh = 0x0
    00AE1985   .  68 04000008   push 0x8000004                           ; |Protection = PAGE_READWRITE|SEC_COMMIT
    00AE198A   .  6A 00         push 0x0                                 ; |pSecurity = NULL
    00AE198C   .  6A FF         push -0x1                                ; |hFile = FFFFFFFF
    00AE198E   .  FF15 9843B100 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileMappingW
    00AE1994   .  8BF8          mov edi,eax
    00AE1996   .  85FF          test edi,edi
    00AE1998   .  74 5C         je short WinRAR.00AE19F6
    00AE199A   .  68 00100000   push 0x1000                              ; /MapSize = 1000 (4096.)
    00AE199F   .  6A 00         push 0x0                                 ; |OffsetLow = 0x0
    00AE19A1   .  6A 00         push 0x0                                 ; |OffsetHigh = 0x0
    00AE19A3   .  6A 02         push 0x2                                 ; |AccessMode = FILE_MAP_WRITE
    00AE19A5   .  57            push edi                                 ; |hMapObject = NULL
    00AE19A6   .  FF15 A043B100 call dword ptr ds:[<&KERNEL32.MapViewOfF>; \MapViewOfFile
    00AE19AC   .  8BF0          mov esi,eax
    00AE19AE   .  68 00080000   push 0x800
    00AE19B3   .  56            push esi
    00AE19B4   .  68 EAFFB400   push WinRAR.00B4FFEA
    00AE19B9   .  B9 78E2B500   mov ecx,WinRAR.00B5E278
    00AE19BE   .  E8 8DF6F5FF   call WinRAR.00A41050
    00AE19C3   .  56            push esi                                 ; /BaseAddress = 00DBCB64
    00AE19C4   .  FF15 9C43B100 call dword ptr ds:[<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
    00AE19CA   .  68 F164E97A   push 0x7AE964F1                          ; /lParam = 0x7AE964F1
    00AE19CF   .  68 5EAC89D4   push 0xD489AC5E                          ; |wParam = 0xD489AC5E
    00AE19D4   .  68 01800000   push 0x8001                              ; |Message = MSG(0x8001)
    00AE19D9   .  FF75 E8       push dword ptr ss:[ebp-0x18]             ; |hWnd = 0xDBCBB0
    00AE19DC   .  FF15 9845B100 call dword ptr ds:[<&USER32.SendMessageW>; \SendMessageW
    00AE19E2   .  85C0          test eax,eax
    00AE19E4   .  0f95c3        setne bl
    00AE19E7   .  57            push edi                                 ; /hObject = NULL
    00AE19E8   .  FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
    00AE19EE   .  84DB          test bl,bl
    00AE19F0   .  0F85 B8010000 jnz WinRAR.00AE1BAE
    00AE19F6   >  8B7D E8       mov edi,dword ptr ss:[ebp-0x18]
    00AE19F9   >  68 EAFFB400   push WinRAR.00B4FFEA
    00AE19FE   .  B9 78E2B500   mov ecx,WinRAR.00B5E278
    00AE1A03   .  E8 68FFF5FF   call WinRAR.00A41970
    00AE1A08   .  84C0          test al,al
    00AE1A0A      0F84 9E010000 je WinRAR.00AE1BAE
    00AE1A10   .  803D D491B300>cmp byte ptr ds:[0xB391D4],0x0
    00AE1A17   .  75 17         jnz short WinRAR.00AE1A30
    00AE1A19   .  833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0
    00AE1A20   .  0F84 77010000 je WinRAR.00AE1B9D
    00AE1A26   .  B9 78E2B500   mov ecx,WinRAR.00B5E278
    00AE1A2B   .  E8 302EF6FF   call WinRAR.00A44860
    00AE1A30   >  8A5D EF       mov bl,byte ptr ss:[ebp-0x11]
    00AE1A33   >  57            push edi
    00AE1A34   .  68 00000100   push 0x10000
    00AE1A39   .  68 B038AD00   push WinRAR.00AD38B0
    00AE1A3E   .  E8 DEAC0100   call WinRAR.00AFC721
    00AE1A43   .  83C4 0C       add esp,0xC
    00AE1A46   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
    00AE1A4C   .  FF15 C445B100 call dword ptr ds:[<&USER32.IsWindowVisi>; \IsWindowVisible
    00AE1A52   .  85C0          test eax,eax
    00AE1A54   .  75 0E         jnz short WinRAR.00AE1A64
    00AE1A56   .  85FF          test edi,edi
    00AE1A58   .  0f95c0        setne al
    00AE1A5B   .  0FB6C0        movzx eax,al
    00AE1A5E   .  50            push eax
    00AE1A5F   .  E8 CCF5FFFF   call WinRAR.00AE1030
    00AE1A64   >  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
    00AE1A6A   .  FF15 0C45B100 call dword ptr ds:[<&USER32.UpdateWindow>; \UpdateWindow
    00AE1A70   .  84FF          test bh,bh
    00AE1A72   .  74 27         je short WinRAR.00AE1A9B
    00AE1A74   .  84DB          test bl,bl
    00AE1A76   .  74 23         je short WinRAR.00AE1A9B
    00AE1A78   .  68 704BB100   push WinRAR.00B14B70                     ;  UNICODE "Setup"
    00AE1A7D   .  E8 0E00FCFF   call WinRAR.00AA1A90
    00AE1A82   .  84C0          test al,al
    00AE1A84   .  75 15         jnz short WinRAR.00AE1A9B
    00AE1A86   .  68 844CB100   push WinRAR.00B14C84                     ;  UNICODE ".rar"
    00AE1A8B   .  E8 8096F5FF   call WinRAR.00A3B110
    00AE1A90   .  84C0          test al,al
    00AE1A92   .  75 07         jnz short WinRAR.00AE1A9B
    00AE1A94   .  6A 06         push 0x6
    00AE1A96   .  E8 65B2F2FF   call WinRAR.00A0CD00
    00AE1A9B   >  6A 00         push 0x0
    00AE1A9D   .  68 1855B100   push WinRAR.00B15518                     ;  UNICODE "ExportedSettings"
    00AE1AA2   .  68 7C48B100   push WinRAR.00B1487C
    00AE1AA7   .  E8 E421FCFF   call WinRAR.00AA3C90
    00AE1AAC   .  85C0          test eax,eax
    00AE1AAE   .  74 05         je short WinRAR.00AE1AB5
    00AE1AB0   .  E8 7B92F2FF   call WinRAR.00A0AD30
    00AE1AB5   >  6A 00         push 0x0
    00AE1AB7   .  6A 01         push 0x1
    00AE1AB9   .  E8 E238FCFF   call WinRAR.00AA53A0
    00AE1ABE   .  6A 00         push 0x0
    00AE1AC0   .  68 7050B100   push WinRAR.00B15070                     ;  UNICODE "WizardMode"
    00AE1AC5   .  68 A44BB100   push WinRAR.00B14BA4                     ;  UNICODE "General"
    00AE1ACA   .  E8 C121FCFF   call WinRAR.00AA3C90
    00AE1ACF   .  85C0          test eax,eax
    00AE1AD1   .  74 24         je short WinRAR.00AE1AF7
    00AE1AD3   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]
    00AE1AD9   .  E8 E2390000   call WinRAR.00AE54C0
    00AE1ADE   .  84C0          test al,al
    00AE1AE0   .  74 15         je short WinRAR.00AE1AF7
    00AE1AE2   .  833D BC91B300>cmp dword ptr ds:[0xB391BC],0x0
    00AE1AE9   .  75 0C         jnz short WinRAR.00AE1AF7
    00AE1AEB   .  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
    00AE1AF1   .  FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
    00AE1AF7   >  6A 00         push 0x0
    00AE1AF9   .  6A 00         push 0x0
    00AE1AFB   .  E8 00F0FFFF   call WinRAR.00AE0B00
    00AE1B00   .  84C0          test al,al
    00AE1B02   .^ 75 F3         jnz short WinRAR.00AE1AF7
    00AE1B04   .  6A 01         push 0x1
    00AE1B06   .  6A 00         push 0x0
    00AE1B08   .  6A 00         push 0x0
    00AE1B0A   .  E8 7187FEFF   call WinRAR.00ACA280
    00AE1B0F   .  B9 34A3B300   mov ecx,WinRAR.00B3A334
    00AE1B14   .  E8 C7080000   call WinRAR.00AE23E0
    00AE1B19   .  E8 A21EFFFF   call WinRAR.00AD39C0
    00AE1B1E   .  C605 D592B300>mov byte ptr ds:[0xB392D5],0x1
    00AE1B25   .  FF35 F8A2B300 push dword ptr ds:[0xB3A2F8]             ; /hEvent = 00000238 (window)
    00AE1B2B   .  FF15 9441B100 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
    00AE1B31   .  33F6          xor esi,esi
    00AE1B33   .  8B3D 5043B100 mov edi,dword ptr ds:[<&KERNEL32.Sleep>] ;  KERNEL32.Sleep
    00AE1B39   .  8DA424 000000>lea esp,dword ptr ss:[esp]
    00AE1B40   >  833D F0A2B300>cmp dword ptr ds:[0xB3A2F0],0x0
    00AE1B47   .  7E 0D         jle short WinRAR.00AE1B56
    00AE1B49   .  6A 64         push 0x64
    00AE1B4B   .  FFD7          call edi
    00AE1B4D   .  4E            dec esi
    00AE1B4E   .  81FE C8000000 cmp esi,0xC8
    00AE1B54   .^ 7C EA         jl short WinRAR.00AE1B40
    00AE1B56   >  FF35 F8A2B300 push dword ptr ds:[0xB3A2F8]             ; /hObject = 00000238 (window)
    00AE1B5C   .  FF15 A443B100 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
    00AE1B62   .  833D CC92B300>cmp dword ptr ds:[0xB392CC],0x0
    00AE1B69   .  0F84 0B010000 je WinRAR.00AE1C7A
    00AE1B6F   .  83C8 FF       or eax,-0x1
    00AE1B72   .  A3 CC92B300   mov dword ptr ds:[0xB392CC],eax
    00AE1B77   .  33F6          xor esi,esi
    00AE1B79   .  8DA424 000000>lea esp,dword ptr ss:[esp]
    00AE1B80   >  85C0          test eax,eax
    00AE1B82   .  0F84 10010000 je WinRAR.00AE1C98
    00AE1B88   .  6A 64         push 0x64
    00AE1B8A   .  FFD7          call edi
    00AE1B8C   .  46            inc esi
    00AE1B8D   .  83FE 0A       cmp esi,0xA
    00AE1B90   .  0F8D 02010000 jge WinRAR.00AE1C98
    00AE1B96   .  A1 CC92B300   mov eax,dword ptr ds:[0xB392CC]
    00AE1B9B   .^ EB E3         jmp short WinRAR.00AE1B80
    00AE1B9D   >  FF35 AC81B300 push dword ptr ds:[0xB381AC]             ; /hWnd = 000B05BC ('winrar32 (评估版本)',class='WinRarWindow')
    00AE1BA3   .  FF15 A445B100 call dword ptr ds:[<&USER32.DestroyWindo>; \DestroyWindow
    00AE1BA9   .^ E9 82FEFFFF   jmp WinRAR.00AE1A30
    00AE1BAE   >  E8 FDDDFEFF   call WinRAR.00ACF9B0




    Of the two "DestroyWindow" calls here (they close the main window and the ad window respectively; if unsure which is which, set a breakpoint and test), one should be the operation that closes the ad window, so the call that opens the ad window should be somewhere above it. Searching upward for related calls and stepping with breakpoints leads to the call that shows the ad: call WinRAR.00AA53A0 at 00AE1AB9. From there, look upward for a key jump that can skip this call (the call could also simply be NOPed out). The jump at 00AE1AAE, je short WinRAR.00AE1AB5, is changed to jmp 0x00AE1AF7, which skips straight past the DestroyWindow function.

    For the other patch I chose Binary Ninja, a decompiler whose control-flow graph layout is well organised and easy to analyse, which is light on system resources, and whose right-click "patch" feature is rather good at modifying assembly.

    After loading the WinRAR main program in Binary Ninja, press "G" and enter the address to look up. Its addresses differ from OD's because of the base offset, so we have to convert them ourselves: 00AE1520 corresponds to 004E1520. Jumping straight to that location gives the following:

    In the code above we noticed a call to the system API IsWindowVisible (the window-visibility API) at 00AE1A4C; if this call is made, the corresponding licence information in the title bar is hidden. So we look up 004E1A4C in Binary Ninja, which gives the following:


    Click the first line of the basic block containing that location, "push edi {var_18_13}". The "Cross References" pane at the lower left shows two addresses that jump to it. After analysis we judged that the assembly at the earlier of the two, 0x4e189a, can be changed to "jmp 0x4e1a33" (right-click at that location --> "patch" --> "Edit Current Line", as shown).



    After the change it looks like this:


    After these two steps, save the changes and run WinRAR, as shown: the program now starts quietly, with no ad pop-up and no licence-expiry reminder in the title bar.
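    As an added example (my code, not the author's tooling or anything from WinRAR), here is the address bookkeeping the post does by hand, written from the defender's side: a small PE-header parser that rebases an OllyDbg address onto the file's preferred ImageBase, maps it to a file offset, and reports whether the two conditional jumps named above still carry their original encodings, so a tampered copy can be flagged. The 0xA00000 runtime base, the 0x400000 ImageBase and the tiny sample PE are assumptions; only the addresses and opcode bytes come from the listing.

```python
import struct

# Assumption derived from the post: OllyDbg showed the code at 0x00AE1520 while
# Binary Ninja shows the same code at 0x004E1520, so the loaded module sat
# 0x600000 above its preferred base, which we assume is the usual 0x400000.
OD_RUNTIME_BASE = 0x00A00000
PREFERRED_BASE = 0x00400000

# The two conditional jumps the post patches, with the original encodings shown
# in the OllyDbg listing, expressed at the preferred image base.
ORIGINAL_JUMPS = {
    0x004E1AAE: bytes.fromhex("7405"),          # je short 00AE1AB5
    0x004E189A: bytes.fromhex("0F8493010000"),  # je 00AE1A33
}


def rebase(addr, from_base, to_base):
    """Map an address seen under one image base onto another base."""
    return addr - from_base + to_base


def parse_pe(data):
    """Return (image_base, sections); each section is (name, rva, vsize, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(n_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, rva, raw_size, raw_ptr = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def rva_to_offset(rva, sections):
    """Translate an RVA into a file offset via the section table (None if unmapped)."""
    for _name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            return None if delta >= raw_size else raw_ptr + delta
    return None


def instruction_intact(data, va, expected):
    """True if the bytes at virtual address `va` still equal the original encoding."""
    image_base, sections = parse_pe(data)
    off = rva_to_offset(va - image_base, sections)
    if off is None:
        return False
    return bytes(data[off:off + len(expected)]) == expected


def audit(data):
    """Per patched site, report whether the binary still carries the original jump."""
    return {hex(va): instruction_intact(data, va, enc) for va, enc in ORIGINAL_JUMPS.items()}


def build_sample_pe():
    """Construct a tiny PE32 (NOT WinRAR) whose single section covers the RVAs
    discussed in the post, so the audit can be exercised offline."""
    e_lfanew, sec_rva, raw_ptr, raw_size = 0x80, 0xE1000, 0x200, 0x1000
    img = bytearray(raw_ptr + raw_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, SizeOfOptionalHeader 0xE0, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 28, PREFERRED_BASE)
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0, b".text", raw_size, sec_rva,
                     raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    for va, enc in ORIGINAL_JUMPS.items():           # place the pristine jumps
        off = raw_ptr + (va - PREFERRED_BASE - sec_rva)
        img[off:off + len(enc)] = enc
    return bytes(img)


if __name__ == "__main__":
    print(hex(rebase(0x00AE1520, OD_RUNTIME_BASE, PREFERRED_BASE)))
    print(audit(build_sample_pe()))
```

    Run against a real WinRAR.exe the same audit tells you whether the conditional jumps at those two sites are untouched; a failed Authenticode signature check on the file is the quicker, coarser version of the same question.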



    But don't celebrate too early. If we set the system clock past the software's expiry date and restart WinRAR, the window below still appears, prompting us to buy a WinRAR licence.


    Repeating the run, pause, view stack, show call and step-in sequence leads to the code segment below. It contains the ad URL //ad.winrar.com.cn/show_2.html?L=7&bl=7&v=Vpersonal&a=Vpersonal&a=A&src=pe001 as well as RarReminder, the function that reminds the user that the licence has expired and must be repurchased.

    [Asm]
    00B853A0  /$  B8 18100000   mov eax,0x1018
    00B853A5  |.  E8 26010500   call WinRAR1.00BD54D0
    00B853AA  |.  A1 341BC100   mov eax,dword ptr ds:[0xC11B34]
    00B853AF  |.  33C4          xor eax,esp
    00B853B1  |.  898424 141000>mov dword ptr ss:[esp+0x1014],eax
    00B853B8  |.  803D 74A5C500>cmp byte ptr ds:[0xC5A574],0x0
    00B853BF  |.  74 0E         je short WinRAR1.00B853CF
    00B853C1  |.  80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0
    00B853C9  |.  0F84 08040000 je WinRAR1.00B857D7
    00B853CF  |>  833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0
    00B853D6  |.  56            push esi
    00B853D7  |.  74 1C         je short WinRAR1.00B853F5
    00B853D9  |.  B9 98FBC000   mov ecx,WinRAR1.00C0FB98                 ;  ASCII "8g3#0w1$5r7%2ta"
    00B853DE  |.  E8 1DF9FFFF   call WinRAR1.00B84D00
    00B853E3  |.  833D ACFBC000>cmp dword ptr ds:[0xC0FBAC],0x0
    00B853EA  |.  0F84 A1000000 je WinRAR1.00B85491
    00B853F0  |.  E9 88000000   jmp WinRAR1.00B8547D
    00B853F5  |>  68 FD040000   push 0x4FD
    00B853FA  |.  E8 6171FEFF   call WinRAR1.00B6C560
    00B853FF  |.  8BF0          mov esi,eax
    00B85401  |.  66:833E 23    cmp word ptr ds:[esi],0x23
    00B85405  |.  75 20         jnz short WinRAR1.00B85427
    00B85407  |.  66:837E 02 23 cmp word ptr ds:[esi+0x2],0x23
    00B8540C  |.  75 19         jnz short WinRAR1.00B85427
    00B8540E  |.  8BCE          mov ecx,esi
    00B85410  |.  8D51 02       lea edx,dword ptr ds:[ecx+0x2]
    00B85413  |>  66:8B01       /mov ax,word ptr ds:[ecx]
    00B85416  |.  83C1 02       |add ecx,0x2
    00B85419  |.  66:85C0       |test ax,ax
    00B8541C  |.^ 75 F5         \jnz short WinRAR1.00B85413
    00B8541E  |.  2BCA          sub ecx,edx
    00B85420  |.  D1F9          sar ecx,1
    00B85422  |.  83F9 64       cmp ecx,0x64
    00B85425  |.  73 06         jnb short WinRAR1.00B8542D
    00B85427  |>  8B35 1800C100 mov esi,dword ptr ds:[0xC10018]          ;  WinRAR1.00BF9628
    00B8542D  |>  68 00100000   push 0x1000
    00B85432  |.  8D4424 1C     lea eax,dword ptr ss:[esp+0x1C]
    00B85436  |.  6A 00         push 0x0
    00B85438  |.  50            push eax
    00B85439  |.  E8 E2250500   call WinRAR1.00BD7A20
    00B8543E  |.  83C4 0C       add esp,0xC
    00B85441  |.  8D4424 18     lea eax,dword ptr ss:[esp+0x18]
    00B85445  |.  68 00100000   push 0x1000
    00B8544A  |.  50            push eax
    00B8544B  |.  8D46 04       lea eax,dword ptr ds:[esi+0x4]
    00B8544E  |.  50            push eax
    00B8544F  |.  E8 0C07FFFF   call WinRAR1.00B75B60
    00B85454  |.  8D4C24 18     lea ecx,dword ptr ss:[esp+0x18]
    00B85458  |.  8D51 01       lea edx,dword ptr ds:[ecx+0x1]
    00B8545B  |.  EB 03         jmp short WinRAR1.00B85460
    00B8545D  |   8D49 00       lea ecx,dword ptr ds:[ecx]
    00B85460  |>  8A01          /mov al,byte ptr ds:[ecx]
    00B85462  |.  41            |inc ecx
    00B85463  |.  84C0          |test al,al
    00B85465  |.^ 75 F9         \jnz short WinRAR1.00B85460
    00B85467  |.  2BCA          sub ecx,edx
    00B85469  |.  8D4424 18     lea eax,dword ptr ss:[esp+0x18]
    00B8546D  |.  51            push ecx
    00B8546E  |.  50            push eax
    00B8546F  |.  B9 98FBC000   mov ecx,WinRAR1.00C0FB98                 ;  ASCII "8g3#0w1$5r7%2ta"
    00B85474  |.  E8 67F4FFFF   call WinRAR1.00B848E0
    00B85479  |.  84C0          test al,al
    00B8547B  |.  75 14         jnz short WinRAR1.00B85491
    00B8547D  |>  68 80040000   push 0x480
    00B85482  |.  6A 00         push 0x0
    00B85484  |.  68 98FBC000   push WinRAR1.00C0FB98                    ;  ASCII "8g3#0w1$5r7%2ta"
    00B85489  |.  E8 92250500   call WinRAR1.00BD7A20
    00B8548E  |.  83C4 0C       add esp,0xC
    00B85491  |>  803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
    00B85498  |.  53            push ebx
    00B85499  |.  75 12         jnz short WinRAR1.00B854AD
    00B8549B  |.  A1 DC92C100   mov eax,dword ptr ds:[0xC192DC]
    00B854A0  |.  83F8 28       cmp eax,0x28
    00B854A3  |.  7F 04         jg short WinRAR1.00B854A9
    00B854A5  |.  85C0          test eax,eax
    00B854A7  |.  79 04         jns short WinRAR1.00B854AD
    00B854A9  |>  B3 01         mov bl,0x1
    00B854AB  |.  EB 02         jmp short WinRAR1.00B854AF
    00B854AD  |>  32DB          xor bl,bl
    00B854AF  |>  80BC24 241000>cmp byte ptr ss:[esp+0x1024],0x0
    00B854B7  |.  0F84 EE020000 je WinRAR1.00B857AB
    00B854BD  |.  E8 4EA0FCFF   call WinRAR1.00B4F510
    00B854C2  |.  3D 01050000   cmp eax,0x501
    00B854C7  |.  77 10         ja short WinRAR1.00B854D9
    00B854C9  |.  F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x200
    00B854D3  |.  0F84 FC020000 je WinRAR1.00B857D5
    00B854D9  |>  803D 18FFC000>cmp byte ptr ds:[0xC0FF18],0x0
    00B854E0  |.  0F84 EF020000 je WinRAR1.00B857D5
    00B854E6  |.  C605 C3FCC000>mov byte ptr ds:[0xC0FCC3],0x0
    00B854ED  |.  C605 C7FDC000>mov byte ptr ds:[0xC0FDC7],0x0
    00B854F4  |.  C605 1700C100>mov byte ptr ds:[0xC10017],0x0
    00B854FB  |.  84DB          test bl,bl
    00B854FD  |.  75 14         jnz short WinRAR1.00B85513
    00B854FF  |.  A0 A8FBC000   mov al,byte ptr ds:[0xC0FBA8]
    00B85504  |.  24 80         and al,0x80
    00B85506  |.  0FB6C0        movzx eax,al
    00B85509  |.  F7D8          neg eax
    00B8550B  |.  1BC0          sbb eax,eax
    00B8550D  |.  2105 B0FBC000 and dword ptr ds:[0xC0FBB0],eax
    00B85513  |>  32FF          xor bh,bh
    00B85515  |.  833D C0FBC000>cmp dword ptr ds:[0xC0FBC0],0x0
    00B8551C  |.  76 50         jbe short WinRAR1.00B8556E
    00B8551E  |.  383D B467C400 cmp byte ptr ds:[0xC467B4],bh
    00B85524  |.  75 48         jnz short WinRAR1.00B8556E
    00B85526  |.  6A 00         push 0x0
    00B85528  |.  68 A098BF00   push WinRAR1.00BF98A0                    ;  UNICODE "RemShown"
    00B8552D  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
    00B85532  |.  E8 59E7FFFF   call WinRAR1.00B83C90
    00B85537  |.  3B05 C0FBC000 cmp eax,dword ptr ds:[0xC0FBC0]
    00B8553D  |.  73 2F         jnb short WinRAR1.00B8556E
    00B8553F  |.  40            inc eax
    00B85540  |.  50            push eax
    00B85541  |.  68 A098BF00   push WinRAR1.00BF98A0                    ;  UNICODE "RemShown"
    00B85546  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
    00B8554B  |.  E8 50F3FFFF   call WinRAR1.00B848A0
    00B85550  |.  803D C4FBC000>cmp byte ptr ds:[0xC0FBC4],0x0
    00B85557  |.  B7 01         mov bh,0x1
    00B85559  |.  0F84 B8000000 je WinRAR1.00B85617
    00B8555F  |.  68 00010000   push 0x100
    00B85564  |.  68 C4FBC000   push WinRAR1.00C0FBC4                    ;  ASCII "//ad.winrar.com.cn/show_1.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
    00B85569  |.  E9 9F000000   jmp WinRAR1.00B8560D
    00B8556E  |>  833D C4FCC000>cmp dword ptr ds:[0xC0FCC4],0x0
    00B85575  |.  76 45         jbe short WinRAR1.00B855BC
    00B85577  |.  84DB          test bl,bl
    00B85579  |.  74 41         je short WinRAR1.00B855BC
    00B8557B  |.  6A 00         push 0x0
    00B8557D  |.  68 B498BF00   push WinRAR1.00BF98B4                    ;  UNICODE "ExpRemShown"
    00B85582  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
    00B85587  |.  E8 04E7FFFF   call WinRAR1.00B83C90
    00B8558C  |.  3B05 C4FCC000 cmp eax,dword ptr ds:[0xC0FCC4]
    00B85592  |.  73 28         jnb short WinRAR1.00B855BC
    00B85594  |.  40            inc eax
    00B85595  |.  50            push eax
    00B85596  |.  68 B498BF00   push WinRAR1.00BF98B4                    ;  UNICODE "ExpRemShown"
    00B8559B  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
    00B855A0  |.  E8 FBF2FFFF   call WinRAR1.00B848A0
    00B855A5  |.  803D C8FCC000>cmp byte ptr ds:[0xC0FCC8],0x0
    00B855AC  |.  B7 01         mov bh,0x1
    00B855AE  |.  74 67         je short WinRAR1.00B85617
    00B855B0  |.  68 00010000   push 0x100
    00B855B5  |.  68 C8FCC000   push WinRAR1.00C0FCC8                    ;  ASCII "//ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
    00B855BA  |.  EB 51         jmp short WinRAR1.00B8560D
    00B855BC  |>  833D C8FDC000>cmp dword ptr ds:[0xC0FDC8],0x0
    00B855C3  |.  76 52         jbe short WinRAR1.00B85617
    00B855C5  |.  803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
    00B855CC  |.  74 49         je short WinRAR1.00B85617
    00B855CE  |.  6A 00         push 0x0
    00B855D0  |.  68 CC98BF00   push WinRAR1.00BF98CC                    ;  UNICODE "RegRemShown"
    00B855D5  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
    00B855DA  |.  E8 B1E6FFFF   call WinRAR1.00B83C90
    00B855DF  |.  3B05 C8FDC000 cmp eax,dword ptr ds:[0xC0FDC8]
    00B855E5  |.  73 30         jnb short WinRAR1.00B85617
    00B855E7  |.  40            inc eax
    00B855E8  |.  50            push eax
    00B855E9  |.  68 CC98BF00   push WinRAR1.00BF98CC                    ;  UNICODE "RegRemShown"
    00B855EE  |.  68 306CBF00   push WinRAR1.00BF6C30                    ;  UNICODE "Interface\Misc"
    00B855F3  |.  E8 A8F2FFFF   call WinRAR1.00B848A0
    00B855F8  |.  803D CCFDC000>cmp byte ptr ds:[0xC0FDCC],0x0
    00B855FF  |.  B7 01         mov bh,0x1
    00B85601  |.  74 14         je short WinRAR1.00B85617
    00B85603  |.  68 00010000   push 0x100
    00B85608  |.  68 CCFDC000   push WinRAR1.00C0FDCC
    00B8560D  |>  68 18FFC000   push WinRAR1.00C0FF18                    ;  ASCII "//ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
    00B85612  |.  E8 49D1FEFF   call WinRAR1.00B72760
    00B85617  |>  FF15 3843BF00 call dword ptr ds:[<&KERNEL32.GetTickCou>; [GetTickCount
    00B8561D  |.  8BC8          mov ecx,eax
    00B8561F  |.  B8 D34D6210   mov eax,0x10624DD3
    00B85624  |.  F7E1          mul ecx
    00B85626  |.  C1EA 06       shr edx,0x6
    00B85629  |.  803D B467C400>cmp byte ptr ds:[0xC467B4],0x0
    00B85630  |.  74 08         je short WinRAR1.00B8563A
    00B85632  |.  8B0D BCFBC000 mov ecx,dword ptr ds:[0xC0FBBC]
    00B85638  |.  EB 20         jmp short WinRAR1.00B8565A
    00B8563A  |>  84DB          test bl,bl
    00B8563C  |.  75 16         jnz short WinRAR1.00B85654
    00B8563E  |.  8B0D B4FBC000 mov ecx,dword ptr ds:[0xC0FBB4]
    00B85644  |.  85C9          test ecx,ecx
    00B85646  |.  74 20         je short WinRAR1.00B85668
    00B85648  |.  8BC2          mov eax,edx
    00B8564A  |.  33D2          xor edx,edx
    00B8564C  |.  F7F1          div ecx
    00B8564E  |.  85D2          test edx,edx
    00B85650  |.  75 16         jnz short WinRAR1.00B85668
    00B85652  |.  EB 1C         jmp short WinRAR1.00B85670
    00B85654  |>  8B0D B8FBC000 mov ecx,dword ptr ds:[0xC0FBB8]
    00B8565A  |>  85C9          test ecx,ecx
    00B8565C  |.  74 0A         je short WinRAR1.00B85668
    00B8565E  |.  8BC2          mov eax,edx
    00B85660  |.  33D2          xor edx,edx
    00B85662  |.  F7F1          div ecx
    00B85664  |.  85D2          test edx,edx
    00B85666  |.  74 08         je short WinRAR1.00B85670
    00B85668  |>  84FF          test bh,bh
    00B8566A  |.  0F84 65010000 je WinRAR1.00B857D5
    00B85670  |>  55            push ebp
    00B85671  |.  57            push edi
    00B85672  |.  8B3D A8FBC000 mov edi,dword ptr ds:[0xC0FBA8]
    00B85678  |.  C1E7 11       shl edi,0x11
    00B8567B  |.  F7D7          not edi
    00B8567D  |.  81E7 00000400 and edi,0x40000
    00B85683  |.  81CF 0000C816 or edi,0x16C80000
    00B85689  |.  F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x8
    00B85690  |.  75 06         jnz short WinRAR1.00B85698
    00B85692  |.  81CF 00000300 or edi,0x30000
    00B85698  |>  A1 D0FEC000   mov eax,dword ptr ds:[0xC0FED0]
    00B8569D  |.  BD 00000080   mov ebp,0x80000000
    00B856A2  |.  C74424 10 000>mov dword ptr ss:[esp+0x10],0x80000000
    00B856AA  |.  8BF5          mov esi,ebp
    00B856AC  |.  8BDE          mov ebx,esi
    00B856AE  |.  85C0          test eax,eax
    00B856B0  |.  0F84 90000000 je WinRAR1.00B85746
    00B856B6  |.  833D CCFEC000>cmp dword ptr ds:[0xC0FECC],0x0
    00B856BD  |.  0F84 83000000 je WinRAR1.00B85746
    00B856C3  |.  50            push eax
    00B856C4  |.  E8 87530200   call WinRAR1.00BAAA50
    00B856C9  |.  8B2D 8C46BF00 mov ebp,dword ptr ds:[<&USER32.GetSystem>;  USER32.GetSystemMetrics
    00B856CF  |.  8BF0          mov esi,eax
    00B856D1  |.  6A 21         push 0x21                                ; /Index = SM_CYFRAME
    00B856D3  |.  FFD5          call ebp                                 ; \GetSystemMetrics
    00B856D5  |.  6A 04         push 0x4                                 ; /Index = SM_CYCAPTION
    00B856D7  |.  8D1C46        lea ebx,dword ptr ds:[esi+eax*2]         ; |
    00B856DA  |.  FFD5          call ebp                                 ; \GetSystemMetrics
    00B856DC  |.  03D8          add ebx,eax
    00B856DE  |.  F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x40
    00B856E5  |.  75 0C         jnz short WinRAR1.00B856F3
    00B856E7  |.  F705 A8FBC000>test dword ptr ds:[0xC0FBA8],0x100
    00B856F1  |.  75 06         jnz short WinRAR1.00B856F9
    00B856F3  |>  031D 70A5C500 add ebx,dword ptr ds:[0xC5A570]
    00B856F9  |>  FF35 CCFEC000 push dword ptr ds:[0xC0FECC]
    00B856FF  |.  E8 FC520200   call WinRAR1.00BAAA00
    00B85704  |.  6A 20         push 0x20
    00B85706  |.  8BF0          mov esi,eax
    00B85708  |.  FFD5          call ebp
    00B8570A  |.  6A 00         push 0x0                                 ; /UpdateProfile = 0
    00B8570C  |.  8D3446        lea esi,dword ptr ds:[esi+eax*2]         ; |
    00B8570F  |.  8D4424 18     lea eax,dword ptr ss:[esp+0x18]          ; |
    00B85713  |.  50            push eax                                 ; |pParam = NULL
    00B85714  |.  6A 00         push 0x0                                 ; |wParam = 0x0
    00B85716  |.  6A 30         push 0x30                                ; |Action = SPI_GETWORKAREA
    00B85718  |.  FF15 8C44BF00 call dword ptr ds:[<&USER32.SystemParame>; \SystemParametersInfoW
    00B8571E  |.  8B4424 1C     mov eax,dword ptr ss:[esp+0x1C]
    00B85722  |.  3BF0          cmp esi,eax
    00B85724  |.  7C 02         jl short WinRAR1.00B85728
    00B85726  |.  8BF0          mov esi,eax
    00B85728  |>  2BC6          sub eax,esi
    00B8572A  |.  99            cdq
    00B8572B  |.  2BC2          sub eax,edx
    00B8572D  |.  D1F8          sar eax,1
    00B8572F  |.  894424 10     mov dword ptr ss:[esp+0x10],eax
    00B85733  |.  8B4424 20     mov eax,dword ptr ss:[esp+0x20]          ;  WinRAR1.00C4D45D
    00B85737  |.  3BD8          cmp ebx,eax
    00B85739  |.  7C 02         jl short WinRAR1.00B8573D
    00B8573B  |.  8BD8          mov ebx,eax
    00B8573D  |>  2BC3          sub eax,ebx
    00B8573F  |.  99            cdq
    00B85740  |.  2BC2          sub eax,edx
    00B85742  |.  8BE8          mov ebp,eax
    00B85744  |.  D1FD          sar ebp,1
    00B85746  |>  68 00010000   push 0x100
    00B8574B  |.  68 18FFC000   push WinRAR1.00C0FF18                    ;  ASCII "//ad.winrar.com.cn/show_2.html?L=7&bl=7&v=$Vpersonal&a=$A&src=pe001"
    00B85750  |.  E8 3BF3FFFF   call WinRAR1.00B84A90
    00B85755  |.  6A 00         push 0x0                                 ; /lParam = NULL
    00B85757  |.  FF35 04F0C400 push dword ptr ds:[0xC4F004]             ; |hInst = 00AE0000
    00B8575D  |.  6A 00         push 0x0                                 ; |hMenu = NULL
    00B8575F  |.  6A 00         push 0x0                                 ; |hParent = NULL
    00B85761  |.  53            push ebx                                 ; |Height = 902DC (590556.)
    00B85762  |.  56            push esi                                 ; |Width = 0x0
    00B85763  |.  55            push ebp                                 ; |Y = 5FA518 (6268184.)
    00B85764  |.  FF7424 2C     push dword ptr ss:[esp+0x2C]             ; |X = 0x0
    00B85768  |.  57            push edi                                 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|3FE
    00B85769  |.  68 6C71BF00   push WinRAR1.00BF716C                    ; |WindowName = "WinRAR"
    00B8576E  |.  68 E498BF00   push WinRAR1.00BF98E4                    ; |Class = "RarReminder"
    00B85773  |.  6A 00         push 0x0                                 ; |ExtStyle = 0
    00B85775  |.  FF15 A045BF00 call dword ptr ds:[<&USER32.CreateWindow>; \CreateWindowExW
    00B8577B  |.  F605 A8FBC000>test byte ptr ds:[0xC0FBA8],0x1
    00B85782  |.  5F            pop edi                                  ;  USER32.76CD87ED
    00B85783  |.  5D            pop ebp                                  ;  USER32.76CD87ED
    00B85784  |.  74 13         je short WinRAR1.00B85799
    00B85786  |.  6A 03         push 0x3                                 ; /Flags = SWP_NOSIZE|SWP_NOMOVE
    00B85788  |.  6A 00         push 0x0                                 ; |Height = 0x0
    00B8578A  |.  6A 00         push 0x0                                 ; |Width = 0x0
    00B8578C  |.  6A 00         push 0x0                                 ; |Y = 0x0
    00B8578E  |.  6A 00         push 0x0                                 ; |X = 0x0
    00B85790  |.  6A FF         push -0x1                                ; |InsertAfter = HWND_TOPMOST
    00B85792  |.  50            push eax                                 ; |hWnd = NULL
    00B85793  |.  FF15 B845BF00 call dword ptr ds:[<&USER32.SetWindowPos>; \SetWindowPos
    00B85799  |>  833D C091C100>cmp dword ptr ds:[0xC191C0],0x0
    00B857A0  |.  74 33         je short WinRAR1.00B857D5
    00B857A2  |.  C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1
    00B857A9  |.  EB 2A         jmp short WinRAR1.00B857D5
    00B857AB  |>  84DB          test bl,bl
    00B857AD  |.  74 26         je short WinRAR1.00B857D5
    00B857AF  |.  6A 00         push 0x0                                 ; /lParam = NULL
    00B857B1  |.  68 10C2BB00   push WinRAR1.00BBC210                    ; |DlgProc = WinRAR1.00BBC210
    00B857B6  |.  C605 74A5C500>mov byte ptr ds:[0xC5A574],0x1           ; |
    00B857BD  |.  FF15 F444BF00 call dword ptr ds:[<&USER32.GetFocus>]   ; |[GetFocus
    00B857C3  |.  50            push eax                                 ; |hOwner = NULL
    00B857C4  |.  68 FC98BF00   push WinRAR1.00BF98FC                    ; |pTemplate = "REMINDER"
    00B857C9  |.  FF35 00F0C400 push dword ptr ds:[0xC4F000]             ; |hInst = 00AE0000
    00B857CF  |.  FF15 C845BF00 call dword ptr ds:[<&USER32.DialogBoxPar>; \DialogBoxParamW
    00B857D5  |>  5B            pop ebx                                  ;  USER32.76CD87ED
    00B857D6  |.  5E            pop esi                                  ;  USER32.76CD87ED
    00B857D7  |>  8B8C24 141000>mov ecx,dword ptr ss:[esp+0x1014]
    00B857DE  |.  33CC          xor ecx,esp
    00B857E0  |.  E8 D7FC0400   call WinRAR1.00BD54BC
    00B857E5  |.  81C4 18100000 add esp,0x1018
    00B857EB  \.  C2 0800       retn 0x8

    From the analysis, the two jumps we need to focus on are at line 7 and line 9 from the start of the function: NOP out the jump on line 7 and change the jump on line 9 to an unconditional jmp, and program execution will skip over the ad link and the window prompting you to buy a license again.
      7 00B853BF  |.  74 0E         je short WinRAR1.00B853CF
      8 00B853C1  |.  80BC24 201000>cmp byte ptr ss:[esp+0x1020],0x0
      9 00B853C9  |.  0F84 08040000 je WinRAR1.00B857D7
    After making the changes, right-click and in the pop-up menu select "Copy to executable" --> "All modifications" --> "Copy".


    Then right-click in the new window and choose "Save file" to save the changes.
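A side note on reading the listing above, added here as an example and not part of the original post or of WinRAR's own code. The sequence at 00B8561F..00B85626 (`mov eax,0x10624DD3` / `mul ecx` / `shr edx,0x6`) is the compiler's strength-reduced unsigned division of the `GetTickCount` result by 1000, turning milliseconds into seconds before the later `div` against a value loaded from memory. The script below emulates that instruction sequence, recovers the divisor from the magic constant, and checks the standard exactness bound; the function names and the sample inputs are my own.

```python
# Added example (not from the original post): why the multiply/shift
# sequence in the listing is a division by 1000.
#
#   00B8561F  mov eax,0x10624DD3
#   00B85624  mul ecx            ; edx:eax = ecx * 0x10624DD3
#   00B85626  shr edx,0x6        ; edx = (ecx * magic) >> 38
#
# Compilers replace an unsigned division by a constant with a multiply by a
# "magic" reciprocal followed by a shift. Recognising the pattern turns an
# opaque constant into the readable expression GetTickCount() / 1000.
import random

MAGIC = 0x10624DD3              # constant taken from the listing
POST_SHIFT = 6                  # shr edx,0x6
TOTAL_SHIFT = 32 + POST_SHIFT   # edx already holds bits 32..63 of the product


def magic_div(x, magic=MAGIC, post_shift=POST_SHIFT):
    """Emulate 'mov eax,magic; mul ecx; shr edx,post_shift' for a 32-bit ecx."""
    if not 0 <= x < 2**32:
        raise ValueError("ecx must be an unsigned 32-bit value")
    product = x * magic          # the full 64-bit edx:eax product
    edx = product >> 32          # high dword, as left in edx by mul
    return edx >> post_shift


def recover_divisor(magic, total_shift):
    """Recover d from magic == ceil(2**total_shift / d)."""
    return round(2**total_shift / magic)


def magic_is_exact(magic, total_shift, d):
    """Exactness bound for the magic-number method: with e = magic*d - 2**s,
    floor((x*magic) >> s) == x // d for every 32-bit x iff x*e < 2**s."""
    err = magic * d - 2**total_shift
    return err >= 0 and err * (2**32 - 1) < 2**total_shift


def check_samples(n=20000, seed=1):
    """Compare the emulated sequence with x // 1000 on edge cases and
    constructed random 32-bit inputs (sample data, not tick values)."""
    rng = random.Random(seed)
    edge = [0, 1, 999, 1000, 1001, 2**31 - 1, 2**31, 2**32 - 1]
    for k in (1, 12345, 4294967):
        for off in (-1, 0, 1):
            v = k * 1000 + off
            if 0 <= v < 2**32:
                edge.append(v)
    for x in edge + [rng.getrandbits(32) for _ in range(n)]:
        if magic_div(x) != x // 1000:
            return False
    return True


if __name__ == "__main__":
    print("divisor:", recover_divisor(MAGIC, TOTAL_SHIFT))
    print("exact for all 32-bit inputs:", magic_is_exact(MAGIC, TOTAL_SHIFT, 1000))
    print("samples agree:", check_samples())
```

The same `recover_divisor` trick (round 2**shift / magic) applies to any `mul`-plus-`shr edx` pair you meet while stepping through a listing in OllyDbg; the shift to use is 32 plus whatever is applied to edx afterwards.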


    The whole world is finally quiet; this old monk must get back to his meditation ^_^!!!!
    Appendix: a few system functions to share.
    CreateWindowEx function:https://msdn.microsoft.com/zh-cn/vstudio/ms632680(v=vs.90)

    DestroyWindow function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-destroywindow

    IsWindowVisible function:https://docs.microsoft.com/zh-cn/windows/win32/api/winuser/nf-winuser-iswindowvisible

    There is also a keygen written by an expert:
    //www.yhhjx.com/thread-984747-1-1.html

    Recommended
    OP | zyjsuper posted on 2019-7-10 09:28
    神秘来宾 posted on 2019-7-10 08:47
    Is it possible to crack the password on a WinRAR-encrypted archive?

    https://github.com/hyc/fcrackzip
    A cracking tool written by a German.
    Recommended
    hackcat posted on 2019-7-10 10:26
    4#
    _小白 posted on 2019-7-10 08:09
    5#
    我的猫在等我 posted on 2019-7-10 08:36
    Here to watch the OP; the popups when it isn't activated really are annoying
    6#
    axldh posted on 2019-7-10 08:37
    Learning from this, thanks to the OP for sharing.
    7#
    神秘来宾 posted on 2019-7-10 08:46
    It would be great if there were a 64-bit version too.
    8#
    神秘来宾 posted on 2019-7-10 08:47
    Is it possible to crack the password on a WinRAR-encrypted archive?
    9#
    纯粹520 posted on 2019-7-10 09:00
    Supporting this; as a newbie I'll just have a look.
    10#
    xjh88232259 posted on 2019-7-10 09:06
    Thanks to the OP for the selfless sharing and contribution!
    11#
    babyinsun posted on 2019-7-10 09:20
    Thanks to the OP for sharing, showing support!
    12#
    寻妳芳踪 posted on 2019-7-10 09:24
    Just how green is the OP...