How To Enter Winrar Serial Key

 

This tutorial describes how to crack Winrar.

Goto the symbols tab in x64dbg and double click the row that contains the winrar.exe module. You are now in winrar.exe region of the memory shown in the CPU tab. Right click somewhere in the CPU window and goto Search for- Current module- String references. Now you are in the References tab of x64dbg. Enter evaluation copy in the search box.

Needed

How To Enter Winrar Serial Key Filmora

  • Winrar 64-bit (version 5.40 and 5.60 are tested)
  • x64dbg site
  • Resource hacker site

A Winrar (a file with.rar as a suffix), when it comes to WinRar program, we all know it's a common utility for compressing files on Windows platform and often used for online downloads. A key feature on Winrar is that users can compressed some important files into a RAR archive and create password to protect the RAR file from prevents most. If you don't have winrar yet you can download it from here:the rarreg.key file herelink: http://q.gs/6785176. I will be using diablo2oo2’s Universal Patcher (UPE) for creating the patch. The patch will work like any authentic one for that WinRAR version. Just like the one U downloaded at anytime of your life from any Crack and Keygen website. Launch Patch Creator and click on add new project. Enter project Information and click on save.

Note

Memory addresses mentioned in this tutorial are likely to be different on your system. Only the last couple of bytes should be the same. E.g. for address 00007FF6A403AE4A only check if 4A is the same.

Load the application inside the debugger

Run x64dbg and open the WinRAR.exe executable in x64dbg by pressing F3 to open a file. Now the application is running inside the debugger and it will pause (break) at some address, this is the entry break point. Click the right arrow located under the menu in x64dbg (or press F9) repeatedly until the text in the lower-left of the window stays at ‘Running’.

The application is now running without pausing at any break points.

Finding the routine that checks if the application is registered

When the application starts it must somehow check if the application is registered. So somewhere in the executable there must be a function (routine in Assembly) that checks if the application is registered. The trick is to find that routine and modify it so that the application thinks it is registered. The registration routine can be found in many ways, but usually a good place to search is for certain strings. The application window states that this is an evaluation copy:

If you think of how this application was written, somewhere in the code a decision must be made (if/else statement) to show the string evaluation copy instead of something else like registered. We don’t know what the string will be when the application is registerd, but we know for sure that evaluation copy should not be shown.

Attack the string

In x64dbg you can search for strings in the executable. You want to limit your search to only the Winrar executable and not search all the other modules (DLL’s) that are loaded by the application. Goto the symbols tab in x64dbg and double click the row that contains the winrar.exe module.

You are now in winrar.exe region of the memory shown in the CPU tab. Right click somewhere in the CPU window and goto Search for -> Current module -> String references. Now you are in the References tab of x64dbg. Enter evaluation copy in the search box below.

The string cannot be found, so most likely it is not stored as consecutive characters in the executable. Windows applications can store strings in a string table ‘resource’, so we use a tool to read the string tables of the executable which is called Resource hacker.

Search for the string in string tables

Run Resource hacker and open the WinRAR.exe executable. Press ctrl+f to search for a string. Enter evaluation copy and click search. The string evaluation copy appears to be in a string table with the constant 873 mapped to it. These constants are used in the executable to load the string mapped to it. String tables are used to save memory.

Find constant mapped to the string

Search for the constant 873 in x64dbg: right click somewhere in the CPU window and goto Search for -> Current module -> Constant. In the window that appears enter 873 in the Signed: box and click OK.

x64dbg finds one occurance of the constant located at address 00007FF6A403AE4A. This address is likely to be a bit different on your system, but the last two bytes should be the same: 4A.

If nothing is found, make sure you are in the winrar.exe memory region by going to the Symbols tab and double clicking winrar.exe.

Double click the search results to go to that address location in the CPU tab. We are now in the CPU tab at the memory address that uses the constant. You see that the constant is represented as 369, which is hexadecimal for 873. The instruction that uses the constant is mov ecx, 369 which means copy the value 369 to the register ecx.

Change the string

As this is the only location where 369 is used it is highly likely that this instruction will load the evaluation copy string from the string table. We test this by changing 369 to another constant from the string table. In Resource Hacker we see the constant 872 mapped to the string Registration has been successfully completed. Modify the assembly by double clicking on it. Change 369 to 368, which is 872 in hex. Click OK once, and then click cancel to not further modify instructions

The instruction at 00007FF6A403AE4A should now be mov ecx, 368 as show below:

Press F9 or the right arrow a couple of times until the application is running without pausing at a breakpoint. The string in the titlebar has changed to Registration has been successfully completed. We have verified that the constant 369 in the instruction is used for the evaluation copy string.

Find the registration-check routine

In WinRAR goto help -> about WinRAR. It still mentions the 40 days trial copy. We have only patched the executable to show another string. Logically, the string evaluation copy will be shown when the registration routine has decided that the application is not registered.

Have a look at the instructions surrounding the instruction where the constant 369 is used. More specifically, trace back which instructions preceded the instruction at 00007FF6A403AE4A, how did we get there? The only way that instruction could have been executed is by coming from address 00007FF7B91EAE20, which is also made clear by the grey dashed arrow on the left of the addresses.

At 00007FF7B91EAE20 a conditional jump is done, ja, which means jump above. This means the jump will be taken when the zero flag ZF and the carry flag CF are set. These flags are in turn set by the instruction before that at 00007FF7B91EAE1D. There, the instruction cmp eax, 13 will compare the eax register with the value 13 (in hex), and set the ZF if eax <= 0x13. Set a breakpoint at 00007FF7B91EAE20 by highlighting the row and pressing F2. Now restart the application by pressing ctrl+F2. Press F9 until x64dbg breaks at the breakpoint you just set at 00007FF7B91EAE20. The value of eax are the 32 least significant bits of the rax register (image), which can be seen on the top-right window in x64dbg. The value of eax is FFFFFFEE.

This means the instruction you are at now, cmp eax, 13, will result in a value that is higher than 0. This results in the CF flag not be set and the jump at ja is taken. We modify the eax register so that it contains a value <= 13 and the ja jump is not taken. Double click on the rax register, and enter the value 13 (or anything lower than 13).

Press OK and press F9 to continue execution. The string in the title bar has now changed to only xx days left to buy a license. Apparently this is not the registration flow we are looking for.

Trace back a bit trough the instructions in x64dbg. We are looking for jumps that will change the instruction flow to show another string in the title bar. At 00007FF70E2FAE0E there is a jump, jne, that jumps past both the instructions mov ecx, 368 and mov eax, 369. jne stands for jump not equal and takes the jump when ZF 0. Right now the jump is not taken because we will end up in the instructions right after this jne. To see what will happen when the jump is taken, we change jne to jmp, so it will unconditionally jump. Set a break point at 00007FF70E2FAE0E and restart the application. Press F9 until the application pauses at the break point we just set. Press space to modify the row and change jne to jmp.

Press F9 again until the application runs. No string is shown any more in the title bar, this looks like the registration flow.

So when the jne is taken we get into the registration flow. The instruction at 00007FF70E2FAE07 that decides if the jne is taken, cmp byte ptr ds:[7FF7B92848E4],dil, compares the byte located at memory address 7FF7B92848E4 with the contents of the dil register. dil is the least significant byte of the rdi register.

We want to know what value is at memory location 7FF7B92848E4 and in dil when the application breaks at 00007FF70E2FAE07, because this value decides whether we come in the registration flow or in the ‘evaluation’ flow. Set a break point at 00007FF70E2FAE07, restart the application with ctrl+F2 and press F9 until you pause at the break point. Right click on the row where the cmp instruction is and goto Follow in Dump -> Constant: 7FF7B92848E4.

The value of 7FF7B92848E4 and dil is both 00. This means that the result of cmp byte ptr ds:[7FF7B92848E4],dil will be 0 and ZF will be set. jne is then not taken an we will enter the flow where the evaluation copy string is set.

We could trace back where dil is set or we can check whether the byte located at 7FF7B92848E4 is written to at some point. We do the latter first because this can be easily checked by setting a hardware write breakpoint at 7FF7B92848E4. Right click on the 00 byte and goto Breakpoint -> Hardware, Write -> Byte.

This type of breakpoint will break when a value is written to that memory address. Now restart the application (ctrl+F2). Press F9 until you arrive the hardware breakpoint you just set.

x64 will break at 00007FF6F0E78FB1, one instruction after the byte was written. So the byte was written at 00007FF6F0E78FAB, with the instruction mov byte ptr ds:[7FF6F0F148E4],al. We trace back again where al is modified. al is the the least significant byte of the rax register, which is used to hold return values of routines (functions). The instruction before this one at 00007FF6F0E78FA6 is a routine call. After exiting a routine call the return value is stored in rax. It is highly likely that the rax register is modified in there.

We have a look inside that routine by right clicking on the row and goto Follow in Disassembler -> click on the address.

We are now at the beginning of the routine that is very likely to modify the al (rax) register that eventually will decide if evaluation copy or no string is shown in the title bar.

We back trace from the end of the routine, which can be found by the ret instruction. We search for the instructions that modify the rax register.

Analysing the routine, at 00007FF70E2F80D4 the al register is specifically modified to contain the value 1. This does not look like a coincidence. We test what execution path will be taken around this instruction mov al,1 by setting a break point at the beginning of the routine at 00007FF70E2F80A8. Press F9 until we arrive at the break point and then press F8 (step over) until 00007FF70E2F80D2. Then watch what happens when we press F9 again. je at 00007FF70E2F80D2 is taken and mov al,1 is not executed.

We check what happens when je is not taken by changing the je with nop instructions (we could also invert je to jne). Break at the beginning of the routine. Click on the row with je and press space, enter nop and tick “keep size” and “fill with NOP’s”

nop means no-op and does not execute anything. So now the je has basically been erased and execution will continue at 00007FF70E2F80D4. Press F9 until the application runs. The evaluation copy string is not in the title bar any more and the “about” window also shows that the application is registered to “” (empty). The application is now cracked.

Wrap up

We found the registration routine by tracing back from the evaluation copy string. Then we patched this routine by removing the je instruction that was causing the application to execute in the non-registered state.

'Any RAR password unlocker that can unlock a file downloaded from other sources?'

'Any WinRAR password recovery method? I added a password to protect my RAR files, but embarrassing, I completely forgot it now.'


To save storage and protect files, you tend to create protection passwords for RAR. But when you forgot WinRAR password, this may cause you break out into tears.


But, fortunately, you can learn about the methods for RAR password recovery in this article and unlock RAR/WinRAR password.

Things You Need to Know in Advance

Part 1 will describe 3 free ways to unlock files when you have forgotten WinRAR password.


Part 2 provides you with an online RAR password unlocker, which is great if you don't want to install software on PC.


Part 3 introduces you an excellent Win RAR password recovery tool, which can do more.



Part 1. Unlock WinRAR Password (Free)

First, you should try out the various possible combinations of numbers and letters that you personally use. If you can't find it, you can give priority to the free ways: Notepad and CMD.

How To Enter Serial Key In Winrar


#1. Frequently-Used Passwords

Take a deep breath and relax. Now search and recall all possible passwords, list them, and try them one by one to unlock .rar password.


such as


How To Enter Winrar Serial Key

default numbers 123456, 00000, 007, abc123, and more

birthday of your wife, your girlfriend, or your baby

wedding anniversary, divorce date, payment password



#2. Use Notepad & Commands

This is a free WinRAR password cracker, very rare, although it is the most complicated one. If you want to try, you must complete each step perfectly.


Now let's check out the steps to recover:


Step 1. First, create a Notepad, copy and paste the specific commands to it, then save it as a bat file, e.g. RAR-password.bat (You can Find the commands in the end of Crack RAR. Passwords)


Step 2. Double-click to pen the bat file. You'll see a 'Rar Password Cracker' window.


Step 3. Go back to the locked RAR file, right-click it, select 'Properties', and copy the name and folder path.


Step 4. Now you can past them to the window as:

Enter File Name:

Enter Full Path: Vlc 2.1 mac download.


Step 5. Press 'Enter' key to run, and after that, you can see the password of the RAR file in the Window.


#3. Open RAR with Notepad

I will show you how to unlock RAR files without password. You can use Notepad on Windows to unlock, which may be something you never thought of. But it did work bypass RAR password, for some cases.


Let's take a look at the specific steps.


Step 1. Right-click the encrypted RAR file and open it with Notepad. You'll find that complex characters fill the entire document.


Step 2. Press the 'Ctrl + F' shortcut to find the string. Find Ûtà and replace it with 53tà.


Step 3. Similarly, replace 'IžC0 with IžC0.


Step 4. Save the modified file and close it.


Step 5. Now double-click to open it with RAR. Tada! You unlock RAR without password successfully.



Part 2. Win RAR Password Unlocker Online

There are many online sites. I tried several ones and pick password-online. It takes 10 Euros for unlocking 1 RAR file, not so cost-effective. And it requires me to upload the RAR and wait for an e-mail for confirmation.


Step 1. Copy and paste 'password-online.com' to your web browser on PC.


Step 2. In its home page, click the 'Upload your encrypted file' button and select the RAR file you want to unlock.

How to enter winrar serial key office 2016


Step 3. Enter your email address twice.


Step 4. Now check the notification email sent by the website and activate it.


If you're looking for a more cost-effective tool, please keep reading.



Part 3. WinRAR Password Recovery - Password Genius

Here is the ultimate weapon for RAR password recovery - Password Genius. It can help you recover forgotten WinRAR password with simple steps. And it's better than others for:


1. You can use it unlimited times as it provides a lifetime license.

2. Apart from RAR, it also can recover forgotten password on Excel File, Word, PPT, PDF and more office program

3. It's easy to use and it works fast, saving you time and avoiding invalid attempts.



Now that you get to know its features, follow the steps for Win RAR password recover:


Step 1. Download Password Genius and install it to your computer.


Step 2. Select the 'Recover Passwords for Files and Archives' mode.


How To Enter Winrar Serial Key Generator

Step 3. Since your goal is to recover forgotten WinRAR password, please select 'RAR Password Recovery'.


Step 4. Click the folder icon on the right and select the RAR file you want to unlock.


Step 5. Now select the attack type and options and click the 'Start' button.


Step 6. Finally, it automatically finds out the password and displays it on the desktop.


Let me now introduce its 4 attack modes and the corresponding settings.


'Brute-force': After selecting the 'Brute-force' attack mode, mark the options in the 'Length' and 'Range' tabs respectively.


'Mask': The most important thing after selecting 'Mask' is to enter the known characters and replace the unknown characters with '?'.


'Dictionary': Select the 'Dictionary' attack mode, then select the 'Dictionary' tab and click the 'Select Dictionary' button to import the TXT document. (You can create a TXT password dictionary if you come up with a few guesses.)


'Smart': After selecting the 'Smart' attack mode, click the 'Start' button.



RAR Password genius can retrieve your forgotten password. Compared with RAR Password genius, PassFab for RAR is faster to unlock rar winrar password. Because it uses advanced technology and new search algorithms, the time required for the retrieve process is reduced. What are you waiting for? Use it to remove RAR pass now.



Tip 1. How to Unlock WinRAR after You Get the Password

When you have already obtained the password, to unlock a RAR file is very simple and convenient.


Step 1. Double-click the RAR file with password-protection to open it in WinRAR (or other compression program).


Step 2. Click the second option 'Extract to' on the toolbar to save it to the same location as the original RAR file, and then click the 'OK' button.


Step 3. Type the RAR password and click 'OK' to extract the file.



Tip 2. Does Convert RAR to Zip Work When Forgot WinRAR Password?

When collecting effective solutions, I saw a saying that when converting from RAR to ZIP format, the password would be automatically removed. This seems to be a reliable WinRAR password cracker or method, but after a specific attempt I found that impossible.


I tested the first 4 online ZIP converters on Google and none of them works.


#1. For archive.online-convert.com


When I import a password-protected RAR and click 'Start Conversion', the following error occurs.


#2. For convertio.co/zh/zip-converter

When I click 'Select File' to upload an encrypted RAR file, an error occurs as well.


#3. For files2zip.com

How To Enter Winrar Serial Key Office 2016


I clicked 'Browse' to import the file, but it didn't work. I do not know why.

How To Enter Winrar Serial Key 64-bit


#4. For ezyzip.com


I successfully converted the RAR to a Zip file, but it still requires a password to access the file.



The Bottom Line

This article describes 3 ways to unlock WinRAR password for free, a way to unlock RAR without password, and a WinRAR password recovery software. All in all, Password Genius is a reliable RAR password unlocker, the easiest and most convenient solution. And in the end, I also mention 2 additional tips for you.


If you have any questions, you can write it down below. And our professional technical team will get to you soon.