
               Cracking for newbies #1 - done by woody^drn

In Vaczine #3 I talked about nags and splash screens, this is just to
complete the tutorial.

How do we know what to break on in SoftICE? Is it a messagebox or
a dialogbox .. or something else? Take a look at the style of the nag
screen: is the close button in the top right disabled? Then it's
probably a messagebox; if not, it's a dialogbox. We can also check the
buttons that are on the nag screen: does it have Yes, No, OK or Cancel?
Probably a messagebox then, if not ... Messageboxes have icons on them
too, ( ! )  / ! \, the standard Windows icons.
The break for a messagebox in SoftICE is "bpx messageboxa" if it's a
32bit program; if not, remove the a: "bpx messagebox". For a dialogbox
use "bpx dialogboxparama", or just use the normal "bpx getwindowtexta" or
"bpx getdlgitemtexta".

Messageboxes wait for you to push a button; when you do, it will go
to the nearest ret (return) command. What you can do here is find
the place where it called or jne/je (jumped) to this location, and just
nop the je/jne or patch that byte with C3 (ret), so it thinks that you
pressed the button.

But there are several types of nag screens, not just messageboxes or
dialogboxes, but also splash screens that use pictures instead of
normal text. Here we have to break on "bpx loadbitmapa"; now SoftICE
will break when it's ready to display the image/splash screen.
One thing that comes with splash screens is a timer, if the author wants
his splash screen to show for 10 seconds. That command is SetTimer.

What we should do here is find the loadbitmapa and find the push nearest
to that. The opposite of SetTimer is KillTimer; find the killtimer and
patch the push to a jmp, so it jumps directly to the killtimer command.
This defeats most splash screens.

-wOODY^dRN

