HOW TO CRACK Net.Medic 1.2.2

Tutorial by UmE

Introduction: this time we will crack Net.Medic 1.2.2, a great program to mantain under control 
you internet connection. We will re-enable some functions that we can not use in demo version.

Necessary tools: Wdasm 8.9.

Program description: Net.Medic 1.2.2, netMedic.exe, 1.030.144 bytes.


PARENTAL ADVISORY: this tutorial is cracking oriented!!!


Step 1: when you run the program the main screen shows you a window with some parameters that 
the application will monitorize during an Internet session. If you want to see more parameters 
you can go to the "View" -> "Details" menu and choose an item....when you select one a message 
box appear and tells you:

"The feature you have requested is available only in the retail version of Net.Medic. If you 
would like a temporary license to try all the advanced features of Net.Medic for the next 30 
days, click OK "

Now if you push the OK button the program will start with a time trial period of 30 days after 
that you got to buy the full version of the program. Push the "Cancel" buttom and let's try to 
re-enabled the crippled features. Notice: also other features in the "Window" menù are disabled.

Step 2: open W32Dasm and dissasemble the netMedic.exe file. 
Go to the "Refs" -> "String Data Reference..." menu and search for the string "The feature you 
have.....". When you find it double clik on it and W32Dasm will bring you to the piece of code 
where the string is referenced. You have:

:0043F1FE 7403                    	je 0043F203
:0043F200 8B7020                  	mov esi, dword ptr [eax+20]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1FE(C)
|
:0043F203 8D4DEC                  	lea ecx, dword ptr [ebp-14]
:0043F206 BB01000000              	mov ebx, 00000001

* Reference To: MFC40.Ordinal:01E6, Ord:01E6h
                                  |
:0043F20B E888A80400              	Call 00489A98
:0043F210 8B45E4                  	mov eax, dword ptr [ebp-1C]
:0043F213 885DFC                  	mov byte ptr [ebp-04], bl
:0043F216 83B8C800000005   		cmp dword ptr [eax+000000C8], 00000005
:0043F21D 754E                    	jne 0043F26D

* Possible Reference to String Resource ID=57882: "The feature you have requested is available 
only in the reta"
                                  |
:0043F21F 681AE20000         		push 0000E21A			<- This is the string!!!
:0043F224 8D4DF0                  	lea ecx, dword ptr [ebp-10]

* Reference To: MFC40.Ordinal:0E48, Ord:0E48h
                                  	|
:0043F227 E878A80400              	Call 00489AA4

If you look a little above you can notice that this code is referenced by a conditiona jump at 
the address 0043F1FE. Let's go at 0043F1FE address and we have:

:0043F1F4 1BFF                    	sbb edi, edi
:0043F1F6 83E7E2                  	and edi, FFFFFFE2
:0043F1F9 83C73C                  	add edi, 0000003C
:0043F1FC 3BC6                    	cmp eax, esi
:0043F1FE 7403                    	je 0043F203
:0043F200 8B7020                  	mov esi, dword ptr [eax+20]

Move upward the code and you'll find that this piece of code is called from the 0043F1AA 
address. Go to the 0043F1AA address and you find:

* Referenced by a CALL at Addresses:
|:004091ED   , :0040922D   , :0040926D   , :004092CD   , :0040932D   
|:0040938D   , :004093ED   , :0040944D   , :004094AD   , :0040950D   
|:00409BF4   , :00409C41   , :00409C8E   , :00409CDB   , :00409D28   
|:00409D9F   , :0040A38E   , :0042703D   , :0042829E   , :0042C18E   
|:00437D9D   
|
:0043F1A0 8B442404                	mov eax, dword ptr [esp+04]
:0043F1A4 B998704A00            	mov ecx, 004A7098
:0043F1A9 50                      	push eax
:0043F1AA E801000000              	call 0043F1B0
:0043F1AF C3                      	ret

You can notice that this piece of code is referenced from a lot of call. Every call rapresents 
a disabled function. If you go to analyze the caller code at the various addresses you can 
notice a similar way to proceed for all the calls; for example at 004091ED (the first call in 
the list above) you have:

:004091ED E8AE5F0300             	call 0043F1A0		<- the fatidical call!!
:004091F2 83C404                    add esp, 00000004		<-updates the stack
:004091F5 85C0                    	test eax, eax		<-test eax
:004091F7 740D                    	je 00409206			<-jump if eax=1 (func. enable)

Idem for the others callers.
Now we must do that the function at 0043F1A0 retrives always eax=1...how can we do this? In 
this way.....just patch the instruction at 0043F1A0 with this instructions:

push 	00000001		<- push 1 in the stack
pop   eax			<- load the value you have pushed in eax
ret				<- return to the caller

In exadecimal is: 	6A 01 58 C3

The function will retrive now always eax=1 and all the functions will be enable when you'll go 
to use them.

Ok guys that's all for now. I hope this tutorial could be useful for someone.

Greetings to Volatility and all the Immortal Descendants.

Contact me at: ume15@hotmail.com