
Hard Nag


nullcode
October 22nd, 2012, 08:32
Hello!
I am reversing a console that has a nag implemented through asm. It calls it via GetProcAddress & GetModuleHandleA.


Code:

not very useful


First time I see this kind of nag screen.

I tried jumping over the nag screen, but it crashes the program.


Thanks

Kayaker
October 22nd, 2012, 17:00
You did well to remove the target link yourself, however you left the target name in the code you posted. I removed the code as well, not so much because it also violates the rules but because that bunch of HexRays output was of no use to anyone.

That said, the first question is easy, what API did GetProcAddress return? Also, how is the GetModuleHandle return value being used?

I took a look at some of your other pastebin code you deleted. There's one call to GetProcAddress(hModule, esp).
Then a whole bunch of calls to an unknown function in the form of Function(hModule, random_hex_byte,..).

What does this unknown function do with the random hex byte and hModule value? Does it lead to further GetProcAddress calls? If so, it may be API hashing going on to get the addresses of other functions that might have nothing to do with the nag. If you tried jumping the whole call, yes, it will likely crash.

You need to step through everything more carefully, taking note of what real APIs are being called, and try to isolate the nag screen function itself.

The most interesting thing you could do to start with is to find and understand the API hash routine, if indeed that is what the code is doing.
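To make the API-hashing pattern Kayaker describes concrete, here is an added example (my own code, not anything from the thread's target): a ROR13 hash of export names, a constructed stand-in for a module's export table, and the two lookups that matter, the loader's resolve-by-hash and the analyst's hash-to-name. On a real Windows target the names and addresses would come from the module's IMAGE_EXPORT_DIRECTORY reached through hModule, and the hash function would be whatever the protector actually uses; the ROR13 scheme, the export names and the addresses here are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ROR13 hash of an export name, the scheme used by a lot of shellcode and
 * protector loaders: rotate the accumulator right by 13 bits, add the byte.
 * An empty string hashes to 0. (Assumed hash; the target may use another.) */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);
        h += *p;
    }
    return h;
}

/* Constructed stand-in for one module's export table. On a real target the
 * names come from IMAGE_EXPORT_DIRECTORY.AddressOfNames and the addresses
 * from AddressOfFunctions; these entries and addresses are made up. */
typedef struct {
    const char *name;
    uintptr_t   address;   /* hypothetical virtual address */
} export_entry;

static const export_entry fake_exports[] = {
    { "GetModuleHandleA", 0x7c80b741u },
    { "GetProcAddress",   0x7c80ae40u },
    { "MessageBoxA",      0x7e450a2du },
    { "ExitProcess",      0x7c81cb12u },
};
#define N_EXPORTS (sizeof fake_exports / sizeof fake_exports[0])

/* What a loop of Function(hModule, hash, ...) does: walk the export names,
 * hash each one, return the address whose hash matches. No API name ever
 * appears in the caller, only the 32-bit constant. Returns 0 on no match. */
uintptr_t resolve_by_hash(uint32_t want)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (ror13_hash(fake_exports[i].name) == want)
            return fake_exports[i].address;
    return 0;
}

/* The analyst's direction: given a constant seen in the disassembly, which
 * API is it? Returns NULL if the hash matches none of the known names. */
const char *name_for_hash(uint32_t want)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (ror13_hash(fake_exports[i].name) == want)
            return fake_exports[i].name;
    return NULL;
}

int main(void)
{
    /* Emit a hash -> name table to grep against the constants in the target. */
    for (size_t i = 0; i < N_EXPORTS; i++)
        printf("%08x  %s\n", ror13_hash(fake_exports[i].name), fake_exports[i].name);

    /* Loader-side use: resolve MessageBoxA by hash only. */
    uint32_t h = ror13_hash("MessageBoxA");
    printf("resolve(%08x) -> %#lx (%s)\n", h,
           (unsigned long)resolve_by_hash(h), name_for_hash(h));
    return 0;
}
```

The practical workflow is the second direction: once the hash routine in the target is identified, re-implement it as above, hash every export name of the modules the target loads, and the "random hex bytes" passed to the unknown function turn into API names, which is what separates the nag code from the resolver that everything else depends on.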

nullcode
October 22nd, 2012, 19:49
If I NOP the two calls, it works in IDA Pro. But when I patch it in hex it runs for a few secs then exits :S

Code:

loc_44CD01:
push 42040h
lea eax, [esp+288h+var_284]
push eax
lea eax, [esp+28Ch+var_204]
push eax
push 0
push 1F9h
mov eax, ds:dword_464FC4
push eax
call @<removed>@zqGf6kby$qqsxuiui ; <removed>:zqGf6kby(uint,uint)
call eax
dec eax ; nag happens here
mov ds:dword_4650D0, eax
jmp short loc_44CD62

Kayaker
October 23rd, 2012, 03:02
Quote:
[Originally Posted by Kayaker;93504]You did well to remove the target link yourself, however you left the target name in the code you posted. I removed the code as well, not so much because it also violates the rules but because that bunch of HexRays output was of no use to anyone.


Hmm, I find out now that one of our other moderators was the one who removed the target link from your original post, as well as the target name you left in your second post, even after reading my comment about how that violates our rules about naming commercial targets for the purposes of asking specific details about cracking them. You obviously didn't read the FAQ that's in big letters in your sig before or after posting.

That said, again, you're still posting relatively useless code for anyone to make any sense of to help you. You need to understand the code, not just blindly nop instructions hoping the problem will go away. That's why I asked the questions I did, to try to guide you to comprehending the code so you could find an intelligent place to patch.

Doesn't matter, forget it. If you don't show more effort this thread goes away.

nullcode
October 23rd, 2012, 04:31
I tried everything; it either crashes or exits right after execution. Too hard for me, I guess.

I got it to work in either Olly or IDA Pro. But it exits fast after patching it.

Code:
loc_44CC51:
mov eax, off_45F668
cmp byte ptr [eax], 0
jmp loc_44CD62

squidge
October 24th, 2012, 07:16
Quote:
[Originally Posted by nullcode;93514]I got it to work in either Olly or IDA Pro. But it exits fast after patching it.
And why do you think that is?

What do you think is the difference between an in-memory patch and an on-disk patch?

How could the application detect that it has been modified?
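As an added illustration of squidge's questions (my own code, not the trial library's), here is the simplest answer to "how could the application detect that it has been modified": a checksum over the protected bytes compared against a value embedded at build time. The code bytes, the check placement and the patch applied (mov ebx,0 changed to mov ebx,1, my reading of the MOV EBX,1 mentioned later in the thread) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table-less CRC-32 (IEEE, reflected, poly 0xEDB88320): the kind of cheap
 * checksum a trial library can run over its own code or over the file on disk. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Constructed stand-in for the protected code region as shipped. The bytes
 * are valid x86 encodings but the sequence is invented for this example. */
static const uint8_t code_shipped[] = {
    0xBB, 0x00, 0x00, 0x00, 0x00,   /* mov  ebx, 0        ; licensed = 0 */
    0x85, 0xDB,                     /* test ebx, ebx */
    0x75, 0x05,                     /* jnz  skip_nag */
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* call show_nag      ; rel32 left 0 */
    0xC3,                           /* skip_nag: ret */
};

/* Vendor side: the expected value is computed at build time over the
 * pristine bytes and embedded in the binary. */
uint32_t expected_checksum(void)
{
    return crc32_bytes(code_shipped, sizeof code_shipped);
}

/* Runtime side: 1 if the region still matches, 0 if it has been modified.
 * A protector typically runs this at startup and again from a timer thread,
 * which from outside looks like "runs for a few seconds then exits". */
int region_intact(const uint8_t *region, size_t n, uint32_t expected)
{
    return crc32_bytes(region, n) == expected;
}

/* Apply the assumed on-disk patch (mov ebx,0 -> mov ebx,1) to a copy and
 * report whether the check would still let it run. */
int patched_copy_passes(void)
{
    uint8_t patched[sizeof code_shipped];
    memcpy(patched, code_shipped, sizeof patched);
    patched[1] = 0x01;               /* immediate of the mov: 0 -> 1 */
    return region_intact(patched, sizeof patched, expected_checksum());
}

int main(void)
{
    printf("expected crc32:      %08x\n", expected_checksum());
    printf("shipped copy passes: %d\n",
           region_intact(code_shipped, sizeof code_shipped, expected_checksum()));
    printf("patched copy passes: %d\n", patched_copy_passes());
    return 0;
}
```

This also explains the in-memory versus on-disk difference squidge is hinting at: if the library reads its own executable from disk (GetModuleFileName, then CreateFile/ReadFile) and checksums that, a patch applied in the debugger's memory passes while the same bytes changed in the file fail; if it checksums the mapped code section instead, both are caught unless the patch is applied after the check has already run. Finding where the expected value is compared, rather than nopping the nag call, is the cleaner way out.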

nullcode
October 24th, 2012, 07:30
I don't know. I just compiled the Delphi test console app with a trial library.

Nothing special.

nullcode
October 24th, 2012, 10:19
Patched it myself

Had to do a bit of analyzing first. It was a simple MOV EBX,1.

But thanks!