Nasty Nag removal
Panemuckl
July 1st, 2004, 10:47
Hi!
To practise, I'm currently working on some DSL driver software.
What I've done so far:
- unpacking, full restore, import fixing (unpacked version works fine)
- removed anti-debug (now OllyDbg is my friend)
- removed CRC (MD5) self-check (naggy "CRC failure" -> Terminate)
Now the app runs with all modifications without any problems,
but still a little NAG appears on start-up:
"Application out of date, please update"
[ OK ]
After pressing OK, the program executes normally. So all I have
to do is remove that last nag screen. May sound stupid, but it's
not that easy after all...
My problem: I can't find the corresponding call to MessageBoxA!
If you wanna give it a try yourself, PM me for the modified executable.
Hopefully, someone will teach me how to find the corresponding nag.
BTW: [ ALT+F1: BPX MessageBoxA ] ==>> "Not found"
SvensK
July 1st, 2004, 11:21
PM me an url for the target and I'll have a look.
MaRKuS-DJM
July 1st, 2004, 12:06
Maybe MessageBoxW? Try to use a BP instead of a BPX.
Panemuckl
July 1st, 2004, 12:19
Tried it all:
BP User32.MessageBoxA
BP User32.CreateWindowExA
...
doesn't work. Really annoying.
naides
July 1st, 2004, 12:40
Quote (originally posted by Panemuckl):
Tried it all:
BP User32.MessageBoxA
BP User32.CreateWindowExA
Try breaking on the message that gets sent when you click the OK button.
SvensK
July 1st, 2004, 14:23
Weird app, it's constantly polling something it refers to as "magic value #1".
004172F4 |> 81BD 70FFFFFF 71187639 CMP DWORD PTR SS:[EBP-90],39761871
004172FE |. 74 1E JE SHORT removed.0041731E
If something is off with it, the Expire nag shows. If you load the app in Olly and start it, you can search for references to "Your evaluation period has expired. Order Name Deleted today!".
004174A1 |. 50 PUSH EAX
004174A2 |. 68 30964700 PUSH removed.00479630 ; UNICODE "Your evaluation period has expired. Order Name Deleted today!"
The above code is part of the polling code, I hope you can work your way through from here.
And another thing, if you leave the original .exe in the folder and run your patched exe as <orgname>Crk.exe you don't have to patch the CRC check.
All you need to patch for the CRC check is EB at 17C32h.
Edit: If this still isn't enough for you, I might have another look at it later on.
Regards
SvensK
Panemuckl
July 1st, 2004, 16:22
I noticed the "Magic value #1" stuff, but it's not important for cracking
the nag. Obviously, the author included various anti-debugging stuff, but
thanks to your help I finally solved that issue.
1. Passing through the code, I noticed that the app is calling
User32.MessageBoxIndirectW, as you can see on the SS below
function MessageBoxIndirectW; external user32 name 'MessageBoxIndirectW';
{
Other BP worthy calls:
CreateDialogIndirectParamA / CreateDialogIndirectParam
CreateDialogParamA / CreateDialogParamW
DialogBox
DialogBoxIndirect
DialogBoxParam / DialogBoxParamA / DialogBoxParamW
EndDialog
MessageBeep
MessageBoxA / MessageBoxW
MessageBoxExA / MessageBoxExW
MessageBoxIndirect / MessageBoxIndirectA / MessageBoxIndirectW
}
2. Having a look at the stack, I saw that there's a push of "expired" to it.
3. Passing some more lines of code, you will end up on the corresponding call
to User32.MessageBoxIndirectW.
4. Step 2-3 lines up and change the JE to JNE.
5. Run -> window still pops up.
What's wrong? Apparently there are some more hidden checks, so
I took a closer look at the following lines of code. Et voila: another call
to MessageBoxIndirectW. After patching the corresponding JE (same
procedure as above), the NAG has finally gone...
So Winkler & Luders did a good job, but considering myself an intermediate, not good enough.
Thanks for your help though.
Panemuckl
July 1st, 2004, 16:43
Quote (originally posted by naides):
Try breaking on the message that gets sent when you click the OK button.
How's that? You mean SoftICE?
Panemuckl and SvensK:
Our Forum rules clearly PROHIBIT the posting of target code which identifies a commercial target.

Both of you have violated this rule and I have edited your posts to remove the offending identifications.
Further violation of this rule will result in drastic consequences. Make sure you do not repeat this violation.
Regards,
naides
July 1st, 2004, 17:23
Yes, I meant with SoftICE. I do not know if it is doable in Olly, shame on me, I do not use Olly as often as I should.
You need to know the handle of the nag window etc. that has the button.
You find that out with a spy program (iSpy, Spy++ etc.).
Then you place a breakpoint on message in SoftICE:
bmsg Hwnd WM_LEFTBUTTONUP or WM_DESTROY, among others.
When you click the OK button in the NAG, SoftICE breaks and you are deep into the USER32 code woods, but you can trace your way back (F12) into your app near the code that creates and destroys your NAG. It works in a fair number of cases.
Panemuckl
July 1st, 2004, 17:41
Dear Super Moderator,
Sorry, I wasn't aware of that.
Then please read the FAQ linked in the BIG RED LETTERS on the main page of the Forums to learn the rest of the do's and don'ts.
http://www.woodmann.com/fravia/rce-faq.htm
Regards,
hipu
July 2nd, 2004, 12:20
Did you try looking for the string "Application out of date, please update" and tracing it?