product key/ time trial


ksbrace
July 16th, 2004, 14:26
Hello,
I am relatively new to Rev. Eng. I have done several tutorials which always make it look short and simple. It probably will get that way for me, but I'm stuck on a little personal project. Anyway, I downloaded a target with a 30 day timetrial. Then I changed my clock to go beyond the 30 days and I get the message:
"Your trial period has expired". I loaded up W32DASM and found the area:




* Referenced by a CALL at Address:
|:0042A0C1
|
:004295C9 B86C0D4600 mov eax, 00460D6C
:004295CE E8DD9D0100 call 004433B0
:004295D3 51 push ecx
:004295D4 51 push ecx
:004295D5 53 push ebx
:004295D6 56 push esi
:004295D7 8BF1 mov esi, ecx
:004295D9 33DB xor ebx, ebx
:004295DB 57 push edi
:004295DC 895E50 mov dword ptr [esi+50], ebx
:004295DF A160D04700 mov eax, dword ptr [0047D060]
:004295E4 8945F0 mov dword ptr [ebp-10], eax
:004295E7 395E60 cmp dword ptr [esi+60], ebx
:004295EA 895DFC mov dword ptr [ebp-04], ebx
:004295ED 7E30 jle 0042961F
:004295EF 8945EC mov dword ptr [ebp-14], eax

* Possible Reference to String Resource ID=00189: "Your trial period expires in %d days."
|
:004295F2 68BD000000 push 000000BD
:004295F7 8D4DEC lea ecx, dword ptr [ebp-14]
:004295FA C645FC01 mov [ebp-04], 01
:004295FE E86284FDFF call 00401A65
:00429603 FF7660 push [esi+60]
:00429606 8D45F0 lea eax, dword ptr [ebp-10]
:00429609 FF75EC push [ebp-14]
:0042960C 50 push eax
:0042960D E88E67FEFF call 0040FDA0
:00429612 83C40C add esp, 0000000C
:00429615 8D4DEC lea ecx, dword ptr [ebp-14]
:00429618 E8C882FDFF call 004018E5
:0042961D EB0D jmp 0042962C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004295ED(C)
|

* Possible Reference to String Resource ID=00190: "Your trial period has expired."
|
:0042961F 68BE000000 push 000000BE
:00429624 8D4DF0 lea ecx, dword ptr [ebp-10]
:00429627 E83984FDFF call 00401A65

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042961D(U)
|
:0042962C FF75F0 push [ebp-10]

* Possible Reference to Dialog: DialogID_007B, CONTROL_ID:016C, "Your trial period expires in %d days."



I also found this area that looks of interest:



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EA54(C)
|
:0040EAD3 51 push ecx
:0040EAD4 8D8F04010000 lea ecx, dword ptr [edi+00000104]
:0040EADA 8BC4 mov eax, esp
:0040EADC 8965E0 mov dword ptr [ebp-20], esp

* Possible StringData Ref from Data Obj ->"}"
|
:0040EADF 6860EB4700 push 0047EB60
:0040EAE4 8918 mov dword ptr [eax], ebx
:0040EAE6 E88F330000 call 00411E7A
:0040EAEB 33C9 xor ecx, ecx
:0040EAED 3BC3 cmp eax, ebx
:0040EAEF 0F9CC1 setl cl
:0040EAF2 3BCB cmp ecx, ebx
:0040EAF4 894DEC mov dword ptr [ebp-14], ecx
:0040EAF7 7413 je 0040EB0C
:0040EAF9 395DDC cmp dword ptr [ebp-24], ebx
:0040EAFC 7C0E jl 0040EB0C
:0040EAFE 6AFF push FFFFFFFF
:0040EB00 6A30 push 00000030

* Possible Reference to String Resource ID=00229: "The licence code you provided is not valid for this product."



I made a couple of changes using HIEW, but I can't get it to work. Any help would be greatly appreciated! Thanks in advance!

JMI
July 16th, 2004, 14:36
ksbrace:

I've sent you a follow-up PM about this post and how you might make it comply with our Rules and your second attempt is much better, with the additional point that you can state that you downloaded a target with a 30 day timetrial, without naming the target, which is prohibited by our Rules when code is posted. I edited your post to include this information from your original post, to make it more clear.

I make this Reply simply to bring this point to other new posters and to mention that your "Code" sections have been identified as "PHP Code" which they obviously aren't. You used the "tag" [PHP] instead of [CODE] which would correctly label them for you. I also fixed that for you.

Regards,

naides
July 16th, 2004, 14:54
Quote:
[Originally Posted by ksbrace]Hello,


* Referenced by a CALL at Address:
|:0042A0C1
|
:004295C9 B86C0D4600 mov eax, 00460D6C
:004295CE E8DD9D0100 call 004433B0
:004295D3 51 push ecx
:004295D4 51 push ecx
:004295D5 53 push ebx
:004295D6 56 push esi
:004295D7 8BF1 mov esi, ecx
:004295D9 33DB xor ebx, ebx
:004295DB 57 push edi
:004295DC 895E50 mov dword ptr [esi+50], ebx <-
:004295DF A160D04700 mov eax, dword ptr [0047D060]
:004295E4 8945F0 mov dword ptr [ebp-10], eax
:004295E7 395E60 cmp dword ptr [esi+60], ebx
:004295EA 895DFC mov dword ptr [ebp-04], ebx
:004295ED 7E30 jle 0042961F <-- Here, this jump seems to send you to "expired"
:004295EF 8945EC mov dword ptr [ebp-14], eax This Code should run instead

[...]

Be aware that unless the protection is very primitive, reversing this code may only change the message (don't shoot the messenger), but not the decision of expired or not. That decision may have been taken before this piece of code runs.

Suggestions: Learn to trace this program live, using either SoftIce or, better, OllyDebug.
Put a breakpoint in the code you/I pointed at above.
While tracing, make the code not take the jump (by manually changing the instruction or the status of the flag that controls the jle), and see what happens.

If not, find out who calls this code, by either looking at the dead list or, if live, looking at the call stack, and how the "expired" versus "you have %d days" decision is taken.

See, we are nice!!!

ksbrace
July 16th, 2004, 17:43
Thanks for the reply. I NOPed the following line:
Code:

:004295ED 7E30 jle 0042961F


to look like:

Code:

:004295ED 9090 jle 0042961F


This didn't work.
I guess my next thought was to make the jle into jg and see what happens. If it's less than or equal it jumps to expired. If it's greater, it shouldn't jump to expired, right or am I way off?

ksbrace
July 16th, 2004, 22:41
I got it!!!

I had to change the program as follows.

:004295ED 7E30 JLE 0042961F <-CHANGE TO EB30 JMP 0042961F

AND

:00429640 7E05 JLE 00429647 <- NOP THIS LINE

This will get rid of the expiration but not the nag screens.

dELTA
July 17th, 2004, 07:11
Since you haven't shown us the surrounding code at the location of the second patch (00429640), it's hard to know for sure, but my guess is that it affects the return value of the procedure you displayed the code of above, which is in turn used as an indicator by the program as to whether it should carry on or exit.

Another guess is that the procedure that displays the nag is the one at 00401A65, and if you skip this call (with the correct stack balancing of course) you will get rid of the nags in a clean way too. You could actually most likely skip the entire body of the procedure in which you made the patches, just making sure it returns the right value.

ksbrace
July 17th, 2004, 11:06
dELTA, sorry I thought I posted the whole section previously. I do still have the nag screens to deal with yet.
Code:

* Reference To: MFC42.MFC42:NoName0395, Ord:0320h
|
:004295C4 E9C7940100 Jmp 00442A90

* Referenced by a CALL at Address:
|:0042A0C1
|
:004295C9 B86C0D4600 mov eax, 00460D6C
:004295CE E8DD9D0100 call 004433B0
:004295D3 51 push ecx
:004295D4 51 push ecx
:004295D5 53 push ebx
:004295D6 56 push esi
:004295D7 8BF1 mov esi, ecx
:004295D9 33DB xor ebx, ebx
:004295DB 57 push edi
:004295DC 895E50 mov dword ptr [esi+50], ebx
:004295DF A160D04700 mov eax, dword ptr [0047D060]
:004295E4 8945F0 mov dword ptr [ebp-10], eax
:004295E7 395E60 cmp dword ptr [esi+60], ebx
:004295EA 895DFC mov dword ptr [ebp-04], ebx
:004295ED EB30 jmp 0042961F
:004295EF 8945EC mov dword ptr [ebp-14], eax

* Possible Reference to String Resource ID=00189: "Your trial period expires in %d days."
|
:004295F2 68BD000000 push 000000BD
:004295F7 8D4DEC lea ecx, dword ptr [ebp-14]
:004295FA C645FC01 mov [ebp-04], 01
:004295FE E86284FDFF call 00401A65
:00429603 FF7660 push [esi+60]
:00429606 8D45F0 lea eax, dword ptr [ebp-10]
:00429609 FF75EC push [ebp-14]
:0042960C 50 push eax
:0042960D E88E67FEFF call 0040FDA0
:00429612 83C40C add esp, 0000000C
:00429615 8D4DEC lea ecx, dword ptr [ebp-14]
:00429618 E8C882FDFF call 004018E5
:0042961D EB0D jmp 0042962C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004295ED(U)
|

* Possible Reference to String Resource ID=00190: "Your trial period has expired."
|
:0042961F 68BE000000 push 000000BE
:00429624 8D4DF0 lea ecx, dword ptr [ebp-10]
:00429627 E83984FDFF call 00401A65

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042961D(U)
|
:0042962C FF75F0 push [ebp-10]

* Possible Reference to Dialog: DialogID_007B, CONTROL_ID:016C, "Your trial period expires in %d days."
|
:0042962F 686C010000 push 0000016C
:00429634 FF7604 push [esi+04]

* Reference To: USER32.SetDlgItemTextA, Ord:0253h
|
:00429637 FF150C604600 Call dword ptr [0046600C]
:0042963D 395E60 cmp dword ptr [esi+60], ebx
:00429640 90 nop
:00429641 90 nop
:00429642 6A02 push 00000002
:00429644 5F pop edi
:00429645 EB02 jmp 00429649
:00429647 33FF xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00429645(U)
|
:00429649 FF7604 push [esi+04]

* Reference To: USER32.GetParent, Ord:0145h



00401A65
Code:

* Referenced by a CALL at Addresses:
|:004013BE , :004074F1 , :00407514 , :0040755F , :00407582
|:00407612 , :0040FD6B , :004261F1 , :00426403 , :00426410
|:004265C0 , :00426AD2 , :00426BD9 , :00426BE6 , :00426E7B
|:00426E88 , :00427151 , :0042715E , :004272B0 , :004272BD
|:00427368 , :00427375 , :0042745A , :00427467 , :0042945A
|:0042946F , :004295FE , :00429627 , :0042976B , :0042A651
|:0042AD9F , :0042ADB4 , :00441DEF , :00441F8F , :00441F9F
|:00441FAF , :00441FBF
|
:00401A65 55 push ebp
:00401A66 8BEC mov ebp, esp
:00401A68 81EC08010000 sub esp, 00000108
:00401A6E 53 push ebx
:00401A6F A110554900 mov eax, dword ptr [00495510]
:00401A74 56 push esi
:00401A75 894DF8 mov dword ptr [ebp-08], ecx
:00401A78 BE00010000 mov esi, 00000100
:00401A7D 57 push edi

dELTA
July 18th, 2004, 06:07
So, did you try what I recommended above, about the nags? And since you didn't include the end of the function this time either, it is still not possible to really see what that last patch does; all you can see is that it affects the contents of the edi register, setting it to 2 instead of 0 (I'm not telling you that you necessarily need to include the whole function though, especially not if it's big).

ksbrace
July 18th, 2004, 07:27
dELTA,
Thanks for your help/guidance. I haven't tried anything w/the nags because I wasn't sure what to do at 00401A65. I thought that I got the surrounding code for 00429640 on my last reply. I thought the function ended on :00429649. I hate to sound ignorant (but if you don't know, you have to ask), how do I know when the function ends? I have included some more:
Code:

* Possible Reference to Dialog: DialogID_007B, CONTROL_ID:016C, "Your trial period expires in %d days."
|
:0042962F 686C010000 push 0000016C
:00429634 FF7604 push [esi+04]

* Reference To: USER32.SetDlgItemTextA, Ord:0253h
|
:00429637 FF150C604600 Call dword ptr [0046600C]
:0042963D 395E60 cmp dword ptr [esi+60], ebx
:00429640 7E05 jle 00429647
:00429642 6A02 push 00000002
:00429644 5F pop edi
:00429645 EB02 jmp 00429649

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00429640(C)
|
:00429647 33FF xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00429645(U)
|
:00429649 FF7604 push [esi+04]

* Reference To: USER32.GetParent, Ord:0145h
|
:0042964C FF158C604600 Call dword ptr [0046608C]
:00429652 83CF01 or edi, 00000001
:00429655 57 push edi
:00429656 53 push ebx
:00429657 6870040000 push 00000470
:0042965C 50 push eax

* Reference To: USER32.PostMessageA, Ord:01FFh
|
:0042965D FF1594604600 Call dword ptr [00466094]
:00429663 8D4DF0 lea ecx, dword ptr [ebp-10]
:00429666 E87A82FDFF call 004018E5
:0042966B 8B4DF4 mov ecx, dword ptr [ebp-0C]
:0042966E 33C0 xor eax, eax
:00429670 5F pop edi
:00429671 5E pop esi
:00429672 40 inc eax
:00429673 5B pop ebx
:00429674 64890D00000000 mov dword ptr fs:[00000000], ecx
:0042967B C9 leave
:0042967C C3 ret



* Referenced by a CALL at Addresses:
|:0042A0DA , :0042BA8F
|

* Possible Reference to Dialog: DialogID_007D
|
:0042967D 6A7D push 0000007D
:0042967F 58 pop eax
:00429680 C3 ret



* Referenced by a CALL at Address:
|:004294C7
|
:00429681 B8A00D4600 mov eax, 00460DA0
:00429686 E8259D0100 call 004433B0
:0042968B 83EC2C sub esp, 0000002C
:0042968E 53 push ebx
:0042968F 56 push esi
:00429690 57 push edi

ksbrace
July 18th, 2004, 08:44
ok, I've been 'attempting' to remove the nag screens. dELTA, you had mentioned that if I skip the call at 00401A65 that may eliminate the nag screens. I thought by changing this
Code:
:004013A0 7405 je 004013A7

To
Code:
:004013A0 7505 jne 004013A7


but that didn't work. Any guidance would be greatly appreciated. Thanks,

Code:

* Possible Reference to Dialog: DialogID_00DE, CONTROL_ID:0175, "Settings:"
|
:0040135E 6875010000 push 00000175
:00401363 50 push eax
:00401364 895DFC mov dword ptr [ebp-04], ebx
:00401367 E8B9120000 call 00402625
:0040136C 53 push ebx
:0040136D 6A05 push 00000005
:0040136F 8D45E0 lea eax, dword ptr [ebp-20]
:00401372 6A01 push 00000001
:00401374 50 push eax
:00401375 8D4E4C lea ecx, dword ptr [esi+4C]
:00401378 C645FC01 mov [ebp-04], 01
:0040137C E80E130000 call 0040268F
:00401381 8BC8 mov ecx, eax
:00401383 C645FC03 mov [ebp-04], 03
:00401387 E898130000 call 00402724
:0040138C 8BC8 mov ecx, eax
:0040138E C645FC04 mov [ebp-04], 04
:00401392 E88D130000 call 00402724
:00401397 8B4DE0 mov ecx, dword ptr [ebp-20]
:0040139A 834DFCFF or dword ptr [ebp-04], FFFFFFFF
:0040139E 3BCB cmp ecx, ebx
:004013A0 7405 je 004013A7
:004013A2 E8D38C0000 call 0040A07A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004013A0(C)
|
:004013A7 A160D04700 mov eax, dword ptr [0047D060]
:004013AC 8945C0 mov dword ptr [ebp-40], eax

* Possible Reference to String Resource ID=00225: "General"
|
:004013AF 68E1000000 push 000000E1
:004013B4 8D4DC0 lea ecx, dword ptr [ebp-40]
:004013B7 C745FC05000000 mov [ebp-04], 00000005
:004013BE E8A2060000 call 00401A65
:004013C3 680200FFFF push FFFF0002
:004013C8 680000FFFF push FFFF0000
:004013CD 6A0E push 0000000E
:004013CF 6A0E push 0000000E
:004013D1 53 push ebx
:004013D2 6884574800 push 00485784
:004013D7 FF75C0 push [ebp-40]
:004013DA E81B080000 call 00401BFA
:004013DF 83C40C add esp, 0000000C
:004013E2 8BCF mov ecx, edi
:004013E4 50 push eax
:004013E5 E803100000 call 004023ED
:004013EA 395E0C cmp dword ptr [esi+0C], ebx
:004013ED 8945A4 mov dword ptr [ebp-5C], eax
:004013F0 895DC4 mov dword ptr [ebp-3C], ebx
:004013F3 0F86CD040000 jbe 004018C6

* Reference To: OLEAUT32.SysFreeString, Ord:0006h
|
:004013F9 8B3D485F4600 mov edi, dword ptr [00465F48]

dELTA
July 18th, 2004, 09:39
Most normal functions end with the instruction "ret" or "retn". Do note that all execution paths of the function must be ended with this instruction before the code of the function ends though, not just one of them (i.e. the first occurrence).

And I'm not sure where you are suggesting to make that latest patch, you are no longer located in the same function as above. The call that I guessed might display the nags must be skipped inside the function you were in before, not just at any place, it might be a more generic message/dialog related function. But that was just a guess from my side anyway, it would need more analysis to verify. Try my earlier suggestion about returning immediately from the entire function instead (just balance the stack first), and see if there are any checks for specific return values afterwards, in that case return those.

Finally, after you posted the additional code it can be seen that your earlier patch that "made it work" affects a parameter to the PostMessage API, use an API reference to see exactly what it did.

Anyway, my internet access is quite limited right now, and I won't be able to provide any more detailed help on this matter. Someone else is welcome to take it from here, maybe naides, or someone else who is usually helpful to newbies?

ksbrace
July 23rd, 2004, 09:14
Ok, I read this tutorial today on killing nags and it said to look for FF FF 82 or FF FF FF FF 82 and to look at the text and see if that was related to one of the nag screens. There were several FF FF 82 spots, I changed one of them to FF FF 7E and it got rid of the first nag. I tried it with the second and third nag and the proggy gave me an error. Funny thing, when I change an FF FF 82 to FF FF 7E on either of the final 2 nag screens, it just takes out a block of the entire window/dialog box. Leaving a big blue space in it. Is this the preferred method on killing nags or not?

naides
July 23rd, 2004, 11:49
Quote:
[Originally Posted by ksbrace][...] Is this the preferred method on killing nags or not?

I have been assigned by the administration to help you in this matter.

The "readymade" methods you read in some tutorials may work or may not, but it is the wrong path to learn RCE. Rather concentrate on learning why things happen, then how to modify the code so things do happen the way you wanted.

Code:
* Referenced by a CALL at Addresses:
|:004013BE , :004074F1 , :00407514 , :0040755F , :00407582
|:00407612 , :0040FD6B , :004261F1 , :00426403 , :00426410
|:004265C0 , :00426AD2 , :00426BD9 , :00426BE6 , :00426E7B
|:00426E88 , :00427151 , :0042715E , :004272B0 , :004272BD
|:00427368 , :00427375 , :0042745A , :00427467 , :0042945A
|:0042946F , :004295FE , :00429627 , :0042976B , :0042A651
|:0042AD9F , :0042ADB4 , :00441DEF , :00441F8F , :00441F9F
|:00441FAF , :00441FBF
|
:00401A65 55 push ebp
:00401A66 8BEC mov ebp, esp


As you can see the code at :00401A65 gets called from dozens of areas in your program, so we had better leave it alone, or you may sabotage a lot of important functionality.

On the other hand the nags seem to be generated in code like this:

Code:
:004295ED EB30 jmp 0042961F
:004295EF 8945EC mov dword ptr [ebp-14], eax

* Possible Reference to String Resource ID=00189: "Your trial period expires in %d days."
|
:004295F2 68BD000000 push 000000BD The NAG text is pushed
:004295F7 8D4DEC lea ecx, dword ptr [ebp-14] More setup stuff
:004295FA C645FC01 mov [ebp-04], 01
:004295FE E86284FDFF call 00401A65 This call displays the NAG
:00429603 FF7660 push [esi+60]
:00429606 8D45F0 lea eax, dword ptr [ebp-10]
:00429609 FF75EC push [ebp-14]
:0042960C 50 push eax


At least it is a good thing to explore. So prevent the line:

:004295FE E86284FDFF call 00401A65 from executing.

How?

If you just nop it the program will crash because

:004295F2 68BD000000 push 000000BD right before the call changes the stack

so replace the bytes

:004295FE E86284FDFF call 00401A65


for

:004295FE 59 pop ECX One pushed, one popped, we are even
:004295FF 90909090 nop nop nop nop

If you do this at the code that generates your NAG (which you can identify by the text that gets pushed), you prevent the nag from being generated, and finish your project.

Be aware that the NAG may be called from other areas in the code apart from :004295FE, which I used AS AN EXAMPLE. You have to figure out where it gets called and neutralize it. If my hypothesis is correct, it is one or more of the many addresses that call the

:00401A65 routine
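
The following is an added worked example, not code from the thread or from the target. It decodes the branches in the listings posted above and builds the byte patches that have been discussed: jle to jmp (7E 30 to EB 30), flipping a condition (7E jle to 7F jg, as ksbrace wondered), NOPing, and naides's stack-balanced replacement of a 5-byte call. Because no `add esp` follows the call at 004295FE, the callee must be popping its own argument, so whatever replaces the call has to discard the pushed dword itself: `pop ecx` does that at the cost of clobbering ecx (harmless at this site, since ecx is reloaded by the `lea ecx, [ebp-14]` at 00429615 before its next use, but worth checking at every site), while `add esp, 4` (83 C4 04) does it without touching any register. The only inputs are addresses and opcode bytes copied from the W32DASM output. Translating a virtual address to a file offset (which HIEW does for you) is not done here; `apply_patch` takes a file offset and refuses to write unless the original bytes are at that offset, and the image it patches is a constructed stand-in, not the binary.

```python
"""
Branch decoding and patch bytes for the listing above (added example; the only
inputs are the addresses and opcode bytes copied from the W32DASM output).
"""
import struct

# Opcode bytes copied from the listing, keyed by virtual address.
LISTING = {
    0x004295ED: bytes.fromhex("7E30"),        # jle  0042961F  ("expired" path if taken)
    0x004295FE: bytes.fromhex("E86284FDFF"),  # call 00401A65  (preceded by push 000000BD)
    0x00429640: bytes.fromhex("7E05"),        # jle  00429647  (edi = 0 instead of 2)
}


def branch_target(addr: int, code: bytes) -> int:
    """Target of a short Jcc (70-7F), short JMP (EB) or near CALL/JMP (E8/E9) at addr.
    The displacement is relative to the address of the *next* instruction."""
    op = code[0]
    if op in (0xE8, 0xE9):
        disp = struct.unpack("<i", code[1:5])[0]      # signed rel32
        return (addr + 5 + disp) & 0xFFFFFFFF
    if op == 0xEB or 0x70 <= op <= 0x7F:
        disp = struct.unpack("<b", code[1:2])[0]      # signed rel8
        return (addr + 2 + disp) & 0xFFFFFFFF
    raise ValueError(f"not a branch opcode: {op:02X}")


def force_jump(code: bytes) -> bytes:
    """Short Jcc -> unconditional short JMP, same displacement (7E 30 -> EB 30)."""
    if not 0x70 <= code[0] <= 0x7F:
        raise ValueError("expected a short conditional jump")
    return b"\xEB" + code[1:2]


def invert_jcc(code: bytes) -> bytes:
    """Flip a short Jcc's condition: opposite conditions differ in opcode bit 0
    (7E jle <-> 7F jg, 74 je <-> 75 jne)."""
    if not 0x70 <= code[0] <= 0x7F:
        raise ValueError("expected a short conditional jump")
    return bytes([code[0] ^ 1]) + code[1:2]


def nop_out(code: bytes) -> bytes:
    """Replace every byte with 0x90. Only valid for whole instructions."""
    return b"\x90" * len(code)


def skip_call(code: bytes, pushed_dwords: int, clobber_ecx: bool = False) -> bytes:
    """Remove a near CALL whose callee pops `pushed_dwords` arguments (callee-cleans
    convention, as in the listing: no 'add esp' follows the call). The pushes stay,
    so the replacement has to discard them itself, NOP-padded to the call's 5 bytes.
      clobber_ecx=True : one 'pop ecx' (59) per dword, naides's variant; ecx is lost
      clobber_ecx=False: 'add esp, imm8' (83 C4 xx), touches no register"""
    if len(code) != 5 or code[0] != 0xE8:
        raise ValueError("expected a 5-byte near call")
    if not 0 < pushed_dwords * 4 <= 0x7F:
        raise ValueError("argument size must fit a sign-extended imm8")
    patch = b"\x59" * pushed_dwords if clobber_ecx else bytes([0x83, 0xC4, pushed_dwords * 4])
    if len(patch) > 5:
        raise ValueError("replacement does not fit in 5 bytes")
    return patch + b"\x90" * (5 - len(patch))


def apply_patch(image: bytearray, offset: int, expected: bytes, new: bytes) -> None:
    """Write `new` at a file offset only after checking the original bytes are there,
    which catches a wrong VA-to-file-offset translation or an already patched file."""
    if len(new) != len(expected):
        raise ValueError("patch must be the same length as the bytes it replaces")
    if bytes(image[offset:offset + len(expected)]) != expected:
        raise ValueError(f"bytes at offset 0x{offset:X} are not the expected original")
    image[offset:offset + len(new)] = new


if __name__ == "__main__":
    for addr, code in LISTING.items():
        print(f"{addr:08X}: {code.hex().upper():<10} -> {branch_target(addr, code):08X}")
    call = LISTING[0x004295FE]
    print("jle->jmp :", force_jump(LISTING[0x004295ED]).hex().upper())
    print("pop ecx  :", skip_call(call, 1, clobber_ecx=True).hex().upper())
    print("add esp,4:", skip_call(call, 1).hex().upper())
    # Constructed stand-in for the file bytes around the call (not the real binary):
    # push 000000BD / call 00401A65 / push [esi+60]
    image = bytearray(b"\x68\xBD\x00\x00\x00" + call + b"\xFF\x76\x60")
    apply_patch(image, 5, call, skip_call(call, 1))
    print("patched  :", image.hex().upper())
```

One thing the listing itself suggests, worth confirming in a debugger before removing calls to 00401A65: the value it leaves at [ebp-10] is what 0042962C pushes into SetDlgItemTextA for control 016C, and every caller shown passes a string resource ID (BD, BE, E1) with a buffer in ecx, so it looks like a string-resource loader feeding the dialog text rather than the routine that shows the dialog.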

JMI
July 23rd, 2004, 13:51
See why we gave "nobody" this assignment.

Regards,

Woodmann
July 23rd, 2004, 16:00
Hi,

naides is a great choice for this job.
He spends enough time here, may as well make him work while he is here.



Woodmann

dELTA
July 23rd, 2004, 18:56
Thanks naides, I knew we could trust you for a nice and patient explanation like this.

Btw, I've always been wondering what these magical FF FF FF 82 bytes really are? They are described but never explained in bunches of nag removal tutorials, and sadly I never got around to investigating them myself.

Does anyone have a good explanation for what these bytes really are?

Since they appear to always occur in connection to the text of the nag inside the executable, I guess they must be located in either the data section or the resource section of the exe, and hence not being part of any opcode or opcode parameter. What makes me even more curious is that this simple generic patch seems to work flawlessly so often, both in the old days, since it originally appeared in that old tKc tutorial I think, and today, for example in the program discussed in this thread.

Are they some kind of resource flags, and in that case exactly what flags are they? Or is it something else? Please help me put an end to this mystery once and for all.
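
dELTA's question has a concrete answer in the DIALOG resource format, and the following added example (not code from the thread; the dialog it builds is constructed here, not taken from the program under discussion) shows it. A classic DIALOG resource is a DLGTEMPLATE header followed by one DLGITEMTEMPLATE per control. In each item the control id is a WORD, and static text controls conventionally get id 0xFFFF (-1), which is the "ControlID:FFFF" W32DASM prints for such text. The class field that follows is either a wide string or the marker 0xFFFF plus the 16-bit ordinal of a predefined class: 0x0080 Button, 0x0081 Edit, 0x0082 Static, 0x0083 ListBox, 0x0084 ScrollBar, 0x0085 ComboBox. So the bytes FF FF | FF FF 82 00 read "id -1, class Static" and sit immediately before the control's text, which is why the tutorial pattern lands next to the nag string in the resource section rather than in any opcode. Overwriting 0x82 with 0x7E leaves an ordinal that names no predefined class, so that control cannot be created when the dialog is instantiated; what the program does after that (no dialog, an error, or a hole where the text was) depends on how it handles the failure, which is consistent with the mixed results reported above. The script builds such a template, parses it back, locates the class bytes precisely instead of by blind byte search, and applies the patch. DLGTEMPLATEEX (signature 0xFFFF 0x0001, with DWORD ids) is not handled.

```python
"""
What the 'FF FF 82' / 'FF FF FF FF 82' bytes are (added example; the dialog
template below is constructed here, it is not from the program in the thread).
"""
import struct

# Predefined window classes that a DLGITEMTEMPLATE may name by ordinal after 0xFFFF.
CLASS_ORDINALS = {0x80: "Button", 0x81: "Edit", 0x82: "Static",
                  0x83: "ListBox", 0x84: "ScrollBar", 0x85: "ComboBox"}
DS_SETFONT = 0x40


def wsz(s: str) -> bytes:
    """NUL-terminated UTF-16LE string as used inside dialog templates."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_dialog(title: str, controls) -> bytes:
    """Serialize a classic DLGTEMPLATE. controls: [(class_ordinal, control_id, text)]."""
    buf = bytearray()
    style = 0x90C80080                       # WS_POPUP|WS_VISIBLE|WS_CAPTION|WS_SYSMENU|DS_MODALFRAME
    buf += struct.pack("<IIHHHHH", style, 0, len(controls), 0, 0, 200, 80)
    buf += b"\x00\x00"                       # no menu
    buf += b"\x00\x00"                       # default dialog window class
    buf += wsz(title)
    for ordinal, cid, text in controls:
        while len(buf) % 4:                  # each DLGITEMTEMPLATE starts DWORD aligned
            buf += b"\x00"
        buf += struct.pack("<IIHHHHH", 0x50000000, 0, 10, 10, 100, 12, cid)  # WS_CHILD|WS_VISIBLE
        buf += struct.pack("<HH", 0xFFFF, ordinal)   # class by ordinal: FF FF xx 00
        buf += wsz(text)
        buf += b"\x00\x00"                   # no creation data
    return bytes(buf)


def _sz_or_ord(buf: bytes, off: int):
    """Read a sz_Or_Ord field: 0x0000 (empty), 0xFFFF+WORD (ordinal) or a wide string.
    Returns (value, offset_after); value is an int for ordinals, str otherwise."""
    first = struct.unpack_from("<H", buf, off)[0]
    if first == 0xFFFF:
        return struct.unpack_from("<H", buf, off + 2)[0], off + 4
    end = off
    while struct.unpack_from("<H", buf, end)[0] != 0:
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_dialog(buf: bytes):
    """Return (title, [items]); each item records where its class field lives."""
    style, _ex, cdit = struct.unpack_from("<IIH", buf, 0)
    off = 18                                           # past x, y, cx, cy
    _, off = _sz_or_ord(buf, off)                      # menu
    _, off = _sz_or_ord(buf, off)                      # window class
    title, off = _sz_or_ord(buf, off)
    if style & DS_SETFONT:
        _, off = _sz_or_ord(buf, off + 2)              # point size WORD, then face name
    items = []
    for _ in range(cdit):
        off = (off + 3) & ~3
        cid = struct.unpack_from("<H", buf, off + 16)[0]
        class_off = off + 18
        cls, off = _sz_or_ord(buf, class_off)
        text, off = _sz_or_ord(buf, off)
        cdata = struct.unpack_from("<H", buf, off)[0]
        off += cdata if cdata else 2                   # size word counts itself when present
        if isinstance(cls, int):
            cls = CLASS_ORDINALS.get(cls, f"ordinal 0x{cls:02X} (no such predefined class)")
        items.append({"id": cid, "class": cls, "text": text, "class_off": class_off})
    return title, items


def find_tutorial_pattern(buf: bytes):
    """The blind search the tutorials describe: offsets of 'FF FF FF FF 82 00'."""
    pat = bytes.fromhex("FFFFFFFF8200")
    return [i for i in range(len(buf) - len(pat) + 1) if buf[i:i + len(pat)] == pat]


def set_class_ordinal(buf: bytes, class_off: int, ordinal: int) -> bytes:
    """The tutorial patch (0x82 -> 0x7E): the class no longer names a predefined
    window class, so that control cannot be created when the dialog is built."""
    if buf[class_off:class_off + 2] != b"\xFF\xFF":
        raise ValueError("no class ordinal marker at this offset")
    out = bytearray(buf)
    struct.pack_into("<H", out, class_off + 2, ordinal)
    return bytes(out)


# Constructed sample: one static text line (id -1) and an OK button.
SAMPLE = build_dialog("Evaluation", [
    (0x82, 0xFFFF, "You can evaluate this copy for 30 days."),
    (0x80, 1, "OK"),
])

if __name__ == "__main__":
    title, items = parse_dialog(SAMPLE)
    for it in items:
        print(f"id={it['id']:04X} class={it['class']:<8} text={it['text']!r} "
              f"class bytes at 0x{it['class_off']:X}")
    print("tutorial pattern at:", [hex(o) for o in find_tutorial_pattern(SAMPLE)])
```

The parse-based offset is the one to patch from: the blind six-byte search can match unrelated data, and it silently misses dialogs that use the EX template or a non-static class for the text.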

JMI
July 23rd, 2004, 19:08
Doo-Dee-Duu-Daa; Doo-Dee-Duu-Daa. You are about to enter the Twilight Zone.

Regards,

Woodmann
July 23rd, 2004, 19:19
Ummmmmmmmmm...........

JMI.....You are already in the twilight zone

Lay off the weed, and dont give me the old "for medicinal purposes" bullshit.

Luv to my 'peeps,

Woodmann

JMI
July 23rd, 2004, 19:57
But I NEVER had sex with that woman... oh sorry... wrong story... I mean, "I never inhaled." Cough, cough.

Regards,

Kayaker
July 23rd, 2004, 21:22
Quote:
[Originally Posted by Woodmann]Hi,
naides is a great choice for this job.
He spends enough time here, may as well make him work while he is here.
Woodmann


I think we should start paying Naides his due worth, what with all the monies we get from Compuware as a subsidiary Softice support forum, the percentage of advertising revenues we get from the Big Protectors, plus the kickbacks from... Oh wait, that wasn't supposed to get out was it?

Uradox
July 24th, 2004, 01:31
Don't quote me on it, but probably resource flags like you suggest, for Delphi or VB or one of those sorts of IDEs.
Used to do similar stuff years ago with Delphi nags.
Don't really think it's a good method if the program can run without the nag with registration. Lazy more or less, but hey, if it works I guess the sky's the limit.

ksbrace
July 25th, 2004, 11:33
naides,
Thanks for the help. I have implemented the change and I am still getting the 2nd and 3rd nags. I will keep looking and try to find out where the other calls are being made and make a similar change as you have suggested. I have found this at the top of the disassembly:
Code:

001 - ControlID:FFFF, Control Class:"" Control Text:"You are able to evaluate the product for a trial period of 30 days."
This is part of the nag and this is the only place "You are able to evaluate the product for a trial period of 30 days." is located. I noticed the ControlID is FFFF. I was wondering if that is where the tutorials were always getting the "look for FF FF 82"??? Also, here's the area where the 2nd nag seems to be appearing (there is more text than the 'You are able....'):
Code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004295ED(U)
|

* Possible Reference to String Resource ID=00190: "Your trial period has expired."
|
:0042961F 68BE000000 push 000000BE
:00429624 8D4DF0 lea ecx, dword ptr [ebp-10]
:00429627 E83984FDFF call 00401A65

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042961D(U)
|
:0042962C FF75F0 push [ebp-10]

* Possible Reference to Dialog: DialogID_007B, CONTROL_ID:016C, "Your trial period expires in %d days."
|
:0042962F 686C010000 push 0000016C
:00429634 FF7604 push [esi+04]


Now I tried making the same changes as you had mentioned at address :0042961F and :0042962F but the nags still appeared.

The 3rd nag appears with this text: "You have successfully installed the licensed product." which is only located here:
Code:
001 - ControlID:FFFF, Control Class:"" Control Text:"You have successfully installed the licensed product."

the remaining text of the 3rd nag is: "Click Finish to start the application", which is only located here:
which is only located here:
Code:

002 - ControlID:FFFF, Control Class:"" Control Text:"Click Finish to start the application."
I'm still digging and reading info, but I have been spinning my wheels for a few days now. Thanks, for your help!