Cracking MaxSpace - Removing a little nag
--------------------------------------------------------------------------
[x] Easy [ ] Intermediate [ ] Tough

Get MaxSpace at: Search the web :p

Tools used:
* Soft-ICE
* HIEW

MaxSpace is a programme for Borland Delphi/C++ Builder that turns the object inspector and the IDE toolbar into "auto-hide" windows, so that you can write code on a full screen.

Since the protection is a nag, we know we are going to patch it, so make a backup of the executable files (*.EXE, *.DLL, *.OCX) before trying to patch them.

The nag looks like some kind of message box: a regular window with an information icon and a single OK button. It's too simple to be anything else, so we identify it as a message box and put a breakpoint on the three most probable API functions used to draw such a window:

:bpx MessageBoxA
:bpx MessageBoxIndirectA
:bpx MessageBoxExA

Now we run MaxSpace.. Surprise surprise! Soft-ICE breaks at the API function MessageBoxA.. We want to remove the CALL to this API function, so we press F11 - this returns to the programme's code (after you pressed the OK button) - and write down the position, which is 48A84B. Notice that we are not in MAXSPACE.EXE code, we are in MAXHOOK.DLL!

Since we were executing the code and not reading a dead listing, the address is not an offset in the file: it is the address the code was loaded at, and a module can be relocated when it is loaded. So we first try to convert it to an offset relative to the image base by subtracting the executable's image base, which is 400000 in this case, and get 8A84B. Take HIEW and edit MAXHOOK.DLL, pass to disassemble mode (F4) and go to that address with the Goto option (F5), typing .8A84B (the dot tells HIEW this is an address from the loaded image rather than an offset in the file) -- Error! "Section out file".. HIEW is telling us that no section of the file covers that address. No wonder: 400000 is where MAXSPACE.EXE sits, and our code is in MAXHOOK.DLL, which has its own image base and was loaded somewhere else, so subtracting 400000 gave an offset that means nothing for the DLL. The clean way out is to ask Soft-ICE where the DLL really is (the MOD command lists the loaded modules with their base addresses), subtract that base instead, and go to the result in HIEW. But there is a shortcut. What do we do now?
Now we need to get a few bytes from around the message box call and search for them in the file on disk. Put a breakpoint on MessageBoxA and run MaxSpace. Press F11 to return to the programme's code, then type this:

:db cs:48A846 <- this is the offset of the CALL itself, 5 bytes before the return address 48A84B

This dumps the bytes at that position in the code segment (cs). Write down the hexadecimal value of a few bytes; I wrote down:

E8 E9 BF FD FF 89 45 F8 33 C0 5A 59 59 64

The first byte, E8, is a relative CALL, and a relative displacement is the same on disk and in memory, so these bytes survive relocation and can be searched for as they are. (Had the call been an indirect one through the import table, FF 15 followed by an absolute address, those four address bytes would differ between the relocated image and the file, and you would have to search for the bytes after the call instead.) Now, exit MaxSpace and load MAXHOOK.DLL in HIEW. Switch to disassembly mode, then press F7 to search the file. Go to HEX entry and type the hex values. Found! Search for another occurrence with CTRL+F7.. Not found, and a single match means this really is the nag code and not some other call that happens to look the same.

Now, if you look at the API reference for MessageBox(A), you will see it receives 4 parameters:

int MessageBox(
    HWND hWnd,          /* handle of owner window */
    LPCTSTR lpText,     /* address of text in message box */
    LPCTSTR lpCaption,  /* address of title of message box */
    UINT uType          /* style of message box */
);

In assembly every parameter has to be PUSHed before we call the function, and with this calling convention (stdcall) they are pushed in reverse order, last parameter first, so we scroll up until we see four PUSHes before the call:

push ebx                ; Message box style (uType)
push edi                ; Message box title's address (lpCaption)
push esi                ; Message box text's address (lpText)
mov eax, [ebp][-0004]
mov eax, [ebp][00024]
push eax                ; Owner window's handle (hWnd)
call MessageBoxA        ; Call function
mov [ebp][-0008], eax   ; Save return code

Now we want to remove the message box. There's an instruction that tells the processor to do nothing and go on to the next one, NOP (no operation, opcode 90h), and we'll use it. We don't NOP only the call, we NOP the parameter PUSHing as well, and not just for tidiness: MessageBoxA is a stdcall function and pops its own four parameters (16 bytes) before returning. If the call goes away and the PUSHes stay, those 16 bytes are left on the stack, and the pop edx / pop ecx / pop ecx we saw right after the call in the dump (5A 59 59) would pick up garbage. Edit the file at the 'push ebx' offset and type 90. This puts 90h in place of the push (53h), and you see that HIEW now says 'nop'. NOP the other pushes as well.. Now we need to NOP the call, how do we do that?
Simple, like the pushes, just that we NOP the whole call, not a single byte.. Count how many bytes the call takes: it's 5 (E8 plus a 4-byte relative displacement; every byte is two hexadecimal digits, so E8 E9 BF FD FF). So we type 90 five times. Do it. Now press F9 to update the file. The code should look like this now:

nop
nop
nop
mov eax, [ebp][-0004]
mov eax, [ebp][00024]
nop
nop
nop
nop
nop
nop
mov [ebp][-0008], eax

Now the programme should run just fine, we think we eliminated the nag.. Run MaxSpace.. NO NAG! It's magic :)

However, sometimes the nag has a few buttons and the code after the call checks which one was pressed; in that case we have to emulate the return code. The return code that should come back from this nag is IDOK (the user should press OK :), and IDOK is defined as 1. So we put some real code instead of some of the NOPs: mov eax, 1 assembles to B8 01 00 00 00, exactly 5 bytes, so it fits in the 6 bytes of the push eax plus the call with one NOP left over:

nop
nop
nop
mov eax, [ebp][-0004]
mov eax, [ebp][00024]
mov eax, 1
nop
mov [ebp][-0008], eax

Note that with plain NOPs, eax still holds whatever the second mov loaded (the window handle) when it is saved as the "return code", so if you are not sure what the programme does with that value, the mov eax, 1 version is the safer patch even for a one-button nag.

That's it! Now run the programme and enjoy!

- DEATH
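The whole procedure (mapping the address Soft-ICE shows to a file offset, locating the nag by its bytes, and NOPping the pushes and the call or faking IDOK) done on a PE file in Python, as an added example that is not part of the original tutorial and not MaxSpace's code. The DLL it works on is constructed in memory; its image base 10000000, its load address A00000, its section layout and the encodings of the instructions before the CALL (53 57 56 8B 45 FC 8B 45 24 50, reconstructed from the listing's mnemonics) are all assumptions, since the page only quotes the 14 bytes from the CALL onward. The Soft-ICE MOD command named in a comment is the real command for listing module bases; everything else is this example's own.

```python
import struct

# The 14 bytes quoted in the tutorial: the CALL (E8 + rel32) and what follows.
# A relative CALL keeps the same bytes on disk and in memory, which is why the
# search works; an indirect CALL (FF 15 <absolute IAT address>) would not.
NAG_PATTERN = bytes.fromhex("E8 E9 BF FD FF 89 45 F8 33 C0 5A 59 59 64")
# Assumed encodings of the instructions listed before the CALL:
# push ebx/edi/esi, mov eax,[ebp-4], mov eax,[ebp+24h], push eax
BEFORE_CALL = bytes.fromhex("53 57 56 8B 45 FC 8B 45 24 50")
NOP = 0x90


def parse_pe(data):
    """Minimal PE header walk: (ImageBase from the header, section table)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] == 0x10B:      # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:                                                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        vsize, rva, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((data[off:off + 8].rstrip(b"\0"), rva, vsize, rawptr, rawsize))
        off += 40
    return image_base, sections


def va_to_file_offset(data, va, loaded_base):
    """Debugger address -> file offset.  loaded_base must be where THIS module
    really sits in the process (Soft-ICE: MOD), not another module's base.
    None means no section on disk covers the address: HIEW's 'section out of
    file', which is what subtracting the EXE's 400000 from a DLL address gives."""
    rva = va - loaded_base
    for _name, srva, vsize, rawptr, rawsize in parse_pe(data)[1]:
        if srva <= rva < srva + max(vsize, rawsize):
            delta = rva - srva
            return rawptr + delta if delta < rawsize else None
    return None


def find_unique(data, pattern):
    """Offset of pattern; error if absent or not unique (Ctrl+F7 by hand)."""
    first = data.find(pattern)
    if first < 0:
        raise LookupError("pattern not found")
    if data.find(pattern, first + 1) >= 0:
        raise LookupError("pattern not unique, search for more bytes")
    return first


def patch_nag(data, call_off, emulate_idok=False):
    """Return a patched copy.  The three PUSHes (call-10..call-8), the PUSH EAX
    (call-1) and the 5-byte CALL go together: MessageBoxA is stdcall and pops
    its own 16 bytes of arguments, so NOPping only the CALL would leave the
    stack 16 bytes off for the pop edx/pop ecx/pop ecx that follow."""
    buf = bytearray(data)
    if bytes(buf[call_off - 10:call_off + 1]) != BEFORE_CALL + b"\xE8":
        raise ValueError("bytes around the CALL do not match the expected layout")
    buf[call_off - 10:call_off - 7] = bytes([NOP]) * 3
    if emulate_idok:
        # mov eax,1 (B8 01 00 00 00) fills push eax + 4 bytes of the CALL, 1 NOP left
        buf[call_off - 1:call_off + 5] = b"\xB8\x01\x00\x00\x00" + bytes([NOP])
    else:
        buf[call_off - 1:call_off + 5] = bytes([NOP]) * 6
    return bytes(buf)


def build_fake_dll():
    """Constructed one-section PE32 standing in for MAXHOOK.DLL: header
    ImageBase 0x10000000 (assumed), .text at RVA 0x1000 / file offset 0x400,
    nag sequence 0x20 bytes into it.  Nothing here is MaxSpace's real layout."""
    image_base, text_rva, text_raw = 0x10000000, 0x1000, 0x400
    code = b"\xCC" * 0x20 + BEFORE_CALL + NAG_PATTERN
    code += b"\xCC" * (0x200 - len(code))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x210E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva, len(code),
                       text_raw, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + coff + bytes(opt) + sect
    return hdr + b"\0" * (text_raw - len(hdr)) + code


def demo(loaded_base=0x00A00000):
    """The tutorial's steps on the fake DLL, loaded (assumed) at loaded_base."""
    data = build_fake_dll()
    call_va = loaded_base + 0x102A          # what Soft-ICE shows for the CALL
    wrong = va_to_file_offset(data, call_va, 0x400000)      # EXE base: fails
    right = va_to_file_offset(data, call_va, loaded_base)   # DLL base: 0x42A
    found = find_unique(data, NAG_PATTERN)                  # same, by search
    return wrong, right, found, patch_nag(data, found, emulate_idok=True)


if __name__ == "__main__":
    w, r, f, patched = demo()
    print(f"wrong base -> {w}, right base -> {r:#x}, search -> {f:#x}")
    print("patched:", patched[0x420:0x432].hex(" "))
```

Running it shows the two routes meeting at the same file offset, and the byte check in patch_nag is the part to keep when adapting this to a real binary: refuse to write unless the bytes in front of the CALL are exactly the pushes you expect, because a 90 written at the wrong place is the kind of mistake the backup of the DLL exists for.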