HOW TO REMOVE NAGSCREENS USING EXESCOPE

Tools used:

Windasm, Exescope, Hexeditor

Target:

CDRipper 2.0 by MP3Developments (www.mp3developments.com)

Some info:

Small tool to rip CD tracks from an audio CD and convert them.

Protection:

Nagscreen, 15 days trial time

Level:

For beginners

The Tutorial:

First of all, let me remind you that this program can be cracked in several ways, but note that this tutorial was written just to show you how handy EXESCOPE can be.

Alright, after you have installed the program, make sure you make a backup of the CDRIPPER.EXE file, just in case. Start the program, and the first thing we meet is this little nagscreen:

This little nagscreen gives us all the info we need, so look at it carefully.

Right, now exit the program and fire up EXESCOPE. Open the CDRIPPER.EXE file and you'll get the following screen showing these elements:


Click on Resource, followed by Dialog, and you'll notice a row of numbers under Dialog. Now click on 230 and you'll see text appear on the right-hand side. If you look carefully you can identify this as being the ABOUT screen. You can push the 'test display' button to view the box, as shown below:

Now this is interesting for us... if we can see the about screen, we can also see the NAGSCREEN!!! When you search a little you'll notice that our nagscreen has the number 292! See below; it's without the text, but we can clearly recognize it as being our nagscreen:

And this is all we need from EXESCOPE! As 292 is a decimal value, we need to convert it to hex, which gives the value 124. Remember this value!

Exit EXESCOPE and start WinDasm, make a dead listing and search for: PUSH 00000124

REMEMBER: A messagebox is displayed by a PUSH followed by a CALL.

We land at 416f2f and we see:

a push and a call... good!! Now scroll up a little and you'll notice that this routine is called from address 416948. Now press Shift+F12 and go to that location. We land here:

Scroll up and you see that we are jumped to this part of the code. Go to the location it jumped from (4168f0) and notice the magic code...

Yep... a CALL, a TEST and a JE... this is what we were searching for!! NOP out the JE instruction (or better, use INC EAX, DEC EAX) and the nagscreen is history. (BTW: this JE also triggers the time-trial routine. And as the call is only called from one address, it's fully cracked. You can check this by setting your system date 15 days ahead!)

Anyway, I suppose you are capable of using a hex editor and changing the value 74 0A into 90 90. If not, I suggest you first read some other tutorials, as there are plenty around to inform you about hex editors.
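As an added illustration (not part of the original tutorial, and not code from MP3Developments, EXESCOPE or WinDasm), the Python snippet below shows what the numbers above mean at the byte level: how the decimal dialog ID 292 becomes the PUSH 00000124 you search for in the dead listing (opcode 68 followed by the ID as a little-endian dword), how to check that the PUSH is immediately followed by a CALL, and how the two bytes 74 0A decode as a JE with a signed 8-bit displacement. The byte string is constructed for the example and is not taken from CDRIPPER.EXE; the offsets it produces are offsets into that sample, not addresses in the real program.

```python
import struct

# Constructed sample bytes (NOT from CDRIPPER.EXE): a small x86 fragment laid out
# the way the tutorial describes it: CALL rel32, TEST EAX,EAX, JE rel8, then a
# PUSH imm32 of the dialog resource ID followed by a CALL rel32.
SAMPLE_CODE = bytes([
    0xE8, 0x10, 0x00, 0x00, 0x00,   # call +0x10   (the check routine)
    0x85, 0xC0,                     # test eax, eax
    0x74, 0x0A,                     # je +0x0A     (the "74 0A" from the tutorial)
    0x68, 0x24, 0x01, 0x00, 0x00,   # push 0x124   (dialog resource 292)
    0xE8, 0x20, 0x00, 0x00, 0x00,   # call +0x20   (shows the dialog)
    0x90, 0x90, 0x90,               # padding after the dialog code
])


def resource_id_to_push_pattern(resource_id: int) -> bytes:
    """Encode PUSH imm32 (opcode 0x68) of a dialog resource ID, little-endian."""
    if not 0 <= resource_id <= 0xFFFFFFFF:
        raise ValueError("resource id must fit in a dword")
    return b"\x68" + struct.pack("<I", resource_id)


def find_push_imm32(code: bytes, resource_id: int) -> list[int]:
    """Return every offset where PUSH imm32 of resource_id occurs in code."""
    pattern = resource_id_to_push_pattern(resource_id)
    hits, start = [], 0
    while (idx := code.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def push_is_followed_by_call(code: bytes, offset: int) -> bool:
    """True when the PUSH imm32 at offset is directly followed by CALL rel32 (E8)."""
    return code[offset + 5:offset + 6] == b"\xE8"


def decode_je_short(code: bytes, offset: int) -> dict:
    """Decode a two-byte JE rel8 (74 xx) at offset.

    Returns the signed displacement, the fall-through offset (next instruction)
    and the branch target (fall-through + displacement).
    """
    if code[offset] != 0x74:
        raise ValueError(f"no JE rel8 opcode at offset {offset:#x}")
    disp = struct.unpack("<b", code[offset + 1:offset + 2])[0]
    fallthrough = offset + 2
    return {"disp": disp, "fallthrough": fallthrough, "target": fallthrough + disp}


if __name__ == "__main__":
    print(f"292 decimal = {292:#x}; PUSH bytes = {resource_id_to_push_pattern(292).hex(' ')}")
    for off in find_push_imm32(SAMPLE_CODE, 0x124):
        print(f"PUSH 0x124 at offset {off:#x}, followed by CALL: "
              f"{push_is_followed_by_call(SAMPLE_CODE, off)}")
    print("JE at offset 0x7 decodes to", decode_je_short(SAMPLE_CODE, 7))
```

In the sample, the JE's +10 displacement skips exactly a 5-byte PUSH plus a 5-byte CALL, which is why that single conditional branch decides whether the dialog is shown at all; reading the displacement this way is how you confirm in a listing that a JE really is the branch guarding a PUSH/CALL pair rather than guessing from its proximity.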


Sempai^LasH