CDProW v2.3-by Kathras
Target: CDProW
v2.3
Purpose: To educate my peers on VB patching techniques without modifying
dll's.
Approach: Pure Logic Mr Spock. Hopefully after reading this essay
you will discover that VB is very logical in naming its api's. A little bit
of common sence is all that is really
needed
to kill nearly any VB nag screen.
Tools: Softice, Hiew
Difficulty: Beginner, with sufficent knowledge of Softice and its
internls.
Introduction
After several years of avoiding VB programs because of its different
structure, I finally decided to sit down and try to learn something. After
many hours of purely random Trial and Error, I stumbled upon a few tricks
that will allow me to reverse close to 90% of my targets.
After pondering what I had learned for a while, I noticed a strange logic
in what I had discoverd as far as api naming. Now after sitting on this a
while I am going to share this approach.
Procedure
To begin we must run our target to find out what we are up against. So after
running CDProW.exe we discover that instead of running the program as
we intended, we are presented with a nag screen that we must click OK to
close. Also, we notice that it appears we have a time limit to deal with.
First thing is first, we must remove the nag. The first thing we must do
is to figure out where to set a breakpoint in softice.To save hours of speculation
I will tell you exactly where to break. __vbanew2 is the magic api. Which
makes sense because the nag screen is a New object. So we set a breakpoint
in Softice:
bpx msvbvm50!__vbanew2
Now we run our program and we find ourself landing inside of msvbvm50.dll.
We don't want to mess with slopy dll editing today so lets F11 out of there.
Now we are inside of CDProW.exe and find ourself here
:00441AD1 A118814700
mov eax, dword ptr [00478118] <----- We break here
00441AD6 68B8C24100
push 0041C2B8
:00441ADB 56
push esi
:00441ADC 898560FFFFFF mov
dword ptr [ebp+FFFFFF60], eax
Now to me this bit of code doesn't look very interesting so les step down
through with F10 until we hit this line:
:00441B59 E86298FFFF
call 0043B3C0
When we try to step over this call, we get kicked out of Softice and that
annoying nag screen comes up. So we hit OK on the nag and poof, we are back
into softice on the line right below the call. We have found the call that
is exclusivly used for creating the nag screen! We could simply hex out this
call and that nag will be forever gone. But assuming that your reason for
reading this essay is to actually learn something, we are going to trace
a bit more. Lets clear our breakpoint in Softice on __vbanew2 and set a new
breakpoint on that call. So in Softice type:
bc *
bpx 441b59
Now lets exit Softice and restart our target program. And here we find ourself
breaking on that call. This time we will trace into the call with F8 nothing
really looks horribly interesting so lets continue to step down with F10
until we reach this line:
:0043B42E FF93B0020000
call dword ptr [ebx+000002B0]
This is 90% of the time the magic call for every nag screen. You will always
be able to recognize it by the call to the dword length code at (some register+000002B0).
In fact in most nag screen cases you can find this magic line by simply searching
for the string +000002B0 inside of w32dasm. You might find two or three other
locations where this type of structure is used but it shouldn't take you
long to find the one you are looking for. Now to remove the nag, you are
probably thing that we can simply hex out this call. Well if you do that,
you are gonna get a nasty little crash when you start the program. Why? you
ask... the reason is simple we need to fix the stack (so the program thinks
that function was executed) there is a nice big fat ret instruction a few
lines down from that call. When that ret is steped into with an incorrect
number in ESP, then your code returns to some strange memory address that
causes a not so pretty crash. This is easy to fix using the six bytes of
code that make up that magic call. The opcodes for that call are
FF93B0020000
We need to replace that with:
83C424EB0190
This will give us three seperate instructions:
:0043B42E 83C424 add esp,
24
:0043B431 EB01
jmp 0043B434
:0043B433 90
nop
As you can see we are fixing the value in ESP by adding 24h to it. You can
easilly obtain this value by subtracting the value of ESP after that call
is executed from the value of ESP before that call is executed.. The jmp
and the nop are simply there to avoid executing several nop instructions
in a row (not always a good idea and a pet peve of mine). Now we fix everything
nice and pretty in Hiew. And the nag is Nevermore said the raven. We, however,
aren't finished yet. We still have that aggrivating 30 day time limit to
defeat.
I am not going to go into a whole lot of detail on how to crack this time
limit, as it is not the primary focus of this essay. We notice after
setting our system date ahead by 31 days that our almost cracked program
ceases to function. It gives you a messagebox giving you the option to register
with a code or to cancel (since this essay is not about how to reg a vb program
we will ignore the registration part of this, this essay is about patching
pure and simple). The first thing we need to do is to set a breakpoint on
VB's messagebox function. This api is rtcmsgbox. So in Softice type:
bpx msvbvm50!rtcmsgbox
Now lets exit softice and start the program. Poof, back into Softice..Hitting
F11 to get out of the dll's code we find ourselves looking at our target
messagebox. So we hit cancel to get back to our programs code. After
we get back into Sotice inside of CDProW.exe we find ourself here:
:00441A74 FF1588134800
Call dword ptr [00481388] <------ the call to rtcmsgbox
:00441A7A 8BC8
mov ecx, eax <--- We break here
Simply removing the messagebox will not fix our problem. So we have to think
for a minute. Speculation leads you to the idea that there must be a check
above this piece of code that checks if the program is expired or not.. Lets
scroll up the code window in softice to see what we can find. A few pages
up we find what we are looking for:
:00441995 6681FEF401
cmp si, 01F4
:0044199A 0F8518010000
jne 00441AB8
Simply change that jne to a jmp and no more experation.
Summary
Sure we could have avoided everything explained in this essay just
by patching the jne just 5 lines above the jne we just edited, but tht is
not the point of this essay. The point I'm trying to explain is a generic
technique on how to remove nag screens from an application coded with Visual
Basic without editing the runtime dll's. This technique seems to be almost
univeral among all VB coded applications, whether it be a exe or an activex
control or dll. DLL patching can cause bad things to happen in unexpected
places in programs that don't need to be enhanced for evaluation purposes.
This is clean and straight to the point
Greets
Too many friends new and old to list. You know who you are.