L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
               XXXX        proudly presents his 19th Cracking Tutorial (04.07.1999)
               XX                   LaZaRuS' "Kick the nag" approach

I.    Introduction
I.1   Tools you need for my tutorial
II.   The "Kick the nag" approach
VI.   BTW
VII.  All Tutorials by LaZaRuS

I.   Welcome to my 19th cracking tutorial.
I.1  W32Dasm 8.9
     XTheme Manager 2.2 (www.vclxx.com/~kuan)
 
II.  The "Kick the nag" approach
     First, a word of warning. The method I show you here is quite the opposite of "Zen" cracking.
     In fact it belongs more to the brute force department, and all the "Zen" guys would shoot my
     head off if they read this. But nevertheless, if all the "standard" approaches to killing a
     nag-screen fail, this *might* help.
     As a target I have chosen XTheme Manager. No special reason, I just found it on a shareware
     CD. Actually you can easily find out the correct serial to register it and get rid of the
     nag-screen that way; you can try that out later. This essay is about getting rid of the nag
     with a patch.

     Load XTM.EXE in W32Dasm. Now choose "debug" and then "Auto Step Over". Now wait until the
     nag-screen appears. At first the window appears and then it is filled with bitmaps and text.
     The first sign of the nag-screen appears around :004E0169. You cannot locate the exact call
     that makes the nag-screen appear right away, because the instructions are executed too fast.
     So terminate the prog, set a breakpoint on :004E0169 and restart it. This time choose "Run".
     W32Dasm will break at :004E0169. Now "Step Over" slowly until the first part of the
     nag-screen appears. This will be at :004E0199.
     You see this:

     :004E0169 B301                    mov bl, 01   ;; bl=1
     :004E016B 84DB                    test bl, bl  ;; bl=0 ?
     :004E016D 743C                    je 004E01AB  ;; if so, then jump beyond the nag
     :004E016F 8B0D04414E00            mov ecx, dword ptr [004E4104]
     :004E0175 8B09                    mov ecx, dword ptr [ecx]
     :004E0177 B201                    mov dl, 01
     :004E0179 A168C84900              mov eax, dword ptr [0049C868]
     :004E017E E8E985F6FF              call 0044876C
     :004E0183 A3D0654E00              mov dword ptr [004E65D0], eax
     :004E0188 33D2                    xor edx, edx
     :004E018A A1D0654E00              mov eax, dword ptr [004E65D0]
     :004E018F E880CAFBFF              call 0049CC14
     :004E0194 A1D0654E00              mov eax, dword ptr [004E65D0]
     :004E0199 E8E2C4F6FF              call 0044C680                   ;; calls the nag-screen
     :004E019E A1D0654E00              mov eax, dword ptr [004E65D0]
     :004E01A3 8B10                    mov edx, dword ptr [eax]
     :004E01A5 FF9284000000            call dword ptr [edx+00000084]

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:004E016D(C)
     |
     :004E01AB B001                    mov al, 01
     :004E01AD E80EDBF9FF              call 0047DCC0
     :004E01B2 33C0                    xor eax, eax
     :004E01B4 55                      push ebp

     Something tells me the jump at :004E016D is *never* taken, eh. Let's change that. You can
     either change the "mov bl, 01" to "mov bl, 00" or the "je 004E01AB" to "jmp 004E01AB".
     Whatever you choose, the nag-screen will be gone :)


     As the last example was a little short, here comes one that shows my way of finding nags
     better. The target is ToggleMouse 4.4.7.
     At the start the program informs you how long you have left to test ToggleMouse. So
     disassemble ToggleMouse.exe and enter the debug mode. Disable all API functions, as they only
     get in the way. Choose "Auto step over" and wait until the nag-screen appears. Then the window
     that displays the instructions currently being executed looks like this:

     :0041886D push [ebp-64]
     :00418870 push esi
     :00418871 push esi
     :00418872 call KERNEL32.GetModuleHandleA
     :00418878 push eax
     :00418879 call TOGGLEMOUSE.004230A0    // THIS LINE SHOULD BE ACTIVATED
     :0041887E mov dword ptr [ebp-60], eax
     :00418881 push eax
     :00418882 call TOGGLEMOUSE.0041B433
     :00418887 mov eax, dword ptr [ebp-14]
     :0041888A mov ecx, dword ptr [eax]

     So terminate ToggleMouse, set a breakpoint on line :00418879 and restart it. Press F9 (Run)
     and W32Dasm should break there. Enter the call (F7) and choose "Auto step over" again. Wait
     until the nag-screen appears. Now you should see this:

     :0042309F int 03
     :004230A0 push [esp+10]
     :004230A4 push [esp+10]
     :004230A8 push [esp+10]
     :004230AC push [esp+10]
     :004230B0 call TOGGLEMOUSE.0042B617 // THIS LINE SHOULD BE ACTIVATED
     :004230B5 ret 10
     :004230B6 adc byte ptr [eax], al
     :004230B8 call TOGGLEMOUSE.0042E9D8
     :004230BD mov ecx, dword ptr [esp+04]
     :004230C1 test ecx, ecx

     And again: terminate, set a new breakpoint at this call, restart ToggleMouse, and enter the
     call. Then choose "Auto step over" until the nag-screen appears. This time you should see
     this:

     :0042B64D call dword ptr [eax+00000084]
     :0042B653 test eax, eax
     :0042B655 je 0042B680
     :0042B657 mov eax, dword ptr [esi]
     :0042B659 mov ecx, esi
     :0042B65B call TOGGLEMOUSE.00436F10 // THIS LINE SHOULD BE ACTIVATED
     :0042B65E test eax, eax
     :0042B660 jne 0042B677
     :0042B662 mov ecx, dword ptr [esi+1C]
     :0042B665 test ecx, ecx
     :0042B667 je 0042B66E

     Now it's getting interesting: look, there's a jump at line :0042B665 that leads beyond the
     call that displays the nag. Let's change it to jmp in a hex editor. Shit, the program doesn't
     start anymore. So we have to go on (I hope you always patch a copy of the original file, as
     you are not able to write to a file that is currently loaded in W32Dasm). Enter the call
     again and trace through the code until the nag-screen appears. Here the code is:

     :0041237C xor eax, eax
     :0041237E jmp TOGGLEMOUSE.004123A5
     :00412380 cmp dword ptr [00443B70], 00000041
     :00412387 jg 0041236B
     :00412389 push 00000001
     :0041238B call TOGGLEMOUSE.004147CC  // THIS LINE SHOULD BE ACTIVATED
     :00412390 cmp eax, 00000001
     :00412393 pop ecx
     :00412394 jne 0041236B
     :00412396 mov ecx, ebx
     :00412398 call TOGGLEMOUSE.00412684

     Let's try again. There's another jump that leads beyond the call that displays the nag.
     Let's change it to EB again and see what happens. The nag is gone, we have it :)
     Now it's your turn. Turn your system's clock 1 year ahead and restart ToggleMouse. There's
     another nag telling you that the evaluation period has expired. Try to get rid of it using the
     method I described.

VI.  BTW, this tutorial is for educational purposes only. Make sure to get the full version
     legally. I disclaim all responsibility for any trouble you get into.
     
     Greets to: Everyone in #cracking4newbies and +Sandman's forum

VII. All tutorials by LaZaRuS