LaZaRuS proudly presents his 19. Cracking Tutorial (04.07.1999)

LaZaRuS' "Kick the nag" approach

I.   Introduction
I.1  Tools you need for my tutorial
II.  The "Kick the nag" approach
VI.  BTW
VII. All Tutorials by LaZaRuS


I. Introduction

Welcome to my 19th cracking tutorial.

I.1 Tools you need for my tutorial

W32Dasm 8.9
XTheme Manager 2.2 (www.vclxx.com/~kuan)
ToggleMouse 4.4.7 (the second target)


II. The "Kick the nag" approach

At first a word of warning. The method I show you is quite the opposite of "Zen" cracking. In fact it belongs more to the brute-force section, and all the "Zen" guys would shoot my head off if they read this. Nevertheless, if every "standard" approach to killing a nag-screen fails, this *might* help.

As a target I have chosen XTheme Manager. No special reason, I just found it on a shareware CD. Actually you can easily find the correct serial, register it and get rid of the nag-screen that way; you can try that out later. This essay is about getting rid of the nag with a patch.

Load XTM.EXE in W32Dasm. Choose "Debug" and then "Auto Step Over". Now wait until the nag-screen appears. First the window appears, then it is filled with bitmaps and text. The first sign of the nag-screen appears around :004E0169. You cannot locate the exact call that makes the nag-screen appear on the first run, because the instructions are executed too fast to read. So terminate the program, set a breakpoint on :004E0169 and restart it. This time choose "Run". W32Dasm will break at :004E0169. Now "Step Over" slowly until the first part of the nag-screen appears. This will be at :004E0199.
You see this:

    :004E0169 B301            mov bl, 01                     ;; bl = 1
    :004E016B 84DB            test bl, bl                    ;; bl == 0 ?
    :004E016D 743C            je 004E01AB                    ;; if so, jump beyond the nag
    :004E016F 8B0D04414E00    mov ecx, dword ptr [004E4104]
    :004E0175 8B09            mov ecx, dword ptr [ecx]
    :004E0177 B201            mov dl, 01
    :004E0179 A168C84900      mov eax, dword ptr [0049C868]
    :004E017E E8E985F6FF      call 0044876C
    :004E0183 A3D0654E00      mov dword ptr [004E65D0], eax
    :004E0188 33D2            xor edx, edx
    :004E018A A1D0654E00      mov eax, dword ptr [004E65D0]
    :004E018F E880CAFBFF      call 0049CC14
    :004E0194 A1D0654E00      mov eax, dword ptr [004E65D0]
    :004E0199 E8E2C4F6FF      call 0044C680                  ;; calls the nag-screen
    :004E019E A1D0654E00      mov eax, dword ptr [004E65D0]
    :004E01A3 8B10            mov edx, dword ptr [eax]
    :004E01A5 FF9284000000    call dword ptr [edx+00000084]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004E016D(C)
    |
    :004E01AB B001            mov al, 01
    :004E01AD E80EDBF9FF      call 0047DCC0
    :004E01B2 33C0            xor eax, eax
    :004E01B4 55              push ebp

Something tells me the jump at :004E016D is *never* taken: bl is loaded with 1 immediately before the test, so "test bl, bl" never sets the zero flag and the je never fires. Let's change that. You can either change "mov bl, 01" (B3 01) to "mov bl, 00" (B3 00), or change "je 004E01AB" (74 3C) to "jmp 004E01AB" (EB 3C). Either way it is a one-byte patch, and the displacement byte 3C stays as it is. The jmp variant leaves bl untouched, which is the safer choice if the register is read again later. Whatever you pick, the nag-screen will be gone :)

As that example was a little short, here comes one that shows my way of finding nags better. The target is ToggleMouse 4.4.7. At start-up the program informs you how long you have left to test ToggleMouse. So disassemble ToggleMouse.exe and enter debug mode. Disable all API functions, as they only get in the way. Choose "Auto Step Over" and wait until the nag-screen appears.
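The one-byte patches above are normally done by hand in a hex editor. The script below is an added example (it is not LaZaRuS' code, and the buffer it patches is a constructed stand-in, not XTM.EXE) that does the same thing safely: it locates the instruction bytes copied from the W32Dasm listing in the file on disk, refuses to guess if the signature is not unique, checks that the byte it is about to change really is a short conditional jump, and only then writes EB. Searching for the listing bytes avoids having to translate the virtual address :004E016D into a file offset, and the same routine covers the later ToggleMouse patches, which are also short Jcc-to-jmp changes. Names such as `jcc_to_jmp`, `find_unique` and `FAKE_XTM` are my own.

```python
"""Signature-based one-byte patcher for "kick the nag" style patches.

Added example, not part of the original tutorial. The patch is located by
searching for the instruction bytes as printed by W32Dasm instead of by
translating a virtual address into a file offset, so it works on the file on
disk without knowing the PE section layout. FAKE_XTM below is a constructed
buffer that embeds the bytes from the XTheme listing; it is not XTM.EXE.
"""

# x86 opcode facts used here: 0x70-0x7F are the short conditional jumps
# (Jcc rel8) and 0xEB is the short unconditional jump (JMP rel8). Swapping
# the opcode and keeping the displacement turns "je 004E01AB" into "jmp 004E01AB".
JCC_SHORT = range(0x70, 0x80)
JMP_SHORT = 0xEB


def find_unique(data: bytes, signature: bytes) -> int:
    """Return the offset of signature in data, refusing to guess if it is not unique."""
    first = data.find(signature)
    if first < 0:
        raise ValueError("signature not found; were the listing bytes copied correctly?")
    if data.find(signature, first + 1) >= 0:
        raise ValueError("signature occurs more than once; extend it with more bytes")
    return first


def jcc_to_jmp(data: bytes, signature: bytes, jcc_index: int) -> bytes:
    """Turn the short conditional jump at signature[jcc_index] into jmp rel8."""
    off = find_unique(data, signature) + jcc_index
    if data[off] not in JCC_SHORT:
        raise ValueError(f"byte {data[off]:02X} at offset {off:#x} is not a short Jcc")
    patched = bytearray(data)
    patched[off] = JMP_SHORT  # the rel8 displacement that follows is left alone
    return bytes(patched)


def set_immediate(data: bytes, signature: bytes, imm_index: int, value: int) -> bytes:
    """The alternative patch: rewrite the immediate byte of 'mov bl, 01'."""
    off = find_unique(data, signature) + imm_index
    patched = bytearray(data)
    patched[off] = value
    return bytes(patched)


# Bytes of :004E0169..:004E0174 exactly as W32Dasm printed them:
#   B3 01               mov bl, 01
#   84 DB               test bl, bl
#   74 3C               je 004E01AB
#   8B 0D 04 41 4E 00   mov ecx, dword ptr [004E4104]
XTM_SIGNATURE = bytes.fromhex("B301 84DB 743C 8B0D04414E00")

# Constructed stand-in for XTM.EXE: filler, the signature, more filler.
FAKE_XTM = b"\x90" * 64 + XTM_SIGNATURE + b"\xCC" * 64


def patch_xtm_jump(data: bytes = FAKE_XTM) -> bytes:
    """Variant 1: je -> jmp at :004E016D (the 74 is at index 4 of the signature)."""
    return jcc_to_jmp(data, XTM_SIGNATURE, 4)


def patch_xtm_flag(data: bytes = FAKE_XTM) -> bytes:
    """Variant 2: mov bl,01 -> mov bl,00 at :004E0169 (the 01 is at index 1)."""
    return set_immediate(data, XTM_SIGNATURE, 1, 0x00)


if __name__ == "__main__":
    # For the real thing: data = open("XTM.EXE", "rb").read(), patch it, and
    # write the result to a copy; W32Dasm holds the loaded file open.
    before = FAKE_XTM
    after = patch_xtm_jump(before)
    off = find_unique(before, XTM_SIGNATURE) + 4
    print(f"offset {off:#x}: {before[off]:02X} {before[off + 1]:02X} "
          f"-> {after[off]:02X} {after[off + 1]:02X}")
```

The uniqueness check is the part worth keeping: a two-byte pattern like 74 3C occurs all over a binary, so always copy enough of the surrounding instruction bytes from the listing that the search hits exactly once.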
Then the window that displays the instructions currently being executed looks like this:

    :0041886D push [ebp-64]
    :00418870 push esi
    :00418871 push esi
    :00418872 call KERNEL32.GetModuleHandleA
    :00418878 push eax
    :00418879 call TOGGLEMOUSE.004230A0      // THIS LINE SHOULD BE ACTIVATED
    :0041887E mov dword ptr [ebp-60], eax
    :00418881 push eax
    :00418882 call TOGGLEMOUSE.0041B433
    :00418887 mov eax, dword ptr [ebp-14]
    :0041888A mov ecx, dword ptr [eax]

So terminate ToggleMouse, set a breakpoint on :00418879 and restart it. Press F9 (Run) and W32Dasm should break here. Enter the call (F7) and choose "Auto Step Over" again. Wait until the nag-screen appears. Now you should see this:

    :0042309F int 03
    :004230A0 push [esp+10]
    :004230A4 push [esp+10]
    :004230A8 push [esp+10]
    :004230AC push [esp+10]
    :004230B0 call TOGGLEMOUSE.0042B617      // THIS LINE SHOULD BE ACTIVATED
    :004230B5 ret 10
    :004230B6 adc byte ptr [eax], al
    :004230B8 call TOGGLEMOUSE.0042E9D8
    :004230BD mov ecx, dword ptr [esp+04]
    :004230C1 test ecx, ecx

And again: terminate, set a new breakpoint on this call, restart ToggleMouse and enter the call. Then choose "Auto Step Over" until the nag-screen appears. This time you should see this:

    :0042B64D call dword ptr [eax+00000084]
    :0042B653 test eax, eax
    :0042B655 je 0042B680
    :0042B657 mov eax, dword ptr [esi]
    :0042B659 mov ecx, esi
    :0042B65B call TOGGLEMOUSE.00436F10      // THIS LINE SHOULD BE ACTIVATED
    :0042B65E test eax, eax
    :0042B660 jne 0042B677
    :0042B662 mov ecx, dword ptr [esi+1C]
    :0042B665 test ecx, ecx
    :0042B667 je 0042B66E

Now it's getting interesting: look, there is a conditional jump at :0042B667 (right after the test at :0042B665) that leads past the code that displays the nag. Let's change it to jmp in a hex editor. Shit, the program doesn't start anymore. So we have to go on (I hope you always patch a copy of the original file, as you are not able to write to a file that is currently loaded in W32Dasm). Enter the call at :0042B65B again and trace through the code until the nag-screen appears.
Here the code is:

    :0041237C xor eax, eax
    :0041237E jmp TOGGLEMOUSE.004123A5
    :00412380 cmp dword ptr [00443B70], 00000041
    :00412387 jg 0041236B
    :00412389 push 00000001
    :0041238B call TOGGLEMOUSE.004147CC      // THIS LINE SHOULD BE ACTIVATED
    :00412390 cmp eax, 00000001
    :00412393 pop ecx
    :00412394 jne 0041236B
    :00412396 mov ecx, ebx
    :00412398 call TOGGLEMOUSE.00412684

Let's try again. There is another conditional jump here that skips the call that displays the nag (the jg at :00412387 jumps over the call at :0041238B). Let's change its opcode to EB again and see what happens. The nag is gone, we have it :)

Now it's your turn. Turn your system clock one year ahead and restart ToggleMouse. There is another nag telling you that the evaluation period has expired. Try to get rid of it using the method I described.


VI. BTW

This tutorial is for educational purposes only. Make sure to get the full version legally. I withdraw myself from all responsibility, and from any trouble you get into.

Greets to: everyone in #cracking4newbies and +Sandman's forum


VII. All tutorials by LaZaRuS