Name     : Notepad
Version  : Microsoft Windows 98
Filesize : 57,344 bytes
Editor   : Microsoft
Target   : notepad.exe
Tools    : W32Dasm, Hiew, brain
Cracker  : LW2000
Tutorial : No.36

---

DISCLAIMER
For educational purposes only! I hold no responsibility for any misuse of this material!

---

1. OK, this program has annoyed me dozens of times! I tried to crack the file-size limit, but it confused me a lot and I lost the overview. So I decided to remove the "launch WordPad" nag instead.

To trigger it, I opened a 600 KB file with Notepad (a smaller file would have done it too, but this one was already in my cracking folder and I'm lazy..). *BOOM* Our nag pops up. OK, let's launch W32Dasm and take a look at notepad.exe.

2. Click the SDR button (String Data References) and look at the strings. Normally I would search for the message text and/or caption, but the string "wordpad.exe" looked suspicious. So let's take a closer look:

* Possible Reference to String Resource ID=00056: "wordpad.exe"
|
:004033D5 6A38                   push 00000038
:004033D7 FF3540554000           push dword ptr [00405540]

3. Now scroll up. A little above the "wordpad.exe" reference you see a call to MessageBoxA. Hmm, it seems we have found our nag:

* Reference To: KERNEL32.GetStartupInfoA, Ord:0140h
|
:0040339F FF1590634000           Call dword ptr [00406390]

* Possible Reference to String Resource ID=00036: "&f"
|
:004033A5 6A24                   push 00000024
:004033A7 A1B4504000             mov eax, dword ptr [004050B4]
:004033AC 56                     push esi
:004033AD 50                     push eax
:004033AE FF7508                 push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:01ACh
|
:004033B1 FF15A8644000           Call dword ptr [004064A8]
:004033B7 83F806                 cmp eax, 00000006
:004033BA 0F85A7000000           jne 00403467
:004033C0 6804010000             push 00000104      <<--- here we must go!
:004033C5 8D858CFDFFFF           lea eax, dword ptr [ebp+FFFFFD8C]
:004033CB 837D1001               cmp dword ptr [ebp+10], 00000001
:004033CF 1BFF                   sbb edi, edi
:004033D1 50                     push eax
:004033D2 83C737                 add edi, 00000037

* Possible Reference to String Resource ID=00056: "wordpad.exe"
|
:004033D5 6A38                   push 00000038
:004033D7 FF3540554000           push dword ptr [00405540]

A word on what we are looking at: the "push 00000024" is the uType argument of MessageBoxA, and 0x24 = MB_YESNO | MB_ICONQUESTION. The "&f" line above it is only W32Dasm guessing, because 0x24 = 36 also happens to be a string resource ID. MessageBoxA returns 6 (IDYES) when the user clicks Yes, so the "cmp eax, 00000006 / jne 00403467" pair skips the WordPad launch whenever the answer is anything but Yes. The code from 004033C0 on is the "Yes" path that starts WordPad.

4. OK, our exercise is to jump to 004033C0, over the message box, so that WordPad runs automatically. How to do this? Hmm, easy!

* Possible Reference to String Resource ID=00036: "&f"
|
:004033A5 6A24                   push 00000024      <-- note the offset
:004033A7 A1B4504000             mov eax, dword ptr [004050B4]
:004033AC 56                     push esi
:004033AD 50                     push eax
:004033AE FF7508                 push [ebp+08]

We note the offset of 004033A5 and, instead of this crap, jump straight to 004033C0.

Two things make this a clean patch. First, 004033A5 is the first of the five argument pushes for MessageBoxA, so jumping from there skips the pushes together with the call (MessageBoxA is stdcall and pops its own arguments), and the stack at 004033C0 looks exactly as it would after a real "Yes" click. Second, "push 00000024" is two bytes (6A 24), the same size as a short jmp (EB rel8), so nothing spills into the mov at 004033A7. The displacement is 33C0 - (33A5 + 2) = 19h, so the patched bytes are EB 19.

5. Close W32Dasm and open notepad.exe in Hiew. Press F5 and go to offset 33A5. Note that Hiew's F5 wants a file offset, not the virtual address W32Dasm prints; W32Dasm shows the file offset of the highlighted line in its status bar, and here it is 33A5. Press F3 to edit and F2 to enter assembler commands. Then type:

jmp 33C0 [Enter]

and [Esc] to close the assembler screen. Save your work (F9 in Hiew) and exit. Now try to open the big file again. Congratulations! WordPad opens it, without a nag!

FINISH! Easy, huh?

cu LW2000

Any comments? Mail me at LW2000@gmx.net !!!

----

tKC, thanks for your tutorials! I started with tutorial 1 and I still read them... they are the best!
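The same patch as a script, so the offset arithmetic and the "are these really the bytes I expect" check can be repeated instead of typed into Hiew by hand. This is an added example and not part of LW2000's tutorial: the instruction bytes are copied from the W32Dasm listing above, but the surrounding image is constructed filler standing in for notepad.exe, and the function names are my own. It also goes a step beyond the tutorial by falling back to a near jmp (E9 rel32, NOP-padded) when the displacement does not fit in a short jmp and the replaced instruction leaves enough room.

```python
"""Patch an instruction at a known file offset into a jmp that skips a call site.

Constructed example modelled on the notepad.exe listing in the tutorial
(added code, not the tutorial's own). The bytes in LISTING are copied from
the W32Dasm output; everything around them is filler.
"""
import struct

# Instruction bytes from 004033A5 up to and including 004033C0, per W32Dasm.
LISTING = bytes.fromhex(
    "6A24"          # push 24          ; MB_YESNO | MB_ICONQUESTION
    "A1B4504000"    # mov eax, [004050B4]
    "56"            # push esi
    "50"            # push eax
    "FF7508"        # push [ebp+08]
    "FF15A8644000"  # call [004064A8]  ; USER32.MessageBoxA
    "83F806"        # cmp eax, 6       ; IDYES
    "0F85A7000000"  # jne 00403467
    "6804010000"    # push 104         ; 004033C0, where we want to land
)
PATCH_OFF = 0x33A5            # file offset of "push 24" (first MessageBoxA argument)
TARGET_OFF = 0x33C0           # file offset of "push 104" (the "Yes" path)
EXPECTED_ORIG = bytes.fromhex("6A24")


def build_sample_image(size=0x3400):
    """Constructed stand-in for notepad.exe: filler with the listing spliced in."""
    img = bytearray(b"\xCC" * size)
    img[PATCH_OFF:PATCH_OFF + len(LISTING)] = LISTING
    return bytes(img)


def encode_jmp(src, dst, room):
    """Encode an unconditional jmp at `src` to `dst`, NOP-padded to `room` bytes.

    Uses EB rel8 when the displacement fits, otherwise E9 rel32 if there is
    room for five bytes. Raises if neither fits, rather than overwriting the
    following instruction.
    """
    rel8 = dst - (src + 2)
    if -128 <= rel8 <= 127 and room >= 2:
        code = b"\xEB" + struct.pack("<b", rel8)
    elif room >= 5:
        code = b"\xE9" + struct.pack("<i", dst - (src + 5))
    else:
        raise ValueError(f"no {room}-byte jmp encoding from {src:#x} to {dst:#x}")
    return code + b"\x90" * (room - len(code))


def patch_jump(image, src, dst, expected):
    """Return a copy of `image` with the bytes `expected` at `src` replaced by a jmp to `dst`.

    Refuses to patch when the bytes differ, so a wrong offset or a different
    build of the binary is caught instead of silently corrupting code.
    """
    found = image[src:src + len(expected)]
    if found != expected:
        raise ValueError(f"bytes at {src:#x} are {found.hex()}, expected {expected.hex()}")
    code = encode_jmp(src, dst, len(expected))
    return image[:src] + code + image[src + len(expected):]


def decode_jmp_target(image, off):
    """Follow the jmp at `off` and return the file offset it lands on (for verification)."""
    op = image[off]
    if op == 0xEB:
        return off + 2 + struct.unpack("<b", image[off + 1:off + 2])[0]
    if op == 0xE9:
        return off + 5 + struct.unpack("<i", image[off + 1:off + 5])[0]
    raise ValueError(f"no jmp at {off:#x}")


def patch_notepad_nag(image):
    """Apply the tutorial's patch: jump over MessageBoxA and the IDYES check."""
    return patch_jump(image, PATCH_OFF, TARGET_OFF, EXPECTED_ORIG)


if __name__ == "__main__":
    original = build_sample_image()
    patched = patch_notepad_nag(original)
    print("patched bytes:", patched[PATCH_OFF:PATCH_OFF + 2].hex())
    print("jmp lands at:", hex(decode_jmp_target(patched, PATCH_OFF)))
```

To use it on a real file, read notepad.exe into `bytes`, pass it to `patch_notepad_nag`, and write the result to a copy; the `expected` check is what saves you when the offsets from a different Notepad build do not match the listing.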