How to USE nag screens
(Nagscreens and CRC checking show us the way)

by ^pain^

(11 November 1997, snatched and slightly edited by fravia+)


Courtesy of fravia's page of reverse engineering

Well, a 'snatched' essay... strangely enough ^pain^ never sent it to me... yet I find it interesting! Therefore I have decided to publish it nevertheless!

8/24/97           
How to USE nag screens? =======================
Introduction ------------ What I`m about to teach in this tutorial, is simply how to USE nag screens, yeah yeah, it sounds ridiculous, and, I`m not sure that i`m not inventing the Wheel here, but, I've never seen any tutorial about this issue... I`ll assume you have some knowledge in: 1.SoftIce (Winice will be more percisive...). 2.cracking (ie, about 2-3 months of cracking..). 3.Nag Screens (How to kill'em - but, that's of course not what will be discussed here). Tools you`ll need for this tutorial: 1.SoftIce 3.00/01. 2.Hex Work Shop (ANY VERSION) / or any other good Hex Editor. Programs that will be discussed in here: 1.DeskWipe v1.2 : URL - Http://Home.sol.no/Frankm 2.Idyle Phone Book Pro 97 V2.21 : URL - Http://www.idyle.com/ Some words for start ---------------------- What we're going to be doing here, is to use the nag screens in order to get to the registration routines, in programs that newbies usually find hard to handle - The programs that have NO visible registration info... Which means, programs without register boxes... etc.. Our basic method here, will be to set a break point on a messagebox , or some other forms of nag screens that will be discussed here later, then , after breaking in the nag screen routine, look back in the code, and see what condition brought us to the nag screen, then, break point in that condition (ie, je,jz,jnz etc....), and disable it... ;-) Sounds like we`re just about to start our cracking here...... :) The first program I'd like to discuss is one of the simplest... DeskWipe 1.2 Cracking (Using nag screen). --=========================================-- OK, we're all set with SoftIce running? great, lets start the program to see the actual protection scheme... After launching DeskWipe 1.2 , quickly pops a nag screen, errrgh! sux! Lets Exit the program , and set a bp on messageboxa, then, run it again... oh, no ;`[ , we're lost, messageboxa wasn`t such a lucky guess, Hmm..... Now, we can use our knowledge in nag screen (which is not too hard to achieve btw...;), while we're in the nag screen, press CTRL+D, And, type hwnd deskwipe... You`ll see only one button , BMSG on it, (For me , it gave 0688...). Now, press CTRL+D, and follow my instructions FULLY! (I'd really wish to talk to you guys about these stuff, but, that's not for this tutorial, and, it won`t serve my targets...). 1.After pressing CTRL+D , you`ll pop again in SICE, press F12 9 times. 2.press F10 several times, until you get to this instruction: ... MOV EAX,[EBP-04] MOV EAX,[EAX+00000128] TEST EAX,EAX JZ 420940 / This one, you`ll have to NOP in order to pass the nag screen, / because, this is the condition, if the Button was pressed /or wasn`t... (That was just a side comment). ... NOP the JZ... 3.now, we can Continue pressing F12 7 more times... until we're popped in this instruction: ... CALL 00425728 POP ECX POP ECX ... Let's now press CTRL+UP several times, (to see the above code, that brought us to this nag screen) Until you get to this: MOV EAX,[429664] / The initial value for the registration routine CALL 425FFC / The registration routine itself!!! ;) INC EAX / The Boolean identifier, that's used to determine if JZ 426EA6 / The registration was successful... ... I`ll leave you guys the job to Register this program (NOTE that in order to crack this one with Patching, you`ll HAVE to change EAX's value INSIDE the registration routine, But, it won`t be the BEST crack, for making the BEST crack, you`ll have to make a license file... - I`ll leave this job to you, I`m not trying here to teach how to do key files, I already assume that you can handle the registration routine by yourself... ;) Well , that's it for this program , Now , Let's move to some harder Job... ;) Lets Crack Idyle Phone Book Pro 97 Now!! Phone Book Pro 97 V2.21 Cracking!!! --===================================-- I'd like to take this opportunity to GREET the author, Damien Rame, for a GREAT interface: I've never seen a better phone book! If you use this program, please send him money! he deserves that! This one, is about to be harder to do than the previous one. I`m about to do patching here , just to give you an example of a CRC checking that's kicking ya from the program if it detects patching (this is usually done by doing CheckSum to the EXE and comparing it with a Value that's kept somewhere...) We're all set with our little SoftIce? :) great! Lets launch the program... press the About/Register button... Hmm, interesting... the author seems to be pretty smart, look what he did, he DIDN`T give ya ANY buttom to press in order to tell the program to check the registration info that was entered!!! How do we solve this problem? Well, it's obvious that the program checks the registration info in REAL TIME (ie, when you enter it in the dialog box). OK, Let's try something here: I entered Name :^pain^ '97 Reg Code: 9999999 Wait, Let's Press CTRL+D, and, set a bp in HMEMCPY,then , press CTRL+D again, and, add another char to the reg code... YES! we popped right next to the registration routine... Let's press F12 now until we get to the program code, and, trace the code until we get to this instruction (The registration routine itself): ... MOV EDX,EBX MOV EAX,EBX CALL 49616C TEST AL,AL JZ 004968B4 ... Now, it's obvious what you should do: trace in the registration routine, Set a bp on some code in the registration routine, and, restart the program. (Don`t worry, I know what I`m doing...) After we pop back in Sice... Exit the routine, and ,do the patch OUTSIDE the routine!!! (VERY IMPORTANT!) (ie, TEST AL,AL ===> OR AL,01) Now, we're all set for the point I want to discuss... :) Launch the program! Oh my! Now Look what happens! This program does CRC checking! (Did I ever say the author is a smart guy? ;-) Although, he did a stupid thing... Left us a MSG TYPE ERROR BOX!!! (That says there was a CRC error, and that the program will now be terminated!) Let's use this to our advantage! :) Launch the program AGAIN! when you get to the Error Button. 1.Type in Sice HWND. 2.BMSG on the ONLY button that PHONEBOOK uses. 3.Press CTRL+D 4.Press F12 5 times. 5.Press F10 until you get to this instruction: ... Mov EAX,[EAX+00000150] TEST EAX,EAX JZ 00430CE2 / Nop the JZ... (Only a temporary change for passing the msg box). ... 6.Press F12 8 more times. 7.Press CTRL+UP some times, until you see this: CALL 445570 / CRC Checking routine... :) CMP EBX,-2 / Boolean Identifier. JNZ 459409 Now, All you have to do, is to change the CMP EBX,-2 ==> MOV EBX,01 JNZ 459409 ==> JMP 459409 And , we're all set! ;) simple eh? :) After nopping it, patch the EXE and you will have a FULL crack! :) NOTE that that's not how I did the crack, I did a better patch, but I really don`t remember now what the cuckoo did I patch, and, it's not really important for our discussion anyway ;) So, you`ll have to forgive me... Well, I think that's it, I've cleared my point, and , I think it's time to Sign off... Hope you found this info interesting.....(I wouldn`t like to have spent my time for nothing... ;-) Ohhh...... almost forgotten, I'd like to greet the following dudes: Acp,Niabi,JosephCo,_rANDOM,|KAIRN|,Razzi,Yoshi,GrimL0ck,kOUGER,Odin, [J0B],Qapla,Leddy,TeRaPhY!, All the great guys in #cracking & #Cracking4newbies And all the rest of you M$ fighters I've forgotten! Signing off - ^pain^ [mEXELiTE] in the year of 1997 -
(c) ^pain^ 1997. All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?