Nasty Nag removal


Panemuckl
07-01-2004, 11:47 AM
Hi!

To practise, I'm currently working on some DSL driver software.

I've done so far:

- unpacking, full restore, imp fixing (unpacked version works fine)
- removed anti-debug (now OllyDBG is my friend)
- removed CRC (MD5) self-check (naggy "CRC failure" -> Terminate)

Now the app runs with all modifications without any problems,
but still a little NAG appears on start-up:

"Application out of date, please update"
[ OK ]

After pressing OK, the program executes normally. So all I have
to do is remove that last nag screen. May sound stupid, but it's
not that easy after all...

My problem: I can't find the corresponding call to MessageBoxA!

If you wanna give it a try yourself, PM me for the modified executable.

Hopefully, someone will teach me how to find the corresponding nag.

BTW: [ ALT+F1: BPX MessageBoxA ] ==>> "Not found"

SvensK
07-01-2004, 12:21 PM
PM me an url for the target and I'll have a look.

MaRKuS-DJM
07-01-2004, 01:06 PM
maybe MessageBoxW? try to use a BP instead of a BPX

Panemuckl
07-01-2004, 01:19 PM
Tried it all:

BP User32.MessageBoxA
BP User32.CreateWindowExA
...

doesn't work. Really annoying.

naides
07-01-2004, 01:40 PM
Quote:
[Originally Posted by Panemuckl]Tried it all:

BP User32.MessageBoxA
BP User32.CreateWindowExA


Try breaking on the message that gets sent when you click the OK button.

SvensK
07-01-2004, 03:23 PM
Weird app, it's constantly polling something it refers to as "magic value #1".

004172F4 |> 81BD 70FFFFFF 71187639 CMP DWORD PTR SS:[EBP-90],39761871
004172FE |. 74 1E JE SHORT removed.0041731E

If something is off with it, the Expire nag shows. If you load the app in Olly and start it, you can search for references to "Your evaluation period has expired. Order Name Deleted today!".

004174A1 |. 50 PUSH EAX
004174A2 |. 68 30964700 PUSH removed.00479630 ; UNICODE "Your evaluation period has expired. Order Name Deleted today!"

The above code is part of the polling code, I hope you can work your way through from here.

And another thing, if you leave the original .exe in the folder and run your patched exe as Crk.exe you don't have to patch the CRC check.
All you need to patch for the CRC check is EB at 17C32h.

Edit: If this still isn't enough for you, I might have another look at it later on.

Regards
SvensK

Panemuckl
07-01-2004, 05:22 PM
I noticed the "Magic value #1" stuff, but it's not important to crack
the nag. Obviously, the author included various anti-debugging stuff, but
thanks to your help I finally solved that issue.

1. Passing through the code, I noticed that the app is calling
User32.MessageBoxIndirectW, as you can see on the SS below

function MessageBoxIndirectW; external user32 name 'MessageBoxIndirectW';

{
Other BP worthy calls:

CreateDialogIndirectParamA / CreateDialogIndirectParamW
CreateDialogParamA / CreateDialogParamW
DialogBox
DialogBoxIndirect
DialogBoxParam / DialogBoxParamA / DialogBoxParamW
EndDialog
MessageBeep
MessageBoxA / MessageBoxW
MessageBoxExA / MessageBoxExW
MessageBoxIndirect / MessageBoxIndirectA / MessageBoxIndirectW
}

2. Having a look at the stack, I saw that there's a push of "expired" to it

3. Passing some more lines of code, you will end up on the corresponding call
to User32.MessageBoxIndirectW

4. Step 2-3 lines up and change the JE to JNE

5. Run -> Window still pops up

What's wrong? Apparently there are some more hidden checks, so
I took a closer look at the following lines of code. Et voila: another call
to MessageBoxIndirectW. After patching the corresponding JE (same
procedure as above), the NAG has finally gone...

So Winkler & Luders did a good job, but considering myself an intermediate, not good enough.

Thanks for your help though.


Panemuckl
07-01-2004, 05:43 PM
Quote:
[Originally Posted by naides]Try braking on the message that gets sent when you click the OK button.


How's that? You mean SoftIce?

JMI
07-01-2004, 06:22 PM
Panemuckl and SvensK:

Our Forum rules clearly PROHIBIT the posting of target code which identifies a commercial target. Both of you have violated this rule and I have edited your posts to remove the offending identifications.

Further violation of this rule will result in drastic consequences. Make sure you do not repeat this violation.

Regards,

naides
07-01-2004, 06:23 PM
Yes, I meant with SoftIce. I do not know if it is doable in Olly, shame on me, I do not use Olly as often as I should.
You need to know the handle of the Nag, window etc that has the button.
You find that out with a SPY program (Ispy, Spy++ etc)
Then you place a breakpoint on message in SoftIce

bmsg Hwnd WM_LEFTBUTTONUP or WM_DESTROY, among others.

When you click the OK button in the NAG, SoftIce breaks and you are deep in the USER32 code woods, but you can trace your way back (F12) into your app near the code that creates and destroys your NAG. It works in a fair number of cases.

Panemuckl
07-01-2004, 06:41 PM
Dear Super Moderator,

Sorry, wasn't aware of that

JMI
07-01-2004, 08:30 PM
Then please read the FAQ linked in the BIG RED LETTERS on the main page of the Forums to learn the rest of the do's and don'ts.

http://www.woodmann.com/fravia/rce-faq.htm

Regards,

hipu
07-02-2004, 01:20 PM
Have you tried looking for the string "Application out of date, please update" and tracing it?