Thread: program restarts and nag is back after fake reg entries....can't even bypass the nag

  1. #1
    angelic_devil
    Guest

    Hi,

    I'm trying to crack this software for educational purposes only... I'm a noob btw. Though I went through Lena's tutorials, this one I couldn't figure out... it just seems to go over my head.

    This program on startup shows a nag that allows you to continue on trial for 20 days and has a registration option too. When I enter the registration key the program gives the message "the program must be restarted now. click ok to restart it" but on restarting it doesn't bypass, instead it shows the nag. I know the check is probably at the start. I found a cmp line there, altered its Z flag, and it bypasses it once, but next time it loops and pop comes the nag again... uhhhh! If it were human I would rip its head off.

    So far I was able to locate the license file name... created it in the folder and entered dummy values in it for the check.

    The other method I tried was to bypass the nag screen totally and make the software run as the full program, but the calls are in some sort of loop and no matter how many times I tried I couldn't break out of the loop... there seem to be multiple checks and calls to the nag. I tried looking for the reference text "unregistered" but it seems even that is missing... it's weird... can someone guide me on what I'm doing wrong in this?

    Thanks

    P.S. I posted the screenshot of the startup code for reference.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Patches made in the debugger are 'in memory' and are lost when you close & restart.
    You need to save them into the executable, something that you can do by right clicking and 'saving' them, in the Olly view.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  3. #3
    angelic_devil
    Guest
    Did save it as an exe with modifications, still the nag pops up... am I making the correction at the correct place?

  4. #4
    angelic_devil
    Guest
    I was able to get rid of the nag after a lot of exploring... but after saving and reopening it gives an error: critical download error

    Here is what I did... in the image below
    http://i1208.photobucket.com/albums/cc367/littledevil05/solution.jpg

    I had put a breakpoint at 006e4023 and found that

    when I made the Z flag 0 for the JE SHORT 006E4032 and NOP the JNZ SHORT 006E4032 and press F9, the program bypasses the nag and loads the program in Olly. But saving it as an executable and then running it outside gives me the error "critical application error. please re-download and re-install the program". I observed this error is at opcode 006e4068.

    For patching I'm replacing both the je and jz with nop.

    It's so irritating to come this close and still mess up.

    Someone please guide.

    Thanks in advance

  5. #5
    Reopen the patched version, place a hardware (read data) breakpoint where you changed the code, and run.
    99% you'll end up in a cycle that CRC-checks your binary - or you end up in a WinAPI that verifies the exe CRC.

  6. #6
    angelic_devil
    Guest

    Hi

    Screenshot 1 is the modification I made. I put the hardware break on execution above at the cmp opcode 006e401c... saved it as an exe with modifications. http://i1208.photobucket.com/albums/cc367/littledevil05/sol1.jpg

    Then I reopened the modified one and put a hardware break on execution at the nop with opcode 006e4023. Then when I run I get the screenshot 2 error. http://i1208.photobucket.com/albums/cc367/littledevil05/sol2.jpg

    If instead of a hardware break I put memory on access then I get the screenshot 3 error. http://i1208.photobucket.com/albums/cc367/littledevil05/sol3.jpg

    On further in-depth checking I found that it goes into ntdll, opcode 006e402b probably raises an exception as that is the one that allows the nag to turn up or disappear. It seems to not raise an exception when altering the flags and testing... but raises an exception with changing je and jnz to nop.

    What if I tell you the program name... maybe you can test it from your end and help me figure out what I'm doing wrong.

  7. #7
    It may have more checks. Why not patch the function that affects the conditional rather than the conditional? ..that would be the smarter thing to do (imho)
