How to USE nag screens
(Nagscreens and CRC checking show us the way)
(11 November 1997, snatched and slightly edited by Fravia+)
Courtesy of Fravia's page
of reverse engineering
Well, a 'snatched' essay... strangely enough ^pain^ never sent it to me... yet I find it interesting! Therefore I have decided to publish it nevertheless!
How to USE nag screens?
What I`m about to teach in this tutorial, is simply how to USE nag screens,
yeah yeah, it sounds ridiculous, and, I`m not sure that i`m not inventing
the Wheel here, but, I've never seen any tutorial about this issue...
I`ll assume you have some knowledge in:
1.SoftIce (Winice will be more percisive...).
2.cracking (ie, about 2-3 months of cracking..).
3.Nag Screens (How to kill'em - but, that's of course not what will be discussed
Tools you`ll need for this tutorial:
2.Hex Work Shop (ANY VERSION) / or any other good Hex Editor.
Programs that will be discussed in here:
1.DeskWipe v1.2 : URL - Http://Home.sol.no/Frankm
2.Idyle Phone Book Pro 97 V2.21 : URL - Http://www.idyle.com/
Some words for start
What we're going to be doing here, is to use the nag screens in order to
get to the registration routines, in programs that newbies usually find
hard to handle - The programs that have NO visible registration info...
Which means, programs without register boxes... etc..
Our basic method here, will be to set a break point on a messagebox , or
some other forms of nag screens that will be discussed here later,
then , after breaking in the nag screen routine, look back in the code,
and see what condition brought us to the nag screen, then, break point in that
condition (ie, je,jz,jnz etc....), and disable it... ;-)
Sounds like we`re just about to start our cracking here...... :)
The first program I'd like to discuss is one of the simplest...
DeskWipe 1.2 Cracking (Using nag screen).
OK, we're all set with SoftIce running?
great, lets start the program to see the actual protection scheme...
After launching DeskWipe 1.2 , quickly pops a nag screen, errrgh! sux!
Lets Exit the program , and set a bp on messageboxa, then, run it again...
oh, no ;`[ , we're lost, messageboxa wasn`t such a lucky guess,
Hmm..... Now, we can use our knowledge in nag screen (which is not too hard
to achieve btw...;), while we're in the nag screen, press CTRL+D, And,
type hwnd deskwipe...
You`ll see only one button , BMSG on it, (For me , it gave 0688...).
Now, press CTRL+D, and follow my instructions FULLY! (I'd really wish to
talk to you guys about these stuff, but, that's not for this tutorial,
and, it won`t serve my targets...).
1.After pressing CTRL+D , you`ll pop again in SICE, press F12 9 times.
2.press F10 several times, until you get to this instruction:
JZ 420940 / This one, you`ll have to NOP in order to pass the nag screen,
/ because, this is the condition, if the Button was pressed
/or wasn`t... (That was just a side comment).
NOP the JZ...
3.now, we can Continue pressing F12 7 more times...
until we're popped in this instruction:
Let's now press CTRL+UP several times, (to see the above code, that
brought us to this nag screen)
Until you get to this:
MOV EAX, / The initial value for the registration routine
CALL 425FFC / The registration routine itself!!! ;)
INC EAX / The Boolean identifier, that's used to determine if
JZ 426EA6 / The registration was successful...
I`ll leave you guys the job to Register this program (NOTE that in order
to crack this one with Patching, you`ll HAVE to change EAX's value INSIDE
the registration routine, But, it won`t be the BEST crack, for making the
BEST crack, you`ll have to make a license file... - I`ll leave this job to
you, I`m not trying here to teach how to do key files, I already assume
that you can handle the registration routine by yourself... ;)
Well , that's it for this program , Now , Let's move to some harder
Lets Crack Idyle Phone Book Pro 97 Now!!
Phone Book Pro 97 V2.21 Cracking!!!
I'd like to take this opportunity to GREET the author, Damien Rame, for a
GREAT interface: I've never seen a better phone book! If you use this program,
please send him money! he deserves that!
This one, is about to be harder to do than the previous one.
I`m about to do patching here , just to give you an example of a CRC checking
that's kicking ya from the program if it detects patching (this is usually
done by doing CheckSum to the EXE and comparing it with a Value that's
We're all set with our little SoftIce? :)
Lets launch the program...
press the About/Register button...
Hmm, interesting... the author seems to be pretty smart, look what he did,
he DIDN`T give ya ANY buttom to press in order to tell the program to check
the registration info that was entered!!!
How do we solve this problem?
Well, it's obvious that the program checks the registration info in REAL TIME
(ie, when you enter it in the dialog box).
OK, Let's try something here:
I entered Name :^pain^ '97
Reg Code: 9999999
Wait, Let's Press CTRL+D, and, set a bp in HMEMCPY,then , press CTRL+D again,
and, add another char to the reg code...
YES! we popped right next to the registration routine...
Let's press F12 now until we get to the program code, and, trace the code
until we get to this instruction (The registration routine itself):
Now, it's obvious what you should do: trace in the registration routine,
Set a bp on some code in the registration routine, and, restart the program.
(Don`t worry, I know what I`m doing...)
After we pop back in Sice...
Exit the routine, and ,do the patch OUTSIDE the routine!!! (VERY IMPORTANT!)
(ie, TEST AL,AL ===> OR AL,01)
Now, we're all set for the point I want to discuss... :)
Launch the program!
Oh my! Now Look what happens! This program does CRC checking! (Did I ever
say the author is a smart guy? ;-) Although, he did a stupid thing...
Left us a MSG TYPE ERROR BOX!!! (That says there was a CRC error, and that
the program will now be terminated!) Let's use this to our advantage! :)
Launch the program AGAIN!
when you get to the Error Button.
1.Type in Sice HWND.
2.BMSG on the ONLY button that PHONEBOOK uses.
4.Press F12 5 times.
5.Press F10 until you get to this instruction:
JZ 00430CE2 / Nop the JZ...
(Only a temporary change for passing the msg box).
6.Press F12 8 more times.
7.Press CTRL+UP some times, until you see this:
CALL 445570 / CRC Checking routine... :)
CMP EBX,-2 / Boolean Identifier.
Now, All you have to do, is to change the CMP EBX,-2 ==> MOV EBX,01
JNZ 459409 ==> JMP 459409
And , we're all set! ;)
simple eh? :)
After nopping it, patch the EXE and you will have a FULL crack! :)
NOTE that that's not how I did the crack, I did a better patch, but I really
don`t remember now what the cuckoo did I patch, and, it's not really important
for our discussion anyway ;) So, you`ll have to forgive me...
Well, I think that's it, I've cleared my point, and , I think it's time to
Hope you found this info interesting.....(I wouldn`t like to have spent my
time for nothing... ;-)
Ohhh...... almost forgotten, I'd like to greet the following dudes:
All the great guys in #cracking & #Cracking4newbies
And all the rest of you M$ fighters I've forgotten!
Signing off - ^pain^ [mEXELiTE] in the year of 1997 -
(c) ^pain^ 1997. All rights reversed
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Is reverse engineering legal?