Cracking NWE404's Nag
Courtesy of Fravia's page of reverse engineering
There is a crack, a crack in everything That's how the light gets in
( )Beginner (X )Intermediate ( )Advanced ( )Expert
There are many ways to get rid of a nag...this is
one of them. In a AFAIK un-documented way, at least for newbies like me.
Cracking NWE404's Nag
Written by Vanapaha
When you can't N0P out the nag then try this method. AFAIK it should work
almost everywhere...i haven't had much chance to test it though. Even if
it doesn't work for the nag you're cracking it's still nice to know.
As you should already know there's code behind a window accepting
user input. Many cracks are based on the obvious..simulating user input.
But what if i don't simulate the input..what if i change the way the
input it handled? For example: User clicks button 'A' i crack the code
that handles input and the code for button 'B' executes though
button 'A' is clicked. You get the idea? Good..then read on.
Imagine a nag with a 'Continue' button..that you have to click.
Imagine that i've cracked the code behind the scenes that takes
care of the user input. And i've cracked it so that when 'Continue'
button is NOT clicked the code thinks that it IS. Lol, just
another user input simulation.
Hiew (or any other hex-editor of your choice, for patching)
http://www.namo.com -- bloatware warning!
NWE404 - Namo Web Editor 4.04
It should be better than the previous version, but it's certainly bigger. Never used the program..and
probably never will.
I run windoze just to crack it's programs...also the stuff doesn't
run on linux, besides..i got vi.
First things first, get rid of the time-trial. You may do it your way but
this is how i did it.
Set bpx GetSystemTime and start the program. It'll soon trigger...get back
to the program what you're cracking before you continue. Once you're in
and you're as paranoid as i'm you of course check every possible call.
Let's go then...
Take the first call,the another one(not !wsprintfA) it'll be
a RegOpen. Already in registry? Get out of this call and goto the next one.
Hmm..ReqQueryValueExA..so what's it checking. Look @ eax before the call to
RegQueryValueExA. It says something about time. Could this be the time
check..? Well go on..after it has called the RegQueryValueExA you'll see
I had set my system time one year foward before i began cracking this so it
should say expired once i reach the nag. And since eax said something about
time before and this jump wasn't jumping i checked it out. It turns out that
if you take this trip then it'll think that you're on the first day of your
evaluation period. Just patch it so that this jump executes and you've
cracked the time trial.
Now we still got that stupid nag. Like i said before we're using the window
input handling routine to get rid of it. The nag is obviously a Dialog so
bpx DialogBoxParamA should trigger. And it does. It'll show the nag..press
continue and get inside the program you're cracking. You should land right
after the DialogBoxParamA call. Check the SDK Reference about this call.
HINSTANCE hInstance, // handle to application instance
LPCTSTR lpTemplateName, // identifies dialog box template
HWND hWndParent, // handle to owner window
DLGPROC lpDialogFunc, // pointer to dialog box procedure
LPARAM dwInitParam // initialization value
Note that ASM passes variables in the reverse order. So the second push is
the pointer for dialog box procedure. It's soon after the call..
Coz i'm a newbie and don't understand exactly how this stuff works i just
tried to reverse every conditional jump. It was the first JNE jump.
If you reverse that to JE jump then it'll think that the 'Continue' button
was clicked and kill the nag! At least..that's what i think it's doing,lol.
Now when you try it out and want to close the program you'll see another nag.
This is more than a simple MessageBoxA nag. I'll leave some fun for you..
If you don't read the following, lol.
Set bpx MessageBoxA ,what did you expect? Now modify the document and try
to close the document window..SoftIce will pop up,that's ok..trace it back
to the source.You'll see that you came out of a call. What takes
two parameters (two pushes before that). Wonder what would happen if i
would replace the second push with push 00? Something very
unexcpected happend. The nag was gone..
I hope you understood what this all was about. It was about reversing
the stuff behind the scenes..behind the obvious. Til next time..
I wont even bother explaining you that you should BUY this target
program if you intend to use it for a longer period than the allowed one. Should
you want to STEAL this software instead, you don't need to crack its protection
scheme at all: you'll find it on most Warez sites, complete and already regged,
farewell, don't come back.
You are deep inside Fravia's page of reverse engineering, choose
your way out:
homepage links search_forms
+ORC how to protect
antismut CGI-scripts mail_Fravia
Is reverse engineering