Removing a NAG and writing a patch for ClockWise v2.20a
| Version 1.32 |
Download [tutorial 2] and read it offline |
 |
Our target: "ClockWise"
ClockWise is a combined clock, calendar and scheduling utility with many very useful options not found in other applications. ClockWise features a count-down timer, a stopwatch, up to 5 alarms/reminders, and a powerful application scheduling interface that far surpasses that of many other popular applications. ClockWise allows you to schedule any program to be executed on your computer whenever you want, completely unattended. For example, you can schedule periodic system backups, anti-virus scanners or disk optimizers to run automatically while you're asleep or out of the office. Any application on your system can be run whenever you wish, and you can schedule up to 30 different events. ClockWise can also set your system clock automatically via the Internet (through NTP servers) or via modem and phone line using the NIST atomic clock.
[ClockWise v2.20a]
Tools and help
I used W32Dasm v8.93, Hacker's View v6.02 and Base Calculator v1.3, but previous or later versions should do the job too.
If you can't find these programs at the Programmer TOOLS page:
just perform a ftp search and look for the strings w32dasm, hiew and bcalcns1.zip.
Unzip the hiew archive and you'll obtain another zipped file. Unzip it, the only file you need in order to crack ClockWise is Hiew.exe. Place it wherever you want on your hard disk, but be sure that its path is in your autoexec.bat file.
Cracking the file
Install ClockWise v2.20a and examine this nice piece of software. You'll soon discover the following annoying things:
- An - UNREGISTERED SHAREWARE message is shown in the title bar.
- Select Options, Help and you see that awful REGISTER NOW, click on it and a NAG appears.
- Select Options, Help, About Clockwise... and you'll notice that THIS COPY IS UNREGISTERED SHAREWARE with Serial Number: 000000.
- Select Options, Help, About Clockwise..., "OK": damned, a NAG!
Select Options, Close, Exit ClockWise: damned, that same NAG again!
The NAG will also pop up after you opened the calendar a few times.
Let's begin, but first of all: copy ClockWise.exe to ClockWise.000, you never know what might happen, maybe this is your first cracking-experience!
Also very important: it's not possible to patch a file when the file is opened by another program and/or running.
- Removing the - UNREGISTERED SHAREWARE message.
Click on "Start", "Run..." and type "hiew". Enter.
OK, you're in Hacker's View now, go to the ClockWise directory and select CLOCKW~1.EXE (since Hacker's View is a DOS program, it won't accept long pathnames and long filenames).
Don't be frightened, it's not as bad as it looks!
Press F4 in order to select HEX-mode (F2).
Press F7, if you see "Backward" instead of "Forward" in the window, press F2 and if you see "Block" instead of "Full", just press F4.
Go to the ASCII line and fill in - UNREGISTERED SHARE.
Enter, and there you have - UNREGISTERED SHAREWARE. Let's replace the characters by spaces (hexadecimal value 20).
Press F3 and change:
2D 20 55 4E 52 45 47 49 53 54 45 52 45 44 20 53 48 41 52 45 57 41 52 45
into
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Be aware that ClockWise is not running, otherwise you'll obtain an error message!
Press F9 to update the file.
Press F10 to leave Hacker's View and run ClockWise to check it. No reminder anymore!
There is still another approach to the problem and for that we need our disassembler (W32Dasm).
Disassemble ClockWise.000 now:
Disassembler, Open File to Disassemble.. and select ClockWise.000.
The file should be disassembled after a few moments.
The reason why I prefer to disassemble ClockWise.000 instead of ClockWise.exe is that it is not possible to patch ClockWise.exe while loaded in W32Dasm.
Now we're going to perform a search: Search, Find Text and fill in - UNREGISTERED SHAREWARE. Press a few times arrow-up untill you see the following piece of code:
...
:00412456 85C0 test eax, eax
:00412458 750D jne 00412467
* Possible StringData Ref from Data Obj ->"ClockWise - UNREGISTERED SHAREWARE"
|
:0041245A 68D80A4500 push 00450AD8
:0041245F 8B4DF0 mov ecx, dword ptr [ebp-10]
...
The test at address 00412456 will decide whether the - UNREGISTERED SHAREWARE message will appear or not. If the result of the test equals 1, there won't be a jump to the code at address 00412467 and that's the way it goes when the program isn't registered. However, we want the program to jump to address 00412467 in order to skip the bad code, so let's change jne (75) into je (74).
Move the cursor to address 00412458 and write down the offset address. You can find it at the bottom of the program window. It's 11858.
Before patching, copy ClockWise.000 to ClockWise.exe in order to start with a clean file.
Open Hacker's View (click on "Start", "Run..." and type "hiew", enter).
Go to the ClockWise directory and select CLOCKW~1.EXE.
Press F4 in order to select HEX-mode (F2).
Press F5, fill in the offset address (11858) and enter. You're now at offset address 11858 (just press alt F1 if you don't see the real offset address and if there is a dot in front of each line).
Press F3 and change 75 into 74. Be aware that ClockWise is not running, otherwise you'll obtain an error message!
Press F9 to update the file and F10 to quit Hacker's View.
Run ClockWise to check what you have done. Looks nice.
You're wrong if you think you just removed the - UNREGISTERED SHAREWARE message permanently. Just give a click on the calendar and there you have it again!
Go back to W32Dasm and try to find the next - UNREGISTERED SHAREWARE string:
...
:00417BE5 85C0 test eax, eax
:00417BE7 7515 jne 00417BFE
* Possible StringData Ref from Data Obj ->"ClockWise - UNREGISTERED SHAREWARE"
|
:00417BE9 68D80A4500 push 00450AD8
:00417BEE 8B4DF0 mov ecx, dword ptr [ebp-10]
...
Let's change jne (75) into je (74). Move the cursor to address 00417BE7 and write down the offset address. You can find it at the bottom of the program window. It's 16FE7.
Open Hacker's View (click on "Start", "Run..." and type "hiew", enter).
Go to the ClockWise directory and select CLOCKW~1.EXE.
Press F4 in order to select HEX-mode (F2).
Press F5, fill in the offset address (16FE7) and enter. You're now at offset address 16FE7 (just press alt F1 if you don't see the real offset address and if there is a dot in front of each line).
Press F3 and change 75 into 74. Be aware that ClockWise is not running, otherwise you'll obtain an error message!
Press F9 to update the file and F10 to quit Hacker's View.
Run ClockWise to check if it works, and sure it does, but .... what if you select Options, Help, About Clockwise..., "OK", "Maybe Later"? Oh no, not again!!!
A closer look at ClockWise by means of W32Dasm will teach you that there are still 2 - UNREGISTERED SHAREWARE messages left. The first one is at line 42662, but changing jne into je doesn't help us any further (try it if you don't believe me).
The last one (line 55965) is more interesting:
...
:0041F4EF 85C0 test eax, eax
:0041F4F1 7507 jne 0041F4FA
* Possible StringData Ref from Data Obj ->"ClockWise"
|
:0041F4F3 6828FC4400 push 0044FC28
:0041F4F8 EB05 jmp 0041F4FF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041F4F1(C)
|
* Possible StringData Ref from Data Obj ->"ClockWise - UNREGISTERED SHAREWARE"
|
:0041F4FA 68D80A4500 push 00450AD8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041F4F8(U)
|
:0041F4FF 8BCE mov ecx, esi
...
Let's change jne (75) into je (74). Move the cursor to address 0041F4F1 and write down the offset address. You can find it at the bottom of the program window. It's 1E8F1.
Open Hacker's View (click on "Start", "Run..." and type "hiew", enter).
Go to the ClockWise directory and select CLOCKW~1.EXE.
Press F4 in order to select HEX-mode (F2).
Press F5, fill in the offset address (1E8F1) and enter. You're now at offset address 1E8F1 (just press alt F1 if you don't see the real offset address and if there is a dot in front of each line).
Press F3 and change 75 into 74. Be aware that ClockWise is not running, otherwise you'll obtain an error message!
Press F9 to update the file and F10 to quit Hacker's View.
Run ClockWise to check this experiment. It works!
Both methods have the same result, the only difference is the amount of bytes to patch.
Copy ClockWise.exe to ClockWise.111.
- Removing the REGISTER NOW menu item.
Click on "Start", "Run..." and type "hiew". Enter.
Go to the ClockWise directory and select CLOCKW~1.EXE.
Press F4 in order to select HEX-mode (F2).
Remember: what was the second annoying thing? Yes, REGISTER NOW. Let's do a search!
Press F7, if you see "Backward" instead of "Forward" in the window, press F2 and if you see "Block" instead of "Full", just press F4.
Go to the ASCII line.
Press R, arrow-down, 00, arrow-up, E, arrow-down, 00, arrow-up, G, and so on till you have:
R E G I S T E R N
52 00 45 00 47 00 49 00 53 00 54 00 45 00 52 00 20 00 4E
Since ClockWise is a 32 bit program, it will use 00 between each character.
Move the cursor to the Hex-line and press enter. Bingo!
Now you can change REGISTER NOW in let's say Registered.
Let's try it! You only have to change the HEX-values (take a look at the ASCII table in order to find the right values).
Press F3 and change:
52 00 45 00 47 00 49 00 53 00 54 00 45 00 52 00 20 00 4E 00 4F 00 57 00
into
52 00 65 00 67 00 69 00 73 00 74 00 65 00 72 00 65 00 64 00 20 00 20 00
Be aware that ClockWise is not running, otherwise you'll obtain an error message!
Press F9 to update the file.
Press F10 to leave Hacker's View and run ClockWise to check it. Fine it works, but we still have the NAG when we click on Registered. Go to section 4. to learn how to remove the NAG or read on to find out how to remove REGISTER NOW completely.
In order to remove REGISTER NOW completely, we have to use our disassembler (W32Dasm) again.
Disassemble ClockWise.000 (if it's not done yet):
Disassembler, Open File to Disassemble.. and select ClockWise.000.
The file should be disassembled after a few moments.
Now we're going to perform a search: Search, Find Text and fill in REGISTER NOW. There are 2 REGISTER NOW strings (in capitals), but only the second is important for us. Press a few times arrow-up untill you see the following piece of code:
...
:0040C4B8 85C0 test eax, eax
:0040C4BA 740D je 0040C4C9
:0040C4BC 6A00 push 00000000
:0040C4BE 8B4604 mov eax, dword ptr [esi+04]
* Possible Ref to Menu: MenuID_00A6, Item: "REGISTER NOW"
|
:0040C4C1 685D800000 push 0000805D
:0040C4C6 50 push eax
:0040C4C7 FFD7 call edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C4BA(C)
|
:0040C4C9 5F pop edi
...
Dependent on the result of the test at address 0040C4B8 there will or there won't be a jump to address 0040C4C9. This is a good jump because it skips the code producing the REGISTER NOW message. This jump will only occur when we register the program or... when we change je (74) into jne (75), in other words, we force the program to jump to the right code.
Move the cursor to address 0040C4BA and write down the offset address. You can find it at the bottom of the program window. It's B8BA.
It's time again to use Hacker's View in order to patch the file, but first of all copy ClockWise.111 to ClockWise.exe in order to start with a clean file.
Click on "Start", "Run..." and type "hiew". Enter.
Go to the ClockWise directory and select CLOCKW~1.EXE.
Press F4 in order to select HEX-mode (F2).
Press F5, fill in the offset address (B8BA) and enter.
Press F3 and change 74 into 75. Be aware that ClockWise is not running, otherwise you'll obtain an error message!
Press F9 to update ClockWise.exe and press F10 to leave Hacker's View.
Check what you have done. Got it?
Copy ClockWise.exe to ClockWise.222.
- Removing THIS COPY IS UNREGISTERED SHAREWARE with Serial Number: 000000.
We are going to patch this message too and yes ... start Hacker's View and load CLOCKW~1.EXE.
Press F4, F2.
Let's search for 000000:
Press F7, if you see "Backward" in the window, press F2 and if you see "Block", just press F4.
Go to the ASCII line and fill in 000000, enter.
Serial Number: 000000 doesn't look very credible so let's change it in whatever you want, for instance 587469. You will need an ASCII table to convert ASCII values to hexadecimal values, but first, write down the offset addresses of the bytes you're going to change. If you see a dot in front of each line, press alt F1. Patching starts at 4F2AB and ends at 4F2B0.
Press F3 and change:
30 30 30 30 30 30
into
35 38 37 34 36 39
Press F9 to update the file.
Press F10 to leave Hacker's View and run ClockWise to check it.
So far so good. Exit ClockWise, start Hacker's View, load CLOCKW~1.EXE and try to find THIS COPY IS UNREGISTERED SHAREWARE.
I'm sure you're able to find it on your own, but if not, here you are:
Press F4, F2, F7, if you see "Backward" in the window, press F2 and if you see "Block", just press F4.
Go to the ASCII line and fill in THIS COPY, enter.
Press alt F1 if you see a dot in front of each line and write down the offset addresses of the bytes you're going to change (4F2B4 ... 4F2D6). You're free to change THIS COPY IS UNREGISTERED SHAREWARE in whatever you want, but you shouldn't exceed the actual length, in this case 35 characters. If your chosen message is shorter than 35 characters, then use hexadecimal value 20 to patch the unused space.
In my patch I changed THIS COPY IS UNREGISTERED SHAREWARE into THANK YOU FOR REGISTERING THIS COPY.
Press F3 in order to patch the file and change:
54 48 49 53 20 43 4F 50 59 20 49 53 20 55 4E 52 45 47 49 53 54 45 52 45 44 20 53 48 41 52 45 57 41 52 45
into
54 48 41 4E 4B 20 59 4F 55 20 46 4F 52 20 52 45 47 49 53 54 45 52 49 4E 47 20 54 48 49 53 20 43 4F 50 59
Some characters don't light up because they correspond with the values of the original message.
Press F9 to update the file and leave Hacker's View (F10).
Run ClockWise, select Options, Help, About Clockwise.... Nice, isn't it?
Copy ClockWise.exe to ClockWise.333.
- Removing the NAG.
Exit ClockWise. When leaving ClockWise, a NAG appears. Note the words "Unregistered Shareware" in the title bar. Click on "Maybe Later".
Start Hacker's View again and load CLOCKW~1.EXE.
Press F4, F2.
Remember the words "Unregistered Shareware". Let's do a search!
Press F7, if you see "Backward" in the window, press F2 and if you see "Block", just press F4.
Go to the ASCII line.
Press U, arrow-down, 00, arrow-up, n, arrow-down, 00, arrow-up, r, and so on till you have:
U n r e g i s t e r
55 00 6E 00 72 00 65 00 67 00 69 00 73 00 74 00 65 00 72
Move the cursor to the Hex-line and press enter. Bingo!
Now take your magnifying-glass to find FF FF FF FF 82. This code will generate dialogs.
At offset address 0005C01C, you'll find that particular string.
Again, if you see a dot in front of each line, just press alt F1.
Now go to offset address 0005C020, press F3 and change 82 into 7E. Press F9.
Press F10 to leave Hacker's View an run ClockWise.
select Options, Help, About Clockwise..., "OK": no NAG anymore!!!!!!
select Options, Close, Exit ClockWise: no NAG anymore!!!!!!
Writing a patch
You should have written down the offset address of the bytes you changed:
| Hexadecimal offset address | Decimal offset address | Old value | New value |
| 11858 | 71768 | 750D | 740D |
| 16FE7 | 94183 | 7515 | 7415 |
| 1E8F1 | 125169 | 7507 | 7407 |
| B8BA | 47290 | 740D | 750D |
| 4F2AB | 324267 | 3030 | 3538 |
| 4F2AD | 324269 | 3030 | 3734 |
| 4F2AF | 324271 | 3030 | 3639 |
| 4F2B4 | 324276 | 5448 | 5448 |
| 4F2B6 | 324278 | 4953 | 414E |
| 4F2B8 | 324280 | 2043 | 4B20 |
| 4F2BA | 324282 | 4F50 | 594F |
| 4F2BC | 324284 | 5920 | 5520 |
| 4F2BE | 324286 | 4953 | 464F |
| 4F2C0 | 324288 | 2055 | 5220 |
| 4F2C2 | 324290 | 4E52 | 5245 |
| 4F2C4 | 324292 | 4547 | 4749 |
| 4F2C6 | 324294 | 4953 | 5354 |
| 4F2C8 | 324296 | 5445 | 4552 |
| 4F2CA | 324298 | 5245 | 494E |
| 4F2CC | 324300 | 4420 | 4720 |
| 4F2CE | 324302 | 5348 | 5448 |
| 4F2D0 | 324304 | 4152 | 4953 |
| 4F2D2 | 324306 | 4557 | 2043 |
| 4F2D4 | 324308 | 4152 | 4F50 |
| 4F2D6 | 324310 | 4500 | 5900 |
| 5C020 | 376864 | 8200 | 7E00 |
Now you can write a small program. I wrote and compiled my patch with [Microsoft QuickBASIC v4.5].
Run Base Calculator to translate the hexadecimal offset address to a decimal one. Select "Hex", select "32 bits" and fill in 11858. Select "Dec" now and write down the decimal value (71768). Do the same for the other offset addresses.
Attention! QuickBASIC patches the file "backwards". Therefore you should use offset address + 1 in the program. Here it is:
ON ERROR GOTO Oops
FILES "clockw~1.exe"
GOSUB Title
OPEN "clockw~1.exe" FOR BINARY AS #1 LEN = 1
READ Addr&, OldByte%, NewByte%
DO
GET #1, Addr&, GetByte%
IF GetByte% <> OldByte% THEN GOTO WrongVersion
READ Addr&, OldByte%, NewByte%
LOOP UNTIL Addr& = -1
RESTORE
READ Addr&, OldByte%, NewByte%
DO
PUT #1, Addr&, NewByte%
READ Addr&, OldByte%, NewByte%
LOOP UNTIL Addr& = -1
PRINT " File successfully patched !"
CLOSE #1
END
Oops:
GOSUB Title
SELECT CASE ERR
CASE 53
PRINT " File 'clockwise.exe' not found !"
PRINT " Run this program in the 'ClockWise directory' !"
END
END SELECT
Title:
CLS
PRINT " / ,"
PRINT " /\ \|/ /\"
PRINT " |\\_;=._//|"
PRINT " \." "./"
PRINT " //^\ /^\\"
PRINT " .'``",/ |0| |0| \,"``'."
PRINT " / , `'\.---./'` , \"
PRINT " /` /`\,."( )".,/`\ `\"
PRINT " /` ( '.'-.-'.' ) `\"
PRINT " /"` "._ : _." `"\"
PRINT " `/.'`"=.,_``=``_,.="`'.\`"
PRINT " .-"-. ) ( .-"-."
PRINT "+-------{'. '`}-----~ ~-----{'. '`}-------+"
PRINT "| `"---"` `"---"` |"
PRINT "| NAG removing patch for ClockWise v2.20a |"
PRINT "| http://www.rjsoftware.com |"
PRINT "| |"
PRINT "| By Snowcat |"
PRINT "+-------------------------------------------+"
PRINT
RETURN
WrongVersion:
GOSUB Title
PRINT " This is not the correct ClockWise version,"
PRINT " or maybe it is,"
PRINT " but the file has been patched already."
END
DATA 071769,&H0D75,&H0D74
DATA 094184,&H1575,&H1574
DATA 125170,&H0775,&H0774
DATA 047291,&H0D74,&H0D75
DATA 324268,&H3030,&H3835
DATA 324270,&H3030,&H3437
DATA 324272,&H3030,&H3936
DATA 324277,&H4854,&H4854
DATA 324279,&H5349,&H4E41
DATA 324281,&H4320,&H204B
DATA 324283,&H504F,&H4F59
DATA 324285,&H2059,&H2055
DATA 324287,&H5349,&H4F46
DATA 324289,&H5520,&H2052
DATA 324291,&H524E,&H4552
DATA 324293,&H4745,&H4947
DATA 324295,&H5349,&H5453
DATA 324297,&H4554,&H5245
DATA 324299,&H4552,&H4E49
DATA 324301,&H2044,&H2047
DATA 324303,&H4853,&H4854
DATA 324305,&H5241,&H5349
DATA 324307,&H5745,&H4320
DATA 324309,&H5241,&H504F
DATA 324311,&H0045,&H0059
DATA 376865,&H0082,&H007E
DATA -1,-1,-1
Download the [source code]
Download the [crack]
Conclusion
In this session, you've learned to remove a NAG and to write a patch. There is a huge amount of shareware on the Net, but please, don't be a simple Usenet visitor to get your cracks. Just practise, write your own patches and you'll feel much more satisfied!
SNOWCAT
Click here when you think this tutorial is OK |
 |
Tutorial created by Snowcat
Tutorial created: 7th November 1998
Version 1.32, last updated: 6th August 1999 |