Nagware
Cracking NWE404's Nag

3/12/01

by Vanapaha

Courtesy of Reverser's page of reverse engineering
slightly edited by +Tsehp

There is a crack, a crack in everything. That's how the light gets in.

Rating
( )Beginner (X )Intermediate ( )Advanced ( )Expert
There are many ways to get rid of a nag... this is one of them, and one that is,
AFAIK, undocumented, at least for newbies like me.
When you can't N0P out the nag, try this method. AFAIK it should work
almost everywhere... I haven't had much chance to test it, though. Even if
it doesn't work for the nag you're cracking, it's still nice to know.
As you should already know, there's code behind a window that accepts
user input. Many cracks are based on the obvious: simulating user input.
But what if I don't simulate the input... what if I change the way the
input is handled? For example: the user clicks button 'A', and I crack the code
that handles the input so that the code for button 'B' executes even though
button 'A' was clicked. You get the idea? Good, then read on.
Imagine a nag with a 'Continue' button that you have to click.
Imagine that I've cracked the code behind the scenes that takes
care of the user input, and I've cracked it so that when the 'Continue'
button is NOT clicked the code thinks that it IS. Lol, just
another user input simulation.
SoftIce
Hiew (or any other hex-editor of your choice, for patching)
http://www.namo.com -- bloatware warning!
NWE404 - Namo Web Editor 4.04
It should be better than the previous version, but it's certainly bigger. I've never used the program... and
probably never will.
I run windoze just to crack its programs... besides, the stuff doesn't
run on Linux, and I've got vi.
First things first: get rid of the time trial. You may do it your way, but
this is how I did it.
Set bpx GetSystemTime and start the program. It'll soon trigger... get back
to the program you're cracking before you continue. Once you're in,
and if you're as paranoid as I am, you of course check every possible call.
Let's go then...
Take the first call, then the next one (not !wsprintfA); it'll be
a RegOpen. Already in the registry? Get out of this call and go to the next one.
Hmm... RegQueryValueExA... so what's it checking? Look at eax before the call to
RegQueryValueExA. It says something about time. Could this be the time
check? Well, go on... after it has called RegQueryValueExA you'll see
    test eax,eax
    jnz take_this_trip
I had set my system time one year forward before I began cracking this, so it
should say expired once I reach the nag. And since eax said something about
time before and this jump wasn't jumping, I checked it out. It turns out that
if you take this trip then it'll think that you're on the first day of your
evaluation period. Just patch it so that this jump executes and you've
cracked the time trial.
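To see why one flipped jump is enough here, it helps to look at the same check from the program's side. The following is an added example written for this page; it is not code from the essay or from Namo. It models in portable C the trial check described above: a single "did the read fail?" branch right after the registry read, where a failed read is treated as day one of the trial. The registry is replaced by a constructed in-memory table, and the names store_get, StoreEntry, FirstRun and LastRun are assumptions made for this example. Beside it sits a fail-closed version that treats an unreadable or inconsistent timestamp as expired instead of as a fresh install, which is the point a defender would take from this essay.

```c
#include <stddef.h>
#include <string.h>

#define TRIAL_DAYS 30
#define SECONDS_PER_DAY 86400L

enum { TRIAL_OK = 0, TRIAL_EXPIRED = 1 };

/* Constructed stand-in for one registry value. The real program reads these
 * with RegQueryValueExA, which returns 0 (ERROR_SUCCESS) or an error code. */
typedef struct {
    const char *name;
    long value;   /* seconds since epoch; constructed sample data */
    int present;  /* 0 models a missing or unreadable value */
} StoreEntry;

/* Hypothetical replacement for RegQueryValueExA: 0 on success, 2 if absent. */
static int store_get(const StoreEntry *store, size_t n, const char *name, long *out)
{
    for (size_t i = 0; i < n; i++) {
        if (store[i].present && strcmp(store[i].name, name) == 0) {
            *out = store[i].value;
            return 0;
        }
    }
    return 2;
}

/* The pattern the essay found: "test eax,eax / jnz" right after the read.
 * The only question asked is whether the read failed, and a failed read is
 * taken to mean the first day of the trial. The check fails open. */
static int weak_trial_check(const StoreEntry *store, size_t n, long now)
{
    long first_run;
    if (store_get(store, n, "FirstRun", &first_run) != 0)
        return TRIAL_OK;                      /* missing value => day one */
    return (now - first_run) / SECONDS_PER_DAY >= TRIAL_DAYS
               ? TRIAL_EXPIRED : TRIAL_OK;
}

/* Fail-closed alternative: an unreadable value, a first-run stamp in the
 * future, or a last-run stamp later than "now" (clock rolled back) all
 * count as expired rather than as a fresh install. */
static int hardened_trial_check(const StoreEntry *store, size_t n, long now)
{
    long first_run, last_run;
    if (store_get(store, n, "FirstRun", &first_run) != 0) return TRIAL_EXPIRED;
    if (store_get(store, n, "LastRun", &last_run) != 0) return TRIAL_EXPIRED;
    if (first_run > now || last_run > now || last_run < first_run)
        return TRIAL_EXPIRED;
    return (now - first_run) / SECONDS_PER_DAY >= TRIAL_DAYS
               ? TRIAL_EXPIRED : TRIAL_OK;
}

/* Scenario from the essay: the FirstRun value cannot be read (constructed).
 * Returns 1 when the weak check says OK while the hardened one says expired. */
int demo_missing_value(void)
{
    StoreEntry store[] = { { "FirstRun", 0, 0 }, { "LastRun", 0, 0 } };
    long now = 1000L * SECONDS_PER_DAY;
    return weak_trial_check(store, 2, now) == TRIAL_OK
        && hardened_trial_check(store, 2, now) == TRIAL_EXPIRED;
}

/* Scenario: 45-day-old install with a consistent last-run stamp; both agree. */
int demo_expired(void)
{
    long now = 1000L * SECONDS_PER_DAY;
    StoreEntry store[] = { { "FirstRun", now - 45 * SECONDS_PER_DAY, 1 },
                           { "LastRun",  now - 1 * SECONDS_PER_DAY, 1 } };
    return weak_trial_check(store, 2, now) == TRIAL_EXPIRED
        && hardened_trial_check(store, 2, now) == TRIAL_EXPIRED;
}

/* Scenario: 10-day-old install; both checks still allow it. */
int demo_within_trial(void)
{
    long now = 1000L * SECONDS_PER_DAY;
    StoreEntry store[] = { { "FirstRun", now - 10 * SECONDS_PER_DAY, 1 },
                           { "LastRun",  now - 2 * SECONDS_PER_DAY, 1 } };
    return weak_trial_check(store, 2, now) == TRIAL_OK
        && hardened_trial_check(store, 2, now) == TRIAL_OK;
}

/* Scenario: the clock was set back after a run, so LastRun is in the future.
 * Only the hardened check notices. */
int demo_clock_rolled_back(void)
{
    long now = 1000L * SECONDS_PER_DAY;
    StoreEntry store[] = { { "FirstRun", now - 10 * SECONDS_PER_DAY, 1 },
                           { "LastRun",  now + 5 * SECONDS_PER_DAY, 1 } };
    return weak_trial_check(store, 2, now) == TRIAL_OK
        && hardened_trial_check(store, 2, now) == TRIAL_EXPIRED;
}
```

The design lesson is the fail-open branch: in the weak check every failure path lands on the "first day" outcome, so a single inverted jump covers every case. The hardened version has no single branch that turns every failure into success, and it cross-checks two stamps against each other and against the current time, which is what makes a clock set forward (as the author did) or backward show up as an inconsistency rather than a fresh trial.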
Now we've still got that stupid nag. Like I said before, we're using the window's
input-handling routine to get rid of it. The nag is obviously a dialog, so
bpx DialogBoxParamA should trigger. And it does. It'll show the nag... press
Continue and get inside the program you're cracking. You should land right
after the DialogBoxParamA call. Check the SDK Reference for this call:
int DialogBoxParam(
HINSTANCE hInstance, // handle to application instance
LPCTSTR lpTemplateName, // identifies dialog box template
HWND hWndParent, // handle to owner window
DLGPROC lpDialogFunc, // pointer to dialog box procedure
LPARAM dwInitParam // initialization value
);
Note that in ASM the parameters are pushed in reverse order, so the second push is
the pointer to the dialog box procedure. It's soon after the call...
Because I'm a newbie and don't understand exactly how this stuff works, I just
tried reversing every conditional jump. It was the first JNE jump.
If you reverse that to a JE jump then it'll think that the 'Continue' button
was clicked and kill the nag! At least... that's what I think it's doing, lol.
Now when you try it out and want to close the program, you'll see another nag.
This is more than a simple MessageBoxA nag. I'll leave some fun for you...
if you don't read the following, lol.
Set bpx MessageBoxA; what did you expect? Now modify the document and try
to close the document window... SoftIce will pop up, that's ok... trace it back
to the source. You'll see that you came out of a call that takes
two parameters (two pushes before it). I wondered what would happen if I
replaced the second push with push 00. Something very
unexpected happened: the nag was gone...
I hope you understood what this was all about. It was about reversing
the stuff behind the scenes... behind the obvious. Till next time...
I won't even bother explaining to you that you should BUY this target
program if you intend to use it for a longer period than the allowed one. Should
you want to STEAL this software instead, you don't need to crack its protection
scheme at all: you'll find it on most Warez sites, complete and already regged;
farewell, don't come back.