Nag Removal Using Softice and Hiew

Crackme 2 by Acid Burn

By Krobar / Dec 1999

It time for the nag to die!!

When we click on this crackme, we are greeted with a message box. We dont want it, so what we gonna do?? We want to find out what makes the nag happen, so what we really want is for softice to break when that message box is called, so we can have a look at the code.

Fortunately, there are breakpoints that we can use to make this happen. The obvious one is to set a breakpoint on messagebox to which we add an A at the end because it is a 32 bit program. Study the documents and tuts available on this site to learn more about all this.

All we got to know is that we gonna use the breakpoint bpx messageboxa and see if we can get softice to break when this function is called.

So Ctrl D softice up and type bpx messageboxa then push enter.

Now double click the crackme (to open it), and yeah softice springs to life. Push F11 and you'll be greeted with the crackme nag. Click ok (on the nag) and pow, back into softice, and you'll see that we in the program if you look between the bottom two windows.

We see this:


xxxx:0042A1A9 E8FAB5FDFF   CALL USER32!MessageBoxA
xxxx:0042A1AE 8945FC       MOV  [EBP-04]-EAX<-we land here

Now if you look at the line above where we land, you'll see a call to USER32! MessageBoxA. Hmmm...with a bit of thought we could come to the conclusion that if that call did not happen, then the message box would not appear.

We gonna try it. We discussed nop previously, but for those of you who have just jumped in without starting at the beginning, I'll explain it one more time. Nop means no operation and causes the program to do nothing for that particular line. The hex for nop is 90 and each nop is equal to one byte. So two numbers equals one byte. If you look above to the call, at the hex instruction for the call ( E8FAB5FDFF ) you see ten numbers...so it equals five bytes. When we nop out this call, we gotta make sure it five bytes.

Nopping out the call should mean that the message box never happens and therefore no nag.

Lets give it a go! Take a note of the whole line
xxxx:0042A1A9 E8FAB5FDFF CALL USER32!MessageBoxA
, and especially the address
0042A1A9
, then F5 out of softice.

I not going to explain what to do with Hiew...you'll just have to go back and read previous tuts if you dont know, but, I will remind you to make a backup copy of the PATCHED crackme2 (in case the changes we make are wrong).

Load one of the copies into hiew, then push F4 and select HEX mode. Push enter to go into Hex mode, then F5, and enter the address .0042A1A9 remembering to put the full stop BEFORE the number. If you lost, it means you havent read the previous tuts so tough matey, catch up later.

We nearly there. You should land on the hex instruction that comes after the address. That is you should land here: E8FAB5FDFF, of course surrounded by lots of other numbers/letters. The white cursor square should be on the E8.

If you dont end up here, you may have to push Alt/F1 and try again. Toggling this enables us to put an address we found in softice straight into hiew, but I not sure which is the default setting. One of them will get you to where you want to be anyway.

When we there, push F3 (edit), make sure the cursor square is highlighting the E8 then enter 90. The E8 will be replaced by 90. You remember how may times we have to add 90?? Five! So enter 90 four more times, and you'll observe the white square cursor moving along as we make our changes. When you done it, push F9 to update the crackme.exe, push F10, or Esc, and we outa Hiew.

Click on the crackme you changed....and.....hey no nag. Test it out to make sure it functions how it supposed to, and we done it.

But...what this?? When we click on 'Check it Baby' we dont get any box telling us we right or wrong. Oops...I think as well as nopping out the nag, we also got rid of the correct/incorrect messagebox...so we havent done it after all!!!

What can we do now. First we either change back the version we patched, or delete it and go back to the original patched one...making another backup of course.

Ok...lets give it another go.

We know what a debugger is?? We been using one, and thats softice. Allows us to enter a programs code while the program is running. Well W32dasm also has a debugger included, and we going to give that a go.

So start W32dasm and select crackme2 to disassemble (the patched one).

When it has finished disassembling click on 'Debug' from the menu bar along the top, then select 'Load Process' from the drop down menu.

A few boxes will pop up while it loads and you should end up with three...one to the left of the page; one to the right, and the disassembler window at the top.

Now I not going to go into the ins and outs of the debugger side of W32dasm, (you'll find good tuts about it on this site) coz, hehe, I'm a newer than newbie cracker myself, and it a bit like the blind leading the blind, so I just tell you what I did.

We interested in the right hand window. Along the bottom of this window you'll see...from the left: Autostep Into F5; AutoStep Over F6; Step Into F7; Step Over F8; pause; Run F9; then above Run: Terminate; patch Code; and Goto Address.

Okay, so what we gonna do is F8..Step Over...coz we want the nag to appear and we want to see the address where this happens. As we step over, if you look up at the diassembler window, you'll see the address changing as we execute each line of code. Try it. Push F8. The code moves down one line. Keep doing it until the nag appears.

You might notice that when the nag first appears, it happens at address :0042FD97 Call 00429F8C. Actually it wont appear until we go to the next line because we have to step off the line to execute it. This may be interesting because the call that we nopped out previously was at address 0042A1A99 (meaning that we now got a new address to try changing). Hmmm, I wonder if this might do it...we gonna try.

It wise, when using W32dasm, to have another copy to use thats the same as the one you going to patch. This is because you cant change the code in Hiew, if the program is in use by W32dasm. What this means is everytime you want to make a change with hiew, you got to exit W32dasm, and then load up again if the changes dont work.

You know the address we going to, but you'll have to look at the top window (disassembler) to see the bytes to change...the hex instruction (E8F0A1FFFF).See it??? Anyway, exit W32dasm (or minimise it if you got an exact copy to patch), and load up Hiew.

You know what to do. F4 HEX mode; F5 goto address .0042FD97; F3 change the 5 bytes to 9090909090; F9 to update; F10 (Esc) to exit.

Start crackme and check it out.

Hmmmm...half worked. No nag, but we go straight to the name/serial part of the crackme, with no option to go to just the serial part.
Try again I think. Delete that version, or undo the changes, and go back to the debugger in W32dasm. This time make backups (if you havent already) of the patched version...one to load in W32dasm, and one to load in Hiew.

Ok, redo what we did before, and F8 to the call we just nopped out, and then carry on F8ing to the next call at address 0042FDAF. Reload in Hiew and nop out this....nothing....Bummer.

Well I think what we gonna do is step into the call where the nag first appears, because somewhere in that call is where the nag comes from. I guess this might be getting confusing (hehe, I certainly confused) but stay with it...we nearly there.

So reload the patched version of crackme2 into W32dasm, start debugger as before, and F8 (step over) to the original call where the nag appears...0042FD97. If you already had crackme loaded, you can restart it by clicking on Terminate, then click Load process (from the debug drop down menu) again.

When you get to this address, push F7 (step into), and you'll go into this call. Now F8 (Step Over) to the next call where the nag appears.
This is address 00429FC2. You wont know that the nag is going to appear until you step past, but then you have to reload again, so just take my word for it, and step into this call (Press F7 when you're on this call) and then keep clicking F8 till you get to address 0042563D. If you step past this call (F8) the nag will appear, so just stop on this address and look at the disassembler window at the top. You'll see

:0042563D  FF93CC010000   call dword ptr  [ebx+000001CC]

Take note of the address...0042563D, and the hex instruction...FF93CC010000. Notice that the hex has 12 letters/numbers, so is 6 bytes. This means we got to replace it with 6 bytes...six nops, or 909090909090.

We know what to do.

  • Load crackme in Hiew.
  • F4..hex mode/enter
  • F5..go to address .0042563D/enter (remember the dot BEFORE the address).
  • F3...replace FF93CC010000 with 909090909090.
  • F9...update.
  • F10 (Esc) to exit Hiew.

Now check it.

Yeah!!! Works. We now got a crackme that we can enter any serial/name in, and we killed the nag. All we gotta do now is make a little crack and we finished with this crackme!

That for next tut.