July 1998
"NET MEDIC V1.2.2"
( 'Giving First Aid to a Shareware program'  )
Win Code Reversing
by The Sandman 
Code Reversing For Beginners 
Program Details
Program Name: nn.exe
Program Type: Internet Utility
Program Location: Here 
Program Size: 1 MB 
Tools Used:
W32Dasm V8.9 - Disassembler
Hex Workshop32 or any other Hex Editor
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
Net Medic V1.2.2
( 'Giving First Aid to a Shareware Program'  )
Written by The Sandman
About Net Medic V1.2.1:

With the explosive growth of the Internet, travel on the information highway can be slow. Net.Medic helps you recognize and avoid many of the Internet roadblocks by:
Optimizing your online connections
Identifying many Internet ailments in seconds
Tracing the cause of these ailments to their source
Offering suggestions about how to solve the problems, and whenever possible automatically fixing them.

Net.Medic is an easy-to-use browser companion that animates your online connections, and tracks the vital signs of your online activity. It also provides clear and simple reports that can help you transform your online experience.

This is IMO, a very useful program for anyone with Internet access and well worth buying if you choose to use this program beyond it's evaluation period.  Highly Recommened so BUY IT!
About this protection system
The protection system used within this program is based on the fact that there is no registration screen for you the cracker, to break into. Once the 30 day evaluation is activated, the program will disable some of it's important functions after this period unless you register it.. Incidentally, the registration process is conducted online which on the face of it sounds like a tough program to *crack*.. Unless of course we know differently..:)
On installation Net Medic will create the following Keys in your System Registry File:

The One we're interested in is the \Email key, which contains the following values:-
SERIAL_NUM=   "Demo Version" ;You can place any sequence of numbers here!
YOUR_NAME=  "The Sandman"

Interestingly, the programmers, having made the program a 30 day demo either disabled or took out the serial number checking routines from their program so now anyone can type in any sequence of number/characters into the SERIAL_NUM entry and the program will use it without any problem.  In order to make good use of this we have to make the program into a fully 'Registered' version first, but at least when we do we won't have to worry about disabling the serial number checking routines because the programmers have already done this for us!. Gee thanks guys..:)
The Essay 
Right, since we can't attack the program via it's nonexistent Registration Screen we have to now concentrate our efforts in 'un-patching' a patched program so that it runs without disabling certain important functions after our 30 day trial period has ended.
Once Net Medic has been installed run it.  Select the menu option 'Window' then 'Call Log' function. Your greeted with a messagebox reminding you that you have 30 days evaluation period once you opt to start using the report functions within this program.. Select the 'OK' button..
Now exit Net Medic and change your computer's date so that it is about two months ahead of the present month your currently in.. So if your computer says your in the month of July then change this so that it now says September.

Now re-run Net Medic and again try and access the 'Call Log' function via the Window menu option. A nice message box appears telling you that this feature is no longer available.. This now applies to all the features accessible from the menu bar..
Don't change your pc's date back yet, this is the BEST time to *crack* a program, when it's been disabled because you've gone over your evaluation period..  It's now easier for us to see exactly what has been disabled and what we must do to correct this..
At this point we can create a 'Dead Listing' of Net Medic so that we can find out where the text message "The feature you have requested is available only in the retail version" is located so that we see how the program knows when the User goes past his evaluation period...
While in W32Dasm open up the 'String Data Resources' option and locate the text:
"The feature you have requested is available only in the retail version", once found double click on this text..  You will be taken to this section of code:-
:0043F273 E8A0BB0400       Call 0048AE18
:0043F278 8B45E8           mov eax, dword ptr [ebp-18]
:0043F27B C645FC01         mov [ebp-04], 01
:0043F27F 83B8C800000005   cmp dword ptr [eax+000000C8], 00000005
:0043F286 7550             jne 0043F2D8 ;jmp if eax+c8 <> 5

* Reference to String Resource ID=57882: "The feature you have requested is available only in the reta"
:0043F288 681AE20000       push 0000E21A

Basically, what this code snippet says is that if the comparison with eax+c8 does NOT equal '5' then User has full rights to access ALL the reports available within the program!.  However, should eax+c8 result in a value equaling 5 then the User has run out of time and therefore the reports are disabled.

Lets now test this out..
Fire up Net Medic then Start up Softice with Ctrl-D keys pressed together..
Type: bpx messageboxa  then x  to leave Softice. We should be back in Net Medic.
Make sure you do NOT have a Web Browser opened, if so CLOSE it now.

Right Click with your mouse on one of the information panels shown in Net Medic then select "Snap to Browser". Softice will now break..
Press 'F11' once, click on the 'OK' messagebox that now appears then follow this by pressing the 'F10' key THREE TIMES.

Softice should now be telling you that your now in Net Medic's code at:
:0044835B E89A2A0400              Call 0048ADFA
:00448360 6A01                    push 00000001
:00448362 8B0DCC864A00            mov ecx, dword ptr [004A86CC]
:00448368 E8D30BFCFF              call 00408F40
Now we need to create a new breakpoint on the section of code we suspect prevents us from accessing the reports if our evaluation period has expired.

First, lets clear away any previous Softice breakpoints we may still have active and set a new breakpoint:-
Type bc *
Type u 43F286
Type bpx 43F286
Type x  to leave Softice.
Now try and access one of the reports in Net Medic, or any feature that has been disabled by Net Medic.

Softice now breaks on our set breakpoint.
:0:0043F27F 83B8C800000005     cmp dword ptr [eax+000000C8], 00000005
:0043F286 7550                 jne 0043F2D8 ;Our Softice Breakpoint

* Possible Reference to String Resource ID=57882: "The feature you have requested is available only in the reta"
:0043F288 681AE20000           push 0000E21A
:0043F28D 8D4DF0               lea ecx, dword ptr [ebp-10]
:0043F290 E88FBB0400           Call 0048AE24
:0043F295 57                   push edi
:0043F296 8B45F0               mov eax, dword ptr [ebp-10]
:0043F299 50                   push eax
:0043F29A 8D4DEC               lea ecx, dword ptr [ebp-14]
:0043F29D 51                   push ecx
:0043F29E E82FBC0400           Call 0048AED2
:0043F2A3 83C40C               add esp, 0000000C
:0043F2A6 8B4DEC               mov ecx, dword ptr [ebp-14]
:0043F2A9 6A41                 push 00000041
:0043F2AB 68E0954A00           push 004A95E0
:0043F2B0 51                   push ecx
:0043F2B1 56                   push esi
:0043F2B2 FF15B4D64A00         Call USER32.MessageBoxA ;Display message
:0043F2B8 83F801               cmp eax, 00000001       ;User press OK?
:0043F2BB 753F                 jne 0043F2FC            ;No? then jump
:0043F2BD E87E01FEFF           call 0041F440     ;else give extra 30 days
:0043F2C2 8B45E8               mov eax, dword ptr [ebp-18]
:0043F2C5 C745E401000000       mov [ebp-1C], 00000001 ;tell rest of program
:0043F2CC C780C800000001000000 mov dword ptr [ebx+000000C8], 00000001
:0043F2D6 EB24                 jmp 0043F2FC
OK, if we now type r eip=43F288 you'll see softice ignore this jump and highlights the next line below the jne 0043F2D8 instruction.  Now press the x key to leave softice..
Now the program asks us if we want to have 30 more days to evaluate Net Medic!.  If we wanted to know how to keep the program alive after each 30 day period then this is how we would do it.   However, this is NOT what we want to do, we want everything the program has to offer when running as a fully registered copy so click on the CANCEL button.

Now once more try and access one of the disabled reports or features..
Softice once more breaks on our single breakpoint.
If you take a closer look at the lines of code below our single breakpoint you might notice that after the messagebox call there is a conditional jump instruction, then after that three lines of code that places a value of '1' into two memory locations. Think out it.. When we skipped over that jne 0043F2D8 instruction the program gave us the option to evaluate this software for a further 30 days, we could choose either the 'OK' or 'CANCEL' button.
So here's where we want our conditional jump that Softice breaks on to jump to, which will then skip over the message that the program shows and straight into telling the rest of the program that we have full access to all the functions within the program..:)

:0043F27F 83B8C800000005     cmp dword ptr [eax+000000C8], 00000005
:0043F286 EB35               jmp 0043F2BD ;Automatically enable ALL Reports
Is that it now?.. Well no, not really because if you select the 'About' screen you'll see some ugly looking Shareware type messages regarding 30 day trial period and where your serial number goes is the text "Demo Version" Yuck!..
It's time to go back to our Dead Listing again..
Search for the text "Your advanced feature trial license has expired."
Once you've found this location take a look a dozen or so lines above this text message and you will now see the follow code Snippet:-
:00406A13 83F801           cmp eax, 00000001
:00406A16 0F8555020000     jne 00406C71 ;Shareware mode? then jump
:00406A1C E87F870100       call 0041F1A0
:00406A21 8BF8             mov edi, eax
:00406A23 8D4DC4           lea ecx, dword ptr [ebp-3C]
:00406A26 E8ED430800       Call 0048AE18
:00406A2B C645FC03         mov [ebp-04], 03
:00406A2F 837DD800         cmp dword ptr [ebp-28], 00000000
:00406A33 0F8452010000     je 00406B8B ;Shareware mode? then jump
:00406A39 83FF01           cmp edi, 00000001
If you were *cracking* this yourself without help from an essay such as this then you would be testing this section of code to see how it works and what conditions make those two conditional jump 'active'.  However, since I've already done this for you I can tell you that we need to patch BOTH jumps in order that the About screen behaves just like in the registered version of Net Medic.

Here's what the above section of code SHOULD look like after we patched it..

:00406A13 83F801           cmp eax, 00000001
:00406A16 0F8500000000     jnz 00406A1C ;Jump to the next line instead of
                                        ;to the shareware message routine!
:00406A1C E87F870100       call 0041F1A0
:00406A21 8BF8             mov edi, eax
:00406A23 8D4DC4           lea ecx, dword ptr [ebp-3C]
:00406A26 E8ED430800       Call 0048AE18
:00406A2B C645FC03         mov [ebp-04], 03
:00406A2F 837DD800         cmp dword ptr [ebp-28], 00000000
:00406A33 E953010000       jmp 00406B8B ;Always jump away from showing days
:00406A39 83FF01           cmp edi, 00000001

Job Done.
The 'Crack' 
Here's how to 'patch' this target program so that it will be fully registered..:)
1. Open up REG-EDIT ( a Win'95 utility) and Search for "Demo Version".  Make sure when it's found that it is found here:

2. Change the text from "Demo Version" to anything that 'looks' like a serial No.
3.  Close REG-EDIT.
4. Load up netmedic.exe into your favorite Hex-Editor ( I prefer hexWorkshop-32) but just about any hexeditor will do..
Final Notes 
This program is well worth the time spent in learning how to Reverse Engineer it's code in order that we can disable the 'triggers' that in turn disable many of the functions this program uses.  Please don't steal this software if you intend to use it after the initial 30 days trial period.
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ob Duh 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.

 Next   Return to Essay Index   Previous 

Essay by:          The Sandman
Page Created: 19th July 1998