- Cracking MaxSpace - Removing a little nag
- --------------------------------------------------------------------------
- [x] Easy [ ] Intermediate [ ] Tough
-
- Get MaxSpace at: Search the web :p
- Tools used:
- * Soft-ICE
- * HIEW
-
- MaxSpace is an add-on for Borland Delphi/C++ Builder that turns the
- Object Inspector and the IDE toolbar into "auto-hide" windows, so that
- you can write code on a full screen.
-
- Since the protection is a nag, we already know we are going to patch
- the binary, so make a backup of the executable files (*.EXE, *.DLL,
- *.OCX) before touching them.
-
- The protection is a nag, and the nag is plainly some kind of message
- box: a plain window with an information icon and a single OK button is
- too simple to be anything else. So we put breakpoints on the three API
- functions most likely to be used to display it:
-
- :bpx MessageBoxA
- :bpx MessageBoxIndirectA
- :bpx MessageBoxExA
-
- Now we run MaxSpace.. Surprise surprise! Soft-ICE breaks at the API
- function MessageBoxA.. We want to remove the CALL to this API
- function, so we press F11 - this returns to the caller's code (after
- you press the OK button) - and we write down the address we land on,
- which is 48A84B. That is the return address; the CALL itself is the 5
- bytes just before it, at 48A846. Notice that we are not in
- MAXSPACE.EXE code, we are in MAXHOOK.DLL! Since we are looking at
- running code and not at a dead listing, this is a virtual address in
- the process, and a DLL is relocated when the loader cannot map it at
- its preferred base. To get something HIEW can use we subtract the
- base at which the module that contains the code is actually loaded
- (Soft-ICE's MOD command lists the loaded modules with their bases).
- Here we subtract the executable's image base, 400000, and get the
- offset 8A84Bh.
- Take HIEW and edit MAXHOOK.DLL, switch to disassemble mode (F4), then
- use the Goto option (F5) and type .8A84B (the dot tells HIEW that this
- is a virtual address, not a file offset) -- Error! "Section out
- file".. HIEW cannot map that address into any section of MAXHOOK.DLL.
- The likely reason is that we rebased against the wrong module: 400000
- is MAXSPACE.EXE's image base, while the call lives in MAXHOOK.DLL,
- which the loader may have placed somewhere else entirely. What do we
- do now? We take a route that does not depend on the base at all.
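- The address mapping that went wrong above, worked through as an added
- example (this is not code from the tutorial, and nothing from MaxSpace):
- a virtual address seen in the debugger becomes an RVA by subtracting the
- module's actual load base, and the RVA becomes a file offset by finding
- the section whose VirtualAddress range contains it and adding the
- distance into that section to its PointerToRawData. The PE image below
- is constructed in memory for the demonstration: its image base, section
- names and sizes, and the assumed load base of 480000h (the number the
- MOD command would have given) are made up, not MaxSpace's real values.
- Rebasing the same address against the EXE's 400000h lands outside every
- section, which is the situation behind HIEW's error.

```python
"""Map a debugger virtual address (VA) to a PE file offset via the section table.

Added example for the tutorial above, not MaxSpace's code. The PE image is
constructed inline so the script runs offline.
"""
import struct
from typing import List, Optional, Tuple

PE32_MAGIC = 0x10B  # 0x20B would be PE32+, whose ImageBase is 8 bytes wide

# name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData
Section = Tuple[str, int, int, int, int]


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (preferred ImageBase, section list) of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader(2) at +16
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections: List[Section] = []
    table = opt + size_opt  # section headers follow the optional header, 40 bytes each
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int, load_base: Optional[int] = None) -> Optional[int]:
    """Translate a runtime VA into a file offset.

    load_base is where the module is actually mapped (Soft-ICE: MOD). When it is
    None the preferred ImageBase is assumed, which is wrong for a relocated DLL.
    Returns None when the RVA is not backed by any section's raw data, which is
    what HIEW reports as "Section out file".
    """
    image_base, sections = parse_pe(pe)
    rva = va - (image_base if load_base is None else load_base)
    for _name, sva, vsize, rawptr, rawsize in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            delta = rva - sva
            return rawptr + delta if delta < rawsize else None  # e.g. zero-filled tail
    return None


def build_fake_pe32(image_base: int, sections: List[Section]) -> bytes:
    """Construct a minimal PE32 header (no real code) for the demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    opt = bytearray(224)  # PE32 optional header including 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii"), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
        for n, va, vs, rp, rs in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed stand-in for MAXHOOK.DLL (assumptions, not the real layout):
# preferred base 400000h, a small CODE section, and a load base of 480000h
# standing in for what Soft-ICE's MOD command would have reported.
FAKE_DLL = build_fake_pe32(0x400000, [
    ("CODE", 0x1000, 0x20000, 0x400, 0x20000),
    ("DATA", 0x21000, 0x3000, 0x20400, 0x3000),
])
ASSUMED_DLL_LOAD_BASE = 0x480000
CALL_VA = 0x48A846  # the CALL MessageBoxA address from the tutorial

if __name__ == "__main__":
    good = va_to_file_offset(FAKE_DLL, CALL_VA, ASSUMED_DLL_LOAD_BASE)
    bad = va_to_file_offset(FAKE_DLL, CALL_VA, 0x400000)
    print("against the DLL's load base:", None if good is None else hex(good))
    print("against the EXE's base 400000h:", bad)
```

- With the DLL's own base the call maps to a file offset inside CODE; with
- the EXE's base the RVA falls past every section and the function returns
- None, which is the check HIEW was doing for us.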
-
- Now we need to grab a few bytes from around the message box call and
- search for them in the file itself.
- Put a breakpoint on MessageBoxA and run MaxSpace. Press F11 to return
- to the programme's code, then type this:
-
- :db cs:48A846 <- this is the CALL offset
-
- This dumps the bytes at that code position (cs is the code segment).
- Write down the hexadecimal values of a few of them; I wrote down:
-
- E8 E9 BF FD FF 89 45 F8 33 C0 5A 59 59 64
-
- Now exit MaxSpace and load MAXHOOK.DLL in HIEW. Switch to disassembly
- mode, then press F7 to search the file, go to the HEX entry and type
- the hex values. Found!
- Search for another occurrence with CTRL+F7.. Not found. The sequence
- occurs only once in the file, so this is the nag call site and not
- some other, similar-looking code.
-
- Now, if you look at the API reference for MessageBox(A), you will see it
- receives 4 parameters:
-
- int MessageBox(
- HWND hWnd, /* handle of owner window */
- LPCTSTR lpText, /* address of text in message box */
- LPCTSTR lpCaption, /* address of title of message box */
- UINT uType /* style of message box */
- );
-
- In assembly every parameter (or the address of a parameter) has to be
- PUSHed before the function is called, so we scroll up until we see
- four PUSHes before the call. Note that the parameters go on the stack
- in reverse order (stdcall pushes right to left), so the last parameter
- in the prototype, uType, is pushed first and the first one, hWnd,
- last:
-
- push ebx ; Message box style
- push edi ; Message box title's address
- push esi ; Message box text's address
- mov eax, [ebp][-0004]
- mov eax, [ebp][00024]
- push eax ; Owner window's handle
- call MessageBoxA ; Call function
- mov [ebp][-0008], eax ; Save return code
-
- Now we want to remove the message box. There is an instruction that
- tells the processor to do nothing and fall through to the next
- instruction: NOP (no operation), a single byte, 90h. We'll use it.
-
- We do not only NOP the call, we also NOP the four parameter PUSHes.
- MessageBoxA is a stdcall function, so it removes its own four
- arguments from the stack on return; if we removed only the call, the
- 16 bytes pushed for it would stay on the stack and the code that
- follows (the pop edx / pop ecx / pop ecx in the bytes we copied) would
- pick up the wrong values. Edit the file at the 'push ebx' offset and
- type '90': this puts 90h in place of the push (53h) and HIEW now
- shows 'nop'. NOP the other pushes as well (57h, 56h and 50h for push
- edi, push esi and push eax).
-
- Now we need to NOP the call. Same as the pushes, except that we NOP
- every byte of the call, not just one. Count how many bytes the call
- occupies: 5 (E8 plus a 4-byte relative offset; every byte is two
- hexadecimal digits). So we enter 90 five times. Do it, then press F9
- to write the changes to the file.
-
- The code should look like this now:
-
- nop
- nop
- nop
- mov eax, [ebp][-0004]
- mov eax, [ebp][00024]
- nop
- nop
- nop
- nop
- nop
- nop
- mov [ebp][-0008], eax
-
- Now the programme should run just fine, we think we eliminated the nag..
- Run MaxSpace.. NO NAG! It's magic :)
-
- However, sometimes the program checks the return value, for example
- when the nag has more than one button and the code branches on which
- one was pressed. Then we also have to emulate the return code. For
- this nag the expected return code is IDOK (the user presses OK :),
- which is defined as 1, and mov eax,1 (B8 01 00 00 00) happens to be
- 5 bytes, the same size as the CALL. So we put that in place of some
- of the NOPs; the six bytes of push eax plus the call become mov eax,1
- plus one nop:
-
- nop
- nop
- nop
- mov eax, [ebp][-0004]
- mov eax, [ebp][00024]
- mov eax, 1
- nop
- mov [ebp][-0008], eax
-
- That's it! Now run the programme and enjoy!
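- The same patch done offline, as an added example that is neither the
- tutorial's own code nor anything shipped with MaxSpace: instead of
- typing 90s into HIEW, this script searches the file for the byte
- sequence recorded with Soft-ICE, refuses to patch unless that sequence
- occurs exactly once, checks that the opcodes it is about to overwrite
- really are the PUSHes and the CALL from the listing (53h, 57h, 56h, 50h,
- E8h), and then either NOPs the four pushes and the call, or NOPs the
- pushes and puts mov eax,1 over the call so the code after it sees IDOK
- (the nop and the mov eax,1 are in the opposite order to the listing
- above; the same six bytes are replaced). The offsets of the three early
- pushes assume that the two mov eax,[ebp+disp8] instructions between
- them are 3 bytes each (8B 45 xx); that is an assumption about the
- encoding, which is why every byte is verified before it is written. The
- fragment it runs on is constructed to match the listing and is not a
- copy of MAXHOOK.DLL.

```python
"""Offline patcher for the nag call site from the tutorial above.

Added example, not the tutorial's own code. Searches for the bytes recorded at
CALL MessageBoxA, verifies the surrounding opcodes and patches in place.
"""
import shutil
import sys
from typing import Dict

# Bytes the tutorial wrote down with ":db cs:48A846": CALL MessageBoxA and the
# instructions after it (mov [ebp-8],eax / xor eax,eax / pop edx / pop ecx ...).
NAG_PATTERN = bytes.fromhex("E8E9BFFDFF8945F833C05A595964")

NOP = 0x90
MOV_EAX_1 = bytes.fromhex("B801000000")  # mov eax,1 ; IDOK, same 5 bytes as the CALL

# Opcode expected at each offset relative to the CALL, from the listing:
#   push ebx (53) / push edi (57) / push esi (56) / mov / mov / push eax (50) / call (E8)
# Assumption: the two mov eax,[ebp+disp8] are 3 bytes each, so push ebx is at -10.
EXPECTED_OPCODES: Dict[int, int] = {-10: 0x53, -9: 0x57, -8: 0x56, -1: 0x50, 0: 0xE8}
EARLY_PUSHES = (-10, -9, -8)


def find_unique(data: bytes, pattern: bytes) -> int:
    """Offset of pattern in data, raising unless it occurs exactly once."""
    first = data.find(pattern)
    if first < 0:
        raise ValueError("nag pattern not found; wrong file or different build?")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError("nag pattern occurs more than once; refusing to guess")
    return first


def patch_nag(data: bytes, emulate_idok: bool = True) -> bytes:
    """Return a patched copy of data with the MessageBoxA call removed."""
    buf = bytearray(data)
    call = find_unique(buf, NAG_PATTERN)
    for rel, opcode in EXPECTED_OPCODES.items():
        got = buf[call + rel]
        if got != opcode:
            raise ValueError(f"byte at {call + rel:#x} is {got:02X}, expected {opcode:02X}; layout differs")
    # Drop the arguments as well as the call: MessageBoxA is stdcall and would
    # have popped them itself, so leaving the pushes would unbalance the stack.
    for rel in EARLY_PUSHES:
        buf[call + rel] = NOP
    buf[call - 1] = NOP  # push eax
    if emulate_idok:
        buf[call:call + 5] = MOV_EAX_1  # code after the call reads eax == 1 (IDOK)
    else:
        buf[call:call + 5] = bytes([NOP] * 5)
    return bytes(buf)


def patch_file(path: str, emulate_idok: bool = True) -> int:
    """Patch a file in place after saving a .bak copy; return the CALL's file offset."""
    shutil.copyfile(path, path + ".bak")
    with open(path, "rb") as f:
        original = f.read()
    patched = patch_nag(original, emulate_idok)
    with open(path, "wb") as f:
        f.write(patched)
    return find_unique(original, NAG_PATTERN)


# Constructed fragment laid out like the tutorial's listing (not real DLL bytes):
# prologue filler, push ebx/edi/esi, two 3-byte movs, push eax, the recorded
# call-site bytes, and a ret as trailing filler. The CALL sits at offset 16.
SAMPLE_FRAGMENT = (
    bytes.fromhex("558BEC83C4F8")    # push ebp / mov ebp,esp / add esp,-8 (filler)
    + bytes.fromhex("535756")        # push ebx / push edi / push esi
    + bytes.fromhex("8B45FC8B4524")  # mov eax,[ebp-4] / mov eax,[ebp+24h] (assumed encoding)
    + bytes.fromhex("50")            # push eax
    + NAG_PATTERN                    # call MessageBoxA ... as recorded with :db
    + bytes.fromhex("C3")            # ret (filler)
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("patched; CALL was at file offset", hex(patch_file(sys.argv[1])))
    else:
        print("before:", SAMPLE_FRAGMENT.hex())
        print("after: ", patch_nag(SAMPLE_FRAGMENT).hex())
```

- Run it with the path of a copy of MAXHOOK.DLL to patch for real, or
- with no arguments to see the constructed fragment before and after.
- The uniqueness and opcode checks are what make this safer than a blind
- byte search: a different build, or a second copy of the same sequence,
- makes the script refuse instead of corrupting some unrelated code.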
-
-
- - DEATH
- <ab4ds@hotmail.com>
-