----------------------[ Nag Screen Removal: NotePad - Date: 15/12/98 ]---------- -= Written By =- Number of pages: 5 ______ / ___ \ ______ ______ ______ ______ ______ _ _ ______ | / \| / ___ \ / __ \ / __ \ / ___ \ / __ \ / \ / \ / ___ \ | | | | / \| | / \ | | / \ | | / \| | / \ | | | | | | / \| | | | |_ | | \__/ | | \__/ | | |_ | | \__/ | | | | | | \____ | | | \ | __ / | __ / | \ | __ / | | | | \____ \ | | | | _/ | | / \ \ | / \ \ | _/ | | / \ \ | | | | \ | | \___/| | \___/| | | | | | \__/ | | \___/| | | | | | \__/ | |\___/ | \______/ \______/ \_/ \_/ \______/ \______/ \_/ \_/ \______/ \_____/ +---------- ---------+ How to get rid of the nasty Nag you get in Notepad when opening large files +---------- ---------+ My first tutorial. I want to crack Notepad. Yeah, I know, many before me did it. But they all did it with help of SoftIce, but I somehow knew that this wasn't necessary. So I started cracking. Required: * W32Dasm, I used version 8.9 <- Find it on the I-Net (f.e. Astalavista.box.sk) * HexView, I used version 5.84 <- Find it on the I-Net (f.e. Astalavista.box.sk) * FC (File Compare, standard in DOS) * Some programming experience * A BackUp of NotePad First of all you'll have to run Notepad and open a big file (> 32Kb). If it is OK, you'll see a message like this (Translated from Dutch, so the English version could be a little different!!): +--------------------------------------------------+ | File is too big and cannot be opened by Notepad. | | Do you want to run WordPad to read this file? | +--------------------------------------------------+ If you choose [NO], it doesn't run WordPad, but if you choose [YES], it'll run WordPad! Remember the message. It is always necessary that you write down or remember the shown message. You'll have to keep in mind that a messagebox was shown. We have everything we need to crack, so exit NotePad. Disassemble NotePad with W32Dasm. Click on "List and Search for String Data Referenced in Disassembly". The button is between [DLG Ref] and the Print Button, or you could select "String Data References" under the "Refs" menu. Find the Message in the list and double-click on it. Close the box. Click on "List and Search for Imported Modules and Functions". Between [Ret] and [Exp Fn] on the Toolbar or choose "Imports" in the "Functions" menu. Find in the list "USER32.MessageBoxA", the "32" and the "A" says it is 32-bit. Double-click on the item and close the dialog box. Why first the string search? Well, a messagebox is called often by the same program, so it is very unlikely that you get the right one immediately. We want the MessageBox which is shown after the text is initialised, therefore it has to be done this way! You see this: * Reference To: USER32.MessageBoxA, Ord:01ACh | :004033B1 FF15A8644000 Call dword ptr [004064A8] <-- The call to show the dialog box :004033B7 83F806 cmp eax, 00000006 <-- When [YES] is pressed, the dialog box sets eax to 6, but if [NO] is pressed, eax would be set to 7 :004033BA 0F85A7000000 jne 0040467 <-- Jump Not Equal (eax equal to 6. No? Then jump else don't jump) :004033C0 6804010000 push 00000104 :004033C5 8D858CFDFFFF lea eax, dword ptr [ebp+FFFFFD8C] :004033CB 837D1001 cmp dword ptr [ebp+10], 00000001 :004033CF 1BFF sbb edi, edi :004033D1 50 push eax :004033D2 83C737 add edi, 00000037 * Possible Reference to String Resource ID=00056: "wordpad.exe" | :004033D5 6A38 push 00000038 :004033D7 FF3540554000 push dword ptr [00405540] As you see, poorly protected. But why should it? Select the line: Call dword ptr [004064A8] On the statusbar you see "@Offset 000033B1h" Then select the line: jne 0040467 On the statusbar you see "@Offset 000033BAh" These are the offsets in the file NotePad.EXE, which we are going to use when patching it. Let's delete the call to the dialog box. You can do this with the NOP instruction, but programs which are checking itself, 'know' that it is a crack when it encounters about three NOP's in the program. NotePad doesn't check itself, but I show you how to avoid such checks anyway. We can increase a register and decrease it, so we don't have to use NOP and we don't change the progress. We're going to do the same thing with the conditional jump (jne). :004033B1 FF15A8644000 Call dword ptr [004064A8] \-> Bytes: FFh 15h A8h 64h 40h 00h Action Instruction Byte Offset =----= =---------= =--= =----= Increase ecx: inc ecx -> 41h 33B1h Increase edx: inc edx -> 42h 33B2h +1, because the instruction is 1 byte long Decrease ecx: dec ecx -> 49h 33B3h Decrease edx: dec edx -> 4Ah 33B4h Increase eax: inc eax -> 40h 33B5h Decrease eax: dec eax -> 48h 33B6h :004033BA 0F85A7000000 jne 0040467 \-> Bytes: OFh 85h A7h 00h 00h 00h Decrease eax: dec eax -> 48h 33BAh Increase eax: inc eax -> 40h 33BBh Increase ecx: inc ecx -> 41h 33BCh Decrease ecx: dec ecx -> 49h 33BDh Decrease edx: dec edx -> 4Ah 33BEh Increase edx: inc edx -> 42h 33BFh (You can also do other registers, as long as you make sure the registers doesn't have other values after the action!) Load HexView 5.84 with the only parameter $windowspath$\NOTEPAD.EXE - Press [F4] (Mode) and choose "Decode". Now you see the listing with at the left side the offset, then the bytes then the instruction. - Press [F5] (Goto) and input our first offset: 33B1h (you can omit the 'h'). - Press [F3] (Edit) and input the bytes which belong to that offset: 41 (Hexadecimal!) The instruction immediately changes to: inc ecx Repeat this routine until you did all the offsets. Beware of the offset 33B7h, this is a CoMPare, and we won't delete it. If you want to do this anyway you can use one NOP and an INCrease and an DECrease instruction. - Press [F9] (Update) - Press [F10] (Quit) Load NotePad and open a big file (> 32Kb). Yes, it's cracked!! Now create a patch and distribute it. Compare the BackUp and the cracked NotePad with: FC /B $backup$ NotePad.EXE > Crack.TXT When opening "Crack.TXT" you get: Offset Original Cracked ------ -------- ------- 000033B1: FF 41 000033B2: 15 42 000033B3: A8 49 000033B4: 64 4A 000033B5: 40 40 000033B6: 00 48 000033BA: 0F 48 000033BB: 85 40 000033BC: A7 41 000033BD: 00 49 000033BE: 00 4A 000033BF: 00 42 Source: BASIC ----- DEFINT A-Z CONST NumOffset = 12 ' Number of offsets CONST FileName = "NOTEPAD.EXE" ' Filename CONST True = -1 CONST False = 0 TYPE CrackType Offset AS INTEGER ' The offset Original AS INTEGER ' Original code ChangeTo AS INTEGER ' Change it to END TYPE DIM Crack(1 TO NumOffset) AS CrackType, Byte AS INTEGER RANDOMIZE TIMER SCREEN 0, 0, 0, 0 ' Draw logo COLOR 7, 0 CLS COLOR 14, 1 PRINT " " PRINT " -= Created By =- " PRINT " " PRINT " ______ " PRINT " / ___ \ ______ ______ ______ ______ ______ _ _ ______ " PRINT " | / \| / ___ \ / __ \ / __ \ / ___ \ / __ \ / \ / \ / ___ \ " PRINT " | | | | / \| | / \ | | / \ | | / \| | / \ | | | | | | / \| " PRINT " | | | |_ | | \__/ | | \__/ | | |_ | | \__/ | | | | | | \____ " PRINT " | | | \ | __ / | __ / | \ | __ / | | | | \____ \ " PRINT " | | | | _/ | | / \ \ | / \ \ | _/ | | / \ \ | | | | \ | " PRINT " | \___/| | \___/| | | | | | \__/ | | \___/| | | | | | \__/ | |\___/ | " PRINT " \______/ \______/ \_/ \_/ \______/ \______/ \_/ \_/ \______/ \_____/ " PRINT " " PRINT " cerberus_x@hotmail.com " PRINT " " COLOR 7, 0 FOR Count = 1 TO NumOffset ' Read DATA into Crack() READ Ofs, Ori, Cha Crack(Count).Offset = Ofs + 1 ' Offset Crack(Count).Original = Ori ' Original code Crack(Count).ChangeTo = Cha ' Change it to NEXT Count ON ERROR GOTO NotValid OPEN FileName FOR INPUT AS #1: CLOSE ON ERROR GOTO 0 OPEN FileName FOR BINARY AS #1 ' Open file FOR Count = 1 TO NumOffset ' Check if file Ofs = Crack(Count).Offset ' is a valid Notepad Ori = Crack(Count).Original Bytes$ = " " GET #1, Ofs, Bytes$ Byte = ASC(Bytes$) IF Byte <> Ori THEN GOTO NotValid ' If not, goto NotValid NEXT PRINT PRINT "Creating BackUp [NOTEPAD.CBS]..." SHELL "COPY NOTEPAD.EXE NOTEPAD.CBS > Null" ' Create BackUp GOSUB Pause PRINT PRINT "Patching..."; LOCATE CSRLIN - 1, 1 FOR Count = 1 TO NumOffset ' Apply patch Ofs = Crack(Count).Offset Cha = Crack(Count).ChangeTo Bytes$ = CHR$(Cha) PUT #1, Ofs, Bytes$ GOSUB Pause NEXT PRINT PRINT "NotePad successfully patched!" ' Message if OK GOTO Quit NotValid: PRINT PRINT "NotePad.EXE isn't valid!" ' Message if not OK BEEP Quit: CLOSE END Pause: ' This routine sets a t! = TIMER + RND / 6 ' delay, so it seems DO WHILE TIMER <= t!: LOOP ' as if it is a difficult RETURN ' task 'DATA acquired from the compare made with File Compare 'Offset, Original, Change the byte to DATA &H33B1, &HFF, &H41 DATA &H33B2, &H15, &H42 DATA &H33B3, &HA8, &H49 DATA &H33B4, &H64, &H4A DATA &H33B5, &H40, &H40 DATA &H33B6, &H00, &H48 DATA &H33BA, &H0F, &H48 DATA &H33BB, &H85, &H40 DATA &H33BC, &HA7, &H41 DATA &H33BD, &H00, &H49 DATA &H33BE, &H00, &H4A DATA &H33BF, &H00, &H42 If you want to E-Mail me, and you want to, mail to this address: cerberus_x@hotmail.com Cerberus --------------------------------------[ Einde ] --------------------------------------