cvega's Kill the Nag: An In-depth Dissection
Ok, here we go again! This is my solution for cvega's Kill the Nag challenge. Let's review the conditions.
Method: Patch
Difficulty: Easy
Restriction: the Help->About action should remain functional; killing the dialog from the resource is prohibited.
You can see from the nag-screen in the screenshot that it says the program's trial has expired, and it annoys you every 15 seconds by showing the reminder nag-screen again (hint!).
See the attached program, and take your time, it's not easy.
We have a couple of things we can use here.
- Killing the dialog using a resource editor is prohibited. Check!
- He said dialog, so chances are, the DialogBoxParam will be called somewhere at startup. Check!
- There is a timer, probably set by a SetTimer. Check!
Let's check out the target in its "untouched" form.
Very simple. We can take 2 approaches here: 1, kill the dialog by skipping the DialogBoxParam call; 2, kill the timer (that is, don't let it start at all).
APPROACH 1: Skip the DialogBoxParam call.
I'm assuming you already have OllyDbg. If you don't, please fetch it @ http://www.ollydbg.de, it's free.
Fire up Olly and load our target (manage.exe). Let's search for a Dialog call. Look just a few lines below the line we landed on; do you see the call? It might or might not be the call we want, but since we're already there, let's try it out.
There's a conditional jump just before the call. I don't know what it tests (possibly the countdown? A little help here, Chris), so let's try our luck here. Instead of a conditional jump, we'll change it to a forced jump (JMP) to the RET instruction, fully avoiding the DialogBoxParam call. So, highlight the JNZ SHORT line, then press the spacebar. Change it as I've changed it in the screenshot. As long as Olly assembles it as a short JMP, it takes the same two bytes as the JNZ SHORT it replaces, so nothing after it shifts. What it does is what I just explained. LOL.
Run the program in the debugger. Did it work?!? It did for me! Solved!
But remember, any changes you make in Olly are only in memory. To make them permanent, right-click in the CPU window, choose "Copy to executable", then "All modifications".
Then click "Copy all"...
A new window will pop up; right-click in it and choose "Save file". Pick a new filename, and your changes are now permanent.
Congratulations, you've just solved cvega's challenge!
APPROACH 2: Prevent the timer from starting.
Almost the same as approach 1, but this time we will skip the call to SetTimer. All you have to do is find that call (a few page-downs from the start of the code will lead you there), then change the 1st PUSH into a JMP to the line right after the SetTimer call. Start the jump at the first PUSH rather than just NOPing the CALL: Win32 APIs are stdcall, so SetTimer itself pops its four arguments, and skipping only the CALL would leave them sitting on the stack. I guess I don't have to fully illustrate each step here since, as I've said, it is very similar to the first approach. So maybe I'll just drop a few screenies.
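Both approaches come down to the same two byte-level edits: overwriting a short conditional jump with a short unconditional one (approach 1), and jumping over a PUSH/CALL sequence while NOP-filling it (approach 2). The script below is an added example, not part of the original write-up or of manage.exe: it applies those edits to raw bytes and shows how a virtual address seen in OllyDbg maps to a file offset when you want to patch the file on disk instead of using "Copy to executable". The image base, the section table and the two code fragments are constructed placeholders; the real values must be read from the target's PE headers and disassembly.

```python
"""Byte-level patching for the two approaches above (added example, not the
original author's code).  Works on raw file bytes, so it needs a VA -> file
offset conversion; the section table here is a constructed placeholder."""

IMAGE_BASE = 0x00400000  # assumed: common default base for an old Win32 EXE

# Constructed section table: (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
# Read the real entries from the target's PE headers (e.g. with the pefile module).
SECTIONS = [
    (0x1000, 0x2A00, 0x400, 0x2C00),   # .text (placeholder values)
    (0x4000, 0x0800, 0x3000, 0x0800),  # .data (placeholder values)
]

SHORT_JMP = 0xEB
NOP = 0x90


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address shown by the debugger to an offset in the file on disk."""
    rva = va - image_base
    for vaddr, _vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + raw_size:      # only raw bytes exist in the file
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not backed by any section's raw data")


def write_short_jmp(buf, at, target):
    """Overwrite the 2-byte instruction at `at` with JMP SHORT `target`.
    rel8 is relative to the end of the JMP itself (at + 2)."""
    rel = target - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"target {target:#x} is out of short-jump range from {at:#x}")
    buf[at] = SHORT_JMP
    buf[at + 1] = rel & 0xFF
    return buf


def jcc_to_jmp(buf, at, target):
    """Approach 1: turn a short conditional jump (opcodes 0x70..0x7F, 2 bytes)
    into an unconditional JMP SHORT of the same length, so nothing shifts."""
    if not 0x70 <= buf[at] <= 0x7F:
        raise ValueError(f"byte at {at:#x} is {buf[at]:#x}, not a short Jcc")
    return write_short_jmp(buf, at, target)


def skip_range(buf, start, end):
    """Approach 2: jump from `start` to `end` and NOP-fill the bytes in between
    so the disassembly stays readable.  `start` should be the first PUSH of the
    argument list, not the CALL: stdcall callees pop their own arguments, so
    skipping only the CALL would leave the pushed arguments on the stack."""
    if end - start < 2:
        raise ValueError("need at least two bytes for the JMP")
    write_short_jmp(buf, start, end)
    for i in range(start + 2, end):
        buf[i] = NOP
    return buf


# Constructed code fragments (NOT bytes from manage.exe), used as sample input.
#   75 05              jnz short +5           ; offset 0
#   E8 00 00 00 00     call <placeholder>     ; offset 2  (stands in for DialogBoxParamA)
#   C3                 ret                    ; offset 7
NAG_CHECK = bytes.fromhex("7505 E800000000 C3")

#   6A 00              push 0                 ; offset 0   lpTimerFunc
#   68 98 3A 00 00     push 0x3A98            ; offset 2   uElapse = 15000 ms
#   6A 01              push 1                 ; offset 7   nIDEvent
#   FF 75 08           push [ebp+8]           ; offset 9   hWnd
#   FF 15 00 00 00 00  call [<placeholder>]   ; offset 12  (stands in for SetTimer)
#   33 C0              xor eax, eax           ; offset 18  first instruction after the call
TIMER_SETUP = bytes.fromhex("6A00 68983A0000 6A01 FF7508 FF1500000000 33C0")


def patch_approach_1(data=NAG_CHECK):
    """JNZ at offset 0 becomes JMP SHORT to the RET at offset 7."""
    return bytes(jcc_to_jmp(bytearray(data), 0, 7))


def patch_approach_2(data=TIMER_SETUP):
    """First PUSH at offset 0 becomes JMP SHORT to offset 18, the rest is NOPs."""
    return bytes(skip_range(bytearray(data), 0, 18))


def patch_file(path, va, new_bytes):
    """Write `new_bytes` at the file offset corresponding to `va` and save a copy."""
    with open(path, "rb") as f:
        data = bytearray(f.read())
    off = va_to_file_offset(va)
    data[off:off + len(new_bytes)] = new_bytes
    out = path + ".patched"
    with open(out, "wb") as f:
        f.write(data)
    return out


if __name__ == "__main__":
    print("approach 1:", patch_approach_1().hex(" "))
    print("approach 2:", patch_approach_2().hex(" "))
    print("VA 0x401234 -> file offset", hex(va_to_file_offset(0x00401234)))
```

The two opcode checks are the part worth keeping when you script this against a real target: refusing to overwrite anything that is not a short Jcc, and refusing a jump whose displacement does not fit in rel8, catches the classic mistake of patching a byte that is not the start of the instruction you saw in Olly.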
So there you have it, 2 approaches for one problem. By the way, here's my fixed manage.exe. I know there are other ways to solve this, but you have to find those yourself! Until the next challenge! Bye!