<name title="How to crack netfor2 v1.0" author="juicyfruit">
<font ns>
<font name verdana height 22 color 1>
<center>Crack NetFor2 v1.0 by juicyfruit^drn</center><br>

<font name verdana height 12 color 0>
The purpose of this tutorial is to teach you something about message
boxes.  NetFor2 is a good example of how to get around a message box.<br>
<br>

The problem in this program isn't the timer but the messagebox.
I won't spend much time explaining how I found the timer because it's 
not the purpose of this file, but I will show you where to find it and
skip it.<br>
<br>

I looked in WDASM 8.93 (windows disassembler) to see what they
used as a timer. Look under the IMPORT MODULES section. It uses the function 
'GetSystemTime' and it does what it says.<br>
<br>
Set a breakpoint on it and start NetFor2 and SoftIce will break then press
F5 once and then follow the code till you get to the last jump before the
last call to the error message. Then change the jump and it will skip the
timer. I patched it at 00401E22 and changed the jbe 00401E44 to jmp 00401E44
(just change the first byte to EB).<br>
<br>

The program also checks to see if you have set the time back after you
started your trial period.  Just find the error message in W32Dasm' 
string reference and scroll a little back to the first jump you see 
and reverse it.  I patched it at 00401D80 and changed the first byte to
EB.<br>
<br>

The messagebox in the beginning (the nagscreen) uses the same procedure
as the messagebox in the end.  The messagebox in the ending is a part of
the program and the messagebox in the beginning is the nagscreen.  
Not a part of the program if you're a cracker :).<br>
<br>

We can't just force the program to skip the messagebox because the
messagebox in the beginning and ending is different from each other.
You'll notice that almost all messageboxes look the same
in all windows programs.<br>
<br>

In programming each messagebox has it's own
standard code.  example, a messagebox with an OK button in it has the
code (?)48 and a messagebox with two buttons like OK and Cancel has the
code 78 or whatever.  Because of this, messageboxes uses the same procedure
as I'm about to explain (except if the messagebox is made specially but very
unlikely).<br>
<br>

The first messagebox (nagscreen) only have an OK button.
If you set a breakpoint on 'bpx MessageBoxa' before you
start the program and then run the program it will break into Softice.
Softice breaks on the messagebox in the memory where the code is currently
being executed. Notice the high memory address :BFF5412F or whatever it
is. We don't want to be here.  Press F11 to get to the real code (the caller).<br>
<br>

Usually the program will break right into the code where we want to be
but not when you are breaking on a messagebox because the messagebox expects
some input from the user (that's you).  Once you have pressed F11 the program
will exit Softice and pop the messagebox with the OK button and wait for your
input. If you press the OK button, Softice will pop up again because you
gave it some input.<br>
<br>

You should be looking at this code :<br>

<pre><font name terminal height 12 color 3>
* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00423AB5 FF15643A4800            Call dword ptr [00483A64] 
:00423ABB 5F                      pop edi   <== This is where you are
:00423ABC 5E                      pop esi
:00423ABD C20C00                  ret 000C
</pre><font name verdana height 12 color 0><br>

This function 'MessageBoxa' will put your input into the register EAX. Check
and see what the register EAX says.  EAX should be 1.  This means that when you
press the OK button EAX equals 1 and then the program can remove the messagebox.<br>
<br>

Now press F5 (or CTRL-D) and it will exit SoftIce.  Now if you exit NetFor2, 
SoftIce will break again because another messagebox will pop up.  Press F11
and the messagebox will pop up but this time with two options, Yes and No.
Press a button to get back into SoftIce.  Notice the memory address. The
address is the same as the messagebox before.<br>
<br>

Usually a program uses a new
messagebox for each message.  This is the reason why we cant just jump over
the messagebox. That would give an error message.  If you check EAX you can see
that it's different from the first messagebox. EAX is 6 if you pressed Yes
and 7 if you pressed No.<br>
<br>

What we want the program to do, is to skip the first messagebox (nagscreen) and 
let us choose if we want to exit the program in the second messagebox.
First thing to do, is to go a little back in the code. Just scroll up right
before the messagebox and you should be looking at this :<br>

<pre><font name terminal height 12 color 3>
:00423A8F 85FF                    test edi, edi
:00423A91 7508                    jne 00423A9B
:00423A93 E8C5400000              call 00427B5D
:00423A98 8B7810                  mov edi, dword ptr [eax+10]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423A91(C)
|
:00423A9B E86A3D0000              call 0042780A
:00423AA0 85F6                    test esi, esi     <==== These are *
:00423AA2 7504                    jne 00423AA8      <==== the bytes *
:00423AA4 33C0                    xor eax, eax      <==== we are    *
:00423AA6 EB03                    jmp 00423AAB      <==== about to  *

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423AA2(C)
|
:00423AA8 8B461C                  mov eax, dword ptr [esi+1C] <=== change *

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423AA6(U)
|
:00423AAB FF742414                push [esp+14]
:00423AAF 57                      push edi
:00423AB0 FF742414                push [esp+14]
:00423AB4 50                      push eax

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00423AB5 FF15643A4800            Call dword ptr [00483A64] 
:00423ABB 5F                      pop edi   <== This is where you are
:00423ABC 5E                      pop esi
:00423ABD C20C00                  ret 000C
</pre><font name verdana height 12 color 0><br>

I don't know exactly what the call at 00423A9B contains but it's probably
determine which of the messageboxes to show.<br>
<br>

It's not relevant to our problem, all we need to do is to change eax to 1
when it starts up and 0 when it closes.
As we found out in the beginning the program waits for the user to push
the button and when the OK button is pushed EAX is set to 1.
What I did (there are many ways to do this) was to look for a value in any of
the registers that were different when you closed the program, and when you
opened the program.<br>
<br>

I found ESI and EBX. TEST performs a logical AND of the two operands updating
the flags register without saving the result. Those bytes I marked with a * is 
the bytes I changed into this :<br>

<pre><font name terminal height 12 color 3>
:00423A9B E86A3D0000 call 0042780A
:00423AA0 85F6       test esi, esi <==> 33C0 xor EAX, EAX
:00423AA2 7504       jne 00423AA8  <==> 85F3 test EBX, ESI
:00423AA4 33C0       xor eax, eax  <==> 7505 jne 00423AAB
:00423AA6 EB03       jmp 00423AAB  <============> 83C001 add EAX, 00000001 
:00423AA8 8B461C mov eax, dword ptr [esi+1C] <==> 90     nop
						  90     nop
</pre><font name verdana height 12 color 0><br>

In WDASM it will look like this now :<br>

<pre><font name terminal height 12 color 3>
:00423A91 7508                    jne 00423A9B
:00423A93 E8C5400000              call 00427B5D
:00423A98 8B7810                  mov edi, dword ptr [eax+10]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423A91(C)
|
:00423A9B E86A3D0000              call 0042780A
:00423AA0 33C0                    xor eax, eax      *1
:00423AA2 85F3                    test ebx, esi     *2
:00423AA4 7505                    jne 00423AAB      *3
:00423AA6 83C001                  add eax, 00000001 *4
:00423AA9 90                      nop               *5
:00423AAA 90                      nop               *6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423AA4(C)
|
:00423AAB FF742414                push [esp+14]
:00423AAF 57                      push edi
:00423AB0 FF742414                push [esp+14]
:00423AB4 50                      push eax
</pre><font name verdana height 12 color 0><br>

Now I'll explain what I did :<br>
*1 set EAX to 0<br>
*2 it checks to see if EBX is 0 or higher.<br>
*3 if EBX is 0 don't jump, if EBX is higher jump<br>
*4 add 1 to EAX (EAX + 1)<br>
*5 No operation (just to fill out the last bytes I didn't use)<br>
*6 No operation<br>
<br>

When the program starts up EBX is 0 and it will set EAX to 1 thus
skip the nagscreen.  When you close the program EBX is higher than 0, and it
will jump to 00423AAB and EAX is 0 thus wait for a reply from user.<br>
<br>

Everything I have said in this tutorial might as well have been done
another way. There is several different ways of doing this.
This isn't supposed to be a manual about cracking but a source of
inspiration (hopefully). This is the way I do it and I do it this way
because I think it's the easiest way. I change my opinion all the time
because I learn new stuff all the time. In a month I'll probably have
found an easier way to crack this.<br>
<br>

Have fun.<br>
<br>

Congrats partner you have read my tutorial :0)<br>
<br>

-JuicyFruit^dRN<br>
<br>
