-----------------------------------------------------+
This information is for educational purposes only!   |
-----------------------------------------------------+

                   Cracking MaxSpace - Removing a little nag
--------------------------------------------------------------------------
                      [x] Easy [ ] Intermediate [ ] Tough

Get MaxSpace at: Search the web :p
Tools used:
    * Soft-ICE
    * HIEW

MaxSpace is a programme for Borland Delphi/C++ Builder that turns the Object
Inspector or the IDE toolbar into "auto-hide" windows, so that you can write
code on a full screen.

Since the protection is a nag, we know we are going to patch it, so make a
backup of the executable files (*.EXE, *.DLL, *.OCX) before trying to patch
them.

The protection of the programme is a nag, and the nag looks like some kind
of message box: it is a regular window with an information icon and a single
OK button, which is simple enough to identify as a message box. So we put a
breakpoint on the three most probable API functions used to draw this
window:

:bpx MessageBoxA
:bpx MessageBoxIndirectA
:bpx MessageBoxExA

Now we run MaxSpace.. Surprise surprise!  Soft-ICE breaks at the API
function MessageBoxA.. Now we want to remove the CALL to this API
function, so we press F11 - this returns to the programme's code (after you
press the OK button) - and then write down the position, which is 48A84B.
Notice that we are not in MAXSPACE.EXE code, we are in MAXHOOK.DLL! Since we
were executing the code, and not using a dead listing, we know that the
address is not a regular address, it is a linear address, which is relocated
upon loading of the programme. So we first must convert it to a virtual
address, simply by subtracting the executable's image base, which is in this
case 400000; then we get a virtual offset: 8A84Bh.
Take HIEW and edit MAXHOOK.DLL, switch to disassembly mode (F4), and then go
to that address with the Goto option (F5) by typing .8A84B (the dot tells
HIEW that this is a virtual address) -- Error! "Section out file".. What do
we do now?

Now we need to get a few bytes from near the message box CALL address and
search for them in the file on disk.
Put a breakpoint on MessageBoxA and run MaxSpace. Press F11 to return to the
programme's code, then type this:

:db cs:48A846                   <- this is the CALL offset

This will give you a list of bytes at the code position (cs = code segment).
Write down the hexadecimal values of a few bytes; I wrote down:

E8 E9 BF FD FF 89 45 F8 33 C0 5A 59 59 64

Now, exit MaxSpace and load MAXHOOK.DLL in HIEW. Switch to disassembly
mode, then press F7 to search the file. Go to the HEX entry and type the
hex values. Found!
Search for another occurrence using CTRL+F7.. Not found, which means that
this byte string is unique and marks the nag code.

Now, if you look at the API reference for MessageBox(A), you will see it
receives 4 parameters:

    int MessageBox(
        HWND  hWnd,         /* handle of owner window           */
        LPCTSTR  lpText,    /* address of text in message box   */
        LPCTSTR  lpCaption, /* address of title of message box  */
        UINT  uType         /* style of message box             */
    );

In assembly, every parameter (or parameter address) has to be PUSHed before
we call the function, so we scroll up until we see four PUSHes before the
CALL. By the way, in assembly the parameters are pushed in reverse order, so
it looks like this:

    push ebx                            ; Message box style
    push edi                            ; Message box title's address
    push esi                            ; Message box text's address
    mov eax, [ebp][-0004]
    mov eax, [ebp][00024]
    push eax                            ; Owner window's handle
    call MessageBoxA                    ; Call function
    mov [ebp][-0008], eax               ; Save return code

Now we want to remove the message box. There is an instruction in assembly
that does nothing and simply falls through to the next instruction; it's
called NOP (no operation), and we'll use it.

Since the PUSHed parameters would otherwise be left on the stack for nothing
(MessageBoxA would have removed them itself), we don't only NOP the CALL, we
also NOP the parameter PUSHes.. Edit the file at the 'push ebx' offset and
type '90'. This replaces the push opcode (53h) with 90h, and you see that
HIEW now says 'nop'. NOP the other pushes as well..

Now we need to NOP the CALL. How do we do that? Simple, just like the pushes,
except that we NOP the whole CALL, not just one byte.. Count how many bytes
the CALL is: it's 5 (every byte is two hexadecimal digits). So we need to
type 90 five times. Do it. Now press F9 to write the file.

The code should look like this now:

    nop
    nop
    nop
    mov eax, [ebp][-0004]
    mov eax, [ebp][00024]
    nop
    nop
    nop
    nop
    nop
    nop
    mov [ebp][-0008], eax

Now the programme should run just fine; we think we eliminated the nag..
Run MaxSpace.. NO NAG! It's magic :)

However, sometimes the nag has several buttons, and in that case we have to
emulate the return code.. The return code this nag expects is IDOK (the user
should press OK :).. IDOK is defined as 1, and 'mov eax, 1' is a 5-byte
instruction, the same size as the CALL it replaces.. So we put some more
code in place of the NOPs:

    nop
    nop
    nop
    mov eax, [ebp][-0004]
    mov eax, [ebp][00024]
    mov eax, 1
    nop
    mov [ebp][-0008], eax
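The same call site seen from the other side: a small integrity check, added here as an example and not part of the tutorial, that locates the MessageBoxA call by the bytes the tutorial dumped and reports whether it is intact, NOPed out, or replaced by the IDOK emulation. This is the kind of test a file-tamper check would run over a copy of a module on disk. The CALL and the bytes after it are copied from the Soft-ICE dump above; the encodings assumed for the three PUSHes, the two MOVs and `push eax` are standard x86 but are not given on the page, and the surrounding filler bytes are constructed.

```python
"""Added example: classify a known call site as intact / patched. Bytes before
the CALL and the filler around it are assumed or constructed, not from the page."""

# Copied from the tutorial's dump: 5-byte CALL, then the 9 bytes that follow it
CALL_SITE = bytes.fromhex("E8 E9 BF FD FF 89 45 F8 33 C0 5A 59 59 64")
CALL, AFTER = CALL_SITE[:5], CALL_SITE[5:]

# Assumed x86 encodings of the instructions listed before the CALL:
# push ebx / push edi / push esi, mov eax,[ebp-4] / mov eax,[ebp+24h], push eax
PUSHES = bytes.fromhex("53 57 56")
MOVS = bytes.fromhex("8B 45 FC 8B 45 24")
PUSH_EAX = b"\x50"
NOP = b"\x90"
MOV_EAX_1 = bytes.fromhex("B8 01 00 00 00")   # mov eax, 1 (IDOK): 5 bytes, like the CALL
FILLER = b"\xcc" * 16                          # constructed padding around the site


def build_image(variant: str) -> bytes:
    """Constructed code bytes for each state the tutorial describes."""
    if variant == "intact":
        body = PUSHES + MOVS + PUSH_EAX + CALL
    elif variant == "nopped":            # three PUSHes, push eax and CALL all NOPed
        body = NOP * 3 + MOVS + NOP * 6
    elif variant == "emulated":          # return code IDOK written into eax instead
        body = NOP * 3 + MOVS + MOV_EAX_1 + NOP
    else:
        raise ValueError(variant)
    return FILLER + body + AFTER + FILLER


def locate_call_site(data: bytes):
    """Find the site by the bytes after the CALL, which every variant keeps.
    Returns the offset of the CALL (or of whatever replaced it), or None."""
    hit = data.find(AFTER)
    if hit == -1 or hit - 5 < 10 or data.find(AFTER, hit + 1) != -1:
        return None                      # absent, too close to the start, or not unique
    return hit - 5


def classify_call_site(data: bytes, call_off) -> str:
    """Compare the 16 bytes around the CALL with the intact and patched forms."""
    if call_off is None:
        return "not-found"
    pushes = data[call_off - 10 : call_off - 7]   # push ebx / edi / esi
    movs = data[call_off - 7 : call_off - 1]      # the two MOVs, never patched
    tail = data[call_off - 1 : call_off + 5]      # push eax + 5-byte CALL
    if movs != MOVS:
        return "unknown"                 # surrounding code differs: not this site
    if pushes == PUSHES and tail == PUSH_EAX + CALL:
        return "intact"
    if pushes == NOP * 3 and tail == NOP * 6:
        return "nopped"
    if pushes == NOP * 3 and tail == MOV_EAX_1 + NOP:
        return "emulated-idok"
    return "modified"


if __name__ == "__main__":
    for variant in ("intact", "nopped", "emulated"):
        image = build_image(variant)
        print(variant, "->", classify_call_site(image, locate_call_site(image)))
```

Anchoring the search on the bytes after the CALL rather than on the CALL itself matters: the E8 opcode is the first thing a patch removes, so a check keyed on it would simply report "not found" instead of "patched".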

That's it! Now run the programme and enjoy!


                                                - DEATH