Removing a NAG and writing a patch for ClockWise v2.10a




Our target: "ClockWise"

ClockWise is a combined clock, calendar and scheduling utility with many very useful options not found in other applications. ClockWise features a count-down timer, a stopwatch, up to 5 alarms/reminders, and a powerful application scheduling interface that far surpasses that of many other popular applications. ClockWise allows you to schedule any program to be executed on your computer whenever you want, completely unattended. For example, you can schedule periodic system backups, anti-virus scanners or disk optimizers to run automatically while you're asleep or out of the office. Any application on your system can be run whenever you wish, and you can schedule up to 30 different events. ClockWise can also set your system clock automatically via the Internet (through NTP servers) or via modem and phone line using the NIST atomic clock.


Tools and help

The tools you will need for this session are W32Dasm v8.93, Hacker's View v6.00 and Base Calculator v1.3.
If you can't find these programs or versions by following one of my favourite links, just perform an FTP search and look for the files w32dasm, hiew600 and bcalcns1.zip.
Unzip hiew600.zip and you'll obtain another zipped file, Hiew_600.zip. Unzip it; the only file you need in order to crack ClockWise is Hiew.exe. Place it wherever you want on your hard disk, but be sure that its path is in your autoexec.bat file.


Cracking the file

Install ClockWise v2.10a and examine this nice piece of software. You'll soon discover the following annoying things:

  1. An - UNREGISTERED SHAREWARE message is shown in the title bar.
  2. Select Options, Help and you see that awful REGISTER NOW, click on it and a NAG appears.
  3. Select Options, Help, About Clockwise... and you'll notice that THIS COPY IS UNREGISTERED SHAREWARE with Serial Number: 000000.
  4. Select Options, Help, About Clockwise..., "OK": damned, a NAG!
    Select Options, Close, Exit ClockWise: damned, that same NAG again!
    The NAG will also pop up after you opened the calendar a few times.

Let's begin, but first of all: copy ClockWise.exe to ClockWise.000, you never know what might happen, maybe this is your first cracking-experience!
Also very important: it's not possible to patch a file when the file is opened by another program and/or running.

  1. Removing the - UNREGISTERED SHAREWARE message.

    Click on "Start", "Run..." and type "hiew". Enter.
    OK, you're in Hacker's View now, go to the ClockWise directory and select CLOCKW~1.EXE (since Hacker's View is a DOS program, it won't accept long pathnames and long filenames).
    Don't be frightened, it's not as bad as it looks!
    Press F4 in order to select HEX-mode (F2).

    Press F7, if you see "Backward" instead of "Forward" in the window, press F2 and if you see "Block" instead of "Full", just press F4.
    Go to the ASCII line and fill in - UNREGISTERED SHARE.
    Enter, and there you have - UNREGISTERED SHAREWARE. Let's replace the characters by spaces (hexadecimal value 20).
    Press F3 and change:

    2D 20 55 4E 52 45 47 49 53 54 45 52 45 44 20 53 48 41 52 45 57 41 52 45

    into

    20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

    Make sure that ClockWise is not running, otherwise you'll obtain an error message!
    Press F9 to update the file.
    Press F10 to leave Hacker's View and run ClockWise to check it. No reminder anymore!

    There is still another approach to the problem and for that we need our disassembler (W32Dasm).
    Disassemble ClockWise.000 now: Disassembler, Open File to Disassemble.. and select ClockWise.000.
    The file should be disassembled after a few moments.
    The reason why I prefer to disassemble ClockWise.000 instead of ClockWise.exe is that it is not possible to patch ClockWise.exe while it is loaded in W32Dasm. Now we're going to perform a search: Search, Find Text and fill in - UNREGISTERED SHAREWARE. Press arrow-up a few times until you see the following piece of code:
    
    ...
    :00411972 85C0                    test eax, eax
    :00411974 750D                    jne 00411983
    
    * Possible StringData Ref from Data Obj ->"ClockWise - UNREGISTERED SHAREWARE"
                                      |
    :00411976 68F4E84400              push 0044E8F4
    :0041197B 8B4DF0                  mov ecx, dword ptr [ebp-10]
    ...
    
    
    The test at address 00411972 decides whether the - UNREGISTERED SHAREWARE message appears or not. test eax, eax sets the zero flag when eax is 0, and jne jumps only when the zero flag is clear. When the program isn't registered the zero flag is set, so there is no jump to the code at address 00411983. However, we want the program to jump to address 00411983 in order to skip the bad code, so let's change jne (75) into je (74).
    Move the cursor to address 00411974 and write down the offset address. You can find it at the bottom of the program window. It's 10D74.

    Before patching, copy ClockWise.000 to ClockWise.exe in order to start with a clean file.
    Open Hacker's View (click on "Start", "Run..." and type "hiew", enter).
    Go to the ClockWise directory and select CLOCKW~1.EXE.
    Press F4 in order to select HEX-mode (F2).
    Press F5, fill in the offset address (10D74) and enter. You're now at offset address 10D74 (just press alt F1 if you don't see the real offset address and if there is a dot in front of each line).
    Press F3 and change 75 into 74. Make sure that ClockWise is not running, otherwise you'll obtain an error message!
    Press F9 to update the file and F10 to quit Hacker's View.
    Run ClockWise to check what you have done. Looks nice.

    You're wrong if you think you just removed the - UNREGISTERED SHAREWARE message permanently. Just give a click on the calendar and there you have it again!
    Go back to W32Dasm and try to find the next - UNREGISTERED SHAREWARE string:
    
    ...
    :00416B9F 85C0                    test eax, eax
    :00416BA1 7515                    jne 00416BB8
    
    * Possible StringData Ref from Data Obj ->"ClockWise - UNREGISTERED SHAREWARE"
                                      |
    :00416BA3 68F4E84400              push 0044E8F4
    :00416BA8 8B4DF0                  mov ecx, dword ptr [ebp-10]
    ...
    
    
    Let's change jne (75) into je (74). Move the cursor to address 00416BA1 and write down the offset address. You can find it at the bottom of the program window. It's 15FA1.

    Open Hacker's View (click on "Start", "Run..." and type "hiew", enter).
    Go to the ClockWise directory and select CLOCKW~1.EXE.
    Press F4 in order to select HEX-mode (F2).
    Press F5, fill in the offset address (15FA1) and enter. You're now at offset address 15FA1 (just press alt F1 if you don't see the real offset address and if there is a dot in front of each line).
    Press F3 and change 75 into 74. Make sure that ClockWise is not running, otherwise you'll obtain an error message!
    Press F9 to update the file and F10 to quit Hacker's View.
    Run ClockWise to check if it works, and sure it does, but .... what if you select Options, Help, About Clockwise..., "OK", "Maybe Later"? Oh no, not again!!!
    A closer look at ClockWise by means of W32Dasm will teach you that there are still 2 - UNREGISTERED SHAREWARE messages left. The first one is at line 40652, but changing jne into je doesn't help us any further (try it if you don't believe me).
    The last one (line 53217) is more interesting:
    
    ...
    :0041DE2F 85C0                    test eax, eax
    :0041DE31 7507                    jne 0041DE3A
    
    * Possible StringData Ref from Data Obj ->"ClockWise"
                                      |
    :0041DE33 6818DC4400              push 0044DC18
    :0041DE38 EB05                    jmp 0041DE3F
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0041DE31(C)
    |
    
    * Possible StringData Ref from Data Obj ->"ClockWise - UNREGISTERED SHAREWARE"
                                      |
    :0041DE3A 68F4E84400              push 0044E8F4
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0041DE38(U)
    |
    :0041DE3F 8BCE                    mov ecx, esi
    ...
    
    
    Let's change jne (75) into je (74). Move the cursor to address 0041DE31 and write down the offset address. You can find it at the bottom of the program window. It's 1D231.

    Open Hacker's View (click on "Start", "Run..." and type "hiew", enter).
    Go to the ClockWise directory and select CLOCKW~1.EXE.
    Press F4 in order to select HEX-mode (F2).
    Press F5, fill in the offset address (1D231) and enter. You're now at offset address 1D231 (just press alt F1 if you don't see the real offset address and if there is a dot in front of each line).
    Press F3 and change 75 into 74. Make sure that ClockWise is not running, otherwise you'll obtain an error message!
    Press F9 to update the file and F10 to quit Hacker's View.
    Run ClockWise to check this experiment. It works!

    Both methods have the same result; the only difference is the number of bytes to patch.
    Copy ClockWise.exe to ClockWise.111.

  2. Removing the REGISTER NOW menu item.

    Click on "Start", "Run..." and type "hiew". Enter.
    Go to the ClockWise directory and select CLOCKW~1.EXE.
    Press F4 in order to select HEX-mode (F2).

    Remember: what was the second annoying thing? Yes, REGISTER NOW. Let's do a search!
    Press F7, if you see "Backward" instead of "Forward" in the window, press F2 and if you see "Block" instead of "Full", just press F4.
    Go to the ASCII line.
    Press R, arrow-down, 00, arrow-up, E, arrow-down, 00, arrow-up, G, and so on till you have:

    R E G I S T E R   N
    52 00 45 00 47 00 49 00 53 00 54 00 45 00 52 00 20 00 4E


    Since ClockWise is a 32-bit program, its menu and dialog strings are stored as 16-bit Unicode characters, so there is a 00 after each character.
    Move the cursor to the Hex-line and press enter. Bingo!

    Now you can change REGISTER NOW into, let's say, Registered.
    Let's try it! You only have to change the HEX-values (take a look at the ASCII table in order to find the right values).
    Press F3 and change:

    52 00 45 00 47 00 49 00 53 00 54 00 45 00 52 00 20 00 4E 00 4F 00 57 00

    into

    52 00 65 00 67 00 69 00 73 00 74 00 65 00 72 00 65 00 64 00 20 00 20 00

    Make sure that ClockWise is not running, otherwise you'll obtain an error message!
    Press F9 to update the file.
    Press F10 to leave Hacker's View and run ClockWise to check it. Fine it works, but we still have the NAG when we click on "Registered". Go to section 4. to learn how to remove the NAG or read on to find out how to remove REGISTER NOW completely.

    In order to remove REGISTER NOW completely, we have to use our disassembler (W32Dasm) again.
    Disassemble ClockWise.000 (if it's not done yet): Disassembler, Open File to Disassemble.. and select ClockWise.000.
    The file should be disassembled after a few moments.
    Now we're going to perform a search: Search, Find Text and fill in REGISTER NOW. There are 2 REGISTER NOW strings (in capitals), but only the second is important for us. Press arrow-up a few times until you see the following piece of code:
    
    ...
    :0040BF04 85C0                    test eax, eax
    :0040BF06 7411                    je 0040BF19
    :0040BF08 6A00                    push 00000000
    :0040BF0A 8B4604                  mov eax, dword ptr [esi+04]
    
    * Possible Ref to Menu: MenuID_00A6, Item: "REGISTER NOW"
                                      |
    :0040BF0D 685D800000              push 0000805D
    :0040BF12 50                      push eax
    
    * Reference To: USER32.DeleteMenu, Ord:0080h
                                      |
    :0040BF13 FF1568EB4600            Call dword ptr [0046EB68]
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040BF06(C)
    |
    :0040BF19 5F                      pop edi
    ...
    
    
    Depending on the result of the test at address 0040BF04, there will or won't be a jump to address 0040BF19. This is a good jump because it skips the code producing the REGISTER NOW message. This jump will only occur when we register the program or... when we change je (74) into jne (75), in other words, we force the program to jump to the right code.
    Move the cursor to address 0040BF06 and write down the offset address. You can find it at the bottom of the program window. It's B306.

    It's time again to use Hacker's View in order to patch the file, but first of all copy ClockWise.111 to ClockWise.exe in order to start with a clean file.
    Click on "Start", "Run..." and type "hiew". Enter.
    Go to the ClockWise directory and select CLOCKW~1.EXE.
    Press F4 in order to select HEX-mode (F2).
    Press F5, fill in the offset address (B306) and enter.
    Press F3 and change 74 into 75. Make sure that ClockWise is not running, otherwise you'll obtain an error message!
    Press F9 to update ClockWise.exe and press F10 to leave Hacker's View.
    Check what you have done. Got it?
    Copy ClockWise.exe to ClockWise.222.

  3. Removing THIS COPY IS UNREGISTERED SHAREWARE with Serial Number: 000000.

    We are going to patch this message too and yes ... start Hacker's View and load CLOCKW~1.EXE.
    Press F4, F2.

    Let's search for 000000:
    Press F7, if you see "Backward" in the window, press F2 and if you see "Block", just press F4.
    Go to the ASCII line and fill in 000000, enter.
    Serial Number: 000000 doesn't look very credible, so let's change it into whatever you want, for instance 587469. You will need an ASCII table to convert ASCII values to hexadecimal values, but first, write down the offset addresses of the bytes you're going to change. If you see a dot in front of each line, press alt F1. Patching starts at 4D2AF and ends at 4D2B4.
    Press F3 and change:

    30 30 30 30 30 30

    into

    35 38 37 34 36 39

    Press F9 to update the file.
    Press F10 to leave Hacker's View and run ClockWise to check it.
    So far so good. Exit ClockWise, start Hacker's View, load CLOCKW~1.EXE and try to find THIS COPY IS UNREGISTERED SHAREWARE.
    I'm sure you're able to find it on your own, but if not, here you are:

    Press F4, F2, F7, if you see "Backward" in the window, press F2 and if you see "Block", just press F4.
    Go to the ASCII line and fill in THIS COPY, enter.
    Press alt F1 if you see a dot in front of each line and write down the offset addresses of the bytes you're going to change (4D2B8 ... 4D2DA). You're free to change THIS COPY IS UNREGISTERED SHAREWARE into whatever you want, but you shouldn't exceed the actual length, in this case 35 characters. If your chosen message is shorter than 35 characters, then use hexadecimal value 20 to patch the unused space.
    In my patch I changed THIS COPY IS UNREGISTERED SHAREWARE into THANK YOU FOR REGISTERING THIS COPY.
    Press F3 in order to patch the file and change:

    54 48 49 53 20 43 4F 50 59 20 49 53 20 55 4E 52 45 47 49 53 54 45 52 45 44 20 53 48 41 52 45 57 41 52 45

    into

    54 48 41 4E 4B 20 59 4F 55 20 46 4F 52 20 52 45 47 49 53 54 45 52 49 4E 47 20 54 48 49 53 20 43 4F 50 59

    Some characters don't light up because they correspond with the values of the original message.
    Press F9 to update the file and leave Hacker's View (F10).
    Run ClockWise, select Options, Help, About Clockwise.... Nice, isn't it?
    Copy ClockWise.exe to ClockWise.333.

  4. Removing the NAG.

    Exit ClockWise. When leaving ClockWise, a NAG appears. Note the words "Unregistered Shareware" in the title bar. Click on "Maybe Later".

    Start Hacker's View again and load CLOCKW~1.EXE.
    Press F4, F2.

    Remember the words "Unregistered Shareware". Let's do a search!
    Press F7, if you see "Backward" in the window, press F2 and if you see "Block", just press F4.
    Go to the ASCII line.
    Press U, arrow-down, 00, arrow-up, n, arrow-down, 00, arrow-up, r, and so on till you have:

    U n r e g i s t e r
    55 00 6E 00 72 00 65 00 67 00 69 00 73 00 74 00 65 00 72


    Move the cursor to the Hex-line and press enter. Bingo!
    Now take your magnifying-glass to find FF FF FF FF 82. This code will generate dialogs.
    At offset address 00059CD4, you'll find that particular string.
    Again, if you see a dot in front of each line, just press alt F1.
    Now go to offset address 00059CD8, press F3 and change 82 into 7E. Press F9.
    Press F10 to leave Hacker's View and run ClockWise.
    Select Options, Help, About Clockwise..., "OK": no NAG anymore!!!!!!
    Select Options, Close, Exit ClockWise: no NAG anymore!!!!!!


Writing a patch

You should have written down the offset address of the bytes you changed:

Hexadecimal offset address   Decimal offset address   Old value   New value
10D74                        68980                    750D        740D
15FA1                        90017                    7515        7415
1D231                        119345                   7507        7407
B306                         45830                    7411        7511
4D2AF                        316079                   3030        3538
4D2B1                        316081                   3030        3734
4D2B3                        316083                   3030        3639
4D2B8                        316088                   5448        5448
4D2BA                        316090                   4953        414E
4D2BC                        316092                   2043        4B20
4D2BE                        316094                   4F50        594F
4D2C0                        316096                   5920        5520
4D2C2                        316098                   4953        464F
4D2C4                        316100                   2055        5220
4D2C6                        316102                   4E52        5245
4D2C8                        316104                   4547        4749
4D2CA                        316106                   4953        5354
4D2CC                        316108                   5445        4552
4D2CE                        316110                   5245        494E
4D2D0                        316112                   4420        4720
4D2D2                        316114                   5348        5448
4D2D4                        316116                   4152        4953
4D2D6                        316118                   4557        2043
4D2D8                        316120                   4152        4F50
4D2DA                        316122                   4500        5900
59CD8                        367832                   8200        7E00

Now you can write a small program. I wrote and compiled my patch with [Microsoft QuickBASIC v4.5].
Run Base Calculator to translate the hexadecimal offset address to a decimal one. Select "Hex", select "32 bits" and fill in 10D74. Select "Dec" now and write down the decimal value (68980). Do the same for the other offset addresses.
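Attention! QuickBASIC counts file positions from 1, not from 0, so you should use offset address + 1 in the program. It also reads and writes each 16-bit value low byte first, so the two bytes of every old and new value appear "backwards" in the DATA lines (750D becomes &H0D75). Here it is: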


ON ERROR GOTO Oops

FILES "clockw~1.exe"
GOSUB Title

OPEN "clockw~1.exe" FOR BINARY AS #1 LEN = 1

READ Addr&, OldByte%, NewByte%
        DO
                GET #1, Addr&, GetByte%
                IF GetByte% <> OldByte% THEN GOTO WrongVersion
                READ Addr&, OldByte%, NewByte%
        LOOP UNTIL Addr& = -1

RESTORE

READ Addr&, OldByte%, NewByte%
        DO
                PUT #1, Addr&, NewByte%
                READ Addr&, OldByte%, NewByte%
        LOOP UNTIL Addr& = -1

PRINT "  File successfully patched !"

CLOSE #1

END

Oops:
GOSUB Title

SELECT CASE ERR

CASE 53
        PRINT "  File 'clockwise.exe' not found !"
        PRINT "  Run this program in the 'ClockWise directory' !"
        END

END SELECT

Title:
CLS
PRINT "                      / ,"
PRINT "                 /\  \|/  /\"
PRINT "                 |\\_;=._//|"
PRINT "                  \."   "./"
PRINT "                  //^\ /^\\"
PRINT "           .'``",/ |0| |0| \,"``'."
PRINT "          /   ,  `'\.---./'`  ,   \"
PRINT "         /`  /`\,."(     )".,/`\  `\"
PRINT "         /`     ( '.'-.-'.' )     `\"
PRINT "         /"`     "._  :  _."     `"\"
PRINT "          `/.'`"=.,_``=``_,.="`'.\`"
PRINT "         .-"-.      )   (      .-"-."
PRINT "+-------{'. '`}-----~   ~-----{'. '`}-------+"
PRINT "|       `"---"`               `"---"`       |"
PRINT "| NAG removing patch for ClockWise v2.10a   |"
PRINT "| http://www.rjsoftware.com                 |"
PRINT "|                                           |"
PRINT "|                                By Snowcat |"
PRINT "+-------------------------------------------+"
PRINT
RETURN

WrongVersion:
GOSUB Title
PRINT "  This is not the correct ClockWise version,"
PRINT "  or maybe it is,"
PRINT "  but the file has been patched already."
END

DATA 068981,&H0D75,&H0D74
DATA 090018,&H1575,&H1574
DATA 119346,&H0775,&H0774
DATA 045831,&H1174,&H1175
DATA 316080,&H3030,&H3835
DATA 316082,&H3030,&H3437
DATA 316084,&H3030,&H3936
DATA 316089,&H4854,&H4854
DATA 316091,&H5349,&H4E41
DATA 316093,&H4320,&H204B
DATA 316095,&H504F,&H4F59
DATA 316097,&H2059,&H2055
DATA 316099,&H5349,&H4F46
DATA 316101,&H5520,&H2052
DATA 316103,&H524E,&H4552
DATA 316105,&H4745,&H4947
DATA 316107,&H5349,&H5453
DATA 316109,&H4554,&H5245
DATA 316111,&H4552,&H4E49
DATA 316113,&H2044,&H2047
DATA 316115,&H4853,&H4854
DATA 316117,&H5241,&H5349
DATA 316119,&H5745,&H4320
DATA 316121,&H5241,&H504F
DATA 316123,&H0045,&H0059
DATA 367833,&H0082,&H007E
DATA -1,-1,-1
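
Seen from the defending side, the edits in the patch table are exactly what a comparison against a known-good copy exposes. The following is an added example, not part of the original tutorial or of ClockWise: it assumes you hold a reference copy of the binary and its SHA-256, and the function names and the sample buffer are constructed for illustration.

```python
import hashlib

def is_jcc_inversion(old: int, new: int) -> bool:
    """Short Jcc opcodes are 0x70..0x7F; flipping bit 0 inverts the condition
    (0x74 je <-> 0x75 jne), which is the one-byte edit the tutorial relies on."""
    return 0x70 <= old <= 0x7F and (old ^ new) == 0x01

def changed_runs(reference: bytes, suspect: bytes, gap: int = 1):
    """Return (offset, old_bytes, new_bytes) per modified region; differences
    separated by at most `gap` unchanged bytes are reported as one region."""
    if len(reference) != len(suspect):
        raise ValueError("size differs from reference copy")
    runs = []
    for i, (a, b) in enumerate(zip(reference, suspect)):
        if a == b:
            continue
        if runs and i - runs[-1][1] <= gap + 1:
            runs[-1][1] = i            # extend the current region
        else:
            runs.append([i, i])        # start a new region
    return [(s, reference[s:e + 1], suspect[s:e + 1]) for s, e in runs]

def classify(old: bytes, new: bytes) -> str:
    """Heuristic label only: without disassembly a 0x74/0x75 byte could be data."""
    if len(old) == 1 and is_jcc_inversion(old[0], new[0]):
        return "inverted-conditional-jump"
    if all(b == 0 or 0x20 <= b < 0x7F for b in new):
        return "string-overwrite"
    return "other"

def audit(reference: bytes, suspect: bytes, known_good_sha256: str):
    """Cheap hash check first; on mismatch, list what changed and how."""
    if hashlib.sha256(suspect).hexdigest() == known_good_sha256:
        return []
    return [(off, classify(old, new), old.hex(), new.hex())
            for off, old, new in changed_runs(reference, suspect)]

# Constructed sample (not the real ClockWise.exe): padding, the instruction
# bytes quoted in the tutorial (test eax,eax / jne / push), then the title string.
REFERENCE = (b"\x90" * 4 + bytes.fromhex("85C0750D68F4E84400")
             + b"ClockWise - UNREGISTERED SHAREWARE\x00")
KNOWN_GOOD = hashlib.sha256(REFERENCE).hexdigest()
_tampered = bytearray(REFERENCE)
_tampered[6] = 0x74                    # jne -> je
_tampered[23:47] = b" " * 24           # title suffix overwritten with 0x20
SUSPECT = bytes(_tampered)

if __name__ == "__main__":
    for finding in audit(REFERENCE, SUSPECT, KNOWN_GOOD):
        print("offset 0x%X  %-26s %s -> %s" % finding)
```

A program that verifies its own image this way at startup, or an installer that re-checks the hash, turns each of the one-byte edits listed above into a detectable event.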



Conclusion

In this session, you've learned to remove a NAG and to write a patch. There is a huge amount of shareware on the Net, but please, don't be a simple Usenet visitor to get your cracks. Just practise, write your own patches and you'll feel much more satisfied!

Tutorial created by Snowcat
Tutorial created: 7th November 1998
Last updated: 31st December 1998