************************************************************************************************************************
CrackMe #2a 1
************************************************************************************************************************

Author: n0p3x
Protection: NAG
URL: http://www.phrozencrew.co.uk/crackme2a1.zip
Tools: W32Dasm V8.93, Hex-Editor

---> Intro...

Welcome to my next Tutorial !!! A simple NAG with a nifty little trick (CRC) ;)

---> Let's Begin...

Ok, well open the CrackMe and you'll see a NAG. This time it's not in the form of a MessageBoxA. Why? You can tell because of the buttons: a Message Box can't display other buttons than "Ok, Cancel...". So the NAG is probably made by "DialogBoxParamA" or "CreateWindowExA".

Let's disassemble the CrackMe in W32Dasm. Then click on "Imp Fn" (Imports) to see what kind of APIs the CrackMe uses. You'll see these:

KERNEL32.ExitProcess
KERNEL32.GetModuleHandleA
USER32.DialogBoxParamA
USER32.EndDialog
USER32.MessageBoxA

Ok, so it doesn't use "CreateWindowExA" :)

Now double click on "DialogBoxParamA" and you'll notice there are 2 (the NAG and the main window). The first one you'll get is the NAG. How do I know that??? Simple, because you'll see it just above "Program Entry Point", and the NAG is called before the main window :)

The NAG window starts at Offset "0040100C", so we're simply going to replace the "6A00" with "EB67". This means that it'll jump to the main window and skip the NAG :) To know how much you need to fill in behind the "EB", just count ;)

So change that in your Hex-Editor (I assume you know how to do that), save the file and start the CrackMe.

Oh no.... !!! A Message Box pops up saying: "ERROR: Program has detected tampering. Execution terminated"

Hmmm... what's that? Probably the CRC ;) So how are we going to solve this???
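What the "CRC" the author suspects is doing, as an added Python example that is not the crackme's code: a CRC-32 integrity check over a constructed stand-in for the code region, which flags the two-byte change at 0040100C that was just made. The bytes, the region start and the use of CRC-32 are assumptions; the page does not show the crackme's own checksum algorithm.

```python
import zlib

# Constructed stand-in for the protected code region; these are NOT the
# crackme's real bytes, only the tutorial's 'push 0' at 0x40100C followed by
# a few instructions shaped like the ones in the listing.
REGION_START = 0x40100C
CODE = bytes.fromhex(
    "6A00"          # 0x40100C: push 0      (the instruction the tutorial patches)
    "6A00"          # 0x40100E: push 0
    "6840100000"    # 0x401010: push 00001040
    "FF3500204000"  # 0x401015: push dword ptr [00402000]
    "E800000000"    # 0x40101B: call (relative target, placeholder)
)

def checksum(code: bytes) -> int:
    """CRC-32 over the protected region; stands in for the crackme's CRC."""
    return zlib.crc32(code) & 0xFFFFFFFF

def tamper_check(code: bytes, expected: int) -> bool:
    """The 'cmp dword ptr [...], const' of the listing: True means untampered."""
    return checksum(code) == expected

def with_bytes_at(code: bytes, va: int, new: bytes) -> bytes:
    """Copy of code with `new` written at virtual address `va` (same length)."""
    off = va - REGION_START
    if off < 0 or off + len(new) > len(code):
        raise ValueError("write outside protected region")
    return code[:off] + new + code[off + len(new):]

# The expected value is fixed when the pristine binary is built (the 0x7A69
# constant in the listing plays this role).
EXPECTED = checksum(CODE)

def demo() -> tuple[bool, bool, bool]:
    """Pristine image passes; the 2-byte change at 0x40100C fails; and a check
    whose expected constant is simply recomputed passes again, which is why a
    constant stored next to the code it protects is a weak anchor."""
    modified = with_bytes_at(CODE, REGION_START, bytes.fromhex("EB67"))
    return (tamper_check(CODE, EXPECTED),
            tamper_check(modified, EXPECTED),
            tamper_check(modified, checksum(modified)))

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

CRC-32 is guaranteed to detect any change confined to 32 consecutive bits, so the two-byte edit is always caught; what it cannot do is protect the expected constant itself.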
Simple, just find the text in W32Dasm and see where it's called :) So open the CrackMe again in W32Dasm and now click on "Strn Ref" (String Data References). Then double click on "ERROR: Program has detected tampering.", and you'll see this:

------------------------------------------------------------------------------------------------------------------------
:004010DE 813D04204000697A0000    cmp dword ptr [00402004], 00007A69   <--- Weird Compare ;)
:004010E8 7504                    jne 004010EE                         <--- If not equal we Jump to the CRC Message Box
:004010EA C9                      leave
:004010EB C21000                  ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010E8(C)
|
:004010EE 6840100000              push 00001040

* Possible StringData Ref from Data Obj ->"ERROR"
|
:004010F3 68BD204000              push 004020BD

* Possible StringData Ref from Data Obj ->"ERROR: Program has detected tampering. "
                                  ->"Execution terminated"
|
:004010F8 6881204000              push 00402081
:004010FD FF3500204000            push dword ptr [00402000]

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401103 E84B000000              Call 00401153
------------------------------------------------------------------------------------------------------------------------

Notice the 2 instructions at the top, weird... ;) That "jne 004010EE" jumps to the CRC Message Box. So what are we going to do??? Very simple: the value at Offset "00402004" needs to be "00007A69", but it isn't that value. So we're going to change the value "00007A69" into "00000000" and the program won't jump :) I assume you know how to change that in your Hex-Editor :)

That's all.

---> Greetings...

Everyone from TrickSoft (www.TrickSoft.net)
Everyone from Cracking4Newbies (www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies (Keygenning4Newbies.cjb.net)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya... CoDe_InSiDe
Email: code.inside@home.nl