Acid_Cool_178
presents he's
| #14 Tutorial |
| For Hellforge |
This Text Are Only Ment To Edcucational Purpose And Not To Be Used Illegaly, I Take No Response For Illegal Use Of This Text. Move On On Your Risc.
| Athour Information |
| acid_cool_178@hotmail.com | ||
| Age | 17 | |
| Web Page | http://acidcool.cjb.net/ | |
| Date | Febuary 2K | |
| Member in | Hellforge | Flying Horse Cracking Force |
| Groups Web Page | Hellforge Login | FHCF Login |
| Program Infromation |
| Name | Muad'Dib's Crackme #1 | |||
| mdcm1.exe | ||||
| Athour | Muad'Dib | |||
| Where to Downlaod | http://muad.cjb.net/ | |||
| Size | 5KB | |||
| Tools used | W32Dasm Hiew |
Downlaod At | ||
| 1. Player Tools | ||||
| 2. Programmer Tools | ||||
| What kind of a program | Crackme | Shareware | ||
| Skill | Easy | Not so easy | Hard | X-pert |
| Information about the Protection I |
This protection got one NAG when you are starting the program and one when you are closing the program. Lets remove those NAG'S
| Before we start |
NOP measn NO Operation!!
NOP are 90 in hex
In hiew, just edit the code if you want to nop.
Read my other text for learning some more about NOP'ing.
| The Process |
Run the program and note down the message at the NAG's (I noted "Please
register")
Open mdcm1.exe in W32Dasm and go to the "String Data References" , now, search
for your string "Please register" i founded "Please Register!"
Dubbleclick on that string and you can see this code.
* Referenced by a CALL at Addresses:
|:00401208 , :00401254
<-- Funny Calls
|
:004012BF 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Please register!"
<-- The caption (Title) on the messagebox
|
:004012C1 682D304000 push 0040302D
<-- You will land here/ Movinc
the caption TO the messagebox
* Possible StringData Ref from Data Obj ->"I want your money! Please send "
->"me $20 to get rid of this screen!"
<-- the label on the nag
|
:004012C6 683E304000 push 0040303E
<-- Properties for the label
:004012CB 6A00 push 00000000
<-- Properties for the label
* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:004012CD E842000000 Call 00401314
<-- This will show the NAG window
I tried to NOP out ahe call at 4012CD but thet was to no help for me. So tahe a look at
the "Funny Calls" and go to those adresses
:00401208 E8B2000000 call 004012BF
This is so cool, NOP out this call in hiew
:00401254 E866000000 call 004012BF
hehe, our seccond NAG, nop it out and all the NAG's are gone :)
| Ending |
well, one more NAG removed :)
| Information about the Protection II |
N/A
| Greetings |
LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO. Torn@do, ^AiX^ and all the other i have forgotten