

                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
              XXXX        proudly presents his 24.Cracking Tutorial (08.07.1999)
               XX                       tC's CrackMe [id:14]

I.    Introduction
II.   The essay
III.  BTW
IV.   All Tutorials by LaZaRuS

I.   Welcome to my 24th cracking tutorial.

I.1  HexWorkshop 2.54
     tC's CrackMe [id:14]
 
II.  The essay
     The goal of this CrackMe is to get rid of the nag-screen that is shown at the start of
     the CrackMe. At first I tried to get rid of it with the help of a deadlisting in W32Dasm.
     Somehow this didn't lead anywhere. Then I remembered: tC? CrackMes? Must be Delphi!!!
     So let's head for a clean Delphi crack. You should know that the properties of every
     component designed in Delphi (Buttons, ListBoxes, EditFields, Windows) are stored in the
     EXE file with their names in plain text. So we just have to find the references and edit
     them for our purposes :) You should also know that a standard window is derived from the
     class TForm. So let's search for it in the hexeditor. You will find some references that
     are completely useless. The last one you find in the file is the declaration we are
     looking for. You can recognize it easily by looking at the "environment" of the TForm:
     you find strings like "Top", "Left", "Height"... which are properties of this window. We
     are completely right :) After spending some time looking at references that could be
     useful, I suddenly saw: TAHMSplashScreen - doesn't that look like a reference to the
     splash screen that we have to kill??? Thanx to tC for giving us a predefined Delphi
     component. This will make it easier. Currently I am talking about this passage:

     0005BF20 0010 5441 484D 5370 6C61 7368 5363 7265 ..TAHMSplashScre
     0005BF30 656E 0468 697A 610A 496D 6167 652E 4461 en.hiza.Image.Da
     0005BF40 7461 0ADA 3B00 00D6 3B00 0042 4DD6 3B00 ta..;...;..BM.;.
     0005BF50 0000 0000 0076 0000 0028 0000 002C 0100 .....v...(...,..
     0005BF60 0064 0000 0001 0004 0000 0000 0060 3B00 .d...........`;.
     0005BF70 0012 0B00 0012 0B00 0010 0000 0010 0000 ................
     0005BF80 0000 0000 0000 0080 0000 8000 0000 8080 ................
     0005BF90 0080 0000 0080 0080 0080 8000 00C0 C0C0 ................
     0005BFA0 0080 8080 0000 00FF 0000 FF00 0000 FFFF ................
     0005BFB0 00FF 0000 00FF 00FF 00FF FF00 00FF FFFF ................
     0005BFC0 0033 3333 3333 3333 3333 3333 3333 3333 .333333333333333
     0005BFD0 3333 3333 3333 3333 3333 3333 3333 3333 3333333333333333
     0005BFE0 3333 3333 3333 3333 3333 3333 3333 3333 3333333333333333
     0005BFF0 3333 3333 3333 3333 3333 3333 3333 3333 3333333333333333

     You will see quite a lot of 3333 here. They belong to the data of the image that is
     displayed on the splash screen. After them you will see this:

     0005FB20 FF0B 5370 6C61 7368 5769 6474 6803 0000 ..SplashWidth...
     0005FB30 0C53 706C 6173 6848 6569 6768 7402 000C .SplashHeight...
     0005FB40 4F6E 5370 6C61 7368 446F 6E65 0705 636C OnSplashDone..cl
     0005FB50 6F73 650B 4465 6C61 7949 6E4D 7365 6303 ose.DelayInMsec.
     0005FB60 0000 1649 6E73 6964 6546 7261 6D65 2E46 ...InsideFrame.F
     0005FB70 7261 6D65 5374 796C 6507 0C66 7261 6D65 rameStyle..frame
     0005FB80 4C6F 7765 7265 640B 426F 7264 6572 7769 Lowered.Borderwi
     0005FB90 6474 6802 0004 4C65 6674 0240 0354 6F70 dth...Left.@.Top

     The property "DelayInMsec" looks especially interesting. Something tells me that this
     is the time the nag is displayed. So change the two bytes at 5FB60 and 5FB61 to 0000 (do
     not change the byte at 5FB5F: the first byte after a property name is not part of the
     value itself). Restart the CrackMe and see that the nag has disappeared. No, not
     really: it is displayed for only 0.01 seconds, but it has not completely vanished. Now we
     have to make it "invisible". Just change the SplashWidth and SplashHeight properties to 0000
     as well and the work is done. At the end it should look like this:

     0005FB20 FF0B 5370 6C61 7368 5769 6474 6803 0000 ..SplashWidth...
     0005FB30 0C53 706C 6173 6848 6569 6768 7402 000C .SplashHeight...
     0005FB40 4F6E 5370 6C61 7368 446F 6E65 0705 636C OnSplashDone..cl
     0005FB50 6F73 650B 4465 6C61 7949 6E4D 7365 6303 ose.DelayInMsec.
     0005FB60 0000 1649 6E73 6964 6546 7261 6D65 2E46 ...InsideFrame.F
     0005FB70 7261 6D65 5374 796C 6507 0C66 7261 6D65 rameStyle..frame
     0005FB80 4C6F 7765 7265 640B 426F 7264 6572 7769 Lowered.Borderwi
     0005FB90 6474 6802 0004 4C65 6674 0240 0354 6F70 dth...Left.@.Top

     Restart the CrackMe: The nag is gone - CrackMe solved :)
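     The dumps above follow the binary form-resource (DFM) layout that Delphi's TReader uses:
     each property is a length-prefixed name, then one value-type byte (vaInt8 = 02, vaInt16 = 03,
     vaIdent = 07, vaBinary = 0A ...), then the value in the size that byte dictates. That is why
     the 03 at 5FB5F has to stay and only 5FB60-5FB61 are changed. The Python below is an added
     example, not part of the tutorial or the CrackMe: it decodes the property list transcribed
     from the dump at 5FB21 (both dumps on the page already show the patched values) and reports
     the absolute offset of every value so the patch positions can be checked before touching them.

```python
import struct
# Delphi TReader value-type tags (Delphi 2/3 era) that occur in this dump.
VA_IDENT, VA_BINARY = 7, 10
INT_FMT = {2: "<b", 3: "<h", 4: "<i"}   # vaInt8, vaInt16, vaInt32 (little-endian)
TAG_NAMES = {2: "vaInt8", 3: "vaInt16", 4: "vaInt32", 7: "vaIdent", 10: "vaBinary"}

# TAHMSplashScreen property list transcribed from the dump at file offset 0x5FB21
# (the 0xFF at 0x5FB20 closes the Image.Data blob; the cut-off "Top" is left out).
SPLASH_BASE = 0x5FB21
SPLASH_PROPS = (
    b"\x0bSplashWidth\x03\x00\x00"        # vaInt16 0
    b"\x0cSplashHeight\x02\x00"           # vaInt8 0
    b"\x0cOnSplashDone\x07\x05close"      # vaIdent "close"
    b"\x0bDelayInMsec\x03\x00\x00"        # tag byte at 0x5FB5F, value at 0x5FB60-61
    b"\x16InsideFrame.FrameStyle\x07\x0cframeLowered"
    b"\x0bBorderwidth\x02\x00"
    b"\x04Left\x02\x40"                   # vaInt8 64
)

def _read_pstr(buf, pos):
    """Pascal-style string: one length byte followed by that many characters."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode("latin-1"), pos + 1 + n

def parse_props(buf, base=0):
    """Decode a binary DFM property list into dicts holding the name, type tag,
    value and absolute offset of the value bytes (the only bytes a patch may touch)."""
    props, pos = [], 0
    while pos < len(buf) and buf[pos] != 0:      # a 0x00 byte ends the list
        name, pos = _read_pstr(buf, pos)
        tag, pos = buf[pos], pos + 1             # one type byte precedes every value
        value_off = base + pos
        if tag in INT_FMT:
            value = struct.unpack_from(INT_FMT[tag], buf, pos)[0]
            pos += struct.calcsize(INT_FMT[tag])
        elif tag == VA_IDENT:                    # identifier, e.g. OnSplashDone = close
            value, pos = _read_pstr(buf, pos)
        elif tag == VA_BINARY:                   # 4-byte length + blob, e.g. Image.Data
            n = struct.unpack_from("<I", buf, pos)[0]
            value, pos = buf[pos + 4:pos + 4 + n], pos + 4 + n
        else:
            raise ValueError(f"unsupported value tag 0x{tag:02x} at 0x{base + pos - 1:X}")
        props.append({"name": name, "tag": TAG_NAMES[tag], "value": value,
                      "value_offset": value_off})
    return props

if __name__ == "__main__":
    for p in parse_props(SPLASH_PROPS, SPLASH_BASE):
        print(f"{p['value_offset']:06X}  {p['name']:<24}{p['tag']:<9}{p['value']!r}")
```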

III. BTW
     
     Greets to: tKC, Ed!son, Moral Insanity, +Sandman, Fravia+ and everyone at #cracking4newbies,
     +Sandman's forum and Fravia+'s forum.

IV.  All tutorials by LaZaRuS
      
Since the 4th of July I have made 17854 left clicks, 619 right clicks, 2726 double clicks and 124428
key strokes. In this time my mouse moved more than 440 meters over the screen.
(reported by ToggleMouse; cracked by myself - of course ;)