                         Phox Crackme #1 Tutorial

[ASCII-art group banner, garbled by extraction; only the name "iNSiDE" is legible]

Tutor      : duelist
Date       : April 6, 1999
Who        : Beginners
Target     : CrackMe #1 by Phox
Size       : 8kb (!)
Tools Used : SoftIce, Hiew (or any other hex editor)
Method     : Patch


			     -=* Welcome *=-

Well hi there. Although I've been cracking 'crackmes' for a long time, I'd
never written a tutorial for one of those, and this will be my third one,
due to a request from Eternal Bliss :)


			    -=* Protection *=-

This crackme is simple: you have to remove a nag that runs at startup
(well, it is actually a simple 'messagebox' eheh)


			   -=* Our Approach *=-

Using SoftICE, this should be EASY work!

1) Switch to SoftICE (Ctrl+D) and type "bpx messageboxa" (the nag is a message box,
   so we can break RIGHT on it)

2) Start up the crackme executable and you'll break into SoftICE right away:

   .0040100C: 6A30                         push      030                 ; message box style
   .0040100E: 6879204000                   push      000402079           ; message box caption (title bar)
   .00401013: 688D204000                   push      00040208D           ; message box text
   .00401018: FF3548204000                 push      d,[000402048]       ; handle of owner window
   .0040101E: E8DA010000                   call     .0000011FD           ; USER32!MessageBoxA
-> .00401023: C7050020400003400000         mov       dword ptr [000402000],000004003   \
   .0040102D: C705042040003D114000         mov       dword ptr [000402004],00040113D   |  This section is not
   .00401037: C7050820400000000000         mov       dword ptr [000402008],000000000   |  important...
   .00401041: C7050C20400000000000         mov       dword ptr [00040200C],000000000   /

3) We only have to patch the call to USER32!MessageBoxA, and the nag is gone!
   Take note of the bytes and start up Hiew.

4) Go to 101E (using F5) and replace all the bytes of the call with NOPs (90h), so you change

   E8 DA 01 00 00 
   
         to

   90 90 90 90 90

5) Save it and exit (F9, F10) and try to run the crackme... Bingooooooo! No nag! :)
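Added example (not part of the original tutorial): a small Python script that works on a
buffer built from the bytes in the listing above. It decodes where the E8 call really goes
(a rel32 displacement is relative to the next instruction, so 0040101E + 5 + 1DAh = 004011FD,
the import thunk the listing labels USER32!MessageBoxA), and it checks what sits at the call
site before and after the five-byte NOP patch, refusing to write anything if the bytes there
are not the original call. The buffer, the LISTING_VA/CALL_VA constants and the function
names are mine; the byte values come from the listing.

```python
import struct

# Constructed buffer: the instruction bytes copied from the SoftICE listing,
# starting at image address 0040100C (assumption: contiguous as shown).
LISTING_VA = 0x0040100C
LISTING = bytes.fromhex(
    "6A30"                      # push 30h                  ; uType
    "6879204000"                # push 402079h              ; lpCaption
    "688D204000"                # push 40208Dh              ; lpText
    "FF3548204000"              # push dword ptr [402048h]  ; hWnd
    "E8DA010000"                # call USER32!MessageBoxA   ; E8 rel32
    "C7050020400003400000"      # mov dword ptr [402000h], 4003h
)

CALL_VA = 0x0040101E                        # address of the call instruction
ORIGINAL_CALL = bytes.fromhex("E8DA010000") # bytes the tutorial tells you to note
NOP_PATCH = b"\x90" * 5                     # the replacement from step 4
# MessageBoxA is stdcall with four dword arguments: the callee pops 16 bytes.
# After the call is NOPed, nothing pops those four pushes.
MESSAGEBOXA_STACK_ARGS = 4 * 4


def call_target(va, insn):
    """Resolve the destination of a 5-byte E8 rel32 near call.

    The displacement is a signed 32-bit value relative to the address of
    the *next* instruction, i.e. va + 5."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    (rel32,) = struct.unpack("<i", insn[1:5])
    return (va + 5 + rel32) & 0xFFFFFFFF


def classify_call_site(image, image_va, call_va):
    """Integrity check: report whether the call site still holds the
    original call ('original'), the NOP patch ('nopped'), or something
    else ('unknown', e.g. a different build or a partial write)."""
    off = call_va - image_va
    site = image[off:off + 5]
    if site == ORIGINAL_CALL:
        return "original"
    if site == NOP_PATCH:
        return "nopped"
    return "unknown"


def apply_nop_patch(image, image_va, call_va):
    """Return a copy of the buffer with the call replaced by five NOPs.
    Refuses to touch anything but the exact original call bytes, so a
    wrong offset or a different binary is caught instead of corrupted."""
    off = call_va - image_va
    if image[off:off + 5] != ORIGINAL_CALL:
        raise ValueError("unexpected bytes at call site; refusing to patch")
    return image[:off] + NOP_PATCH + image[off + 5:]


if __name__ == "__main__":
    print(hex(call_target(CALL_VA, ORIGINAL_CALL)))          # 0x4011fd
    print(classify_call_site(LISTING, LISTING_VA, CALL_VA))  # original
    patched = apply_nop_patch(LISTING, LISTING_VA, CALL_VA)
    print(classify_call_site(patched, LISTING_VA, CALL_VA))  # nopped
```

One thing the listing makes visible: MessageBoxA is stdcall, so the callee normally removes
the four pushed arguments (16 bytes). Once the call is NOPed, those four pushes stay on the
stack. It does not bite in this crackme (it runs fine without the nag), but on any other target
look at what the code does with ESP afterwards before settling for plain NOPs.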

  			    -=* Final Notes *=-
 
Well, you should write a patcher for this one, and I don't include the source here because I don't
want you to become lazy! But if you would like the source for any reason, ask me for it by sending
an email to duelist@beer.com. I hope you enjoyed this tutorial!