Tutorial for nOp3x v2a
by Sanhedrin

Tools
Wdasm


The quick two-step method of cracking without SoftICE.

Step 1

Disassemble the crackme and go to the program's entry point.  A few 
lines down you will notice:

* Reference To: USER32.DialogBoxParamA, Ord:0000h
                                  |
:0040101D E82B010000              Call 0040114D<---call the nag screen
:00401022 E911010000              jmp 00401138<---end program
:00401027 C8000000                enter 0000, 00
:0040102B 817D0C11010000          cmp dword ptr [ebp+0C], 00000111

So we can't just NOP the nag screen, because the next line will kick us out of the program.
Look a few lines further:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401065(C)
|
:0040106B 6A00                    push 00000000
:0040106D FF7508                  push [ebp+08]

* Reference To: USER32.EndDialog, Ord:0000h
                                  |
:00401070 E8E4000000              Call 00401159
:00401075 6A00                    push 00000000
:00401077 68BC104000              push 004010BC
:0040107C 6A00                    push 00000000
:0040107E 6A02                    push 00000002
:00401080 FF3500204000            push dword ptr [00402000]

* Reference To: USER32.DialogBoxParamA, Ord:0000h
                                  |
:00401086 E8C2000000              Call 0040114D
:0040108B 6A00                    push 00000000
:0040108D FF7508                  push [ebp+08]

The jump reference at 0040106B originates from the 'take the program for a test drive...' button
in the nag box.

Step 2

Therefore, just change the first call at 0040101D to jump to 0040106B and the NAG is gone.

:0040101D E82B010000              Call 0040114D

to

:0040101D EB4C                    jmp 0040106B
:0040101F 90                      nop
:00401020 90                      nop
:00401021 90                      nop
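The displacement in that two-byte jump is not chosen by hand: a short jmp (EB rel8) stores the signed distance from the end of the jmp itself to the target, so from 0040101D the byte is 0040106B - (0040101D + 2) = 4C, and the remaining three bytes of the original five-byte call are padded with NOPs so the instruction stream stays aligned. The following script is an added example, not part of the tutorial; it recomputes the call targets shown in the W32Dasm listing (E8 rel32, counted from the end of the five-byte call) and builds the step 2 patch, refusing a target that a short jump cannot reach. The addresses and immediates are copied from the listing above.

```python
# Added example (not from the tutorial): check the call targets in the
# listing above and compute the short-jump patch used in step 2.

def decode_rel32_le(hexbytes):
    """Little-endian 4-byte immediate as printed in the listing, e.g. '2B010000' -> 0x12B."""
    return int.from_bytes(bytes.fromhex(hexbytes), "little")

def call_target(addr, rel32):
    """Target of a 5-byte E8 call at addr: address of the next instruction plus signed rel32."""
    next_ip = addr + 5
    if rel32 >= 0x80000000:          # interpret the immediate as signed
        rel32 -= 0x100000000
    return (next_ip + rel32) & 0xFFFFFFFF

def encode_short_jmp(src, dst):
    """EB rel8 from src to dst; rel8 is measured from the end of the 2-byte jmp."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{dst:#010x} is not reachable with a short jump from {src:#010x}")
    return bytes([0xEB, disp & 0xFF])

def patch_call_with_short_jmp(src, dst, original_len=5):
    """Replace an original_len-byte instruction at src with a short jmp to dst, NOP-padded."""
    jmp = encode_short_jmp(src, dst)
    if len(jmp) > original_len:
        raise ValueError("patch is longer than the instruction it replaces")
    return jmp + b"\x90" * (original_len - len(jmp))

def main():
    # Call sites and immediates taken from the disassembly in the tutorial
    calls = {0x0040101D: "2B010000", 0x00401070: "E4000000", 0x00401086: "C2000000"}
    for addr, imm in calls.items():
        print(f"{addr:08X}  call -> {call_target(addr, decode_rel32_le(imm)):08X}")
    patch = patch_call_with_short_jmp(0x0040101D, 0x0040106B)
    print("patch bytes at 0040101D:", patch.hex().upper())   # EB4C909090

if __name__ == "__main__":
    main()
```

Running it reproduces the listing's targets (0040114D for both DialogBoxParamA calls, 00401159 for EndDialog) and the bytes EB 4C 90 90 90, which is a quick way to confirm a hand-written patch before writing it into the file.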

Greets to tC and BJanes (sorry I haven't gotten back to you, work has been crazy lately)

Thanks to all of those coders that make these crackmes, and of course to Eternal Bliss.


Sanhedrin
stachi@geocities.com
