New 2 Cracking
~~~~~~~~~~~~~~

Tutorial Type  : Tutorial
Tutorial Topic : How to pass the nags on FaNt0m's 2nd crackme
Written by     : ParaBytes
Date           : Feb. 4th, 2002.
Music          : None
Utilities      : W32Dasm/Hex Editor (i'll use HexWorkshop)
Remarks        : http://fant0m.cjb.net

Initializing Tutorial, please wait...
Done.

Starting GUI.....
hmm, no GUI found, txt file will do...

Starting Tutorial....

ok, after the 'groove' startup ;) let's review what we need to do and where...

1) get rid of a messagebox nag
2) get rid of a dialog nag (not hard as you may think :))
3) fix my name to ParaBytes and not Parabytes

ok, open the file in w32dasm and search for the messagebox text,
well, we found it :

* Possible StringData Ref from Data Obj ->"Nag Nag Nag..."
                                  |
:004010D7 683E304000              push 0040303E
:004010DC 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:004010DE E8C5010000              Call 004012A8

as we can see, the program calls a messagebox with our string,
so, what we need to do is take the offset of the call and nop the damn call...

but, in case you don't know, the address 004010DE is an RVA (Relative Virtual Address)
and we need the file offset,

we can use an RVA2OFFSET tool, but we can also check the W32Dasm status bar,
where we see :

Line:201 Pg 3 of 9 Code Data @:004010DE @Offset 000004DEh in File:CRACKME2.EXE

so, what we have here is the RVA and the offset, write down the offset (4DE) and the length of the
call in bytes (you can count every 2 hex digits of the opcode bytes,
or take the last 2 hex digits of the next instruction's address and subtract the last 2 hex digits of our address with a hex calc,
either way you get 5 bytes) so we need to nop 5 bytes..

(nop is an instruction that does nothing, it's useful when you just want to stop a piece of code from executing,
 the hex code for nop is 90h)

ok, keep on looking, you see :

:004010E3 6A00                    push 00000000
:004010E5 6810124000              push 00401210
:004010EA FF75B0                  push [ebp-50]

* Possible StringData Ref from Data Obj ->"NAGDIALOG"
:004010ED 6829304000              push 00403029
:004010F2 FF356C304000            push dword ptr [0040306C]

* Reference To: USER32.DialogBoxParamA, Ord:0092h
                                  |
:004010F8 E887010000              Call 00401284

that code is executing the NAGDIALOG, you can tell from the name,
if you're not sure, open your favorite resource editor (eXeScope) and look at the data in the dialog...

anyway, we do the same thing here, 5 bytes to nop at 4F8h

so, open the Hex Editor,
go to location 4DEh and change the 5 bytes (they should match the w32dasm code) to 90,
after that, go to 4F8h and change the 5 bytes to 90, now,
the best part...

go to find a string,
enter Parabytes,
select ASCII or Unicode (unicode strings have a null byte between each letter),
found, unicode, at 1128h, go there, change the b (62h) to B (42h), save,
and quit the hex editor...

bingo !!
my name is fixed, the nags went dead, and we are sexy bitches !
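The three patches above, done in Python as an added example (this is not code from the tutorial or the crackme): the RVA-to-file-offset mapping that RVA2OFFSET tools do, the 5-byte nop with a check that there really is a CALL (E8) at the offset, and the Unicode string fix. The image base (400000h), the section table and the byte buffer standing in for CRACKME2.EXE are constructed so the addresses match what W32Dasm showed.

```python
IMAGE_BASE = 0x400000  # assumed: the usual Win32 EXE image base, consistent with 004010DE -> 4DEh

# constructed section table: (name, VirtualAddress, SizeOfRawData, PointerToRawData)
SECTIONS = [
    (".text", 0x1000, 0x1000, 0x400),
    (".data", 0x3000, 0x200, 0x1400),
]

def va_to_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """what RVA2OFFSET does: find the section holding the RVA, then map it into the file"""
    rva = va - image_base
    for _name, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + raw_size:
            return rva - vaddr + raw_ptr
    raise ValueError(f"VA {va:#010x} is not inside any section")

def nop_call(image, offset):
    """overwrite a 5-byte CALL rel32 (opcode E8) with NOPs (90h), checking the opcode
    first so a wrong offset cannot silently destroy unrelated code"""
    if image[offset] != 0xE8:
        raise ValueError(f"expected E8 (CALL) at {offset:#x}, found {image[offset]:#04x}")
    image[offset:offset + 5] = b"\x90" * 5

def fix_unicode_string(image, old, new):
    """find a UTF-16LE string (letter, null, letter, null ...) and replace it in place"""
    needle, repl = old.encode("utf-16-le"), new.encode("utf-16-le")
    if len(needle) != len(repl):
        raise ValueError("replacement must have the same length as the original")
    pos = image.find(needle)
    if pos < 0:
        raise ValueError(f"{old!r} not found as a Unicode string")
    image[pos:pos + len(repl)] = repl
    return pos

def build_sample_image():
    """constructed stand-in for CRACKME2.EXE: only the bytes the tutorial touches are filled in"""
    image = bytearray(0x1600)
    image[0x4DE:0x4E3] = bytes.fromhex("E8C5010000")   # the call to the MessageBoxA thunk
    image[0x4F8:0x4FD] = bytes.fromhex("E887010000")   # the call to the DialogBoxParamA thunk
    image[0x1128:0x1128 + 18] = "Parabytes".encode("utf-16-le")
    return image

def patch_crackme(image):
    """apply the tutorial's three patches; return the file offsets that were changed"""
    offsets = [va_to_offset(0x4010DE), va_to_offset(0x4010F8)]
    for off in offsets:
        nop_call(image, off)
    offsets.append(fix_unicode_string(image, "Parabytes", "ParaBytes"))
    return offsets
```

Calling `patch_crackme(build_sample_image())` returns the three offsets 4DEh, 4F8h and 1128h, the same numbers the tutorial found by hand.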

push 0
push 0
push TM_ENDING
push 0
call SendMessageA

Ending :
~~~~~~~~
we saw today that nags are not always hard, actually they can be very easy !
nag screens can also be using (besides DialogBoxParamA)

CreateWindowExA
ShowWindow

and might use others (stuff that i don't remember :))
but always remember to find where the call is and remove it...
sometimes the call to the api is used by many windows, in this case,
you need to find the 1st call in the order and nop it, because if you nop the main call,
the program just crashes...

Greets :
~~~~~~~~
as usual, krobar, tKC, Invoker, FaNt0m, Anvile, DarkMoon, Dawai, sinny, PhANt0m,
ThrawN, DR ppl, INSIGHT ppl, Extince, dCe, hackwizz, etc.. etc..
if you deserve to be here, you know it, i just can't remember you right now because
i'm dead tired...

Contact iNFO :
\=-=-=||=-=-=/

E-Mail : Lewsers@Hotmail.com
IRC    : EFNET / #New2Cracking
Here,

ParaBytes, "I'm rich and i'm dead sexy !"