*************************************************************************************************
How to crack Muad Dib's ReverseMe 1
Essay written by seifer666 05/26/2000
*************************************************************************************************

1) Introduction

Name              : Muad Dib's ReverseMe 1
Author            : Muad Dib
Level             : easy
Protection        : your aim is to redirect the task of a button
Tools needed      : * WDasm 8.93
                    * HexEditor (I used HexWorkShop)
Download location : www.immortaldescendants.org

2) The cracking of the death

Run the Crackme and click on the exit button. A fucking messagebox appears and explains your goal to you again. But after clicking on the Ok button of the messagebox, the process doesn't exit. So let's dasm it.

Go to the String Data References and click on the text of the messagebox, "Your job is to make me work as", to locate the problem quickly. You'll arrive at:

* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:00401024 E843000000              Call 0040106C                     ;Calls ExitProcess when clicking on the Windows Exit Cross

:00401029 55                      push ebp
:0040102A 8BEC                    mov ebp, esp
:0040102C 817D0C11010000          cmp dword ptr [ebp+0C], 00000111  ;is the message WM_COMMAND (0x111)?
:00401033 751F                    jne 00401054
:00401035 8B4510                  mov eax, dword ptr [ebp+10]       ;wParam
:00401038 6683F864                cmp ax, 0064                      ;is the control ID 100 (0x64), the exit button?
:0040103C 752A                    jne 00401068
:0040103E 6A00                    push 00000000                     ;uType = MB_OK

* Possible StringData Ref from Data Obj ->"GOAL:"
                                  |
:00401040 682F304000              push 0040302F                     ;Caption of the MessageBox

* Possible StringData Ref from Data Obj ->"Your job is to make me work as "
                                        ->"an exit button!"
                                  |
:00401045 6800304000              push 00403000                     ;Text of the MessageBox
:0040104A FF7508                  push [ebp+08]                     ;hWnd, the owner window handle

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:0040104D E832000000              Call 00401080                     ;Calls the MessageBox, we will patch
:00401053 EB2A                    jmp 00401068                      ;those two lines !!!
If we go to 0040106C, which is called at 00401024, we see:

* Referenced by a CALL at Address:
|:00401024   ;Call 0040106C
|
* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:0040106C FF2504204000            Jmp dword ptr [00402004]          ;we will patch with this jump

So if we replace the bytes at 0040104D and 00401053 with those at 0040106C, the shitty prog will exit when you click the exit button and the fucking MessageBox won't appear anymore, hehe. Note that these are virtual addresses, not file offsets: when you click on a line, WDasm shows the matching file offset at the bottom of its window, and that is where the bytes must be changed in the hex editor. So I patched:

:0040104D E832000000              Call 00401080
:00401053 EB2A                    jmp 00401068

by:

:0040104D FF2504204000            Jmp dword ptr [00402004]          ; = Call ExitProcess
:00401053 90                      nop                               ;just to make it pretty ;)

The replacement is exactly the size of what it overwrites (the 6-byte jmp plus 1 nop cover the 5-byte call and the 2-byte jmp), so nothing after it shifts and the jne at 00401033 still lands on 00401054. ExitProcess never returns, so the four arguments already pushed for MessageBoxA, the saved ebp and the missing return address (we reach the thunk with a jmp, not a call) do no harm; only the exit code the process reports is garbage.

And the prog exits now by clicking on the cross or the exit button, hehe. It was easy, but great. We just had to know the ExitProcess API :).

3) Final words

Well, I would like to thank ImmortalDescendants and Muad Dib for their very good work !!

I greet all my friends on caramail, #cracking4newbies, all the crackers in the world and everyone supporting me (there are not a lot because I'm a newbie and not very well known). Excuse me for my lame English, it's not my mother tongue.

seifer666

You can join me at seifer666@caramail.com or on ICQ: #61545376
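Added example, not part of seifer666's essay: before deriving a patch from a listing that was typed by hand, re-derive every branch target from the raw bytes and check that the replacement fits exactly and does not straddle a branch target. The addresses, bytes and printed targets are copied from the listing above; the decoder, the checks and the file offset 0x44D used for the stand-in image are constructed here (the real file offset comes from WDasm). Run as printed, the check reports two lines of the essay's listing whose bytes do not decode to the target printed beside them: E832000000 at 0040104D decodes to a call to 00401084 (printed: 00401080) and EB2A at 00401053 decodes to a jmp to 0040107F (printed: 00401068), so one side of each line is a transcription slip, which is exactly what this kind of check is for.

```python
# Added example: verify WDasm-style branch targets from raw bytes and check
# that a same-size patch is safe. Listing values are copied from the essay;
# the file offset below is a constructed placeholder.

# Condition-code names for the short Jcc opcodes 0x70..0x7F.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_branch(va, code):
    """Decode one control-transfer instruction at virtual address `va`.

    Only the encodings seen in the listing are handled: E8 (call rel32),
    E9 (jmp rel32), EB (jmp rel8), 70-7F (jcc rel8) and FF 25 (jmp [abs32]).
    Returns (mnemonic, target, length). For the indirect jmp, `target` is the
    pointer slot that is read (the IAT entry), not the API address itself.
    Anything else returns None.
    """
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) >= 5:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return ("call" if op == 0xE8 else "jmp", (va + 5 + rel) & 0xFFFFFFFF, 5)
    if (op == 0xEB or 0x70 <= op <= 0x7F) and len(code) >= 2:
        rel = int.from_bytes(code[1:2], "little", signed=True)
        name = "jmp" if op == 0xEB else JCC[op - 0x70]
        return (name, (va + 2 + rel) & 0xFFFFFFFF, 2)
    if op == 0xFF and len(code) >= 6 and code[1] == 0x25:
        slot = int.from_bytes(code[2:6], "little")
        return ("jmp [mem]", slot, 6)
    return None


# (virtual address, bytes as printed, target as printed), copied from the listing.
LISTING = [
    (0x401024, "E843000000",   0x40106C),  # Call 0040106C
    (0x401033, "751F",         0x401054),  # jne 00401054
    (0x40103C, "752A",         0x401068),  # jne 00401068
    (0x40104D, "E832000000",   0x401080),  # Call 00401080
    (0x401053, "EB2A",         0x401068),  # jmp 00401068
    (0x40106C, "FF2504204000", 0x402004),  # Jmp dword ptr [00402004]
]


def check_listing(listing):
    """Return {va: (printed_target, decoded_target)} for each line whose bytes
    do not decode to the target printed next to them."""
    bad = {}
    for va, hexbytes, printed in listing:
        dec = decode_branch(va, bytes.fromhex(hexbytes))
        decoded = dec[1] if dec else None
        if decoded != printed:
            bad[va] = (printed, decoded)
    return bad


def build_patch(new_bytes, replaced_len):
    """Pad `new_bytes` with nop (0x90) up to `replaced_len`. A patch longer
    than the instructions it overwrites is refused: it would shift every
    instruction after it and break all relative branches."""
    if len(new_bytes) > replaced_len:
        raise ValueError("patch of %d bytes does not fit in %d"
                         % (len(new_bytes), replaced_len))
    return new_bytes + b"\x90" * (replaced_len - len(new_bytes))


def patch_is_safe(patch_va, patch_len, branch_targets):
    """A patched range is safe only if no branch lands strictly inside it;
    a jump into the middle of the new bytes would decode garbage."""
    inside = [t for t in branch_targets if patch_va < t < patch_va + patch_len]
    return len(inside) == 0


def apply_patch(image, file_offset, expected, patch):
    """Write `patch` at `file_offset` in a copy of the file image, but only if
    the bytes there are the ones we expect (guards against a wrong offset)."""
    image = bytearray(image)
    if bytes(image[file_offset:file_offset + len(expected)]) != expected:
        raise ValueError("unexpected bytes at file offset 0x%X" % file_offset)
    image[file_offset:file_offset + len(patch)] = patch
    return bytes(image)


def demo():
    """Run the essay's patch through the checks above and return the results."""
    mismatches = check_listing(LISTING)
    original = bytes.fromhex("E832000000" "EB2A")            # 7 bytes at 0040104D
    patch = build_patch(bytes.fromhex("FF2504204000"), len(original))
    targets = [decode_branch(va, bytes.fromhex(h))[1] for va, h, _ in LISTING]
    safe = patch_is_safe(0x40104D, len(patch), targets)
    FILE_OFFSET = 0x44D   # constructed placeholder; WDasm shows the real one
    # Constructed stand-in for the file: padding, the 7 original bytes, padding.
    image = bytes(FILE_OFFSET) + original + b"\xCC" * 16
    patched = apply_patch(image, FILE_OFFSET, original, patch)
    return mismatches, patch, safe, patched[FILE_OFFSET:FILE_OFFSET + 7]


if __name__ == "__main__":
    m, p, s, w = demo()
    for va, (printed, decoded) in sorted(m.items()):
        print("%08X: printed %08X, bytes decode to %08X" % (va, printed, decoded))
    print("patch bytes:", p.hex().upper(), "safe:", s, "written:", w.hex().upper())
```

The size check and the branch-target check are the two things that go wrong most often with this kind of inline patch: a replacement one byte too long silently corrupts the next instruction, and a jne that lands inside the new bytes decodes from the middle of an opcode. Here the range 0040104D..00401053 is exactly 7 bytes and the nearest target, 00401054, is the first byte after it, so both checks pass.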