
Heya all, and welcome to my cracking tut.
I will show you how to patch T0RN@DO's 2nd Crackme.
This tut is from a complete newbie to another.

Tools used:
Win32Dasm
Hacker's View (HIEW)


Ok, let's start.
Run the crackme (idcrkme20.exe). What do you see? 3 boxes.
Enter name/group/serial and click the Check button.
Look down, and what do you see? UNREGISTERED.
Ok, fire up Win32Dasm and load the crackme. Go to the "Strn Ref" button
(better known as String Data Reference). There you will find the
string "REGISTERED!". Click on it. You should be here now:

* Possible StringData Ref from Data Obj ->"REGISTERED!"
                                  |
:0040150B 6870844000              push 00408470
:00401510 6800984000              push 00409800

This is where the label in the crackme is set to say that it is registered.
Now we should scroll up a bit, to find the conditional jump that decides
whether the registration routine gets here. Scroll until you see:

:00401509 7563                    jne 0040156E

JNE in asm means "Jump if Not Equal": if the entered serial is NOT EQUAL
to the real serial, then jump. Jump to where? To the Unregistered code at 0040156E.
Look at the status bar, and look for the offset:
Line 736 Pg 9 of 154 Code Data @:00401509 @Offset 00000909h in file:idcrackme20.exe

@Offset 00000909h -- we don't need the 'h' (it just means hex), so the offset is
909 :D

Hmm, but what do we need to do so that it no longer jumps away when the
serial is not equal? We can change that JNE to JE (= Jump if Equal),
or we can just NOP it (NOP = No OPeration).
I will show you how to NOP it now.

Open Hacker's View and select the crackme. Press F4 and choose Decode.
Now we are in the asm code of the file. Press F5 and type our offset (909).
Now we are on the line of the JNE.
JNE takes 2 bytes (75 63), and NOP takes 1 byte (90), so we have to NOP it 2
times. Press F3 (edit) and type 9090 (90 is NOP in hex, and 9090 is 2 of them).
Press F9 to update the file and F10 to exit. Run the crackme and enter any
name/group/serial, and the label says "REGISTERED!"

btw, if you REALLY want to change it to JE instead, change the 75 to 74 (the 63 stays).
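Added example, not part of WhizKiD's tutorial: a small Python script that decodes the three instruction forms shown in the Win32Dasm listing above (JNE/JE rel8, PUSH imm32, NOP), maps the virtual address 00401509 to the file offset 909h the way HIEW needs it, and shows the kind of self-check a program can run to notice that the bytes of its JNE were overwritten. The image base and .text section layout are assumptions (default PE values that reproduce the 909h offset shown on the page), and the byte strings are constructed from the listing.

```python
import struct

# Assumed PE layout: default image base, .text at RVA 0x1000 stored at raw
# offset 0x400. With these values VA 00401509 maps to file offset 909h,
# matching the Win32Dasm status bar in the tutorial.
IMAGE_BASE = 0x00400000
TEXT_RVA = 0x1000
TEXT_RAW = 0x400


def va_to_file_offset(va, image_base=IMAGE_BASE, rva=TEXT_RVA, raw=TEXT_RAW):
    """Translate a virtual address inside .text to its offset in the file."""
    return va - image_base - rva + raw


def decode(va, code):
    """Decode one instruction of the forms that appear in the listing.
    Returns (mnemonic text, instruction length in bytes)."""
    op = code[0]
    if op in (0x74, 0x75):                       # JE / JNE rel8
        rel = struct.unpack_from("<b", code, 1)[0]   # signed 8-bit displacement
        target = va + 2 + rel                    # relative to the next instruction
        return ("%s %08X" % ("je" if op == 0x74 else "jne", target), 2)
    if op == 0x68:                               # PUSH imm32 (little-endian)
        imm = struct.unpack_from("<I", code, 1)[0]
        return ("push %08X" % imm, 5)
    if op == 0x90:                               # NOP
        return ("nop", 1)
    raise ValueError("unsupported opcode %02X" % op)


def disassemble(va, code):
    """Walk a byte string and return a list of (va, hex bytes, text) rows."""
    rows, i = [], 0
    while i < len(code):
        text, n = decode(va + i, code[i:])
        rows.append((va + i, code[i:i + n].hex(), text))
        i += n
    return rows


def bytes_intact(file_data, offset, expected):
    """Integrity check: do the bytes at `offset` still equal `expected`?
    A program (or a defender comparing against a known-good copy) can use
    this to detect that a conditional jump was NOPed or inverted."""
    return bytes(file_data[offset:offset + len(expected)]) == expected


if __name__ == "__main__":
    # Constructed from the listing: jne 0040156E; push 00408470; push 00409800
    original = bytes.fromhex("7563" "6870844000" "6800984000")
    for va, raw, text in disassemble(0x00401509, original):
        print("%08X %-10s %s" % (va, raw, text))
    print("file offset of 00401509: %03Xh" % va_to_file_offset(0x00401509))

    # Constructed file image with the JNE at offset 909h, then the two patches
    # described in the tutorial applied to copies of it.
    image = bytearray(0x910)
    image[0x909:0x90B] = b"\x75\x63"
    nopped = bytearray(image); nopped[0x909:0x90B] = b"\x90\x90"
    inverted = bytearray(image); inverted[0x909] = 0x74
    for name, img in (("original", image), ("nopped", nopped), ("inverted", inverted)):
        print(name, "intact" if bytes_intact(img, 0x909, b"\x75\x63") else "TAMPERED")
```

Running it prints the same three lines as the Win32Dasm listing, the 909h offset, and then "intact" for the untouched image and "TAMPERED" for both patched copies; the check is deliberately naive (a fixed byte compare) so that the relationship between the listing, the file offset and the patch is easy to follow.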

Hope you understood something :)

Contact me: 
I am hooked to the EFnet network in the channel #cracking4newbies (c4n),
Email : halokshoorim@hotmail.com

-WhizKiD
