"PhoX's CrackMe v1.0"
 
 
This tutorial is coming from... 
 

 

##########                     #######  ####                ####   #####    ##########  
  ###    ###                       ###     #   ###                    ###   #          #         ###  
  ###    ###        ###         ###  #      ###     ###          ###  #           #        ###  
  ###    ###      ## ##        ###  #      ###    ## ##         ####                     ###  
  ###   ###      ### ###     ######    ###   ### ###         ###                   ###  
  #######       #######    ###  #      ###   #######        ###                  ###  
  ### ###        ###           ###  #      ###   ###               ####                ###  
  ###  ###       ###           ###          ###   ###             #  ###               ###      #  
  ###   ###      ###           ###          ###   ###            #   ###              ###       #  
 ###    ###       ###  #      ###          ###    ###  #      #     ###            ###       ##  
####### ####   ####   #######    #####   ####   #####  ######    ########## 

 
 
 
ReFleXZ '99
 
Url: Http://ReFleXZ99.cjb.net 
Email: ReFleXZ@fcmail.com
 
 
 
 
About the essay... 
 
Written by
Bjanes 
 
Date: 9th April 1999
Program name: PhoX's CrackMe v1.0
Program type: Win32 CrackMe 
Program location: Here
Program filename: phox_cm1.zip 
Program size: 1.6 KB 
 
Tools required: 
Softice 3.2 - Debugger
Hiew 6.02 - Hex Editor
 
Difficulty level: 
Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 
 
 
 
Introduction... 
 
A few words about the crackme from its author...  

"This CrackMe may be not so hard to crack. 
I made this in asm so the file is not so big...8192 bytes 
When u cracked it send the patch to: 
phox@trust-me.com 
(with source if u coded it by urself...especially interested if it's a 
Windows program and if it's coded in asm...)" 

 
 
 
 
About the protection...
 
 
Type of protection:
Nag screen
This crackme has a very basic nag screen.
The nag screen is a simple message box which you must disable.
The crackme is not packed or encrypted, which is why it's easy.
You only have to patch the call to MessageBoxA and the crackme is cracked!
 
Text in the Nag Screen:
"CrackMe 1.0 by PhoX Plz registrate this CrackMe...
or crack it!! =)
This CrackMe maybe not so hard crack.
Ive made this in asm and its not my best language About CrackMe 1.0
Made by Phox"
 
The Essay...
 
First, open the crackme. You'll see a simple message box  
that pops up with some text in it. Press OK and you'll see 
a window with only an 'About' button, so there is nothing interesting here. 
You can now close the crackme. 

Now, how to disable the nag? First you must find where the nag is 
called. Because the nag is a message box, you put a 
breakpoint on "MessageBoxA", so type "bpx MessageBoxA" in Sice! 

Load the crackme again. Sice now breaks at the entry of the Windows 
API MessageBoxA. Press "F11" once (run until the function returns), then click the "OK" button 
to close the nag. Sice pops up again at the instruction after the call, so you'll now see where the nag is called... 
 
015F:0040100C  6A30                  PUSH    30                     <-- uType = 30h (MB_ICONEXCLAMATION) 
015F:0040100E  6879204000            PUSH    00402079               <-- lpCaption 
015F:00401013  688D204000            PUSH    0040208D               <-- lpText 
015F:00401018  FF3548204000          PUSH    DWORD PTR [00402048]   <-- hWnd 
015F:0040101E  E8DA010000            CALL    USER32!MessageBoxA     <-- the call that shows the nag 
015F:00401023  C7050020400003400000  MOV     DWORD PTR [00402000],00004003 <-- you land here after F11 / OK 

(MessageBoxA is a stdcall API, so its parameters are pushed right to left: the last push, 
[00402048], is the first parameter hWnd, and the first push, 30h, is the last parameter uType.) 

You can patch this crackme in a few different ways, but I'll explain only two! 
 

---------------------  First way  ---------------------
 
This one is better and I prefer it! We'll put a jump in place of the first parameter push at 40100C. 
That jump skips all the other parameters and the call, and you 
land at 401023! Because the four pushes are skipped together with the call, nothing is left 
behind on the stack. Load Hiew, press "F4" and choose "Hex" mode! 
Now we must find 40100C. Press "ALT+F1" until "Local" is enabled, 
and you'll see the same addresses as in Sice. Press "F5" (Goto) and type ".40100C"! 
You'll now see where in the file the code we are looking for is stored. 
You'll see: 6A 30 68 79.... We must change only two bytes, the first 
instruction ("push 30"); everything else stays the same! 

How to jump from 40100C to 401023? A short jump (opcode EB) takes a one-byte displacement 
that is counted from the end of the jump instruction, i.e. from the address of the instruction 
that follows it. The jump is two bytes long, so it ends at 40100E. Take any hex calculator (the one 
you got with your copy of Windows will do) and subtract 40100E from the address you want to jump to, 401023. 
The result of 401023-40100E is 15. So change 6A to EB and 30 to 15, which gives "EB 15" = "jmp short 401023". 
The displacement is a signed byte, so a short jump can only reach targets from -128 to +127 bytes away; 15h is well inside that range. 
Press "F9" to save the changes and "ESC" to quit 
Hiew. Now run the crackme again. There is no nag anymore! We cracked it! 
 

---------------------  Second way  ---------------------

Hopefully you have another, uncracked copy of the crackme; if not, download 
it again. Here we will patch the call to MessageBoxA with NOPs. 
Do everything as in the previous way: load Hiew, switch to "Hex" mode and "Local" mode, 
and goto ("F5") ".40101E". 

015F:0040101E  E8|DA|01|00|00            CALL    USER32!MessageBoxA 
               1   2  3  4  5            <--- You can see that we must patch all 5 bytes 

Press "F3" to edit the file and put five NOPs ("90 90 90 90 90") in place of "E8 DA 01 00 00"! 
By the way... NOP = 90h = No operation. 
(The four bytes after E8 are a 32-bit displacement, DA 01 00 00 = 1DAh, counted from the end of 
the call at 401023, so the call goes to 4011FD, which Sice resolves as USER32!MessageBoxA.) 
  
Press "F9" to save the changes and "ESC" to exit Hiew. Now run the crackme again 
and there will be no nag! We cracked it again! 

One caveat: MessageBoxA is a stdcall function, so normally it removes its own four 
parameters from the stack when it returns (ret 10h). With the call NOPed out, the four 
PUSHes still execute and those 16 bytes are left on the stack. This crackme tolerates it, 
but the first way is cleaner, and if you NOP a call in a program that does care, also 
patch out the pushes or replace the call with "83 C4 10 90 90" (add esp,10h plus two NOPs). 
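To make the byte arithmetic of both ways reproducible, here is an added Python script. It is not part of the original essay and is not PhoX's or ReFleXZ's code. It builds the 23 bytes from the Sice listing above, encodes the short jump of the first way, replaces the call for the second way, and resolves the call's target. The stack-fixing variant of the second way (add esp,10h instead of five NOPs) is my addition, not something the essay does. The file offset given to apply_to_file is whatever Hiew reports for .40100C in your copy; it is not stated in the essay, and the function names here are mine.

```python
"""Added example: the two nag patches from the essay, computed and checked
on the bytes from the SoftICE listing before anything is written to disk."""

# The 23 bytes at 0040100C..00401022, constructed from the hex column of the
# SoftICE dump in the essay.
BASE_VA = 0x40100C
ORIGINAL = bytes.fromhex(
    "6A30"          # 0040100C  push 30               ; uType = MB_ICONEXCLAMATION
    "6879204000"    # 0040100E  push 00402079         ; lpCaption
    "688D204000"    # 00401013  push 0040208D         ; lpText
    "FF3548204000"  # 00401018  push dword [00402048] ; hWnd
    "E8DA010000"    # 0040101E  call MessageBoxA
)
CALL_VA = 0x40101E
NEXT_VA = BASE_VA + len(ORIGINAL)  # 00401023, the instruction after the call


def short_jmp(from_va: int, to_va: int) -> bytes:
    """Encode `jmp short to_va` placed at from_va (EB rel8).

    rel8 is counted from the END of the 2-byte jump, which is why the essay
    subtracts 40100E (not 40100C) from 401023.  The displacement is a signed
    byte, so only targets within -128..+127 are reachable.
    """
    rel = to_va - (from_va + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"{to_va:#x} is out of short-jump range from {from_va:#x}")
    return bytes([0xEB, rel & 0xFF])


def call_target(call_va: int, code: bytes) -> int:
    """Absolute target of an E8 rel32 near call; rel32 is counted from the
    end of the 5-byte instruction."""
    if code[0] != 0xE8 or len(code) < 5:
        raise ValueError("not an E8 rel32 call")
    rel32 = int.from_bytes(code[1:5], "little", signed=True)
    return call_va + 5 + rel32


def patch_first_way(code: bytes) -> bytes:
    """First way: overwrite `push 30` with a jump over the pushes and the call.
    Nothing is pushed, so the stack stays balanced."""
    jmp = short_jmp(BASE_VA, NEXT_VA)
    return jmp + code[len(jmp):]


def patch_second_way(code: bytes, fix_stack: bool = False) -> bytes:
    """Second way: replace the 5-byte call.

    fix_stack=False does exactly what the essay does (five NOPs).  Because
    MessageBoxA is stdcall it would have popped its four DWORD arguments
    itself; with the call gone those 16 bytes stay on the stack.
    fix_stack=True instead writes `add esp, 10h` (83 C4 10) plus two NOPs,
    which keeps the stack balanced.  That variant is this example's addition.
    """
    off = CALL_VA - BASE_VA
    if code[off] != 0xE8:
        raise ValueError("expected the E8 call at 0040101E")
    filler = b"\x83\xC4\x10\x90\x90" if fix_stack else b"\x90" * 5
    return code[:off] + filler + code[off + 5:]


def apply_to_file(path: str, file_offset: int, new_code: bytes) -> None:
    """Write the patched bytes at the file offset Hiew showed for .40100C.
    The offset is not given in the essay, so it is a parameter here."""
    with open(path, "r+b") as f:
        f.seek(file_offset)
        f.write(new_code)


if __name__ == "__main__":
    print("call target :", hex(call_target(CALL_VA, ORIGINAL[CALL_VA - BASE_VA:])))
    print("first way   :", patch_first_way(ORIGINAL).hex(" ").upper())
    print("second way  :", patch_second_way(ORIGINAL).hex(" ").upper())
    print("second+fix  :", patch_second_way(ORIGINAL, fix_stack=True).hex(" ").upper())
```

Run it and compare the first two bytes of the "first way" line with what you typed into Hiew (EB 15); the "call target" line is the 4011FD that Sice symbolizes as USER32!MessageBoxA.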

If you still have some problems or questions you can mail us: ReFleXZ@fcmail.com

 
 
 
Final notes...
 
My thanks and gratitude go to:- 

The Sandman for his great site (the best site for newbies), full of knowledge, and for 
his cracking forum (also the best on the net)! 
Eternal Bliss, my GREAT 'virtual' friend, for all he has done for me! 
MiZ, also a GREAT friend of mine. For all the time that I spent with you :) 
Iczelion, for his great Win32Asm tutorials and all the knowledge that he gave me! 
DnNuke, for the link to the GREAT mp3 site that he gave me :)) 

Torn@do, Carpathia, Zobel, MisterE, VisionZ, DecoderZ, Rhytm, noos, Ordoc... 
...and everyone at #cracking4newbies and #Win32Asm (and #ReFleXZ99 too :) 

If I missed someone please forgive me, and if you think you should be on this list, tell me! 
 

 
 
 
Disclaimer... 
 
This tutorial is written for EDUCATIONAL purposes only. 
So if you want to use a program after its trial period ends, please BUY IT! 
Support shareware (and its authors); it is our learning tool! 
 
ReFleXZ is not responsible for any damage caused by this essay or any of its parts. 
So everything you do and 'experiment' with is at your own risk!
 
Also, in this tutorial you will not find any serial numbers, so search elsewhere 
under Cracks and Warez. 
 
Copyright © 1999 by ReFleXZ '99
All rights reserved