Tutorial Number 21

Written by Etenal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 30th May 1999

Program Details:
Name: Crackme 2a
Author: n0p3x

Tools Used:
W32Dasm
HexEditor

Cracking Method:
Code Analysis

Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________


                        About this protection system

This CrackMe produces a Nag whenever we run it. There is no other
registration method other than cracking it to remove the Nag.

What the author said:
"The previous programs have used message boxes called by the function
'MessageBoxA'. This program uses an alternative method to display it's nag"


_________________________________________________________________________


				W32Dasm

First, disassemble the CrackMe using W32Dasm. You do this by running W32Dasm,
then choose "Disassembler" -> "Open File To Disassemble".

Go to the little icon that says "Imp Fa". When your mouse is there, you
will see the word "Imports" popping up. Ok. We will take a look at the imports
to see what functions are used in the CrackMe. Hopefully find the one that
produces the Nag.

You will see a few "cw3220.__XXX" functions. These are utilised by the CrackMe
using the cw3220.dll file. They don't concern us.

Other functions include:
USER32.DialogboxParamA
USER32.EndDialog
USER32.MessageBoxA

Well, MessageBoxA is not used for the Nag. (The author told us that)

So, the most probable function will be DialogBoxParamA to produce the nag
and EndDialog to end the Nag...

Double click on the USER32.DialogBoxParamA to see where in the codes is
this function used...Do it a few times to make sure that we have covered 
every single location using this function.

You will get these locations...
004010AF, 0040114C, 004014EE

I've pasted the codes below...

USER32.DialogBoxParamA at 004010AF
=================================================================
* Possible Reference to Dialog: DialogID_0002 
                                  |
:00401098 6A02                    push 00000002
:0040109A FF7508                  push [ebp+08]

* Reference To: USER32.EndDialog, Ord:0000h
                                  |
:0040109D E858040000              Call 004014FA
:004010A2 6A00                    push 00000000
:004010A4 68DF104000              push 004010DF
:004010A9 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_0001 
                                  |
:004010AB 6A01                    push 00000001
:004010AD 6A00                    push 00000000

* Reference To: USER32.DialogBoxParamA, Ord:0000h
                                  |
:004010AF E83A040000              Call 004014EE

* Possible Reference to Dialog: DialogID_0001 
                                  |
:004010B4 B801000000              mov eax, 00000001
:004010B9 EB20                    jmp 004010DB
=================================================================

USER32.DialogBoxParamA at 0040114C
=================================================================
:0040113B 55                      push ebp
:0040113C 8BEC                    mov ebp, esp
:0040113E 6A00                    push 00000000
:00401140 687C104000              push 0040107C
:00401145 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_0002 
                                  |
:00401147 6A02                    push 00000002
:00401149 FF7508                  push [ebp+08]

* Reference To: USER32.DialogBoxParamA, Ord:0000h
                                  |
:0040114C E89D030000              Call 004014EE
:00401151 33C0                    xor eax, eax
:00401153 5D                      pop ebp
:00401154 C21000                  ret 0010
=================================================================

The last USER32.DialogBoxParamA at 004014EE doesn't concern us. 

Looking at these two pieces of codes, you will see "DialogID_0001" 
or "DialodID_0002" just before the DialogBoxParamA function. So, what
are the parameters for this function? We will have to refer to W32 API.
You can get this off the web easily...

int DialogBoxParam(

    HINSTANCE hInstance,	// handle to application instance
    LPCTSTR lpTemplateName,	// identifies dialog box template
    HWND hWndParent,		// handle to owner window
    DLGPROC lpDialogFunc,	// pointer to dialog box procedure  
    LPARAM dwInitParam 		// initialization value
);

Ok. You need 5 parameters before the function. I read somewhere that the 
parameters are always "fed" into the memory from back to front.
ie LPARAM dwInitParam will be pushed first and HINSTANCE hInstance will be
pushed last. So, in the disassembled codes, we see DialogID_000x in the 4th
push which means that it is the dialog box template...

Now, what is "DialogID_0001" and "DialodID_0002"?? Go all the way up to
the top of the disassembled codes... You will see

+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++

Number of Dialogs =    2 (decimal)

Name: DialogID_0001, # of Controls=009, Caption:"Crackme 2a - n0p3x", ClassName:""
     001 - ControlID:0002, Control Class:"BUTTON" Control Text:"E&xit" 
     002 - ControlID:0009, Control Class:"BUTTON" Control Text:"A&bout" 
     003 - ControlID:0065, Control Class:"EDIT" Control Text:"Nag Removal                                         The previous programs have" 
     004 - ControlID:0066, Control Class:"BUTTON" Control Text:"-=n0p3x=-" 
     005 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Coded By n0p3x. 10th May 1999." 
     006 - ControlID:FFFF, Control Class:"STATIC" Control Text:"EMAIL: adminno1@yahoo.com" 
     007 - ControlID:FFFF, Control Class:"STATIC" Control Text:"WEB: http://cod3r.cjb.net" 
     008 - ControlID:FFFF, Control Class:"STATIC" Control Text:"If you suceed in killing this nag screen and write a tutorial on it then email" 
     009 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Frame2" 
Name: DialogID_0002, # of Controls=004, Caption:"The deadly NAG!", ClassName:""
     001 - ControlID:FFFF, Control Class:"STATIC" Control Text:"This is a demonstration version of this program." 
     002 - ControlID:0065, Control Class:"BUTTON" Control Text:"Uhh, youv'e made me feel guilty now. Heres all my money." 
     003 - ControlID:0066, Control Class:"BUTTON" Control Text:"Take the program for a test drive before paying." 
     004 - ControlID:FFFF, Control Class:"STATIC" Control Text:"SOFTWARE PIRACY IS ILLEGAL" 
=================================================================

Now, if you had run the CrackMe, you will see the Nag with the caption 
"The deadly NAG!". So, the nag is DialogID_0002 and the main program is 0001.


Remember the "USER32.EndDialog" function we saw in the Imports as well? It
will close the corresponding Dialog depending on which DialogID is pushed as
the parameter... Ok. The basic introduction is over. 
Lets get down to cracking it...


Looking at the two pieces of codes earlier... I've commented on
what I know... (remember that I am a newbie too)

USER32.DialogBoxParamA at 004010AF
=================================================================
* Possible Reference to Dialog: DialogID_0002 		<<Nag ID
                                  |
:00401098 6A02                    push 00000002
:0040109A FF7508                  push [ebp+08]

* Reference To: USER32.EndDialog, Ord:0000h
                                  |
:0040109D E858040000              Call 004014FA		<<End the Nag!!
:004010A2 6A00                    push 00000000		<<1st parameter of
:004010A4 68DF104000              push 004010DF		  USER32.DialogBoxParamA
:004010A9 6A00                    push 00000000		  for main prog

* Possible Reference to Dialog: DialogID_0001 		<<Main Prog ID
                                  |
:004010AB 6A01                    push 00000001
:004010AD 6A00                    push 00000000

* Reference To: USER32.DialogBoxParamA, Ord:0000h	<<Show the prog
                                  |
:004010AF E83A040000              Call 004014EE

* Possible Reference to Dialog: DialogID_0001 
                                  |
:004010B4 B801000000              mov eax, 00000001
:004010B9 EB20                    jmp 004010DB
=================================================================

USER32.DialogBoxParamA at 0040114C
=================================================================
:0040113B 55                      push ebp
:0040113C 8BEC                    mov ebp, esp
:0040113E 6A00                    push 00000000		<<1st parameter of
:00401140 687C104000              push 0040107C		  USER32.DialogBoxParamA
:00401145 6A00                    push 00000000		  for Nag

* Possible Reference to Dialog: DialogID_0002 		<<Nag ID
                                  |
:00401147 6A02                    push 00000002
:00401149 FF7508                  push [ebp+08]

* Reference To: USER32.DialogBoxParamA, Ord:0000h	<<Show the Nag!!
                                  |
:0040114C E89D030000              Call 004014EE
:00401151 33C0                    xor eax, eax
:00401153 5D                      pop ebp
:00401154 C21000                  ret 0010
=================================================================

Well, looking at what I commented, do you understand what we must do?

If you are thinking of NOPing the 6 lines from 0040113E to 0040114C, you are
wrong. I tried it. The CrackMe crashes... 8P

So, if patching it that way doesn't work, there is one more way. Did you
think about jumping straight to the "Show Main Prog" codes, therefore 
bypassing the NagScreen? 8)

Ok. We must start patching at 0040113E so the the CrackMe will jump to
004010A2. Why 004010A2?? Well, from 00401098 to 0040109D is the codes to
end the Nag... If we were to stop the CrackMe producing a Nag, then we would
not need the End-Nag codes anymore right??? 8)

Simple? Now, we will need to find what codes to use to patch it so that the
CrackMe will jump to the Show Main Prog without showing and ending the Nag
Screen...

You can use Softice to do it. But because I have not loaded softice and
you still need to break into the CrackMe first before patching in Softice,
I have decided to use W32Dasm instead...
There is a debugger function in W32Dasm too.

What you need to do is this:
1) Go to "Debug", choose "Load Process"
2) You may get another prompt asking you something. Just click on "Load"
3) You will then see 3 seperate windows. Don't be afraid. 8P
4) Go to the right window (the one showing the words "Code Address ..."
5) Click on "Goto Address"
6) Fill in the offset which is 0040113E (remember we are jumping FROM here)
7) You will see the pushes exactly like what is in the disassembled file
8) Click on "Patch Code"
9) In the "Enter New Instruction Below" line, type in "jmp 004010A2" without
   quotes. (rememeber we are jumping TO here)
10) Hit "Enter" key. You will see in the 'Code Patch Listing" the required
    bytes to make the CrackMe jump to 004010A2...
11) It is E95FFFFFFF
12) Now, click on "Clear Patch" and answer "Yes" and then click "Close"
13) Back to the right window, click on "Terminate" because we have finished 
    our job here

Back to the main disassembled file, go to the location 0040113E
Look at the bottom of W32Dasm and you will see this:
Line:298 Pg 4 of 12 Code Data @:0040113E @Offset 0000073Eh in File:crackme2a.exe

What you need is the Offset which is 0000073E

Now, make a copy of the CrackMe and open it with a HexEditor. 
** You need to open the copy because you will not be able to patch 
   if W32Dasm is using the same file.

Using whatever Hexeditor you have, go to the offset 73E. You will see the bytes
as 6A 00 68 7C 10
** compare it to W32Dasm (they are the same)

Change them to E9 5F FF FF FF and save the patched file...

Now, run the patched file and see...

If you do everything correctly, you will be brought to the main program
without seeing the NagScreen.

CrackMe cracked!!


__________________________________________________________________________


                             Final Notes

This tutorial is dedicated to all the newbies like me.

And because I'm a newbie myself, I may have explained certain things wrongly
So, if that is the case, please forgive me. Email me if there is anything 
you are not clear about.


My thanks and gratitude goes to:-

All the writers of Cracks tutorials and CrackMes
and also to all the crackers that have been supporting my site and project forum.