tc_nop3x2a_en.txt (Reverse Code Engineering RCE CD +sandman 2000, RCE/E_bliss)  |  Text File  |  2000-05-25  |  3KB

Hi,
today some short notes about:
'n0p3x CrackMe 2a'.
The aim is to get rid of a NagScreen - so we will.
 
---
:0040100C   push 00000000------------>  Parameters
:0040100E   push 00401027           >| for the
:00401013   push 00000000           >| NagScreen
:00401015   push 00000001           >|
:00401017   push dword ptr [00402000] -
:0040101D   Call 0040114D             ->NagScreen
 
The nag is called first: five arguments are pushed (init param, the dialog
procedure at 00401027, no parent window, dialog template 1 and the hInstance
kept in [00402000]) and the thunk at 0040114D is called. That is the argument
list of DialogBoxParamA, and the same thunk is used later for the MainScreen.
..
..
..
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040103B(C)
|
:0040104D C70504204000697A0000    mov dword ptr [00402004], 00007A69
:00401057 C9                      leave
:00401058 C21000                  ret 0010
 
If the nag is dealt with correctly, [402004] receives the value 7A69h just
before the dialog procedure returns (ret 0010 pops its four arguments).
..
..
..
 
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401065(C)
|
:0040106B 6A00                    push 00000000
:0040106D FF7508                  push [ebp+08]
 
* Reference To: USER32.EndDialog, Ord:0000h
                                  |
:00401070 E8E4000000              Call 00401159
:00401075 6A00                    push 00000000 ------------> Parameters
:00401077 68BC104000              push 004010BC           >| for the
:0040107C 6A00                    push 00000000           >| MainScreen
:0040107E 6A02                    push 00000002           >|
:00401080 FF3500204000            push dword ptr [00402000]>-
:00401086 E8C2000000              Call 0040114D ->MainScreen
:0040108B 6A00                    push 00000000
:0040108D FF7508                  push [ebp+08]
 
After pressing the "further" button we land here: EndDialog(hDlg, 0) closes
the nag, then the MainScreen (dialog template 2, dialog procedure 004010BC)
is created through the same call at 0040114D.
 
---
Important:
There is a permanent check whether [402004] holds the right value!
If not, an error message box appears.
Ok, what to do?
First let's bypass the nag by jumping over it.
 
---
:0040100C E95A000000              jmp 0040106B
---
After patching, the program goes directly to :0040106B. The jmp is 5 bytes
(E9 plus rel32 = 0040106B - 00401011 = 5Ah); it covers the push 00000000
and the first three bytes of push 00401027, and the two leftover bytes are
never executed.
But what about the check?
Well, the message box tells us that we have done something bad.
So let's change that.
At :0040106B we have a little space for a new instruction, because
these lines:
---
:0040106B 6A00                    push 00000000
:0040106D FF7508                  push [ebp+08]
:00401070 E8E4000000              Call 00401159
---
belonged to the nag call (EndDialog closes a nag that we no longer open),
so they are useless: 2 + 3 + 5 = 10 bytes that we can reuse.
Remember our msg_box...
let's put the needed instruction in here, so we change
the three lines to:
---
---
:0040106B C70504204000697A0000    mov dword ptr [00402004], 00007A69
---
Now [402004] has the right value and we get through the permanent check.
The new instruction is exactly 10 bytes, so nothing spills into the
MainScreen parameters at :00401075. Check the patched bytes in a hex editor
before running the program.
 
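The two patches above as an added example in Python (not the crackme's code and not the note author's tooling): it computes the E9 rel32 and the C7 05 encoding from the addresses, checks that the bytes being overwritten are the ones the listing shows before writing anything, and refuses a patch that would run past the instructions it replaces. The section mapping (.text at VA 00401000, file offset 400h), the 0xCC filler between the listed instructions and the NOP padding behind the jmp are assumptions of this example, not facts from the note.

```python
"""Patcher for the two edits in this note (added example, not the crackme's
code nor the note author's tooling). Assumptions: .text is mapped at VA
0x401000 and starts at file offset 0x400; bytes the note does not show are
0xCC filler; the jmp is padded with NOPs. Only the instruction bytes below
come from the note (those at 0040100C..00401017 are derived from its
mnemonics and addresses, since the listing shows no hex for them)."""
import struct

TEXT_VA = 0x401000   # assumed virtual address of .text
TEXT_RAW = 0x400     # assumed file offset of .text

ORIGINAL = {
    0x40100C: bytes.fromhex("6A00"),          # push 0                (lParam)
    0x40100E: bytes.fromhex("6827104000"),    # push 00401027         (nag DialogFunc)
    0x401013: bytes.fromhex("6A00"),          # push 0                (parent)
    0x401015: bytes.fromhex("6A01"),          # push 1                (nag template)
    0x401017: bytes.fromhex("FF3500204000"),  # push dword ptr [00402000]
    0x40106B: bytes.fromhex("6A00"),          # push 0
    0x40106D: bytes.fromhex("FF7508"),        # push [ebp+08]
    0x401070: bytes.fromhex("E8E4000000"),    # call 00401159         (EndDialog)
    0x401075: bytes.fromhex("6A00"),          # push 0                (MainScreen args)
}


def va_to_off(va):
    """Map a virtual address inside .text to its file offset."""
    return va - TEXT_VA + TEXT_RAW


def build_image():
    """Constructed stand-in for the crackme file: the note's instruction
    bytes at their addresses, 0xCC (int3) everywhere else."""
    img = bytearray(b"\xCC" * va_to_off(0x401090))
    for va, code in ORIGINAL.items():
        img[va_to_off(va):va_to_off(va) + len(code)] = code
    return img


def jmp_rel32(src, dst):
    """Encode 'jmp rel32' (E9 xx xx xx xx) at VA src landing on VA dst;
    rel32 is relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def mov_mem32_imm32(addr, imm):
    """Encode 'mov dword ptr [addr], imm32' (C7 05 disp32 imm32)."""
    return b"\xC7\x05" + struct.pack("<I", addr) + struct.pack("<I", imm)


def read_at(img, va, n):
    off = va_to_off(va)
    return bytes(img[off:off + n])


def apply_patch(img, va, expect, new):
    """Overwrite the bytes at va. The original bytes must match expect
    (catches a wrong section mapping or a different build) and the new
    code must not be longer than what it replaces; any remainder becomes
    NOPs so the listing stays readable (the note leaves those bytes as is)."""
    if read_at(img, va, len(expect)) != expect:
        raise ValueError("unexpected bytes at %08X" % va)
    if len(new) > len(expect):
        raise ValueError("patch at %08X needs %d bytes, only %d free"
                         % (va, len(new), len(expect)))
    off = va_to_off(va)
    img[off:off + len(expect)] = new + b"\x90" * (len(expect) - len(new))
    return img


def patch_crackme(img):
    # 1) jump over the nag: replaces the push 0 / push 00401027 pair (7 bytes)
    apply_patch(img, 0x40100C, ORIGINAL[0x40100C] + ORIGINAL[0x40100E],
                jmp_rel32(0x40100C, 0x40106B))
    # 2) the nag's EndDialog call (2 + 3 + 5 = 10 bytes) becomes the mov
    #    that the nag's dialog procedure executes on success
    apply_patch(img, 0x40106B,
                ORIGINAL[0x40106B] + ORIGINAL[0x40106D] + ORIGINAL[0x401070],
                mov_mem32_imm32(0x402004, 0x7A69))
    return img


def jmp_target(img, va):
    """Decode the E9 jump at va and return its target VA (sanity check)."""
    code = read_at(img, va, 5)
    if code[0] != 0xE9:
        raise ValueError("no jmp rel32 at %08X" % va)
    return va + 5 + struct.unpack("<i", code[1:])[0]


if __name__ == "__main__":
    patched = patch_crackme(build_image())
    print(read_at(patched, 0x40100C, 7).hex(), "-> jmp", hex(jmp_target(patched, 0x40100C)))
    print(read_at(patched, 0x40106B, 12).hex())
```

To run it against the real file, replace build_image() with the bytes of the executable and take TEXT_VA and TEXT_RAW from its section table; the original-bytes check in apply_patch then tells you at once whether the mapping is right, instead of leaving you with a silently corrupted binary.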
That's all.
cya
 
greetz fly out 2: Bjanes, Duelist, DnNuke, EternalBliss and the CUG-Team.
 
(c)Terminal Cilla