Since I'm a newbie in the great world of cracking, please let me know if I have misunderstood something, or if you just have some comments on this solution.
My Email: Doctor_Scoop@Hotmail.com
The target: AfKayAs Crackme #2
Url: http://crackmes.cjb.net (The best CrackMe-site)
Problem: Name/Serial and a NAG-screen
Tools used: Smartcheck v6.01 and Hiew v6.0
Here goes:
Part 1 - The Name/Serial
Since the program is made with VB, my first choice is to use Smartcheck, which is a great cracker tool if you want to crack VB-apps.
Step 1 - Launch the target from Smartcheck (Remember to turn on "Show all Events" and Arguments)
If you don't know how to set up Smartcheck, then go to http://crackmes.cjb.net. Eternal Bliss has made a great tutorial about this subject.
Now the NAG will show for 7 sec. (don't worry, we will take care of that later, hehe) and then the Name/Serial part will pop up. I typed "Doctor Scoop" and "77777". When the "OK" is pressed a Bad guy-Msgbox will appear saying "You get Wrong - Try again" - Damn, not my lucky day :(
Hit "CANCEL" and you will get back to Smartcheck.
Step 2 - Fish the serial from Smartcheck
Hit Ctrl-F to search for the entered name, I only searched for "Doctor"
Smartcheck now jumps to the place where the calculation is being done.
Len(String:"Doctor Scoop") returns LONG:12
Asc(String:"Doctor Scoop") returns Integer:68
The first line returns the length of the entered name (12), the second line returns the ASCII-value of the first entered letter (D = 68h)
I will only show some of the important lines
Regserial.text <-- "1066724" (String)
Regserial2.text <-- "1066726" (String)
Regserial3.text <-- "3200176" (String)
Regserial4.text <-- "3200191" (String)
A few lines below the Bad guy-Msgbox is launched.
Hmmm, now launch the program again.
Name = Doctor Scoop
Serial = 3200191
A new msgbox will appear "You Get It - KeyGen It Now".........Easy!!
Part 1.2 - Make KeyGen
Let's have a look again at the lines from above
Len(String:"Doctor Scoop") returns LONG:12
Asc(String:"Doctor Scoop") returns Integer:68
Regserial.text <-- "1066724" (String) : Value calculated from Name
I have never cracked a VB-NAG before, so this was for me the hard part. First I searched the net for tutorials about this subject....But I was unsuccessful :(
Then I tried the Softice-way, but I didn't know where to set the breakpoint. I tried using "CreateCompatibleBitmap" and traced from there. I did find where the NAG was launched but I couldn't find where to patch. So I tried to put a bpx on SetTimer.........SetTimer, I think I saw that in Smartcheck. Try to search for SetTimer in Smartcheck.
I was right, Smartcheck did give me some info on SetTimer...If you look at the right window you will see this very important info (and some useless info).
unsigned long uElapse = 7000 0x00001B58
This tells us that the NAG is shown for 7 sec. (7000). The 1B58 is the hex value of 7000.
Hmmmmm, the time (7000) must be hardcoded in the file.
Let's load the Crackme into Hiew.
Hit F4 to view in HEX
Hit F7 to search.....Search for "58 1B", which is 7000 in HEX with the bytes reversed (little-endian order).
They should be found at 00005B75.
Hit F3 to edit. Then change "58 1B" to "01 00" and then hit F9 to update.
Exit Hiew and run the Crackme.....The NAG is just on the screen for a split second - It is killed.
To check if I just was lucky, I coded a NAG myself, and guess what. The method worked here too. :)
I know it is not a complete removal, but allllllmost.
IMPORTANT: Do NOT change the time to 0, or the NAG will never go away.
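The byte search described above, as an added example that is not part of the original tutorial: it shows why 7000 appears in the file as "58 1B", and why matching the full 32-bit width of uElapse (an unsigned long) gives fewer false hits than a 2-byte search. The buffer is constructed sample data, not bytes from the crackme, and the function names are made up for illustration.

```python
def le_bytes(value: int, width: int) -> bytes:
    """Encode an unsigned integer in little-endian order, as x86 stores it."""
    return value.to_bytes(width, "little")


def find_constant(image: bytes, value: int, width: int) -> list[int]:
    """Return every offset where `value` occurs as a little-endian
    integer of `width` bytes. Read-only: nothing is modified."""
    needle = le_bytes(value, width)
    hits = []
    pos = image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


# Constructed sample buffer (assumption for the demo, not the real file).
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xb8\x58\x1b"      # "58 1B" followed by unrelated bytes
    + b"\x90" * 3
    + b"\x68\x58\x1b\x00\x00"  # "58 1B 00 00": the full 32-bit value 0x00001B58
    + b"\xc3"
)

if __name__ == "__main__":
    print("7000 as 2 bytes:", le_bytes(7000, 2).hex(" "))
    print("7000 as 4 bytes:", le_bytes(7000, 4).hex(" "))
    # The 2-byte search matches twice, the 4-byte search only once.
    for width in (2, 4):
        offsets = find_constant(SAMPLE, 7000, width)
        print(f"{width}-byte hits:", [f"{o:08X}" for o in offsets])
```

When a 2-byte search returns several offsets, the wider pattern and the bytes around each hit help decide which one is actually the timer interval.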