*************************************************************************************************TITLE:
Cracking tutorial for NoAdware 2.0 with Windows XP using Point H method
*************************************************************************************************
BEST VIEWED:
Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED:
Ollydbg v1.09d
*************************************************************************************************TARGET:
NoAdware.exe
*************************************************************************************************LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d http://www.grinders.withernsea.com/tools/Ollydbg/odbg109d.rar
NoAdware 2.0 http://www.grinders.withernsea.com/tools/noadware.rar
Point H tutorial by Ricardo Narvaja (optional) http://home.tiscali.cz:8080/robocop/files/punto_h_english.zip
Cruehead Crackme 2 (Optional)  http://www.woodmann.com/crackz/Archives/Crackmes.zip
*************************************************************************************************
CONTACT INFORMATION:
vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN:
21/04/2004
*************************************************************************************************
AUTHOR:
Pompeyfan
*************************************************************************************************

If you don't altready know it, you will need to first determine point H (XP equivalent of hmemcpy) for your computer, some excellent articles have been written on this, particularly by Ricardo Narvaja who is a member of both Exetools forum and the Ollydbg forum, I'll try and summarise how to find it as follows, if you want a more detailed explanation, then try this tutorial by Ricardo http://home.tiscali.cz:8080/robocop/files/punto_h_english.zip 

OKay, down to business,lets attack or target, open Olly, and if you haven't done so already, to make things easier for yourself, right click, select appearance/highlighting/jumps'n'calls, makes things so much easier to follow.

Open your target in Olly, and you land here:

0042BCC0 >/$ 55             PUSH EBP

Press F9 run

Click on Register/Register now, and enter your Username and fake serial, I'll use Pompeyfan and fill the other boxes with 7's, don't press enter yet.

Right click/go to/expression
Enter the address of point H for your computer, in my case 77D5DEBB, hit okay and you land here:

77D5DEBB   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
77D5DEBD   8BC8             MOV ECX,EAX
77D5DEBF   83E1 03          AND ECX,3
77D5DEC2   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
77D5DEC4   E8 04F9FFFF      CALL user32.77D5D7CD

Right click Breakpoint/memory on access

Now bring the registration screen back up again, and hit register button.

Olly breaks at the above address

Select follow address in dump for the EDI register, Click once on 77D5DEBB then press F8 down to the call,  and part of your fake serial will be loaded into the dump window, highlight it, right click/breakpoint/memory on access

Press F9 or run, and often you will land back in the programs code, but in this case we are in kernel32, so let us step over the code with F8 till we get back into NoAdware.exe, and eventually we get back into it here:

0043F4C7  |> 8B0E           MOV ECX,DWORD PTR DS:[ESI]

It should be remembered though, that you wont always come back into your main .exe first, sometimes the program may have many .exe files, sometimes you will come back into one of the programs .dll files first, but the beauty of this method is that it will often then tell you which file is responsible for the serial checking routine, as with all methods though don't expect it to always grab you a serial.

Now keep tracing with F8, and eventually we hit the error message here:

0041A065   > E8 F6B50200    CALL NoAdware.00445660                   ; \NoAdware.00445660

And we didn't see our valid serial, so what now, okay start pressing the minus button on your keyboard to backtrack a bit, just a few goes, now this bit looks interesting:

00419FAA   . E8 21E7FFFF    CALL NoAdware.004186D0
00419FAF   . 83C4 14        ADD ESP,14
00419FB2   . 85C0           TEST EAX,EAX
00419FB4   . 0F84 A2000000  JE NoAdware.0041A05C

Let us set a breakpoint on the call, so left click on that line once, then F2 to set your breakpoint, and Right click & remove your memory breakpoint so we will break at our new breakpoint straight away we re-enter our details.

Now, re-enter your fake details, then press F7 to step into the call, then step over the code with F8, once we get here we get stuck in some loops where the serial is calculated (I'll have to learn to Keygen soon):

004187A7   > 33C0           XOR EAX,EAX

To save time, set a breakpoint here:

00418833   . 8D85 7EFFFFFF  LEA EAX,DWORD PTR SS:[EBP-82]

Then press F9 (run), here you will see part of your valid serial appearing for the first time, now continue stepping over the code with F8, and when we get here:

00418A10   . 8BE5           MOV ESP,EBP

The whole serial is shown in the ESP register, with mine being KTXO0-N0VB2-ISWQT

Close Olly, start up NoAdware.exe, enter your Username and the serial you obtained using Olly, and voila! Well done cracker!!!

And remember, if you use the program, buy it ,software developers rely on the income from sales to keep going, if nobody buys, no new software would be developed.

*************************************************************************************************
SHOUTZ AND GREETZ:

To the AR Cracking team, exetools forum, tsrh forum, Ollydbg forum, Ricardo Narvaja, Kruger, Britedream, Satyric0n, R@dier, LaBBa, Nilrem & Ferarri whoose tuts have helped me more than any others , Ollydbg, and the authors of NoAdware .

*************************************************************************************************