TO      : matias921@come.to

SUBJECT : 77CRACKME.EXE

OBJECT  : Find the correct serial and, when we find that, the NAG should
	 disappear.

The program is packed with Aspack. Since it's not allowed to patch, there is
no need to unpack it...
I just dumped the code section with Iczdump

You may notice that the addresses are not the same as when stepping with Soft-Ice.
That's because you have to add 4010000 (Entry Point) to these relative addresses.

Well, here is what Iczdump dumped to disk :

:00000000 6A00                    push 00000000
:00000002 6812104000              push 00401012 //Pointer to routine
:00000007 6A00                    push 00000000
:00000009 6A01                    push 00000001
:0000000B 6A00                    push 00000000
:0000000D E8D8000000              call 000000EA //Call DialogBoxParamA

:00000012 C8000000                enter 0000, 00 //Start routine
:00000016 817D0C11010000          cmp dword ptr [ebp+0C], 00000111 // WM_COMMAND ?
:0000001D 742A                    je 00000049

:00000023 837D0C10                cmp dword ptr [ebp+0C], 00000010 //WM_CLOSE ?
:00000027 7409                    je 00000032 //goto Exit with nag

:0000002D EB13                    jmp 00000042

:00000032 FF7510                  push [ebp+10]  
:00000035 FF7508                  push [ebp+08]
:00000038 E8B3000000              call 000000F0 //EndDialog
:0000003D EB6D                    jmp 000000AC  

:00000042 5F                      pop edi
:00000043 5E                      pop esi
:00000044 5B                      pop ebx
:00000045 C9                      leave
:00000046 C21000                  ret 0010 //End of routine...

:00000049 837D1002                cmp dword ptr [ebp+10], 00000002 //Button pressed?
:0000004D 7406                    je 00000055

:00000053 EBED                    jmp 00000042
:00000055 B443                    mov ah, 43 //Well-known SoftICE detection
:00000057 CD68                    int 68
:00000059 663D86F3                cmp ax, F386
:0000005D 74E3                    je 00000042 // Jump to end-routine
:0000005F 6A41                    push 00000041
:00000061 6800204000              push 00402000
:00000066 6882000000              push 00000082
:0000006B FF7508                  push [ebp+08]
:0000006E E883000000              call 000000F6 //Get name-string
:00000073 83F805                  cmp eax, 00000005 //Need more than 5 digits
:00000076 7ECA                    jle 00000042
:00000078 6A41                    push 00000041
:0000007A 68A8204000              push 004020A8
:0000007F 6A69                    push 00000069
:00000081 FF7508                  push [ebp+08]
:00000084 E86D000000              call 000000F6 //Get serial-string
:00000089 83F805                  cmp eax, 00000005 //Need more than 5 digits
:0000008C 7EB4                    jle 00000042
:0000008E 33DB                    xor ebx, ebx 
:00000090 8B1D00204000            mov ebx, dword ptr [00402000] //Name moved to ebx
                                                                //Only the first 4 bytes are used!
:00000096 33D2                    xor edx, edx
:00000098 8B15A8204000            mov edx, dword ptr [004020A8] //Serial moved to edx
                                                                //Only the first 4 bytes are used!

:0000009E 03DA                    add ebx, edx //Serial check
:000000A0 33D3                    xor edx, ebx
:000000A2 3BD3                    cmp edx, ebx
:000000A4 743F                    je 000000E5  //If equal jump to exit without nag

:000000AA EB96                    jmp 00000042 // Jump to end-routine
:000000AC 6A00                    push 00000000
:000000AE 68BE104000              push 004010BE
:000000B3 6A00                    push 00000000
:000000B5 6A02                    push 00000002
:000000B7 6A00                    push 00000000
:000000B9 E82C000000              call 000000EA //Call DialogBoxParamA for nag
:000000BE C8000000                enter 0000, 00 //Start of nag routine
:000000C2 817D0C11010000          cmp dword ptr [ebp+0C], 00000111  //WM_COMMAND ?
:000000C9 7410                    je 000000DB

:000000CF EB03                    jmp 000000D4

:000000D4 5F                      pop edi
:000000D5 5E                      pop esi
:000000D6 5B                      pop ebx
:000000D7 C9                      leave
:000000D8 C21000                  ret 0010


Ok, for those who don't understand yet what happens in the code, read the
following description :


If we press the check button, we arrive at addr 49. The first thing done is an
easy SoftICE detection (Frog's Ice will disable it).
Next the name (addr 6E) and serial (addr 84) are read; if the length is lower
than 5 chars, nothing happens (DialogProc returns false). Next the crackme
moves the first 4 bytes of the name/serial to ebx/edx, followed by a short
check routine (addr 9E).

If edx and ebx are equal (not possible) we jump to the end of DialogProc and
leave the crackme without the nag screen (addr A4).
If edx and ebx are not equal, we jump to the end of DialogProc (addr 42).
Now you may wonder where the NAG is. Well, when we end the program (press CLOSE)
(addr 23), we can see that another DialogProc is called! (AC)
Hmm! What does that mean? If the serial is correct, we leave the program
without the nag (exit addr A4); otherwise nothing happens, and if we press
CLOSE, we exit (addr 38) and jump to the NAG_DialogProc!
So from the above we can conclude that addr 9E - A4 is the serial routine.

If you look at the serial calculation, you will soon understand that no valid
serial is possible...
The only possible serial is 00h 00h 00h 00h (and some random characters to have
more than 5 digits).
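As an added example (not part of this tutorial and not the crackme's own code), here is a Python model of the two length checks and of the serial arithmetic at addr 9E - A4. The name "Detten" and the serial strings are constructed inputs; the GetDlgItemTextA model and the omission of the int 68h SoftICE probe are assumptions of this model. It goes one step beyond the text by scanning serial dwords to show that the arithmetic passes for exactly one value, 0, which agrees with the 00h 00h 00h 00h conclusion above; because an edit control's text ends at its first NUL byte, such a serial never gets past the length check at addr 89.

```python
import struct

# Constructed model (not the crackme's own code) of the name/serial check.
# The crackme pushes 0x41 as the buffer size before each GetDlgItemTextA
# call (push 00000041 at 5F and 78), so each buffer holds at most 0x40 chars.
BUF_SIZE = 0x41


def get_dlg_item_text(typed: str, buf_size: int = BUF_SIZE) -> tuple:
    """Model of GetDlgItemTextA: copy the control text (which, like any C
    string, ends at the first NUL) into a NUL-padded buffer of buf_size bytes
    and return (buffer, number of characters copied), the value eax gets."""
    data = typed.encode("latin-1").split(b"\x00", 1)[0][: buf_size - 1]
    buf = data + b"\x00" * (buf_size - len(data))
    return buf, len(data)


def first_dword(buf: bytes) -> int:
    """mov ebx, dword ptr [00402000]: only the first 4 bytes, little-endian."""
    return struct.unpack_from("<I", buf, 0)[0]


def serial_check(ebx: int, edx: int) -> bool:
    """Offsets 9E-A4 literally: add ebx,edx / xor edx,ebx / cmp edx,ebx.
    True means the je at A4 is taken (exit without the nag)."""
    ebx = (ebx + edx) & 0xFFFFFFFF   # 32-bit add, carry discarded
    edx ^= ebx
    return edx == ebx


def dialog_proc_accepts(name: str, serial: str) -> bool:
    """WM_COMMAND path from 5F to A4 (the int 68h SoftICE probe is left out).
    Mirrors the two 'cmp eax,5 / jle 42' length checks before the arithmetic."""
    name_buf, name_len = get_dlg_item_text(name)
    if name_len <= 5:
        return False
    serial_buf, serial_len = get_dlg_item_text(serial)
    if serial_len <= 5:
        return False
    return serial_check(first_dword(name_buf), first_dword(serial_buf))


def passing_serial_dwords(ebx: int, limit: int = 1 << 16) -> list:
    """Which serial dwords pass for a given name dword? x ^ s == s holds only
    when x == 0, so the answer is [0] whatever the name. We scan 0..limit-1
    plus a few extreme values rather than all 2**32."""
    candidates = list(range(limit)) + [0x41414141, 0x80000000, 0xFFFFFFFF]
    return [edx for edx in candidates if serial_check(ebx, edx)]


if __name__ == "__main__":
    name_dword = first_dword(get_dlg_item_text("Detten")[0])   # constructed name
    print("serial dwords that pass:",
          [hex(x) for x in passing_serial_dwords(name_dword)])
    print("typed '123456':", dialog_proc_accepts("Detten", "123456"))
    # Four NUL bytes satisfy the arithmetic, but the control text stops at the
    # first NUL, so the length check at 89 fails before the arithmetic runs.
    print("four NULs + padding:",
          dialog_proc_accepts("Detten", "\x00\x00\x00\x00abcdef"))
```

Running it prints `['0x0']` for the passing dwords and `False` for both typed serials: the register-level check has a solution, but the only solution is a serial whose first byte is NUL, which the edit control can never deliver with a length above 5.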


If you still have questions about this tutorial, feel free to mail me.
Greetings,

Detten
Detn@hotmail.com

