Hi,

today some short notes about: 'n0p3x CrackMe 2a'.
The aim is to destroy a NagScreen - so we will.

---
:0040100C push 00000000              ------------> Parameters
:0040100E push 00401027              >| for the
:00401013 push 00000000              >| NagScreen
:00401015 push 00000001              >|
:00401017 push dword ptr [00402000]  -
:0040101D Call 0040114D              ->NagScreen

At first the nag will be called.
..
..
..
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040103B(C)
|
:0040104D C70504204000697A0000  mov dword ptr [00402004], 00007A69
:00401057 C9                    leave
:00401058 C21000                ret 0010

If everything goes right with the nag, then [402004] gets the value 7A69h.
..
..
..
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401065(C)
|
:0040106B 6A00          push 00000000
:0040106D FF7508        push [ebp+08]

* Reference To: USER32.EndDialog, Ord:0000h
                                  |
:00401070 E8E4000000    Call 00401159
:00401075 6A00          push 00000000              ------------> Parameters
:00401077 68BC104000    push 004010BC              >| for the
:0040107C 6A00          push 00000000              >| MainScreen
:0040107E 6A02          push 00000002              >|
:00401080 FF3500204000  push dword ptr [00402000]  >-
:00401086 E8C2000000    Call 0040114D              ->MainScreen
:0040108B 6A00          push 00000000
:0040108D FF7508        push [ebp+08]

After pushing the further-button we land here.
---

Important: There's a permanent check whether [402004] has the right value!
If not, then Error_Msg.

Ok, what to do?
At first let's bypass the nag by jumping over it.

---
:0040100C E95A000000    jmp 0040106B
---

After patching, the program will go directly to :0040106B.
But what about the check? Well, the msg_box informs us that we have done
something bad. So let's change that.

At :0040106B we have a little space for a new instruction, because these lines:

---
:0040106B 6A00          push 00000000
:0040106D FF7508        push [ebp+08]
:00401070 E8E4000000    Call 00401159
---

belonged to the nag-call - so they are useless.
Remember our msg_box... let's put the needed instruction in here, so we change
the three lines to:

---
:0040106B C70504204000697A0000  mov dword ptr [00402004], 00007A69
---

Now [402004] has the right value and we'll get through the permanent check.

That's all.

cya

greetz fly out 2: Bjanes, Duelist, DnNuke, EternalBliss and the CUG-Team.

(c)Terminal Cilla
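
Added example (not part of the original notes): a Python check that the two patch byte strings above encode what the notes say, and that the mov exactly fills the 10 bytes of the three instructions it replaces. The function and constant names are made up for this example; every address and byte comes from the listings.

```python
import struct

# Addresses and bytes are copied from the listings in the notes above.
NAG_SETUP_VA = 0x0040100C   # first push of the NagScreen call
MAIN_PATH_VA = 0x0040106B   # code reached after the nag is dismissed
FLAG_VA = 0x00402004        # dword read by the permanent check
FLAG_VALUE = 0x00007A69     # value the check expects
# The three instructions at 0040106B that the mov overwrites.
OVERWRITTEN = [bytes.fromhex("6A00"), bytes.fromhex("FF7508"),
               bytes.fromhex("E8E4000000")]


def encode_jmp_rel32(src_va, dst_va):
    """E9 rel32: the displacement counts from the end of the 5-byte jmp."""
    rel = dst_va - (src_va + 5)
    return b"\xE9" + struct.pack("<i", rel)


def encode_mov_mem_imm32(addr, value):
    """C7 05 disp32 imm32: mov dword ptr [addr], value (32-bit mode)."""
    return b"\xC7\x05" + struct.pack("<II", addr, value)


def fit_patch(patch, overwritten):
    """Pad patch with NOPs so it ends on the old instruction boundary."""
    room = sum(len(insn) for insn in overwritten)
    if len(patch) > room:
        # A longer patch would clobber the instruction that follows.
        raise ValueError(f"patch is {len(patch)} bytes, only {room} available")
    return patch + b"\x90" * (room - len(patch))


def decode_mov_mem_imm32(raw):
    """Inverse of encode_mov_mem_imm32: returns (address, immediate)."""
    if len(raw) != 10 or raw[:2] != b"\xC7\x05":
        raise ValueError("not a C7 05 mov dword ptr [disp32], imm32")
    return struct.unpack("<II", raw[2:])


if __name__ == "__main__":
    jmp = encode_jmp_rel32(NAG_SETUP_VA, MAIN_PATH_VA)
    mov = fit_patch(encode_mov_mem_imm32(FLAG_VA, FLAG_VALUE), OVERWRITTEN)
    print(":%08X %s" % (NAG_SETUP_VA, jmp.hex().upper()))
    print(":%08X %s" % (MAIN_PATH_VA, mov.hex().upper()))
```

The displacement works out to 0x5A because the jmp at 0040100C ends at 00401011, and the mov needs no NOP padding because 2 + 3 + 5 bytes are replaced by exactly 10.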