Acid_Cool_178
presents his

#30  Tutorial


For Hellforge

This text is meant only for educational purposes and is not to be used illegally. I take no responsibility for illegal use of this text. Proceed at your own risk.

Author Information
E-mail: acid_cool_178@hotmail.com
Age: 17
Web Page: http://acidcool.cjb.net/
Date: March 2K
Member in: Hellforge, Flying Horse Cracking Force
Groups' Web Pages: Hellforge Login, FHCF Login


Program Information
Name: Crackme 2 (crackme.exe)
Author: n0p3x
Where to download: http://cod3r.cjb.net
Tools used: W32Dasm, Hiew, Soft Ice
Download at: 1. Player Tools, 2. Programmer Tools
What kind of program: Crackme / Shareware
Skill: Easy / Not so easy / Hard / X-pert


Information about the Protection I

Crackme 2
The crackme has one NAG at the beginning of the program and a field to enter your name and serial.

Before We Start

Task 1.1  <-- The NAG
Task 1.2  <-- The Serial Sniffing

The Process

Task 1.1
Open crackme.exe in W32Dasm. In "String Data References" you can find this: "NAG NAG NAG". Double-click on that string and you will see this code.

* Possible StringData Ref from Data Obj ->"Nag Nag Nag!"                        <-- Title of the NAG
|
:004011B6 688C214000 push 0040218C                                               <-- You will land here

* Possible StringData Ref from Data Obj ->"This is a shareware version, blah, "  <-- What the NAG contains
->"blah, please pay me, blah, blah"
|
:004011BB 6849214000 push 00402149
:004011C0 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h                                    <-- The real NAG is created here
|
:004011C2 E8DF030000 Call 004015A6                                               <-- Calls the NAG to the screen
:004011C7 6A00 push 00000000

At location 004011C2 the NAG is called to the screen. Now find the file offset (@Offset) of that call, which is 7C2.

Open crackme.exe in W32Dasm
Press Enter twice or F4 and choose "Decode"
Go to (F5) 7C2 [ENTER]

Now you are standing at the call, and you have to remove it with NOP, which means No OPeration. The NOP opcode is the byte 90.

Press Edit (F3) and change E8DF030000 to 9090909090
Update the file by pressing F9 and exit by pressing Esc or F10

Well done. The NAG is in wonderland :)
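The same patch worked through in code, as an added example that is not part of the original tutorial. Opcode E8 is a near call whose 32-bit displacement is relative to the next instruction, which is how the disassembler arrives at 004015A6; the VA-to-offset mapping is derived from the single 004011C2 / 7C2 pair the tutorial quotes (an assumption; real tooling reads the PE section table), and the "image" is a constructed byte string holding only the five instructions from the listing, not crackme.exe itself. One caveat on the steps above: F4 (Decode), F5 (Goto), F3 (Edit), F9 (Update) and F10 (Quit) are Hiew's keys, the second tool in the tools list.

```python
# Added example, not code from the tutorial: decode the CALL at 004011C2,
# map its virtual address to the file offset the tutorial quotes (7C2), and
# verify the bytes before replacing them with NOPs in a constructed image.
import struct

CALL_VA = 0x004011C2                       # address of the CALL in the listing
CALL_FILE_OFFSET = 0x7C2                   # "@Offset" the tutorial gives for it
CALL_BYTES = bytes.fromhex("E8DF030000")   # the instruction bytes from the listing
NOP = 0x90                                 # one-byte "no operation"


def call_target(va, insn_bytes):
    """Destination of a near relative CALL (opcode E8 + signed 32-bit rel32).
    The displacement is relative to the *next* instruction, i.e. va + 5."""
    if len(insn_bytes) != 5 or insn_bytes[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    rel = struct.unpack_from("<i", insn_bytes, 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def va_to_offset(va, known_va=CALL_VA, known_off=CALL_FILE_OFFSET):
    """Map a VA to a file offset inside the same section.
    Assumption: only the one VA/offset pair quoted by the tutorial is known, so
    the section's VA-to-raw delta is derived from it; real tooling reads the PE
    section table (VirtualAddress / PointerToRawData) instead."""
    return va - (known_va - known_off)


def has_expected_call(image, offset, expected=CALL_BYTES):
    """True when the 5 bytes at `offset` are exactly the call we intend to remove."""
    return bytes(image[offset:offset + 5]) == expected


def nop_out_call(image, offset, expected=CALL_BYTES):
    """Replace the 5-byte call with 5 NOPs, refusing to touch unexpected bytes.
    Five NOPs keep every following instruction at its original address."""
    if not has_expected_call(image, offset, expected):
        found = bytes(image[offset:offset + 5]).hex()
        raise ValueError(f"bytes at {offset:#x} are {found}, expected {expected.hex()}")
    image[offset:offset + 5] = bytes([NOP] * 5)
    return image


def build_sample_image():
    """Constructed stand-in for crackme.exe (NOT the real file): zero padding up
    to the listing's first instruction, then the opcode bytes from the listing."""
    listing = bytes.fromhex(
        "688C214000"   # 004011B6 push 0040218C   (caption "Nag Nag Nag!")
        "6849214000"   # 004011BB push 00402149   (message text)
        "6A00"         # 004011C0 push 00000000   (hWnd)
        "E8DF030000"   # 004011C2 call 004015A6   (MessageBoxA)
        "6A00"         # 004011C7 push 00000000
    )
    start = va_to_offset(0x004011B6)
    return bytearray(start) + bytearray(listing)


if __name__ == "__main__":
    print(f"call target: {call_target(CALL_VA, CALL_BYTES):08X}")   # 004015A6
    img = nop_out_call(build_sample_image(), va_to_offset(CALL_VA))
    print("patched bytes:", img[0x7C2:0x7C9].hex())               # 90909090906a00
```

Two things the byte check makes explicit: the call is 5 bytes, so it must be replaced by exactly five NOPs or the push at 004011C7 would be decoded mid-instruction; and MessageBoxA is stdcall, so the removed call would have popped its four arguments (16 bytes). After the patch those bytes stay on the stack until the enclosing function tears down its frame, which is why this works here but is something to keep in mind whenever code after a NOP-ed call depends on esp.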

Task 1.2
In "String Data References" you can see the string "Yeah!". Go to that string.
* Possible StringData Ref from Data Obj ->"Yeah!"                             <-- The name of the good messagebox
|
:004010BF 68B3204000 push 004020B3                                              <-- You land here

* Possible StringData Ref from Data Obj ->"Well Done, maybe you can work "     <-- The label of the good messagebox
->"out the algorithm aswell?"
|
:004010C4 687B204000 push 0040207B
:004010C9 6A00 push 00000000

Now scroll up a bit and you will see this.

* Possible StringData Ref from Data Obj ->"999081"        <-- Serial ?
|
:00401099 6874204000 push 00402074
:0040109E 8D55F4 lea edx, dword ptr [ebp-0C]
:004010A1 52 push edx

* Reference To: cw3220._strcat, Ord:0000h
|
:004010A2 E8A5040000 Call 0040154C
:004010A7 83C408 add esp, 00000008
:004010AA 8D4DF4 lea ecx, dword ptr [ebp-0C]
:004010AD 51 push ecx
:004010AE FF750C push [ebp+0C]

* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:004010B1 E8C0040000 Call 00401576
:004010B6 85C0 test eax, eax                                          <-- Compare routine
:004010B8 7518 jne 004010D2                                        <-- Jump if not valid code
:004010BA 6800100000 push 00001000

- Start the crackme and enter any serial you want
- Open Soft Ice with CTRL+D
- Bpx HmemCpy [ENTER]
- Exit Soft Ice with CTRL+D
- Press the "OK" button
- You are in Soft Ice
- Press F12 9 times
- G 004010A2 [ENTER]
- Press F12 9 times
- G 004010A2 [ENTER]
- Trace into the call by pressing F10
- Trace through the code by pressing F10
- At location 0041E9F, do D EAX [ENTER]
- See your code in the data window
- And that's all.

Information about the Protection II

Crackme 2

Acid_Cool_ 10999081
Acid_Cool 9999081
Acid_Coo 8999081
Acid_Co 7999081
Acid_C 6999081
Acid_ 5999081
Acid 4999081
Aci 3999081
Ac 2999081
A 1999081
0999081

As you can see, the algorithm takes the length of your name and puts it in front of 999081.
Crackme solved.
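The check as reconstructed from the listing in Task 1.2 and the table above, as an added example in Python rather than the crackme's own code: the length of the name becomes a string, _strcat appends "999081", and lstrcmpA decides. The second half goes beyond the tutorial: it counts how many distinct serials a set of names actually yields, and puts a keyed-hash design next to it for contrast. The function names, the key and the sample names are assumptions for illustration.

```python
# Added example, not the crackme's code: the serial check as reconstructed from
# the W32Dasm listing, the name/serial table it produces, and why it is weak.
import hashlib
import hmac

SUFFIX = "999081"   # the constant string pushed at 00401099


def expected_serial(name):
    """What the crackme builds in [ebp-0C]: str(len(name)) followed by "999081"
    (the _strcat at 004010A2)."""
    return f"{len(name)}{SUFFIX}"


def crackme_check(name, serial):
    """The lstrcmpA at 004010B1 followed by test eax,eax / jne at 004010B8:
    the serial is valid only when the two strings are identical."""
    return serial == expected_serial(name)


def serial_table(name):
    """Reproduce the tutorial's table: the name shortened one character at a time,
    down to the empty name."""
    return [(name[:i], expected_serial(name[:i])) for i in range(len(name), -1, -1)]


def distinct_serials(names):
    """How many different serials a set of names maps to. Because only the
    length is used, every name of the same length shares one serial."""
    return len({expected_serial(n) for n in names})


# Contrast (added, hypothetical design): bind the serial to the whole name with a
# keyed hash. The key must not live in the client binary; a real product signs
# with a private key kept by the vendor and ships only the public key.
def stronger_serial(name, key):
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16].upper()


def stronger_check(name, serial, key):
    return hmac.compare_digest(stronger_serial(name, key), serial)


if __name__ == "__main__":
    for shortened, serial in serial_table("Acid_Cool_"):
        print(f"{shortened:<10} {serial}")
    print("distinct serials for 3 four-letter names:",
          distinct_serials(["Acid", "n0p3", "1234"]))          # 1
```

The weakness is the one the table makes visible: the serial carries no information about the name beyond its length, so a valid serial for any ten-character name is a valid serial for every ten-character name. Note also that a purely client-side comparison, keyed hash or not, still ends in a single conditional jump like the jne at 004010B8, which is exactly what Task 1.2 reads past; a check that has to resist that kind of inspection cannot live in one branch of the client.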

Greetings

LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^ and all the others I have forgotten