
       . . t h e ъ w h i z ъ k i d ъ p r o u d l y ъ p r e s e n t s . .

ЬЬЬЬЬЬ               ЬЬЬЫЯЯЯЯЫЬ     ЬЬЬЬЬ         ЬЬЬЬЬЬЬЬЬЬЬЬЬЬЬЬЬ
Я ЬЬ ЫЬ  ЬЫЯЯЯЯЫ  ЬЫЯЯ ЬЬ ЫЫЬ Ы   ЬЫЯ Ь ЯЫ     ЬЫЯЯ ЬІ ЯЯ ЬЬ ЯЯ Ь ЯЫЯЯЯЫЬ
ЯЫЫІЬ ЯЫ Ы ЬЫІ ЯЫ Ы ЬЫІЯ  ЫЫЫ Ы   Ы ЬІІЯ ЫЬЬЬЬЬЫ ЬЫЫЫЫ  ЯЯЫІЯ ЬІІЯ  ЬЫЬ ЯЫЬЬ
Ь ЯЫЫЫ ЯЫЫ ЫЫЫІ ЯЫЫ ЫЫЯ Ы ЫЫІ ЫЯЯЯЯЬ ЯЬ юЬЬЬЬЬЬЬ   ЫІЫ Я ЬІ  Ь ЯЬ  ЯЫЫЫЫЬЬ ЯЯЫЬ
ЯЫ ЯЫЫІ Я ЬЫЫЫЫІ Я ЬІЯ ЫЫ ЫЫІ  ЬЫЫЬ ЬЫЫЬ ЯЯЫЫЫЫ ЬЫ ЫЫЫЬЫЫЯ ЬЫ ЬЫЫЬ ЬЬ ЯЯЯЫЫІЬ Я
 ЯЫ ЯЫЫІ ЬІЯ ЫЫЫІ ЬІЯ ЫЯЫ ЫЫЫЬЫЯЫЫЫ  ЫЫЫ Ы  ЬІ ЬЫЫ ЫЫІЯЫЫЫ ЯЫЬ ЫЫІ Я ЬЫ Ь ЯЫЫІЯ
  ЯЫ ЯЫЫЬЫЯ Ь ЫЫЫЫЫІ ЫЯ Ы ЫЫІЯ Ь ЫІЬ ЫЫІ  ЬІЯ  ЯЯЫ ЫЫЫ  ЫЫІЬ Я ЫЫІ  ЫЫІ ЯЯ ЫІ Ь
   ЯЫ ЫЫЫЫ ЫЫЬ ЫЫЫІ ЬЫ  Ы ЫІ ЬЫЫ ІЫЯ ЫІЯ ЫЫЫЫЬЬЯ Ы ЫЫЯ Ь ЯЫЫІЬ ЫЫЯ  ЯЫЫЫЬЬЫЯ ЬЫ
    ЫЬ ЯЯ ЬЫ ЫЬ ЫЯ ЬЫ   Ы Ы ЬЫ Ы Я Ь Я Ь ЯЯЯЯЯ ЬЫЫ Я ЬЫЯЫ ЯЫЯ  Я ЬЫЫЬ ЯЯЯ ЬЬЫЯ
     ЯЯЯЯЯЯ   ЫЬЬЬЫЯ    ЫЬЬЬЫ  ЯЯЯЯЯЯЯЯЯЯЯЯЯЯЯЯЯ ЯЯЯЯЯ  ЯЫЬЬЬЫЯЯЯЯ  ЯЯЯЯЯЯЯ


Disabled Feature
----------------

Target: Ice's 2nd crackme
Protection: Disabled feature. our goal is to make the app fully 
functional by patching it.

Tools Used:
W32dasm
Havker's View

Essay:

Load up the crackme, u dont see nuthing. goto the File Menu, 
and u see there too sub-menus: Uncracked (Disabled), Exit.
What we actually need to do, is to make the disabled menu
enabled.

Open up w32dasm and load the crackme onto it. after its done,
Click on the strn ref button, better known as String Data Refrence.
Click on the "UnCracked" line, and you should
be here now:

 Possible StringData Ref from Data Obj ->"Uncracked"
                                  |
:00401072 6874504000              push 00405074
:00401077 68EA030000              push 000003EA
:0040107C 6A01                    push 00000001
:0040107E 56                      push esi
:0040107F FFD7                    call edi
:00401081 EB1C                    jmp 0040109F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040106A(C)
|

* Reference To: USER32.AppendMenuA, Ord:0007h
                                  |
:00401083 8B3DCC404000            mov edi, dword ptr [004040CC]

* Possible StringData Ref from Data Obj ->"Cracked"
                                  |
:00401089 686C504000              push 0040506C       --> Remember this location
:0040108E 68EA030000              push 000003EA
:00401093 6A00                    push 00000000
:00401095 56                      push esi
:00401096 FFD7                    call edi
:00401098 C6051455400001          mov byte ptr [00405514], 01

Scroll up a bit until you see this:

* Reference To: KERNEL32.lstrcmpA, Ord:02FCh
                                  |
:00401062 FF1508404000            Call dword ptr [00404008]
:00401068 85C0                    test eax, eax
:0040106A 7517                    jne 00401083   --> Our Jump!

* Reference To: USER32.AppendMenuA, Ord:0007h
                                  |
:0040106C 8B3DCC404000            mov edi, dword ptr [004040CC]

U see that jne (= Jump if Not Equal) ? 
it says jump to the location where the cracked option is enabled.
So we'll have to change the JNE, to JE (Jump if Equal), so that
it will always jump to that location.
look at the status bar, and find the offset: 106Ah, 
but the 'h' only means 'HEX' so the offset is 106A.

Load up HIEW, and choose the crackme2.exe. goto DECODE mode,
Press F5 and write the offset. click F3 and change 75 to 74.

(75 = JNE, 74 = JE, 90 = NOP)

Press F9 to update and F10 to quit, and the app is uncrippled.


-WhizKiD