
       . . t h e ъ w h i z ъ k i d ъ p r o u d l y ъ p r e s e n t s . .

ЬЬЬЬЬЬ               ЬЬЬЫЯЯЯЯЫЬ     ЬЬЬЬЬ         ЬЬЬЬЬЬЬЬЬЬЬЬЬЬЬЬЬ
Я ЬЬ ЫЬ  ЬЫЯЯЯЯЫ  ЬЫЯЯ ЬЬ ЫЫЬ Ы   ЬЫЯ Ь ЯЫ     ЬЫЯЯ ЬІ ЯЯ ЬЬ ЯЯ Ь ЯЫЯЯЯЫЬ
ЯЫЫІЬ ЯЫ Ы ЬЫІ ЯЫ Ы ЬЫІЯ  ЫЫЫ Ы   Ы ЬІІЯ ЫЬЬЬЬЬЫ ЬЫЫЫЫ  ЯЯЫІЯ ЬІІЯ  ЬЫЬ ЯЫЬЬ
Ь ЯЫЫЫ ЯЫЫ ЫЫЫІ ЯЫЫ ЫЫЯ Ы ЫЫІ ЫЯЯЯЯЬ ЯЬ юЬЬЬЬЬЬЬ   ЫІЫ Я ЬІ  Ь ЯЬ  ЯЫЫЫЫЬЬ ЯЯЫЬ
ЯЫ ЯЫЫІ Я ЬЫЫЫЫІ Я ЬІЯ ЫЫ ЫЫІ  ЬЫЫЬ ЬЫЫЬ ЯЯЫЫЫЫ ЬЫ ЫЫЫЬЫЫЯ ЬЫ ЬЫЫЬ ЬЬ ЯЯЯЫЫІЬ Я
 ЯЫ ЯЫЫІ ЬІЯ ЫЫЫІ ЬІЯ ЫЯЫ ЫЫЫЬЫЯЫЫЫ  ЫЫЫ Ы  ЬІ ЬЫЫ ЫЫІЯЫЫЫ ЯЫЬ ЫЫІ Я ЬЫ Ь ЯЫЫІЯ
  ЯЫ ЯЫЫЬЫЯ Ь ЫЫЫЫЫІ ЫЯ Ы ЫЫІЯ Ь ЫІЬ ЫЫІ  ЬІЯ  ЯЯЫ ЫЫЫ  ЫЫІЬ Я ЫЫІ  ЫЫІ ЯЯ ЫІ Ь
   ЯЫ ЫЫЫЫ ЫЫЬ ЫЫЫІ ЬЫ  Ы ЫІ ЬЫЫ ІЫЯ ЫІЯ ЫЫЫЫЬЬЯ Ы ЫЫЯ Ь ЯЫЫІЬ ЫЫЯ  ЯЫЫЫЬЬЫЯ ЬЫ
    ЫЬ ЯЯ ЬЫ ЫЬ ЫЯ ЬЫ   Ы Ы ЬЫ Ы Я Ь Я Ь ЯЯЯЯЯ ЬЫЫ Я ЬЫЯЫ ЯЫЯ  Я ЬЫЫЬ ЯЯЯ ЬЬЫЯ
     ЯЯЯЯЯЯ   ЫЬЬЬЫЯ    ЫЬЬЬЫ  ЯЯЯЯЯЯЯЯЯЯЯЯЯЯЯЯЯ ЯЯЯЯЯ  ЯЫЬЬЬЫЯЯЯЯ  ЯЯЯЯЯЯЯ


Patching a NAG
--------------

Target : Muad'Dib's (Man I like this NICK!!) NAG crackme. 

Tools: W32dasm, Hacker's View.
get them at protools.cjb.net.

Lets start. 
open up the crackme, you get a MessageBox saying:
"I want your money blah blah blah". click ok, and you see the greetz list. 
Close the crackme, and you get that messgae again.

Fire up w32dasm and load the crackme onto it. 
goto the StrnRef button, better known as String Data Refrence.
click on the string that says i want your money, and you should end up here:

* Referenced by a CALL at Addresses:
|:00401208   , :00401254   
|
:004012BF 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Please register!"
                                  |
:004012C1 682D304000              push 0040302D

* Possible StringData Ref from Data Obj ->"I want your money!  Please send "
                                        ->"me $20 to get rid of this screen!"
                                  |
:004012C6 683E304000              push 0040303E
:004012CB 6A00                    push 00000000

Referenced by a call at two addresses? that must mean that the message 
appears in 2 address: 00401208, 00401254.

Scroll up until you get to the address of 00401208. you are here:

:00401208 E8B2000000              call 004012BF

OK, we have E8B2000000 which takes 5 bytes, so in that case we'll
have to nop it 5 times. look at the offset: 608.
open up HIEW, and goto the decode mode and press F5, and click the offset.
Now we are back in 00401208. Click F3 and press 90 (=nop) 5 times.
Press F9 to update, and F10 to exit. 

load the crackme again. NO NAG!!
Ok close it, and u get that shitty message again!!!
FUCK! what do i do now?
remember that there were 2 calls refrenced by this message?
one at the address: 00401208, and the other in 00401254.

So do the same like the first step but now with the address 00401254.
now you are in this line:
:00401254 E866000000              call 004012BF

needs to be nop'd 5 times aswell.

Open up the crackme, and close it again, and there is NO NAG!!

cya next time. 

-WhizKiD


p.s the time here is 00:17 in the night, and i am pissed because
i fought with my parents, so i am sorry for any think that isnt clear
in this text :)