                (BEST VIEWED WITH WORDWRAP ENABLED & FONT= COURIER , SIZE =10)

         @$@$#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@@$@ @#$#$@
        @@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@  @#$#$#$@
         @@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#$@ @#$#$@
          @#$@                             
          @#$@       @$@$@$@$@ @$@$@ $@$@$ @$@$@ $@$@$   @#@#@#@#@@ @$@$@ $@$@$ @$#$#$#@
          @#$@      @#$#$#$#$@@ @#$#$#$#$#$ @#$#$#$#$#$ @$#$#$#$#@@@ @#$#$#$#$#$ @#$#$@
          @#$@    @ @#@#@#@#@#@ @#$@$#$#@@@ @#$@$#$#@@@ @#@@    @#$@ @#$@$#$#@@@  @$#@
          @#$@#$#$@ @#@#   #@#@ @#$@   @@@  @#$@   @@@  @$@     @#$@ @#$@   @@@   @$#@
          @#$@@#@#@ @#@#@#@#@#@ @#$@   @@   @#$@   @@         @#@#$@ @#$@   @@    @$#@   
          @#$@#$#$@ @$@$@$@$@$@ @#$@        @#$@         @@#@@#@#@#@ @#$@         @$#@
          @#$@    @ @$@#        @#$@        @#$@        @#$#$#$#$#$@ @#$@         @$#@
          @#$@      @$@#        @#$@        @#$@        @#$@    @#$@ @#$@         @$#@
          @#$@      @#@#@#@#@#@ @#$@        @#$@        @#$@#$#$#$#@ @#$@         @$#@
          @#$#@     @$@$@$@$@$@ @#$#@       @#$#@       @#$@#@#@#@#@ @#$#@       @#$#$@
        @#@#@#@#@    @#@#@#@#@ @#@#@#@     @#@#@#@       @#@#@#@#@# @#@#@#@     @$#$#$#@


                                                                                
                                     :-)---> ARTeam <---(-:
                            Visit:-http://cracking.accessroot.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$       APIS32        $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$     API Spy 2.5     $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$                     $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$@@@@@@@@@@@@@
@@@@@@@@@@@@@  AUTHOR         : FERRARI                                           @@@@@@@@@@@@@ 
@@@       @@@  PROTECTION     : Petite 1.2, NAG                                   @@@       @@@   @@ ferrari @@  TARGET FILE    : apis32.exe                                        @@ ferrari @@ 
@@@       @@@  TARGET URL     : http://grinders.withernsea.com/tools/apis3225.rar @@@       @@@   @@@@@@@@@@@@@  OS             : WINDOWS ALL                                       @@@@@@@@@@@@@   @@@@@@@@@@@@@  RELEASE DATE   : 5.03.2004                                         @@@@@@@@@@@@@
@@@@@@@@@@@@$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@                                TOOLS USED & TARGET SOFTWARE                                 @
@                                =============================                                @
@                                                                                             @
@ OllyDbg        :- http://grinders.withernsea.com/tools/odbg110b1.rar                        @
@ LordPE         :- http://grinders.withernsea.com/tools/LPE-DLX.rar                          @
@ PEiD           :- http://www.grinders.withernsea.com/tools/PEiD_v0.91.rar                   @
@ IMPrec         :- http://www.grinders.withernsea.com/tools/imprec_v1.6_final.rar            @
@ APIS32         :- http://grinders.withernsea.com/tools/apis3225.rar                         @  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

===============================================================================================
                    STEP 1: UNPACKING THE TARGET PACKED WITH PETITE 1.2 
===============================================================================================
 This is my first tut on unpacking a packed 'EXE'. I followed a tut by R@dier on unpacking
 a 'unpackme' packed with Petite 2.2 So the method is similar. Okay dude so lets start ;-)
PEID hardcore scan shows that its packed with PEtite 1.2 
Open the target 'apis32.exe' in our favourite Debugger OllyDbg :-) You'll get an Entry Point Alert. So click OK. Now u will land here.We have to locate the OEP(Outside Entry Point.

00418000 > 66:9C            PUSHFW<----------------You are here
00418002   60               PUSHAD
00418003   E8 CA000000      CALL apis32.004180D2

Hit F7 twice to step into the CALL above. You will land here.

004180D2   58               POP EAX           ; apis32.00418008<------land here 
004180D3   2C 08            SUB AL,8
004180D5   50               PUSH EAX

Okay now again hit F7 twice and execute the above PUSH. Now note down the values of 'ESP' and 'EDI' in the right hand side 'Register(FPU)' window

EAX 00418000
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFA2<----------------------------->Note down
EBP 0012FFF0
ESI FFFFFFFF
EDI 77D5B720 USER32.77D5B720<-------------->Note down

Now click in the HEX dump window at the bottom left hand side. Hit 'Ctrl G' and enter the ESP value-->0012FFA2 click OK.
          == == 
0012FFA2 |20 B7| D5 77 FF FF FF FF   w
          == ==
                                                                   ====
Now only select '20 B7' since u can see the last two of EDI = 77D5|B720| 
                                                                   ====
Okay now after selecting right click on it-->Breakpoint-->Hardware on Access-->Word. 
Now hit 'Shift+F9' and u will land here. We are now near the OEP :-)

004195D0   66:9D            POPFW
004195D2  -E9 89CDFEFF      JMP apis32.00406360<------This is our OEP
004195D7  -E9 5BE3FEFF      JMP apis32.00407937

You may ask how I know this is the OEP. Okay now while at 004195D0 if u Hit F7 and execute the JMP u will land here.

00406360     55             DB 55                                    ;  CHAR 'U'
00406361     8B             DB 8B
00406362     EC             DB EC
00406363     6A             DB 6A                                    ;  CHAR 'j'
00406364     FF             DB FF
00406365     68             DB 68                                    ;  CHAR 'h'

Hey what is this. Okay dude don't get excited Olly has not analyzed this code. So hit 'Ctrl A' to analyze and u should see this. 

00406360  /. 55             PUSH EBP<-------see this
00406361  |. 8BEC           MOV EBP,ESP<----see this
00406363  |. 6A FF          PUSH -1
00406365  |. 68 08924000    PUSH apis32.00409208
0040636A  |. 68 88624000    PUSH apis32.00406288                     ;  SE handler installation

OEP's are recognized by:
PUSH EBP
MOV EBP,ESP

Okay now get back to 004195D0   66:9D      POPFW by pressing the minus key.
While at this address minimize(don't close) Olly open LordPE. Scroll down and Select program-->right click-->Full Dump-->Save.

Now we have to fix the IAT(Import Allocation Table) of our dumped.exe 
So now run Imprec-->ImportREC.exe-->At the top u see Attach to Active Process-->Drop down menu and select our program.
Now at the bootom u see OEP. So enter this value in the box  OEP - Base = 406360-400000 = 6360
 Now click 'IAT AutoSearch' --> Get Imports. Now u see that all the Imported Functions are Valid so no invalid functions to fix here :-) .If there were any invalid functions u have to click 'Auto Trace' to fix them. But in this case there are none. So now click 'Fix Dump'-->Select our 'dumped.exe' that we dumped with LordPE-->Clcik Open-->It will be saved as 'dumped_.exe'-->Done :-)

Finally to reduce the dumped_.exe size you can use LordPE's rebuild PE feature.

Congrats your target is now unpacked. So lets move on to crack it ;-)


===============================================================================================
                    STEP 2: PATCHING OUR TARGET TO REMOVE REGISTER NAG
===============================================================================================

 
   Okay rename our packed target-->apis32.bak  and rename dumped_.exe -->apis32.exe
Load the target in Olly and this time no Entry Point messages :-) Ok now hit F9 to run the program. You see a Shareware reminder NAG screen. Ok we'll use the CALL Stack method. So back in olly hit F12 and then 'Alt K' You see this 



Call stack of main thread
Address    Stack      Procedure / arguments                                                                     Called from                   Frame
0012F728   77D43FBE   Includes 7FFE0304                                                                         USER32.77D43FBC               0012F75C
0012F72C   77D487A7   USER32.WaitMessage                                                                        USER32.77D487A2               0012F75C
0012F760   77D4F58C   USER32.77D48607                                                                           USER32.77D4F587               0012F75C
0012F788   77D6AAAE   USER32.77D4F4D8                                                                           USER32.77D6AAA9               0012F784
0012FA40   77D6AC40   ? USER32.SoftModalMessageBox                                                              USER32.77D6AC3B               0012F9C8
0012FB88   77D6ADCC   ? USER32.77D6AB06                                                                         USER32.77D6ADC7               0012FB10
0012FBDC   77D6AE8A   USER32.MessageBoxTimeoutW                                                                 USER32.77D6AE85               0012FBD8
0012FC10   77D6AE17   ? USER32.MessageBoxTimeoutA                                                               USER32.77D6AE12               0012FC0C
0012FC30   004012D2   ? USER32.MessageBoxExA                                                                    apis32.004012CC               0012FC2C
0012FC34   000401EE     hOwner = 000401EE ('APIS32  v. 2.5 - UNREGISTERED',class='#32770')
0012FC38   0040BD20     Text = "This  copy  of  APIS32  is

U N R E G I S T E R E D

Registration info can be...)
0012FC3C   0040A030     Title = "APIS32 "
0012FC40   00002040     Style = MB_OK|MB_ICONASTERISK|MB_TASKMODAL
0012FC44   00002409     LanguageID = 2409 (LANG_ENGLISH)


 We see that apis32.004012CC  called USER32.MessageBoxExA with our "This  copy  of  APIS32  is...." message

Ok back in CPU window hit 'Ctrl G' and type 004012CC-->Ok
Now scroll up till you see the following code. 

0040123C   . E8 8F110000    CALL apis32.004023D0          ; \apis32.004023D0
00401241   . 83C4 08        ADD ESP,8
00401244   > 8B4424 1C      MOV EAX,DWORD PTR SS:[ESP+1C]
00401248   . 8B4C24 18      MOV ECX,DWORD PTR SS:[ESP+18]
0040124C   . 8B7424 10      MOV ESI,DWORD PTR SS:[ESP+10]
00401250   . 50             PUSH EAX
00401251   . 51             PUSH ECX
00401252   . 56             PUSH ESI
00401253   . E8 F80E0000    CALL apis32.00402150
00401258   . 83C4 0C        ADD ESP,0C
0040125B   . 6A 01          PUSH 1                        ; /Erase = TRUE
0040125D   . 68 E0C64000    PUSH apis32.0040C6E0          ; |pRect = 0040C6E0 {246.,200.,554.,400.}
00401262   . 6A 00          PUSH 0                        ; |hWnd = NULL
00401264   . FF15 D8914000  CALL DWORD PTR DS:[<&USER32.I>; \InvalidateRect
0040126A   . 56             PUSH ESI                      ; /hWnd
0040126B   . FF15 DC914000  CALL DWORD PTR DS:[<&USER32.S>; \SetActiveWindow
00401271   . 6A 01          PUSH 1
00401273   . 56             PUSH ESI
00401274   . FF15 48C34000  CALL DWORD PTR DS:[40C348]    ;  USER32.SwitchToThisWindow
0040127A   . 56             PUSH ESI
0040127B   . FFD7           CALL EDI
0040127D   . 6A 1E          PUSH 1E
0040127F   . FFD3           CALL EBX
00401281   . 56             PUSH ESI                      ; /Arg1
00401282   . E8 091C0000    CALL apis32.00402E90          ; \apis32.00402E90
00401287   . 83C4 04        ADD ESP,4
0040128A   . B8 01000000    MOV EAX,1
0040128F   . 5F             POP EDI
00401290   . 5B             POP EBX
00401291   . 5E             POP ESI
00401292   . C2 1000        RETN 10
00401295   > 3D 11010000    CMP EAX,111
0040129A   . 74 3F          JE SHORT apis32.004012DB
0040129C   . 3D 65870000    CMP EAX,8765
004012A1   . 74 06          JE SHORT apis32.004012A9
004012A3   > 33C0           XOR EAX,EAX                   ;  Default case of switch 004011C5
004012A5   . 5E             POP ESI
004012A6   . C2 1000        RETN 10
004012A9   > 817C24 10 6587>CMP DWORD PTR SS:[ESP+10],876>;  Case 8765 of switch 004011C5
004012B1   . 75 3F          JNZ SHORT apis32.004012F2
004012B3   . 8B5424 14      MOV EDX,DWORD PTR SS:[ESP+14]
004012B7   . 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
004012BB   . 68 09240000    PUSH 2409                     ; /LanguageID = 2409 (LANG_ENGLISH)
004012C0   . 68 40200000    PUSH 2040                     ; |Style = MB_OK|MB_ICONASTERISK|MB_TASKMODAL
004012C5   . 68 30A04000    PUSH apis32.0040A030          ; |Title = "APIS32 "
004012CA   . 52             PUSH EDX                      ; |Text
004012CB   . 50             PUSH EAX                      ; |hOwner
004012CC   . FF15 64914000  CALL DWORD PTR DS:[<&USER32.M>; \MessageBoxExA

Now i remember Satyricon's tip-->"Always study the code in depth :-)" So therefore i see three CALLS in the above code viz.

0040123C   . E8 8F110000    CALL apis32.004023D0          ; \apis32.004023D0
.
.
.
00401253   . E8 F80E0000    CALL apis32.00402150
.
.
.
00401282   . E8 091C0000    CALL apis32.00402E90          ; \apis32.00402E90

So what i do is i select the address 0040123C and press "Enter" and land here. I scroll down till
address 0040249A.


004023D0  /$ 55             PUSH EBP<--------Land here
004023D1  |. 8BEC           MOV EBP,ESP
004023D3  |. 83EC 30        SUB ESP,30
004023D6  |. 53             PUSH EBX
004023D7  |. 56             PUSH ESI
004023D8  |. 57             PUSH EDI
004023D9  |. 8B45 0C        MOV EAX,DWORD PTR SS:[EBP+>
004023DC  |. 50             PUSH EAX                   ; /hWnd
004023DD  |. FF15 BC914000  CALL DWORD PTR DS:[<&USER3>; \GetDC
004023E3  |. 8945 E0        MOV DWORD PTR SS:[EBP-20],>
004023E6  |. 8B4D E0        MOV ECX,DWORD PTR SS:[EBP->
004023E9  |. 51             PUSH ECX                   ; /hDC
004023EA  |. FF15 38904000  CALL DWORD PTR DS:[<&GDI32>; \CreateCompatibleDC
004023F0  |. 8945 DC        MOV DWORD PTR SS:[EBP-24],>
004023F3  |. 6A 74          PUSH 74                    ; /RsrcName = 116.
004023F5  |. 8B15 44C34000  MOV EDX,DWORD PTR DS:[40C3>; |apis32.00400000
004023FB  |. 52             PUSH EDX                   ; |hInst => 00400000
004023FC  |. FF15 C0914000  CALL DWORD PTR DS:[<&USER3>; \LoadBitmapA
00402402  |. 8945 D4        MOV DWORD PTR SS:[EBP-2C],>
00402405  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP->
00402408  |. 50             PUSH EAX                   ; /Buffer
00402409  |. 6A 18          PUSH 18                    ; |BufSize = 18 (24.)
0040240B  |. 8B4D D4        MOV ECX,DWORD PTR SS:[EBP->; |
0040240E  |. 51             PUSH ECX                   ; |hObject
0040240F  |. FF15 34904000  CALL DWORD PTR DS:[<&GDI32>; \GetObjectA
00402415  |. 8B55 D4        MOV EDX,DWORD PTR SS:[EBP->
00402418  |. 52             PUSH EDX                   ; /hObject
00402419  |. 8B45 DC        MOV EAX,DWORD PTR SS:[EBP->; |
0040241C  |. 50             PUSH EAX                   ; |hDC
0040241D  |. FF15 3C904000  CALL DWORD PTR DS:[<&GDI32>; \SelectObject
00402423  |. 8945 D4        MOV DWORD PTR SS:[EBP-2C],>
00402426  |. 6A 08          PUSH 8                     ; /Index = HORZRES
00402428  |. 8B4D E0        MOV ECX,DWORD PTR SS:[EBP->; |
0040242B  |. 51             PUSH ECX                   ; |hDC
0040242C  |. FF15 2C904000  CALL DWORD PTR DS:[<&GDI32>; \GetDeviceCaps
00402432  |. 2B45 EC        SUB EAX,DWORD PTR SS:[EBP->
00402435  |. 99             CDQ
00402436  |. 2BC2           SUB EAX,EDX
00402438  |. D1F8           SAR EAX,1
0040243A  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+>
0040243D  |. 8902           MOV DWORD PTR DS:[EDX],EAX
0040243F  |. 6A 0A          PUSH 0A                    ; /Index = VERTRES
00402441  |. 8B45 E0        MOV EAX,DWORD PTR SS:[EBP->; |
00402444  |. 50             PUSH EAX                   ; |hDC
00402445  |. FF15 2C904000  CALL DWORD PTR DS:[<&GDI32>; \GetDeviceCaps
0040244B  |. 2B45 F0        SUB EAX,DWORD PTR SS:[EBP->
0040244E  |. 99             CDQ
0040244F  |. 2BC2           SUB EAX,EDX
00402451  |. D1F8           SAR EAX,1
00402453  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+>
00402456  |. 8941 04        MOV DWORD PTR DS:[ECX+4],E>
00402459  |. C745 D8 44A040>MOV DWORD PTR SS:[EBP-28],>;  ASCII " v. 2.5"
00402460  |. 68 2000CC00    PUSH 0CC0020               ; /ROP = SRCCOPY
00402465  |. 6A 00          PUSH 0                     ; |YSrc = 0
00402467  |. 6A 00          PUSH 0                     ; |XSrc = 0
00402469  |. 8B55 DC        MOV EDX,DWORD PTR SS:[EBP->; |
0040246C  |. 52             PUSH EDX                   ; |hSrcDC
0040246D  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP->; |
00402470  |. 50             PUSH EAX                   ; |Height
00402471  |. 8B4D EC        MOV ECX,DWORD PTR SS:[EBP->; |
00402474  |. 51             PUSH ECX                   ; |Width
00402475  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+>; |
00402478  |. 8B42 04        MOV EAX,DWORD PTR DS:[EDX+>; |
0040247B  |. 50             PUSH EAX                   ; |YDest
0040247C  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+>; |
0040247F  |. 8B11           MOV EDX,DWORD PTR DS:[ECX] ; |
00402481  |. 52             PUSH EDX                   ; |XDest
00402482  |. 8B45 E0        MOV EAX,DWORD PTR SS:[EBP->; |
00402485  |. 50             PUSH EAX                   ; |hDestDC
00402486  |. FF15 28904000  CALL DWORD PTR DS:[<&GDI32>; \BitBlt
0040248C  |. E8 AF2B0000    CALL apis32.00405040
00402491  |. EB 01          JMP SHORT apis32.00402494
00402493  |  B8             DB B8
00402494  |> 0AC0           OR AL,AL
00402496     74 02          JE SHORT apis32.0040249A
00402498  |. EB 09          JMP SHORT apis32.004024A3
0040249A  |> C745 D0 D4A040>MOV DWORD PTR SS:[EBP-30],>;  ASCII "UNREGISTERED"
004024A1  |. EB 61          JMP SHORT apis32.00402504
004024A3  |> BF 4CA04000    MOV EDI,apis32.0040A04C    ;  ASCII "Registered to "
004024A8  |. BA 20BD4000    MOV EDX,apis32.0040BD20    ;  ASCII "This  copy  of  APIS32  is

U N R E G I S T E R E D

Registration info can be found in file REGINFO.TXT"

Now this is interesting. I see another CALL at:
0040248C  |. E8 AF2B0000    CALL apis32.00405040

I select this address and press Enter. and land here

00405040  /$ 51             PUSH ECX
00405041  |. 53             PUSH EBX
00405042  |. 55             PUSH EBP
00405043  |. 56             PUSH ESI
00405044  |. 57             PUSH EDI
00405045  |. 6A 50          PUSH 50
00405047  |. 68 40B74000    PUSH apis32.0040B740
0040504C  |. 68 88A64000    PUSH apis32.0040A688        ;  ASCII "UserKey"
00405051  |. E8 1A030000    CALL apis32.00405370
00405056  |. 83C4 0C        ADD ESP,0C
00405059  |. 83F8 10        CMP EAX,10<-----------This means the User Key is 10 character long.
0040505C  |. 7D 08          JGE SHORT apis32.00405066
0040505E  |. 33C0           XOR EAX,EAX
00405060  |. 5F             POP EDI
00405061  |. 5E             POP ESI
00405062  |. 5D             POP EBP
00405063  |. 5B             POP EBX
00405064  |. 59             POP ECX
00405065  |. C3             RETN
00405066  |> 6A 2F          PUSH 2F
00405068  |. 68 C0C34000    PUSH apis32.0040C3C0
0040506D  |. 68 78A64000    PUSH apis32.0040A678         ;  ASCII "UserName"
00405072  |. E8 F9020000    CALL apis32.00405370
00405077  |. 83C4 0C        ADD ESP,0C
0040507A  |. 83F8 05        CMP EAX,5<-----------This means the User Name is 5 character long.
0040507D  |. 7D 08          JGE SHORT apis32.00405087
0040507F  |. 33C0           XOR EAX,EAX
00405081  |. 5F             POP EDI
00405082  |. 5E             POP ESI
00405083  |. 5D             POP EBP
00405084  |. 5B             POP EBX
00405085  |. 59             POP ECX
00405086  |. C3             RETN

Now if u see address 00405051 which CALL 00405370. Now goto 00405370 and u will see this

00405370  /$ 8B4424 0C      MOV EAX,DWORD PTR SS:[ESP+>
00405374  |. 68 20B74000    PUSH apis32.0040B720       ; /pHandle = apis32.0040B720
00405379  |. 68 19000200    PUSH 20019                 ; |Access = KEY_READ
0040537E  |. 6A 00          PUSH 0                     ; |Reserved = 0
00405380  |. 68 90A64000    PUSH apis32.0040A690       ; |Subkey = "SOFTWARE\APIS32"
00405385  |. 68 02000080    PUSH 80000002              ; |hKey = HKEY_LOCAL_MACHINE
0040538A  |. 894424 20      MOV DWORD PTR SS:[ESP+20],>; |
0040538E  |. FF15 08904000  CALL DWORD PTR DS:[<&advap>; \RegOpenKeyExA



This means it checks the registry for a valid UserKey and corrosponding UserName. It checks the key and name and then return to our earlier code i.e back to:

0040248C  |. E8 AF2B0000    CALL apis32.00405040
00402491  |. EB 01          JMP SHORT apis32.00402494
00402493  |  B8             DB B8
00402494  |> 0AC0           OR AL,AL
00402496     74 02          JE SHORT apis32.0040249A
00402498  |. EB 09          JMP SHORT apis32.004024A3
0040249A  |> C745 D0 D4A040>MOV DWORD PTR SS:[EBP-30],>;  ASCII "UNREGISTERED"
004024A1  |. EB 61          JMP SHORT apis32.00402504
004024A3  |> BF 4CA04000    MOV EDI,apis32.0040A04C    ;  ASCII "Registered to "
004024A8  |. BA 20BD4000    MOV EDX,apis32.0040BD20    ;  ASCII "This  copy  of  APIS32  is

U N R E G I S T E R E D

Registration info can be found in file REGINFO.TXT"

Okay at '00402494' it checks if the username and key are valid. If not valid then jumps to the bad message at '0040249A' orelse if valid jumps to good message at '004024A3'
 So now u know what to do ;-). You may be tempted to NOP that JE at '0040249A' like i was.
But i was bit curious about '00405040' where the registration check takes place 
 So just curious i selected '00402E96' in above code-->right click-->Find references to-->Call Destination.
And bull shit....banging my head....shiiiiiiiiiiiiiiiitttttt....why didn't i think of this earlier. I mean all the CALL addresses are there. 
 If we go to all these CALLS and NOP all the JE's the program will show registered but the limitation to log 20 entries in the log file is still there. In my original tutorial i had NOP'd the JE's. But that's just cosmetic. So the correct way to crack this program.
 
  Thanks to SatyricOn and R@dier

==>SatyricOn's suggestion:
 You would have seen earlier that you should not have patched the JEs following the CALLS to 405040, but you should instead have changed the code in 405040 so that when the function returned, AL would never == 0 (probably should == 1, as the return type of the function 405040 is probably bool).

Indeed, to use the same example as I used with Winamp, you could think of the function 405040 as having the prototype

bool IsAPIS32Registered();

where the return value is stored in AL.

==>R@dier's suggestion:

"For apis32 you do not need to patch all the places that are mentioned in the tut,all you need is to change the sub prog IsProgReged to return true (1)and all will work so before the sub prog ends we need to increment eax thus at 40505E needs to be changed to inc eax (4090h) BOOL IsProgReged() {return (1)}"

So this means just change

0040505E  |. 33C0           XOR EAX,EAX

to

0040505E  |. 40             INC EAX
0040505F  |. 90             NOP

Thats it!!! the program is now fully cracked :-)

Okay now time to make the changes permanent :-)
Right click/copy to executable/all
modifications/copy all, then right click on new box/save file, double click on
apis32.exe and select overwrite file.

Okay now close olly and run our program. Voila! product is registered and NAG killed. :-)


 
@@@@@@@@@@###########################################################################@@@@@@@@@@ 
@@@@@@@@@@#                          ---SHOUTZ AND GREETZ---                        #@@@@@@@@@@
@@@@  @@@@#                                                                         #@@@@  @@@@ 
@@@ H  @@@#            To Nilrem-->Merlin who's Tutorials helped me to use          #@@@ H  @@@   @@  O   @@#            Ollydbg for debugging. Thanks to Pompeyfan, el-kiwi          #@@  O   @@
@   R    @#            whose tutorials helped me too.Thanks to www.tech-arena.com   #@   R    @  
@@  S   @@#            staff, members for encouraging me to write these tutorials.  #@@  S   @@
@@@ E  @@@#            exetools.com,Sir JMI, SatyricOn,LaBBa, R@dier and others     #@@@ E  @@@
@@@@  @@@@#            who helped me alot.                                          #@@@@  @@@@
@@@@@@@@@@@@@$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$@@@@@@@@@@@@@ 
@@@@@@@@@@@@@                                                                     @@@@@@@@@@@@@
@@@       @@@                                                                     @@@       @@@
@@ ferrari @@             REMEMBER IF U USE THE PROGRAM THEN BUY IT ;-) !         @@ ferrari @@ 
@@@       @@@                                                                     @@@       @@@ 
@@@@@@@@@@@@@                                                                     @@@@@@@@@@@@@   @@@@@@@@@@@@@$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$@@@@@@@@@@@@@
   
                                
 