			------------------------------
			CrackMe [id:14] coded by tC...
			Tutorial by Lucifer48, 17 june
			------------------------------

Protection: Name/Serial (Single licence / Worldwide license)

===============
1. INTRODUCTION
===============

A bpx hmemcpy (SoftICE breakpoint) allows us to enter the code of the program (written in Delphi).

XXXX:0043F6B9  CALL 00421960          ;we exit from here
XXXX:0043F6BE  MOV  EAX,[EBP-08]      ;d EAX: my name
XXXX:0043F6C1  CALL 00403A1C          ;gives the length of the name (in eax)
XXXX:0043F6C6  CMP  EAX,03
XXXX:0043F6C9  JL   0043F841          ;the name must be at least 3 chars long (shorter names are rejected)

we continue:

XXXX:0043F6F5  MOV  EAX,[EBP-08]      ;d EAX: my dummy serial
XXXX:0043F6F8  CALL 00403A1C          ;gives the length of the serial (in eax)
XXXX:0043F6FD  CMP  ESI,EAX           ;ESI=length of name / EAX=length of serial
XXXX:0043F6FF  JNZ  0043F841          ;must have same length for the name and for the serial
...
Delphi's code... not very interesting...
We arrive here:

XXXX:0043F7BE  CALL [EDX+00000B8]     ;<=> MOV AL,[EAX+000001F1]
XXXX:0043F7C4  TEST AL,AL             ;'Single licence' or 'Worldwide license'
XXXX:0043F7C6  JZ   0043F7CF          ;--\
XXXX:0043F7C8  CALL 0043F58C          ;  |  ---\
XXXX:0043F7CD  JMP  0043F7D4          ;  |     |
XXXX:0043F7CF  CALL 0043F5F0          ;<-/     |
XXXX:0043F7D4  CMP  DWORD PTR [0044192C],00  <-/
XXXX:0043F7DB  JNZ  0043F80A

Here we recognize the protection scheme: if we check 'Single licence' (AL=01), we go into the
call 0043F58C; if we check 'Worldwide license' (AL=00), we go into the call 0043F5F0.
In both cases, we must end up with [0044192C]=0.

=================================
2. SINGLE LICENCE (call 0043F58C)
=================================

The most important thing in this call is this main loop:

XXXX:0043F5CC  MOV  EDX,0044182C     ;see remark (below)
XXXX:0043F5D1  MOV  ESI,[EAX]        ;*eax : a char of the serial
XXXX:0043F5D3  SUB  ESI,[EDX]        ;*edx : a char of the name
XXXX:0043F5D5  JZ   0043F5DD
XXXX:0043F5D7  ADD  [0044192C],ECX   ;a mismatch adds the index to [0044192C]; don't forget that we must have [0044192C]=0 at the end
XXXX:0043F5DD  INC  ECX
XXXX:0043F5DE  ADD  EDX,04           ;next char
XXXX:0043F5E1  ADD  EAX,04           ;next char
XXXX:0043F5E4  DEC  EBX              ;count -1
XXXX:0043F5E5  JNZ  0043F5D1         ;LOOP

Remark: this is what we see at 0044182C (it's my name, one char per dword!)
-----CM_ID14!BSS+082C-----------------------------------------------PROT---(0)--
XXXX:0044182C 4C 00 00 00 75 00 00 00-63 00 00 00 69 00 00 00  L...u...c...i...
XXXX:0044183C 66 00 00 00 65 00 00 00-72 00 00 00 34 00 00 00  f...e...r...4...
XXXX:0044184C 38 00 00 00                                      8...
--------------------------------------------------------------------------------
The serial has the same layout (one char per dword), but it is reversed.

  Name/ Lucifer48
RegNo./ 84reficuL

====================================
3. WORLDWIDE LICENCE (call 0043F5F0)
====================================

As above, there is still a loop in this call.

XXXX:0043F631  MOV  EDX,0044182C
XXXX:0043F636  MOV  ESI,[EDX]       ;my name
XXXX:0043F638  ADD  ESI,08          ;name char + 8
XXXX:0043F63B  MOV  EDI,[EAX]       ;my dummy serial (in reverse order)
XXXX:0043F63D  SUB  EDI,ESI
XXXX:0043F63F  JZ   0043F647
XXXX:0043F641  ADD  [0044192C],ECX
XXXX:0043F647  INC  ECX
XXXX:0043F648  ADD  EDX,04          ;next char
XXXX:0043F64B  ADD  EAX,04          ;next char
XXXX:0043F64E  DEC  EBX             ;count -1
XXXX:0043F64F  JNZ  0043F636        ;LOOP

It looks like the previous loop; the only difference is the ADD ESI,08, so each (reversed) serial char must equal the corresponding name char plus 8. No need to say more, the code is trivial.

  Name/ Lucifer48
RegNo./ @<zmnqk}T
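To make the two loops from sections 2 and 3 easy to check against the Name/RegNo. pairs given in this tutorial, here is a small Python model of both checks. It is an added example, not code from the crackme or from this tutorial: the function names are mine, each character is modelled as its own dword slot as in the dump at 0044182C, and since the listing does not show where ECX is initialised before the loop, the starting value of the mismatch index (`ecx_start`) is an assumption.

```python
"""Model of the two serial checks of tC's CrackMe #14 (added example, not
part of the original tutorial). Addresses in comments refer to the listing
above."""

MIN_NAME_LEN = 3  # CMP EAX,03 / JL at 0043F6C6: names shorter than 3 chars are rejected
WORLDWIDE_OFFSET = 8  # ADD ESI,08 at 0043F638


def _as_dwords(text: str) -> list:
    """The program keeps one character per 4-byte slot (dump at 0044182C);
    a list of code points keeps the ADD EDX,04 / ADD EAX,04 stepping explicit."""
    return [ord(c) for c in text]


def _accumulate_mismatches(expected: list, actual: list, ecx_start: int = 1) -> int:
    """Models the loop body at 0043F5D1 / 0043F636: every mismatching slot does
    ADD [0044192C],ECX, then INC ECX. ecx_start is an assumption (the tutorial
    does not show ECX's initial value). Returns the final [0044192C]."""
    acc = 0
    ecx = ecx_start
    for e, a in zip(expected, actual):
        if e != a:
            acc += ecx
        ecx += 1
    return acc


def length_checks_pass(name: str, serial: str) -> bool:
    """The checks at 0043F6C6 (name length >= 3) and 0043F6FD (same length)."""
    return len(name) >= MIN_NAME_LEN and len(name) == len(serial)


def check_single_licence(name: str, serial: str) -> bool:
    """call 0043F58C: the serial, read in reverse order, must equal the name
    slot for slot, leaving [0044192C]=0."""
    if not length_checks_pass(name, serial):
        return False
    expected = _as_dwords(name)
    actual = _as_dwords(serial)[::-1]  # the serial buffer is reversed
    return _accumulate_mismatches(expected, actual) == 0


def check_worldwide_licence(name: str, serial: str) -> bool:
    """call 0043F5F0: same as above, but each name slot has 8 added first."""
    if not length_checks_pass(name, serial):
        return False
    expected = [d + WORLDWIDE_OFFSET for d in _as_dwords(name)]
    actual = _as_dwords(serial)[::-1]
    return _accumulate_mismatches(expected, actual) == 0


def derive_single_licence(name: str) -> str:
    """The serial the single-licence loop accepts: the name reversed."""
    return name[::-1]


def derive_worldwide_licence(name: str) -> str:
    """The serial the worldwide loop accepts: each char + 8, then reversed."""
    return "".join(chr(ord(c) + WORLDWIDE_OFFSET) for c in name)[::-1]


if __name__ == "__main__":
    # Reproduces the two RegNo. values quoted in the tutorial for "Lucifer48".
    for label, derive, check in (
        ("Single licence", derive_single_licence, check_single_licence),
        ("Worldwide licence", derive_worldwide_licence, check_worldwide_licence),
    ):
        serial = derive("Lucifer48")
        print(f"{label}: RegNo./ {serial}  accepted={check('Lucifer48', serial)}")
```

Running it reproduces `84reficuL` and `@<zmnqk}T` for the name Lucifer48; feeding either serial to the other check, or a name shorter than three characters, returns False because the length checks or the [0044192C] accumulator reject it.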


Greetings Goes to: Torn@do, Volatility, tC, Eternal Bliss, ACiD BuRn,
                   and good french crackers.

Lucifer48
