                         Phox Crackme #3 Tutorial

Tutor      : duelist
Date       : April 6, 1999
Who        : Intermediate
Target     : CrackMe #3 by Phox
Size       : 4kb
Tools Used : w32dasm
Method     : Key Generator


			    -=* Protection *=-

In this crackme you have to enter a correct password... You should have no difficulty
with this one, you'll see. This time I'll use w32dasm, since I don't have SoftICE running
in the background right now ;)

			   -=* Our Approach *=-


1) Run w32dasm and do a deadlisting of the crackme exe

2) Go to the string data references menu, and search for compromising strings ;)

3) Whooa! I've found 'Nice Work', sounds good... Double click it and you will get
   near this part:

* Reference To: USER32.GetWindowTextA, Ord:0000h
                                  |
:004011A1 E8C7000000              Call 0040126D			       ; gets password
:004011A6 BB98204000              mov ebx, 00402098                    ; ebx = address of the password buffer
:004011AB FF354C204000            push dword ptr [0040204C]

* Reference To: USER32.GetWindowTextLengthA, Ord:0000h
                                  |
:004011B1 E8C3000000              Call 00401279                        ; gets password length
:004011B6 8BF0                    mov esi, eax	                       ; stores length at esi
:004011B8 83FE12                  cmp esi, 00000012                    ; is length = 12h (18)?
:004011BB 755F                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011BD 803B46                  cmp byte ptr [ebx], 46               ; is first char = F?
:004011C0 755A                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011C2 807B0169                cmp byte ptr [ebx+01], 69            ; is second char = i?
:004011C6 7554                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011C8 807B0372                cmp byte ptr [ebx+03], 72            ; is fourth char = r?
:004011CC 754E                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011CE 807B0465                cmp byte ptr [ebx+04], 65            ; is fifth char = e?
:004011D2 7548                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011D4 807B0657                cmp byte ptr [ebx+06], 57            ; is seventh char = W?
:004011D8 7542                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011DA 807B076F                cmp byte ptr [ebx+07], 6F            ; is eighth char = o?
:004011DE 753C                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011E0 807B0872                cmp byte ptr [ebx+08], 72            ; is ninth char = r?
:004011E4 7536                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011E6 807B0A78                cmp byte ptr [ebx+0A], 78            ; is eleventh char = x?
:004011EA 7530                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011EC 807B0C53                cmp byte ptr [ebx+0C], 53            ; is thirteenth char = S?
:004011F0 752A                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011F2 807B0D75                cmp byte ptr [ebx+0D], 75            ; is fourteenth char = u?
:004011F6 7524                    jne 0040121C 			       ; no? then, jump to bad cracker!
:004011F8 807B1078                cmp byte ptr [ebx+10], 78            ; is seventeenth char = x?
:004011FC 751E                    jne 0040121C 			       ; no? then, jump to bad cracker!

			          -good cracker code here-

4) So you have 'Fi*re*Wor*x*Su**x*' as a pattern (18 characters, matching the length check),
   where * is any char you want! Let's write a keygen to create a valid, random serial each
   time it is run!


 			    -=* Key Generator *=-

-------------- px-cm3.pas -------------------- cut here ------------------

var code: string;

function convert(x: integer): string;
begin
  if x = 0 then convert:='0';
  if x = 1 then convert:='1';
  if x = 2 then convert:='2';
  if x = 3 then convert:='3';
  if x = 4 then convert:='4';
  if x = 5 then convert:='5';
  if x = 6 then convert:='6';
  if x = 7 then convert:='7';
  if x = 8 then convert:='8';
  if x = 9 then convert:='9';
end;

begin
  writeln('Phox Crackme 3.0');
  writeln('Key Generator written April 6 1999, by Duelist [iSD]');
  writeln;
  randomize;
  { random(10) returns 0..9; random(9) would never produce the digit 9 }
  code:='Fi' + convert(random(10)) + 're' + convert(random(10)) + 'Wor' +
  convert(random(10)) + 'x' + convert(random(10)) + 'Su' + convert(random(10)) +
  convert(random(10)) + 'x' + convert(random(10));
  writeln('  Your Serial:  ', code);
  writeln;
  halt(1);
end.

-------------- px-cm3.pas -------------------- cut here ------------------


  			    -=* Final Notes *=-
 
Eheh, here's the lesson: even programs that don't require a name to be entered
and only check a serial pattern should be keygenned, because if you distribute only
one serial, the software company that owns the program will probably blacklist it!
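
The compare chain from the listing and the blacklisting point above, as an added
example (not part of the original tutorial): the length test and the (offset, byte)
pairs are transcribed from the disassembly, and the function names are hypothetical.
It rebuilds the pattern and counts how many passwords the check accepts, which shows
why blacklisting individual serials does nothing for a check with no secret and no
binding to a user.

```python
# Constraints transcribed from the disassembly: (offset, expected byte).
REQUIRED_LENGTH = 0x12  # cmp esi, 00000012
FIXED_BYTES = [
    (0x00, 0x46), (0x01, 0x69), (0x03, 0x72), (0x04, 0x65),
    (0x06, 0x57), (0x07, 0x6F), (0x08, 0x72), (0x0A, 0x78),
    (0x0C, 0x53), (0x0D, 0x75), (0x10, 0x78),
]


def check(password: bytes) -> bool:
    """Mirror the compare chain: length test first, then every fixed byte."""
    if len(password) != REQUIRED_LENGTH:
        return False
    return all(password[off] == val for off, val in FIXED_BYTES)


def free_offsets() -> list:
    """Offsets the check never inspects, so any byte is accepted there."""
    fixed = {off for off, _ in FIXED_BYTES}
    return [i for i in range(REQUIRED_LENGTH) if i not in fixed]


def pattern(wildcard: str = "*") -> str:
    """Render the constraints as a pattern, with a wildcard at each free offset."""
    cells = [wildcard] * REQUIRED_LENGTH
    for off, val in FIXED_BYTES:
        cells[off] = chr(val)
    return "".join(cells)


def accepted_count(alphabet_size: int) -> int:
    """Number of accepted passwords when free offsets draw from a given alphabet."""
    return alphabet_size ** len(free_offsets())


if __name__ == "__main__":
    print("pattern      :", pattern())
    print("free offsets :", free_offsets())
    # Digits only already give ten million valid serials to blacklist.
    print("digit serials:", accepted_count(10))
    print("sample valid :", check(b"Fi0re0Wor0x0Su00x0"))  # constructed sample
```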