
				  .@@  @@     .@@.   @@  @@   .@@
				 @@    @@    @@  @@  @@  @@  @@
				 @@    @@    @@  @@  @@  @@  @@
				 @@@@  @@    @@@@'   @@  @@  @@
				 @@    @@    @@      @@  @@  @@
				 @@    @@    @@      @@  @@  @@
				 **    **    **      **  **  **
				 	'   '     ''   

				    	f   l	e   u	r   
________________________________________________________________________________________________
::::::::::::::::::::::::::::::::::: i n f o r m a t i o n s ::::::::::::::::::::::::::::::::::::

	 difficulty level : 2
	 tools used : softice, ida, masm
________________________________________________________________________________________________
::::::::::::::::::::::::::::::::::::::: t u t o r i a l ::::::::::::::::::::::::::::::::::::::::

	 i won't write a tutorial for this crackme, because the protection is easy to get, but
it's hard to explain how you get it. you have to go through the disassembly of the program several
times to understand how the cpu emulator works, and what all the data linked to it is. then you have
to write a disassembler, to disassemble the emulated code, and then figure out what this code
does. the emulator cycle starts around 00401d57. you'll also have to explore wndproc.

	 basically, the program loads data.bin, then decrypts it, checks that the data isn't
corrupt, then emulates the code in it, and halts when the serial has been typed and the 'ok'
button has been pressed. you can't break on particular apis for this crackme, because the edit
controls are driven directly by the emulated code.

	 here are the sources for the decrypter and the disassembler. the disassembler doesn't
disassemble the data parts inside the emulated code properly, because it doesn't recognize them, so
you have to decide yourself what is real code and what is data. there is a flag in the
disassembler source to toggle between text and html disassembly (html is more convenient because
it handles the jumps, you can use history to go backwards, and there is a bit of highlighting).
i included the final disassembly, obtained after commenting it, as cpualgo.asm and
cpualgo.htm. you'll quickly find the checking algorithm, which only compares the serial with the
string 'Serial:'.
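to make the code-versus-data problem concrete, here is an added example (mine, not the crackme's decrypter or disassembler, and using a made-up five-opcode encoding rather than the crackme's real one): a linear sweep decodes an inline 'Serial:' string as instructions and even invents a bogus halt out of its terminator, while following jumps from the entry point leaves those bytes unreached so they can be marked as data.

```python
# toy vm encoding assumed for this example only (not the crackme's real one):
#   00 halt | 01 rr ii loadi r,imm8 | 03 aa jmp addr8 | 04 aa jz addr8 | 05 rr out r
OPS = {0x00: ("halt", 1), 0x01: ("loadi", 3), 0x03: ("jmp", 2),
       0x04: ("jz", 2), 0x05: ("out", 2)}

def decode(code, pc):
    """decode one instruction at pc -> (text, size, successor addresses)."""
    op = code[pc]
    if op not in OPS or pc + OPS[op][1] > len(code):
        return ("db 0x%02x" % op, 1, [pc + 1])      # not decodable as an opcode
    name, size = OPS[op]
    args = code[pc + 1:pc + size]
    if name == "halt":
        return ("halt", 1, [])
    if name == "loadi":
        return ("loadi r%d, 0x%02x" % (args[0], args[1]), 3, [pc + 3])
    if name == "jmp":
        return ("jmp 0x%02x" % args[0], 2, [args[0]])          # no fall-through
    if name == "jz":
        return ("jz 0x%02x" % args[0], 2, [pc + 2, args[0]])   # two successors
    return ("out r%d" % args[0], 2, [pc + 2])

def linear_sweep(code):
    """decode every byte in order; inline data gets misread as instructions."""
    out, pc = [], 0
    while pc < len(code):
        text, size, _ = decode(code, pc)
        out.append((pc, text))
        pc += size
    return out

def recursive_traversal(code, entry=0):
    """follow control flow from entry; bytes never reached are reported as data."""
    listing, work, seen = {}, [entry], set()
    while work:
        pc = work.pop()
        if pc in seen or pc >= len(code):
            continue
        seen.add(pc)
        text, size, succ = decode(code, pc)
        listing[pc] = (text, size)
        work.extend(succ)
    covered = {a + i for a, (_, n) in listing.items() for i in range(n)}
    data = [a for a in range(len(code)) if a not in covered]
    return sorted((a, t) for a, (t, _) in listing.items()), data

# constructed sample image: code, an inline "Serial:\0" string at 0x05, then more code at 0x0d
SAMPLE = bytes([0x01, 0x00, 0x05, 0x03, 0x0D]) + b"Serial:\0" + bytes([0x05, 0x00, 0x00])
```

the linear listing shows a spurious halt at 0x0c (the string terminator), whereas the traversal lists only 0x00, 0x03, 0x0d and 0x0f as code and reports 0x05..0x0c as data.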

	 there is actually a bug in the emulator (see notesloadops.txt), but the operand
that would corrupt the opcode flow isn't used in the protection.

	 my notes aren't really clear, but maybe they'll help you figure out how the cpu
emulator works.
________________________________________________________________________________________________
:::::::::::::::::::::::::::::::::::: f i n a l   w o r d s :::::::::::::::::::::::::::::::::::::

	 this was a nice crackme, quite unusual, fun and interesting
________________________________________________________________________________________________
										      roy|fleur

