TEXme v1.0
by Chafe/TEX99


Tutorial by Lucifer48 [Immortal Descendants]
(September 11th, 1999)



Another asm32 crackme. There is no validation button, so I guess there is a timer... A quick look at the imported functions shows GetDlgItemInt and GetWindowTextA.
Let's go:
XXXX:0040106B  PUSH 0040318C			;my name
XXXX:00401070  PUSH DWORD PTR [00403174]	;handle of edit box (because it isn't a dialog box)
XXXX:00401076  CALL USER32!GetWindowTextA
XXXX:0040107B  MOV  ECX,00000014		;will pad with zeros up to 14h bytes
XXXX:00401080  SUB  ECX,EAX
Remark: this is the memory area after the call (the name, zero-padded to 14h bytes):
-----TEXME!.data+018C-----------------------------byte--------------PROT---(0)--
XXXX:0040318C 4C 75 63 69 66 65 72 34-38 00 00 00 00 00 00 00  Lucifer48.......
XXXX:0040319C 00 00 00 00                                      ...
-------------------------------------------------------------------------PROT32-
Now I put the other breakpoint:
XXXX:0040147D  PUSH DWORD PTR [00403170]	;handle of window (created with CreateWindowEx)
XXXX:00401483  CALL USER32!GetDlgItemInt	;I thought it only worked with dialog boxes...
XXXX:00401488  MOV  [00403188], EAX		;important address
Put a BPM on 00403188, and we discover the algo:
XXXX:00401376  MOV  EAX, [00403188]
...
XXXX:00401381  INC  EAX				; +1
...
XXXX:00401388  XOR  EAX,[EDI]			;*edi: my name
XXXX:0040138A  MOV  [00403188], EAX
It is in fact a loop that walks the name buffer (length: 14h), EDI advancing one byte per iteration, so each XOR reads an overlapping little-endian dword of the name. Let's assume that X is the value of my serial.

Example: for my name I have (each dword is written high byte first, so "icuL" is the dword at [0040318C], "ficu" the one at [0040318D], and so on):
((((((((((((X+1) XOR "icuL")+1) XOR "ficu")+1) XOR "efic")+1) XOR "refi")+1) ...)+1) XOR "8") = Y
Remark: don't tell me that (a+b) XOR c <=> (a XOR c) + (b XOR c). It is false! For example, take a=1, b=3 and c=2: (1+3) XOR 2 = 6, but (1 XOR 2) + (3 XOR 2) = 4.

And Y is compared to the right value:
XXXX:0040149C  MOV  EAX, [00403188]
XXXX:004014A1  ADD  EAX, 09112478
XXXX:004014A6  TEST EAX, EAX
XXXX:004014A8  JNZ  004014B3			;jump = bad cracker
The goal is to get Y = F6EEDB88h, since F6EEDB88h + 09112478h = 0 (mod 2^32): Y is simply the two's-complement negation of 09112478h. Let's reverse the algo ;)

Example: with my name (start from Y and undo the last round first: XOR with the same dword, then subtract 1):
  F6EEDB88 XOR 00000000 = F6EEDB88	(dword ptr [0040319B])
  F6EEDB87 XOR 00000000 = F6EEDB87	(dword ptr [0040319A])
  F6EEDB86 XOR 00000000 = F6EEDB86
  F6EEDB85 XOR 00000000 = F6EEDB85
  F6EEDB84 XOR 00000000 = F6EEDB84
  F6EEDB83 XOR 00000000 = F6EEDB83
  F6EEDB82 XOR 00000000 = F6EEDB82
  F6EEDB81 XOR 00000038 = F6EEDBB9	   8
  F6EEDBB8 XOR 00003834 = F6EEE38C	  84
  F6EEE38B XOR 00383472 = F6D6D7F9	 84r
  F6D6D7F8 XOR 38347265 = CEE2A59D	84re
  CEE2A59C XOR 34726566 = FA90C0FA	4ref
  FA90C0F9 XOR 72656669 = 88F5A690	refi
  88F5A68F XOR 65666963 = ED93CFEC	efic
  ED93CFEB XOR 66696375 = 8BFAAC9E	(dword ptr [0040318D])
  8BFAAC9D XOR 6963754C = E299D9D1	and E299D9D1 - 1 = E299D9D0 = X
Dear reader, in your keygen, I want to see 16 loops... So:

Name/ Lucifer48
Serial/ 3801733584

YES! You found your serial!!
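The 16 rounds above, written out in C as an added example (this is not the crackme's own code, and not the author's keygen). It reproduces the forward routine exactly as the listing shows it (INC EAX, then XOR EAX,[EDI] with EDI moving one byte per round over the zero-padded 14h-byte name buffer), the final ADD EAX,09112478 / TEST check, and the inverse that walks the rounds backwards. The serial is treated as an unsigned 32-bit value, which is what the decimal serial given above corresponds to. The exact nMaxCount passed to GetWindowTextA is not visible in the listing, so the name is truncated to fit the buffer as an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 0x14u          /* 14h-byte buffer the crackme zero-pads */
#define ROUNDS   16u            /* the 16 loops the tutorial asks for */
#define TARGET   0xF6EEDB88u    /* -09112478h mod 2^32, the required Y */

/* Read the little-endian dword at buf+off, exactly like "XOR EAX,[EDI]"
 * does on x86. Offsets 0..15 stay inside the 20-byte buffer. */
static uint32_t dword_at(const uint8_t *buf, size_t off) {
    return (uint32_t)buf[off]
         | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16)
         | ((uint32_t)buf[off + 3] << 24);
}

/* Model GetWindowTextA followed by the zero-fill loop: the name sits at the
 * start of a 14h-byte area and everything after it is 0. Truncating to
 * NAME_BUF-1 characters is an assumption (the real nMaxCount is not shown). */
static void load_name(const char *name, uint8_t buf[NAME_BUF]) {
    size_t n = strlen(name);
    if (n > NAME_BUF - 1) n = NAME_BUF - 1;
    memset(buf, 0, NAME_BUF);
    memcpy(buf, name, n);
}

/* The routine seen under the BPM on 00403188: X -> Y. */
uint32_t texme_forward(const char *name, uint32_t serial) {
    uint8_t buf[NAME_BUF];
    load_name(name, buf);
    uint32_t eax = serial;
    for (size_t i = 0; i < ROUNDS; i++) {
        eax += 1;                   /* INC EAX */
        eax ^= dword_at(buf, i);    /* XOR EAX,[EDI]; EDI advances one byte */
    }
    return eax;                     /* stored back to [00403188] */
}

/* The final compare: ADD EAX,09112478 / TEST EAX,EAX / JNZ bad. */
int texme_check(const char *name, uint32_t serial) {
    return (uint32_t)(texme_forward(name, serial) + 0x09112478u) == 0;
}

/* Inverse: start from Y and undo the rounds last-to-first. XOR is its own
 * inverse, and the INC is undone by subtracting 1 (mod 2^32). */
uint32_t texme_keygen(const char *name) {
    uint8_t buf[NAME_BUF];
    load_name(name, buf);
    uint32_t x = TARGET;
    for (size_t i = ROUNDS; i-- > 0;) {
        x ^= dword_at(buf, i);      /* undo XOR EAX,[EDI] */
        x -= 1;                     /* undo INC EAX */
    }
    return x;                       /* this is X, the serial */
}

int main(void) {
    const char *name = "Lucifer48";          /* the tutorial's example name */
    uint32_t serial = texme_keygen(name);
    printf("Name/ %s\nSerial/ %lu (%08lXh)\n", name,
           (unsigned long)serial, (unsigned long)serial);
    printf("%s\n", texme_check(name, serial) ? "YES! You found your serial!!"
                                             : "bad cracker");
    return 0;
}
```

Running it for "Lucifer48" yields E299D9D0h, i.e. 3801733584, the serial given above; the round-trip works for any name because every round is a bijection on 32-bit values, so a valid serial exists for every name and is unique.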


Greetings: All ID members (Volatility, Torn@do, ...), SiFLyiNG, Eternal Bliss, ACiD BuRN, Duelist, LaZaRuS, ... and Chafe (for this simple crackme).



(c) Lucifer48. All rights reserved & reversed