              +=================================================+
              + How to keygen The Official Mexelite Crackme 4.0 +
              +=================================================+

17/04/2000 By TSCube

"KEYGENING for lazy people"



+=================+
+ 1) DEAD LISTING +
+=================+


:0042DAD1 8D4000                  lea eax, dword ptr [eax+00]
:0042DAD4 55                      push ebp
[...]
:0042DB07 6A00                    push 00000000
:0042DB09 6A00                    push 00000000
:0042DB0B 684CF74200              push 0042F74C
:0042DB10 6848F74200              push 0042F748
:0042DB15 A144F74200              mov eax, dword ptr [0042F744]
:0042DB1A 50                      push eax -> address of volume serial number 
:0042DB1B 6A00                    push 00000000
:0042DB1D 6A00                    push 00000000
:0042DB1F 6A00                    push 00000000

* Reference To: kernel32.GetVolumeInformationA, Ord:0000h
                                  |
:0042DB21 E85E75FDFF              Call 00405084

BOOL GetVolumeInformation(
    LPCTSTR lpRootPathName,	// address of root directory of the file system 
    LPTSTR lpVolumeNameBuffer,	// address of name of the volume 
    DWORD nVolumeNameSize,	// length of lpVolumeNameBuffer 
    LPDWORD lpVolumeSerialNumber,	// address of volume serial number 
    LPDWORD lpMaximumComponentLength,	// address of system's maximum filename length
    LPDWORD lpFileSystemFlags,	// address of file system flags 
    LPTSTR lpFileSystemNameBuffer,	// address of name of file system 
    DWORD nFileSystemNameSize 	// length of lpFileSystemNameBuffer 
   );

:0042DB26 A144F74200              mov eax, dword ptr [0042F744]
:0042DB2B 8B00                    mov eax, dword ptr [eax]

:0042DB2D A350F74200              mov dword ptr [0042F750], eax -> initialisation of first magic value (#magic1)

:0042DB32 8D55FC                  lea edx, dword ptr [ebp-04]
:0042DB35 8B83E0010000            mov eax, dword ptr [ebx+000001E0]
:0042DB3B E8E8C6FEFF              call 0041A228
:0042DB40 837DFC00                cmp dword ptr [ebp-04], 00000000
:0042DB44 751A                    jne 0042DB60 -> next_1

:0042DB46 6A00                    push 00000000
:0042DB48 668B0D1CDD4200          mov cx, word ptr [0042DD1C]
:0042DB4F B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Please typ in your name !!"
                                  |
:0042DB51 B828DD4200              mov eax, 0042DD28
:0042DB56 E8E5F2FFFF              call 0042CE40
:0042DB5B E990010000              jmp 0042DCF0

next_1
---------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DB44(C)
|
:0042DB60 8D55FC                  lea edx, dword ptr [ebp-04]
:0042DB63 8B83E0010000            mov eax, dword ptr [ebx+000001E0]
:0042DB69 E8BAC6FEFF              call 0041A228
:0042DB6E 8B45FC                  mov eax, dword ptr [ebp-04]
:0042DB71 E84A5CFDFF              call 004037C0
:0042DB76 83F806                  cmp eax, 00000006
:0042DB79 7D1A                    jge 0042DB95 -> next_2

:0042DB7B 6A00                    push 00000000
:0042DB7D 668B0D1CDD4200          mov cx, word ptr [0042DD1C]
:0042DB84 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Type at least 6 chars for your "
                                        ->"name! !"
                                  |
:0042DB86 B84CDD4200              mov eax, 0042DD4C
:0042DB8B E8B0F2FFFF              call 0042CE40
:0042DB90 E95B010000              jmp 0042DCF0

next_2
--------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DB79(C)
|
:0042DB95 8D55FC                  lea edx, dword ptr [ebp-04]
:0042DB98 8B83E4010000            mov eax, dword ptr [ebx+000001E4]
:0042DB9E E885C6FEFF              call 0041A228
:0042DBA3 837DFC00                cmp dword ptr [ebp-04], 00000000
:0042DBA7 751A                    jne 0042DBC3 -> next_3

:0042DBA9 6A00                    push 00000000
:0042DBAB 668B0D1CDD4200          mov cx, word ptr [0042DD1C]
:0042DBB2 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Please enter your serial !"
                                  |
:0042DBB4 B87CDD4200              mov eax, 0042DD7C
:0042DBB9 E882F2FFFF              call 0042CE40
:0042DBBE E92D010000              jmp 0042DCF0


next_3
--------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DBA7(C)
|
:0042DBC3 8BC7                    mov eax, edi
:0042DBC5 E87A59FDFF              call 00403544

:0042DBCA C70602000000            mov dword ptr [esi], 00000002 -> init counter


begin_loop_1
--------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DBFF(C)
|
:0042DBD0 8D55FC                  lea edx, dword ptr [ebp-04]
:0042DBD3 8B83E0010000            mov eax, dword ptr [ebx+000001E0]
:0042DBD9 E84AC6FEFF              call 0041A228
:0042DBDE 8B45FC                  mov eax, dword ptr [ebp-04] -> name
:0042DBE1 8B16                    mov edx, dword ptr [esi]
:0042DBE3 0FB64410FF              movzx eax, byte ptr [eax+edx-01]
:0042DBE8 8D55F8                  lea edx, dword ptr [ebp-08]
:0042DBEB E88889FDFF              call 00406578
:0042DBF0 8B55F8                  mov edx, dword ptr [ebp-08]
:0042DBF3 8BC7                    mov eax, edi
:0042DBF5 E8CE5BFDFF              call 004037C8
:0042DBFA FF06                    inc dword ptr [esi]
:0042DBFC 833E07                  cmp dword ptr [esi], 00000007
:0042DBFF 75CF                    jne 0042DBD0 -> begin_loop_1

end_loop_1
----------

Hum... to tell you the truth, I don't quite understand what's happening between <begin_loop_1> 
and <end_loop_1> but when you keygen, you don't HAVE to understand every line of code you see.

Very often, you can understand what's happening by looking at the values of the registers or of
the memory BEFORE and AFTER the function you don't understand.
Just imagine you have a black box in front of you: you look at what comes in, you look at what comes
out and you try to guess what the black box does.

let's look at this example:
                                   +-------------+
                    "123456789" -> | black box   | -> 0x75BCD15
                                   +-------------+

as you know that 0x75BCD15 = 123456789, you can tell that this black box converts a string to
its decimal value.

:0042DC01 8D45F8                  lea eax, dword ptr [ebp-08]
:0042DC04 50                      push eax
:0042DC05 B903000000              mov ecx, 00000003
:0042DC0A BA01000000              mov edx, 00000001
:0042DC0F 8B07                    mov eax, dword ptr [edi] -> "836711798101"

OK, this is the output of the black box... let's try to guess what this string represents !

if name="TSCube" then eax points to "836711798101", which is the concatenation of the decimal ASCII values of "SCube":
'S' = 83, 'C' = 67, ... 'e' = 101

(I know that because I've learnt by heart the ASCII values of the letters of "TSCube" ;)

:0042DC11 E8AE5DFDFF              call 004039C4
:0042DC16 8B45F8                  mov eax, dword ptr [ebp-08] -> "836" (first 3 characters of the previous string)

:0042DC19 E88A89FDFF              call 004065A8 -> this function converts a string to its decimal value
:0042DC1E A358F74200              mov dword ptr [0042F758], eax -> initialisation of second magic value (#magic2)
:0042DC23 8BC7                    mov eax, edi
:0042DC25 E81A59FDFF              call 00403544
:0042DC2A 8BC3                    mov eax, ebx
:0042DC2C E8B3FCFFFF              call 0042D8E4 => FIRST MAGIC FUNCTION

:0042DC31 A150F74200              mov eax, dword ptr [0042F750]
:0042DC36 A350F74200              mov dword ptr [0042F750], eax
:0042DC3B 8BC3                    mov eax, ebx
:0042DC3D E8F2FCFFFF              call 0042D934 => SECOND MAGIC FUNCTION

:0042DC42 A158F74200              mov eax, dword ptr [0042F758]
:0042DC47 A358F74200              mov dword ptr [0042F758], eax
:0042DC4C 8BC3                    mov eax, ebx
:0042DC4E E835FDFFFF              call 0042D988 => THIRD MAGIC FUNCTION

:0042DC53 8BC3                    mov eax, ebx
:0042DC55 E87EFDFFFF              call 0042D9D8 => FOURTH MAGIC FUNCTION

:0042DC5A A158F74200              mov eax, dword ptr [0042F758]
:0042DC5F A358F74200              mov dword ptr [0042F758], eax
:0042DC64 8BC3                    mov eax, ebx
:0042DC66 E8B1FDFFFF              call 0042DA1C -> this does nothing (see code below)

	:0042DA1C A158F74200              mov eax, dword ptr [0042F758]
	:0042DA21 A358F74200              mov dword ptr [0042F758], eax
	:0042DA26 C3                      ret

:0042DC6B 8BC3                    mov eax, ebx
:0042DC6D E8B6FDFFFF              call 0042DA28 -> this does nothing

	:0042DA28 A150F74200              mov eax, dword ptr [0042F750]
	:0042DA2D A350F74200              mov dword ptr [0042F750], eax
	:0042DA32 C3                      ret

:0042DC72 A158F74200              mov eax, dword ptr [0042F758]
:0042DC77 A358F74200              mov dword ptr [0042F758], eax
:0042DC7C 8BC3                    mov eax, ebx
:0042DC7E E8B1FDFFFF              call 0042DA34 => FIFTH MAGIC FUNCTION

:0042DC83 8BC3                    mov eax, ebx
:0042DC85 E8F2FDFFFF              call 0042DA7C => SIXTH MAGIC FUNCTION


:0042DC8A 8BC3                    mov eax, ebx
:0042DC8C E80BFEFFFF              call 0042DA9C => SEVENTH MAGIC FUNCTION

:0042DC91 A150F74200              mov eax, dword ptr [0042F750]
:0042DC96 010558F74200            add dword ptr [0042F758], eax

true_serial = [0042F750] + [0042F758] = #magic1 + #magic2

:0042DC9C 8D55FC                  lea edx, dword ptr [ebp-04]       }
:0042DC9F 8B83E4010000            mov eax, dword ptr [ebx+000001E4] } not important
:0042DCA5 E87EC5FEFF              call 0041A228                     }

:0042DCAA 8B45FC                  mov eax, dword ptr [ebp-04] -> type "d eax" to see the serial you entered
:0042DCAD E8F688FDFF              call 004065A8 -> this converts the serial we typed to a hex value
:0042DCB2 A360F74200              mov dword ptr [0042F760], eax

type "? eax" to see your serial

:0042DCB7 A158F74200              mov eax, dword ptr [0042F758]
:0042DCBC 3B0560F74200            cmp eax, dword ptr [0042F760]

This compares the true_serial (? eax) with the one we entered

:0042DCC2 7517                    jne 0042DCDB -> fuck off

:0042DCC4 6A00                    push 00000000
:0042DCC6 668B0D1CDD4200          mov cx, word ptr [0042DD1C]
:0042DCCD B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Good Serial, Thanks For trying "
                                        ->"this Crackme bY nIabI !"
                                  |
:0042DCCF B8A0DD4200              mov eax, 0042DDA0
:0042DCD4 E867F1FFFF              call 0042CE40
:0042DCD9 EB15                    jmp 0042DCF0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DCC2(C)
|
:0042DCDB 6A00                    push 00000000
:0042DCDD 668B0D1CDD4200          mov cx, word ptr [0042DD1C]
:0042DCE4 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Bad Name Or Serial Number !!!!!"
                                  |
:0042DCE6 B8E0DD4200              mov eax, 0042DDE0
:0042DCEB E850F1FFFF              call 0042CE40






/////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////


FIRST MAGIC FUNCTION
---------------------

* Referenced by a CALL at Address:
|:0042DC2C   
|
:0042D8E4 53                      push ebx
:0042D8E5 56                      push esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D870(C)
|
:0042D8E6 B958F74200              mov ecx, 0042F758
:0042D8EB BB50F74200              mov ebx, 0042F750
:0042D8F0 8B01                    mov eax, dword ptr [ecx]
:0042D8F2 03C0                    add eax, eax
:0042D8F4 8D0440                  lea eax, dword ptr [eax+2*eax]
:0042D8F7 8901                    mov dword ptr [ecx], eax
:0042D8F9 8B01                    mov eax, dword ptr [ecx] 

EAX_1 = (#magic2 * 4) + #magic2 * 2

:0042D8FB BE03000000              mov esi, 00000003
:0042D900 99                      cdq
:0042D901 F7FE                    idiv esi

EAX_2 = EAX_1 / 3

:0042D903 8901                    mov dword ptr [ecx], eax
:0042D905 830110                  add dword ptr [ecx], 00000010
:0042D908 8B01                    mov eax, dword ptr [ecx]

EAX_3 = EAX_2 + 0x10

:0042D90A 03C0                    add eax, eax

EAX_4 = 2*EAX_3

:0042D90C 8901                    mov dword ptr [ecx], eax
:0042D90E 8B01                    mov eax, dword ptr [ecx]
:0042D910 8D04C0                  lea eax, dword ptr [eax+8*eax]

EAX_5 = EAX_4 + 8*EAX_4

:0042D913 8901                    mov dword ptr [ecx], eax
:0042D915 833105                  xor dword ptr [ecx], 00000005

#magic2 = EAX_5 XOR 0x05

:0042D918 8B03                    mov eax, dword ptr [ebx]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8AB(C)
|
:0042D91A C1E002                  shl eax, 02
:0042D91D 8903                    mov dword ptr [ebx], eax
:0042D91F 8B03                    mov eax, dword ptr [ebx]

EAX_6 = #magic1 SHL 0x02

:0042D921 B903000000              mov ecx, 00000003
:0042D926 99                      cdq
:0042D927 F7F9                    idiv ecx

EAX_7 = EAX_6 / 0x03

:0042D929 8903                    mov dword ptr [ebx], eax
:0042D92B 833303                  xor dword ptr [ebx], 00000003
:0042D92E 830340                  add dword ptr [ebx], 00000040

#magic1 = (EAX_7 XOR 0x03) + 0x40

:0042D931 5E                      pop esi
:0042D932 5B                      pop ebx
:0042D933 C3                      ret



conclusion
----------

EAX_1 = (#magic2 * 4) + #magic2 * 2
EAX_2 = EAX_1 / 3
EAX_3 = EAX_2 + 0x10
EAX_4 = 2*EAX_3
EAX_5 = EAX_4 + 8*EAX_4
#magic2 = EAX_5 XOR 0x05

EAX_6 = #magic1 SHL 0x02
EAX_7 = EAX_6 / 0x03
#magic1 = (EAX_7 XOR 0x03) + 0x40


///////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////


SECOND MAGIC FUNCTION
----------------------


* Referenced by a CALL at Address:
|:0042DC3D   
|

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8C5(C)
|
:0042D934 53                      push ebx
:0042D935 B858F74200              mov eax, 0042F758
:0042D93A B950F74200              mov ecx, 0042F750
:0042D93F 8B10                    mov edx, dword ptr [eax]
:0042D941 03D2                    add edx, edx
:0042D943 8D1452                  lea edx, dword ptr [edx+2*edx]
:0042D946 8910                    mov dword ptr [eax], edx
:0042D948 8B10                    mov edx, dword ptr [eax]
:0042D94A D1FA                    sar edx, 1
:0042D94C 7903                    jns 0042D951
:0042D94E 83D200                  adc edx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D94C(C)
|
:0042D951 8910                    mov dword ptr [eax], edx
:0042D953 83000D                  add dword ptr [eax], 0000000D
:0042D956 6B1036                  imul edx, dword ptr [eax], 00000036
:0042D959 8910                    mov dword ptr [eax], edx
:0042D95B 8B10                    mov edx, dword ptr [eax]
:0042D95D 8BDA                    mov ebx, edx
:0042D95F C1E205                  shl edx, 05
:0042D962 03D3                    add edx, ebx
:0042D964 8910                    mov dword ptr [eax], edx
:0042D966 833010                  xor dword ptr [eax], 00000010
:0042D969 8B01                    mov eax, dword ptr [ecx]
:0042D96B 03C0                    add eax, eax
:0042D96D 8D0440                  lea eax, dword ptr [eax+2*eax]
:0042D970 8901                    mov dword ptr [ecx], eax
:0042D972 8B01                    mov eax, dword ptr [ecx]
:0042D974 BB05000000              mov ebx, 00000005
:0042D979 99                      cdq
:0042D97A F7FB                    idiv ebx
:0042D97C 8901                    mov dword ptr [ecx], eax
:0042D97E 833125                  xor dword ptr [ecx], 00000025
:0042D981 830127                  add dword ptr [ecx], 00000027
:0042D984 5B                      pop ebx
:0042D985 C3                      ret



//////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////


THIRD MAGIC FUNCTION
---------------------

* Referenced by a CALL at Address:
|:0042DC4E   
|
:0042D988 53                      push ebx
:0042D989 56                      push esi
:0042D98A B958F74200              mov ecx, 0042F758
:0042D98F BB50F74200              mov ebx, 0042F750
:0042D994 8B01                    mov eax, dword ptr [ecx]
:0042D996 03C0                    add eax, eax
:0042D998 8D0440                  lea eax, dword ptr [eax+2*eax]
:0042D99B 8901                    mov dword ptr [ecx], eax
:0042D99D 8B01                    mov eax, dword ptr [ecx]
:0042D99F BE03000000              mov esi, 00000003
:0042D9A4 99                      cdq
:0042D9A5 F7FE                    idiv esi
:0042D9A7 8901                    mov dword ptr [ecx], eax
:0042D9A9 83010D                  add dword ptr [ecx], 0000000D
:0042D9AC 8B01                    mov eax, dword ptr [ecx]
:0042D9AE 03C0                    add eax, eax
:0042D9B0 8D0440                  lea eax, dword ptr [eax+2*eax]
:0042D9B3 8901                    mov dword ptr [ecx], eax
:0042D9B5 6B0159                  imul eax, dword ptr [ecx], 00000059
:0042D9B8 8901                    mov dword ptr [ecx], eax
:0042D9BA 833109                  xor dword ptr [ecx], 00000009
:0042D9BD 8B03                    mov eax, dword ptr [ebx]
:0042D9BF 8D0480                  lea eax, dword ptr [eax+4*eax]
:0042D9C2 8903                    mov dword ptr [ebx], eax
:0042D9C4 8B03                    mov eax, dword ptr [ebx]
:0042D9C6 85C0                    test eax, eax
:0042D9C8 C1F800                  sar eax, 00
:0042D9CB 8903                    mov dword ptr [ebx], eax
:0042D9CD 833322                  xor dword ptr [ebx], 00000022
:0042D9D0 830303                  add dword ptr [ebx], 00000003
:0042D9D3 5E                      pop esi
:0042D9D4 5B                      pop ebx
:0042D9D5 C3                      ret



//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////


FOURTH MAGIC FUNCTION
-----------------------

* Referenced by a CALL at Address:
|:0042DC55   
|
:0042D9D8 53                      push ebx
:0042D9D9 B858F74200              mov eax, 0042F758
:0042D9DE B950F74200              mov ecx, 0042F750
:0042D9E3 8B10                    mov edx, dword ptr [eax]
:0042D9E5 8910                    mov dword ptr [eax], edx
:0042D9E7 8B10                    mov edx, dword ptr [eax]
:0042D9E9 D1FA                    sar edx, 1
:0042D9EB 7903                    jns 0042D9F0
:0042D9ED 83D200                  adc edx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D9EB(C)
|
:0042D9F0 8910                    mov dword ptr [eax], edx
:0042D9F2 830010                  add dword ptr [eax], 00000010
:0042D9F5 8B10                    mov edx, dword ptr [eax]
:0042D9F7 8910                    mov dword ptr [eax], edx
:0042D9F9 8B10                    mov edx, dword ptr [eax]
:0042D9FB 8D1452                  lea edx, dword ptr [edx+2*edx]
:0042D9FE 8910                    mov dword ptr [eax], edx
:0042DA00 833006                  xor dword ptr [eax], 00000006
:0042DA03 6B012B                  imul eax, dword ptr [ecx], 0000002B
:0042DA06 8901                    mov dword ptr [ecx], eax
:0042DA08 8B01                    mov eax, dword ptr [ecx]
:0042DA0A BB03000000              mov ebx, 00000003
:0042DA0F 99                      cdq
:0042DA10 F7FB                    idiv ebx
:0042DA12 8901                    mov dword ptr [ecx], eax
:0042DA14 833103                  xor dword ptr [ecx], 00000003
:0042DA17 830122                  add dword ptr [ecx], 00000022
:0042DA1A 5B                      pop ebx
:0042DA1B C3                      ret



///////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////


FIFTH MAGIC FUNCTION
---------------------

* Referenced by a CALL at Address:
|:0042DC7E   
|
:0042DA34 B858F74200              mov eax, 0042F758
:0042DA39 BA50F74200              mov edx, 0042F750
:0042DA3E 8B08                    mov ecx, dword ptr [eax]
:0042DA40 D1F9                    sar ecx, 1
:0042DA42 7903                    jns 0042DA47
:0042DA44 83D100                  adc ecx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DA42(C)
|
:0042DA47 8908                    mov dword ptr [eax], ecx
:0042DA49 FF00                    inc dword ptr [eax]
:0042DA4B 8B0A                    mov ecx, dword ptr [edx]
:0042DA4D 8D0C49                  lea ecx, dword ptr [ecx+2*ecx]
:0042DA50 890A                    mov dword ptr [edx], ecx
:0042DA52 8B0A                    mov ecx, dword ptr [edx]
:0042DA54 85C9                    test ecx, ecx
:0042DA56 7903                    jns 0042DA5B
:0042DA58 83C103                  add ecx, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DA56(C)
|
:0042DA5B C1F902                  sar ecx, 02
:0042DA5E 890A                    mov dword ptr [edx], ecx
:0042DA60 8B08                    mov ecx, dword ptr [eax]
:0042DA62 03C9                    add ecx, ecx
:0042DA64 8D0C49                  lea ecx, dword ptr [ecx+2*ecx]
:0042DA67 8908                    mov dword ptr [eax], ecx
:0042DA69 8B08                    mov ecx, dword ptr [eax]
:0042DA6B C1E103                  shl ecx, 03
:0042DA6E 8908                    mov dword ptr [eax], ecx
:0042DA70 833006                  xor dword ptr [eax], 00000006
:0042DA73 833222                  xor dword ptr [edx], 00000022
:0042DA76 830204                  add dword ptr [edx], 00000004
:0042DA79 C3                      ret


////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////

SIXTH MAGIC FUNCTION
---------------------

* Referenced by a CALL at Address:
|:0042DC85   
|
:0042DA7C A150F74200              mov eax, dword ptr [0042F750]
:0042DA81 8D0440                  lea eax, dword ptr [eax+2*eax]
:0042DA84 A350F74200              mov dword ptr [0042F750], eax
:0042DA89 A150F74200              mov eax, dword ptr [0042F750]
:0042DA8E 85C0                    test eax, eax
:0042DA90 C1F800                  sar eax, 00
:0042DA93 A350F74200              mov dword ptr [0042F750], eax
:0042DA98 C3                      ret



/////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////

SEVENTH MAGIC FUNCTION
----------------------

* Referenced by a CALL at Address:
|:0042DC8C   
|
:0042DA9C B858F74200              mov eax, 0042F758
:0042DAA1 BA50F74200              mov edx, 0042F750
:0042DAA6 833002                  xor dword ptr [eax], 00000002
:0042DAA9 8B0A                    mov ecx, dword ptr [edx]
:0042DAAB 890A                    mov dword ptr [edx], ecx
:0042DAAD 8B0A                    mov ecx, dword ptr [edx]
:0042DAAF C1E102                  shl ecx, 02
:0042DAB2 890A                    mov dword ptr [edx], ecx
:0042DAB4 8B08                    mov ecx, dword ptr [eax]
:0042DAB6 8908                    mov dword ptr [eax], ecx
:0042DAB8 8B08                    mov ecx, dword ptr [eax]
:0042DABA 8908                    mov dword ptr [eax], ecx
:0042DABC 8B08                    mov ecx, dword ptr [eax]
:0042DABE 8908                    mov dword ptr [eax], ecx
:0042DAC0 8B0A                    mov ecx, dword ptr [edx]
:0042DAC2 890A                    mov dword ptr [edx], ecx
:0042DAC4 830204                  add dword ptr [edx], 00000004
:0042DAC7 8B10                    mov edx, dword ptr [eax]
:0042DAC9 03D2                    add edx, edx
:0042DACB 8D1452                  lea edx, dword ptr [edx+2*edx]
:0042DACE 8910                    mov dword ptr [eax], edx
:0042DAD0 C3                      ret







+=======================+
+ LET'S KEYGEN ALL THAT +
+=======================+

"Crackme 4.0 implements code especially designed for creating a keygen. I am gonna tell you it's going
to be hard and confusing, but if you can make keygens this shouldn't be a problem."

Sure it's confusing: you have to deal with 7 magic functions which modify the 2 magic
values used by the algorithm.

BUT this won't be hard, because the true_serial appears in the CLEAR at @42DCBC... that means we
don't really have to understand how the algorithm works.

why ? BECAUSE WE'LL DO THE KEYGEN IN ASM !!!
--------------------------------------------

ok, don't be scared: we'll only use inline ASM, not a full ASM keygen.
We'll proceed like this:

1) use a high-level language to get the name from the user and to initialise the 2 magic values
2) use inline ASM to generate the correct serial
3) use a high-level language to display the correct serial


Now, the job is nearly over: just look at the source code, and you'll see I've just
cut & pasted the code of the MAGIC FUNCTIONS.
The ASM source code from the dead listing had to be modified a bit; the two major modifications
were:

1) adc edx,00000000 => adc edx, 00h

and

2) lea eax, int42F758 => mov eax, 0042F758



+=======================+
+     CONCLUSION        +
+=======================+

Protections using a comparison between the serial you entered and the true serial will always
be easily defeated: DON'T USE THEM!
I know you don't like tutorials like: "type d eax: it's your serial!!! job done!" ;)

I can hear people saying "what's the point of making an ASM keygen: you don't understand how
the protection works!". My answer is: "Why lose time understanding a weak algo?".
Anyway, you can make all the keygen in a high-level language, just look at the comments I made
in the first magic function and you'll see that it's not so hard.
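The high-level version mentioned above, written in Python as an added example (it is not the author's inline-ASM keygen and not part of this tutorial): the seven magic functions of the dead listing, with every x86 division written as a truncating signed `div` (cdq/idiv, the sar/jns/adc pair and the test/jns/add/sar pair all compute that) and every intermediate wrapped to 32 bits, which is what the "black box" annotations hide. The volume serial passed in is a constructed sample; the crackme reads the real one with GetVolumeInformation.

```python
# Re-implementation of the Crackme 4.0 serial check from the dead listing.
# Each x86 step is mirrored with 32-bit wrap-around (s32) and signed division
# rounding toward zero (sdiv).  Addresses in comments refer to the listing.

def s32(x):
    """Wrap a Python int to the signed 32-bit value a register would hold."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x

def sdiv(x, d):
    """Signed division of the wrapped 32-bit value of x, rounding toward zero (d > 0)."""
    x = s32(x)
    q = abs(x) // d
    return -q if x < 0 else q

def magic2_from_name(name):
    """begin_loop_1..end_loop_1 plus the Copy(...,1,3) and StrToInt calls:
    concatenate the decimal ASCII codes of characters 2..6 of the name and
    keep the first three digits ("TSCube" -> "836711798101" -> 836)."""
    if len(name) < 6:
        raise ValueError("Type at least 6 chars for your name!")
    digits = "".join(str(ord(name[i - 1])) for i in range(2, 7))  # counter 2..6, name[counter-1]
    return int(digits[:3])

# Each magic function takes (#magic1, #magic2) = ([0042F750], [0042F758])
# and returns the updated pair.
def magic_1(m1, m2):                                   # 0042D8E4
    m2 = sdiv(m2 * 6, 3)                               # add eax,eax ; lea [eax+2*eax] ; idiv 3
    m2 = ((m2 + 0x10) * 2 * 9) ^ 5                     # add 10h ; add eax,eax ; lea [eax+8*eax] ; xor 5
    m1 = (sdiv(m1 << 2, 3) ^ 3) + 0x40                 # shl 2 ; idiv 3 ; xor 3 ; add 40h
    return s32(m1), s32(m2)

def magic_2(m1, m2):                                   # 0042D934
    m2 = sdiv(m2 * 6, 2)                               # *6 ; sar 1 / jns / adc 0
    m2 = ((m2 + 0xD) * 0x36 * 33) ^ 0x10               # add 0Dh ; imul 36h ; shl 5 + self ; xor 10h
    m1 = (sdiv(m1 * 6, 5) ^ 0x25) + 0x27               # *6 ; idiv 5 ; xor 25h ; add 27h
    return s32(m1), s32(m2)

def magic_3(m1, m2):                                   # 0042D988
    m2 = ((sdiv(m2 * 6, 3) + 0xD) * 6 * 0x59) ^ 9      # *6 ; idiv 3 ; add 0Dh ; *6 ; imul 59h ; xor 9
    m1 = (sdiv(m1 * 5, 1) ^ 0x22) + 3                  # lea [eax+4*eax] ; test/sar 0 ; xor 22h ; add 3
    return s32(m1), s32(m2)

def magic_4(m1, m2):                                   # 0042D9D8
    m2 = ((sdiv(m2, 2) + 0x10) * 3) ^ 6                # sar 1 / adc ; add 10h ; lea [edx+2*edx] ; xor 6
    m1 = (sdiv(m1 * 0x2B, 3) ^ 3) + 0x22               # imul 2Bh ; idiv 3 ; xor 3 ; add 22h
    return s32(m1), s32(m2)

def magic_5(m1, m2):                                   # 0042DA34
    m2 = ((sdiv(m2, 2) + 1) * 6 << 3) ^ 6              # sar 1 / adc ; inc ; *6 ; shl 3 ; xor 6
    m1 = (sdiv(m1 * 3, 4) ^ 0x22) + 4                  # *3 ; test/jns/add 3/sar 2 ; xor 22h ; add 4
    return s32(m1), s32(m2)

def magic_6(m1, m2):                                   # 0042DA7C
    return s32(m1 * 3), m2                             # lea [eax+2*eax] ; test/sar 0 is a no-op

def magic_7(m1, m2):                                   # 0042DA9C
    m2 = (m2 ^ 2) * 6                                  # xor 2 ; add edx,edx ; lea [edx+2*edx]
    m1 = (m1 << 2) + 4                                 # shl 2 ; add 4
    return s32(m1), s32(m2)

MAGIC_FUNCTIONS = (magic_1, magic_2, magic_3, magic_4, magic_5, magic_6, magic_7)

def true_serial(volume_serial, name):
    """The value compared at 0042DCBC: run the seven functions in order, then
    add [0042F750] into [0042F758] (0042DC96)."""
    m1, m2 = s32(volume_serial), magic2_from_name(name)   # #magic1, #magic2
    for fn in MAGIC_FUNCTIONS:
        m1, m2 = fn(m1, m2)
    return s32(m1 + m2)

if __name__ == "__main__":
    # Constructed sample volume serial; the crackme reads the real one
    # with GetVolumeInformation.
    print(true_serial(0x1234ABCD, "TSCube"))
```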



If something is not clear, drop me a mail !



    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 17/04/2000

www.tscube.cjb.net
