---------------------------------------------------
This information is for educational purposes only!
---------------------------------------------------


 ------------------------
 A lame tute by C_DKnight
 ^^^^^^^^^^^^^^^^^^^^^^^^

 Target: Classify 98 1.04
 Toolz: SICE, W32Dasm
 Level: 1
 Protection: Serial
 URL: www.trellian.com/classify
 
 Some words before we start

 W00p, it seems like we got some time to do this little crack before South Park's on TV. Let us be hasty
 this time :) But let's get to the biznezz, shall we? I fill the reg boxes with this stuff:

 Name: C_DKnight
 Serial: 22446688

 I try my favorite breakpoints, of which GetDlgItemTextA seems to be the correct one:

 BPX GetDlgItemTextA -> breaks twice because of the two reg boxes

 As always we're more interested in the second break than the first one (usually the serial is calculated
 during the second break, and the first break just gets the name)...

 NOTE! This is a pretty long code listing - yet easy to understand - so if you don't feel like cracking right
 now, quit and come back later. Get some refreshments, c00l out your brains, whatever.
 Also, I know the code below is very messy, but I hope you can pick out the important parts.

 :0040EEAC FFD6                    call esi                    <-- this calls GetDlgItemTextA
 :0040EEAE 8D442410                lea eax, dword ptr [esp+10] <-- you are here (your serial is in [esp+10])
 :0040EEB2 6A52                    push 00000052
 :0040EEB4 50                      push eax
 :0040EEB5 E806EB0000              call 0041D9C0
 :0040EEBA 59                      pop ecx
 :0040EEBB BEE0DB4200              mov esi, 0042DBE0
 :0040EEC0 85C0                    test eax, eax
 :0040EEC2 59                      pop ecx
 :0040EEC3 742E                    je 0040EEF3                 <-- this'll jump

 This is the usual start. Trace on till you get here:
 
 
 :0040EF17 E828080000              call 0040F744           <-- this is actually the call we're interested in
 :0040EF1C 83C410                  add esp, 00000010       <-- tidy up stack
 :0040EF1F 85C0                    test eax, eax           <-- test if valid reg
 :0040EF21 7544                    jne 0040EF67            <-- nope, it aint
 
 Very common piece of code: a call to the serial calculation/checking routine. After it's done, test the
 result (test eax,eax) and jump (jne 0040EF67) according to the test. But the main interest is of course
 behind the call, which we have to trace: (I cut some code from the beginning)


 :0040F763 803E43                  cmp byte ptr [esi], 43             <-- compare 43h (C) to first char
 :0040F766 7512                    jne 0040F77A                       <-- jump if they don't match
 :0040F768 807E0145                cmp byte ptr [esi+01], 45          <-- compare 45h (E) to second char
 :0040F76C 750C                    jne 0040F77A                       <-- jump if they don't match
 :0040F76E C70560A4420001000000    mov dword ptr [0042A460], 00000001 <-- set flag for successful start :)
 :0040F778 EB07                    jmp 0040F781

 Ok. This is a little piece of the serial (in fact the beginning of it). First the routine compares your
 serial's first char to 43h (C) and jumps away if it doesn't match. Another compare follows immediately,
 but this time the second char is compared to 45h (E). When both checks pass, the flag is set
 and you jump out of the routine.

 You will jump here if the values matched:


 :0040F781 803E43                  cmp byte ptr [esi], 43             <-- confirm
 :0040F784 0F850D010000            jne 0040F897
 :0040F78A 8A4601                  mov al, byte ptr [esi+01]          <-- some more
 :0040F78D 3C57                    cmp al, 57                         <-- stuff
 :0040F78F 7408                    je 0040F799                        <-- which we
 :0040F791 3C45                    cmp al, 45                         <-- don't care about
 :0040F793 0F85FE000000            jne 0040F897
 :0040F799 6A2D                    push 0000002D                      <-- push "-"
 :0040F79B 56                      push esi                           <-- push the serial onto stack
 :0040F79C E85FE60000              call 0041DE00                      <-- do some checks
 :0040F7A1 59                      pop ecx
 :0040F7A2 59                      pop ecx
 :0040F7A3 85C0                    test eax, eax                      <-- check
 :0040F7A5 56                      push esi
 :0040F7A6 0F84EC000000            je 0040F898                        <-- yes good serial so far

 Ok, here goes another call at 40F79C which we're interested in. Notice the push 2D. But trace the call now:

 *Again some pieces cut* 

 :0041DE12 8A450C                  mov al, byte ptr [ebp+0C]          <-- [ebp+0C] holds "-", move it to al
 :0041DE15 FD                      std
 :0041DE16 F2                      repnz
 :0041DE17 AE                      scasb
 :0041DE18 47                      inc edi
 :0041DE19 3807                    cmp byte ptr [edi], al             <-- compare al to [edi]
 :0041DE1B 7404                    je 0041DE21                        <-- jump if the values match
 :0041DE1D 33C0                    xor eax, eax
 :0041DE1F EB02                    jmp 0041DE23

 As you can see from the cmp syntax: compare al (-) to [edi] (C).
 If the values match (there has to be a "-" in the serial after CE, e.g. CE-1234567890)
 you'll arrive here shortly:

 :0040F81D 8B5508                  mov edx, dword ptr [ebp+08]     <-- name to edx                        1.
 :0040F820 8A0A                    mov cl, byte ptr [edx]          <-- the current char to cl             2.
 :0040F822 84C9                    test cl, cl                     <-- test if it matches                 3.
 :0040F824 7412                    je 0040F838                     <-- nope, don't jump                   4.
 :0040F826 33C0                    xor eax, eax                    <-- zero out eax                       5.
 :0040F828 80C10C                  add cl, 0C                      <-- add 12 to the current char         6.
 :0040F82B 304C05F8                xor byte ptr [ebp+eax-08], cl   <-- xor 0 with [ebp+eax-8]             7.
 :0040F82F 40                      inc eax                         <-- increase counter                   8.
 :0040F830 83F804                  cmp eax, 00000004               <-- all done?                          9.
 :0040F833 7CF6                    jl 0040F82B                     <-- not yet, loop                      10.
 :0040F836 EBE8                    jmp 0040F820                    <-- loop back to start (40F820)        11.

 This is the essential point when considering the serial, because it's generated here. It works somewhat
 like this:

 1. Move the name to edx
 2. Move the current character (1st, 2nd, 3rd etc.) of your name to cl
 3. Test if it's the same as some other character
 4. No it's not (in our case), go on
 5. Zero out EAX -> EAX becomes 0
 6. Add 0Ch (12 in decimal) to the current char (which is in cl), e.g. -> 43 (C) + 12 = 55
 7. Xor the character (55 e.g.) with the value in [ebp+eax-08]
 8. Increase the counter (first byte done, second done, third done etc.) by one
 9. Compare 4 to EAX (EAX is the counter)
 10. If EAX is less than 4, jump back to 40F82B and go through this routine until EAX is 4
 11. Move on to the next character until all characters in your name are xor'ed.

 This is how the xoring happens with my name (C_DKnight):
 
 1. BD A1 BC B5 <-- this is the starting value in [ebp+eax-8]
 2. F2 EE F3 FA <-- you'll get these values after xoring C
 3. 99 85 98 91 <-- these after _
 4. C9 D5 C8 C1 <-- with D
 5. 9E 82 9F 96 <-- K
 6. E4 F8 E5 EC <-- etc.
 7. 91 8D 90 99
 8. E2 FE E3 EA
 9. 96 8A 97 9E

 =  16 0A 17 1E -> reverse this = 1E170A16
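 To check the table above, here is an added Python model of the loop at 40F81D..40F836; it is not code from
 the tute or from Classify. It assumes the start value BD A1 BC B5 from the table, reads test cl,cl as the
 end-of-string check, and treats name bytes as Latin-1. It also shows why a check built like this is weak
 from a design point of view: the same byte is xor'ed into all four state bytes, so their pairwise
 differences never change and the whole state carries only one byte of variation.

```python
# Added example (not from the tute or from Classify): model of the xor loop at 40F81D..40F836.
# Assumptions: START is the tute's "starting value in [ebp+eax-8]", 'test cl,cl' is the
# end-of-string check, and name characters are single Latin-1 bytes.

START = (0xBD, 0xA1, 0xBC, 0xB5)   # assumed start value, taken from the tute's table


def xor_step(state, ch):
    """One pass of the inner loop: 'add cl,0C', then xor cl into all 4 state bytes."""
    cl = (ch + 0x0C) & 0xFF            # add cl,0C is an 8-bit add, so it wraps at 0x100
    return [b ^ cl for b in state]     # xor [ebp+eax-08],cl for eax = 0..3


def trace(name):
    """Per-character table like the tute's: list of (char, state-after-xor) pairs."""
    rows = []
    state = list(START)
    for ch in name.encode("latin-1"):  # mov cl,[edx]; the loop stops at the NUL terminator
        state = xor_step(state, ch)
        rows.append((chr(ch), state))
    return rows


def final_state(name):
    """The 4 state bytes after the whole name has been xor'ed in."""
    rows = trace(name)
    return rows[-1][1] if rows else list(START)


def reversed_hex(state):
    """Read the state off backwards, as the tute does: 16 0A 17 1E -> '1E170A16'."""
    return "".join(f"{b:02X}" for b in reversed(state))


def pairwise_xor(state):
    """Design weakness: byte0 ^ byte_i is the same for every name, because every
    byte receives the identical cl. Only one byte of the state actually varies."""
    return [state[0] ^ state[i] for i in range(1, 4)]


if __name__ == "__main__":
    for ch, st in trace("C_DKnight"):
        print(ch, " ".join(f"{b:02X}" for b in st))
    print(reversed_hex(final_state("C_DKnight")))            # -> 1E170A16
    print(pairwise_xor(list(START)) == pairwise_xor(final_state("C_DKnight")))  # -> True
```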
 
 Yeah, this is the serial generation routine. See it for yourself to fully understand it.
 You have to figure out the correct serial yourself, but I can give you a few hints:

 1. You should find out the correct serial is 10 chars long
 2. Remember to add CE- at the beginning.

 Final Notes:

 Not a moment too early, I could say: South Park's on TV any minute now and we're finished with this tute.
 I think I learnt a lot from this app and I suggest you SHOULD TRACE IT TOO, not just read my notes.
 I guarantee you'll understand it much better than by just looking at the code listing.
 This is in fact my first tute in which I show the serial generation, yet I don't know if it's correct,
 but I'm satisfied with it :) If you feel/know I made a mistake somewhere, please let me know.

  -C_DKnight, c_dknight@iobox.com

 I'd like to greet all my friends:

 AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], Doufas, SeKt0r, nchanta,
 Icecream, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, X-Calibre, DnNuke, noos, nu, Thesmurf,
 defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackBird, FireWorx,
 SheeP14o, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Pincopall, Miscreant, croc, Br4t, [ViKiNg], N|Te,
 Phrekie, =Metal=, B|aze, Moredhel, Seffren, Dafoe, Speedsta, Rad|cal, [Daze], VisionZ, KaKTuZ, Stilgreen, 
 Kwazy Wabbit plus everyone else at #cdrinfo, #cracking4newbies and other chans, and of course those
 whom I forgot, my deepest apologies.