		-----------------------------------
			Duelist's Crackme #6
		Tutorial by Lucifer48, 25 June 1999
		-----------------------------------

===============
1. INTRODUCTION
===============

The text file that comes with the crackme says:
"this time i may have created a challenge that is too hard for most of the people, ..."
At the beginning I was a little afraid, but one hour later I laughed :)
This crackme is in fact deadly easy! I apologize for my lame English.

============
2. THE ESSAY
============

The protection consists of two loops:

XXXX:0040106B  MOV  EAX,36455544        ;"DUE6" inside out
XXXX:00401070  MOV  ECX,[00402121]      ;read the first four chars
XXXX:00401076  ROL  EAX,06
XXXX:00401079  XOR  AH,AL
XXXX:0040107B  ADD  AL,CL
XXXX:0040107D  DEC  ECX
XXXX:0040107E  JNZ  00401076
XXXX:00401080  CMP  EAX,04071885
XXXX:00401085  JNZ  004010D5            ;(jump)= bad cracker!

The second loop is the same thing; just replace 36455544 with 43534952 ("CSIR") and
04071885 with 4B00D127.

The serial must have 8 chars. But how do we find the first 4 chars of the serial?
Those 4 chars are loaded into ECX, and ECX is only the loop counter (its low byte CL is also
what gets added to AL on each pass). So there is no unknown number hidden in the computation:
we must find how many passes (= ECX) give the right result (04071885 for the first loop, and
4B00D127 for the second loop).
The solution is to run the loop backwards, from its end to its beginning: start from the
expected result with ECX = 0 (the value ECX has when the loop exits) and undo one pass at a
time until EAX is back at its starting value. This is possible here because each instruction
in the loop has an inverse.
(Example: I want to obtain 85h after an ADD AL,01 instruction, so AL = 84h before it; it is no
more difficult than that!)

DEC ECX    ===> INC ECX
ADD AL,CL  ===> SUB AL,CL
XOR AH,AL  ===> XOR AH,AL        ;a XOR b = c <=> c XOR b = a, NEVER FORGET THIS!
ROL EAX,06 ===> ROR EAX,06

Look at the source, it is very simple (don't forget to activate the int 3 detection in
Soft-ICE).
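
The backward walk described above, written out in C as an added example. It is not the
source the author refers to; the function names are made up here, and the seeds and expected
results are the constants from the listing.

```c
/* Added example (not the tutorial's source): the check loop at 00401076 and its inverse. */
#include <stdint.h>
#include <stdio.h>

static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* One pass of the loop body: ROL EAX,06 / XOR AH,AL / ADD AL,CL */
static uint32_t step(uint32_t eax, uint32_t ecx) {
    eax = rol32(eax, 6);
    eax ^= (eax & 0xFFu) << 8;                           /* XOR AH,AL */
    return (eax & 0xFFFFFF00u) | ((eax + ecx) & 0xFFu);  /* ADD AL,CL: no carry into AH */
}

/* The same pass undone: SUB AL,CL / XOR AH,AL / ROR EAX,06 */
static uint32_t unstep(uint32_t eax, uint32_t ecx) {
    eax = (eax & 0xFFFFFF00u) | ((eax - ecx) & 0xFFu);   /* SUB AL,CL */
    eax ^= (eax & 0xFFu) << 8;                           /* XOR AH,AL */
    return ror32(eax, 6);
}

/* The loop as the crackme runs it: tested at the bottom, so ECX = 0 means 2^32 passes. */
uint32_t forward(uint32_t eax, uint32_t ecx) {
    do { eax = step(eax, ecx); } while (--ecx != 0);
    return eax;
}

/* Walk back from target; each k where EAX == seed is a valid ECX. Returns the hit count. */
size_t find_counts(uint32_t seed, uint32_t target, uint64_t limit, uint32_t *out, size_t max) {
    size_t hits = 0;
    uint32_t eax = target;
    for (uint64_t k = 1; k <= limit; k++) {      /* k is ECX after each INC ECX */
        eax = unstep(eax, (uint32_t)k);
        if (eax == seed) { if (hits < max) out[hits] = (uint32_t)k; hits++; }
    }
    return hits;
}

int main(void) {   /* seeds and expected results are the constants from the listing */
    const uint32_t seed[2] = { 0x36455544u, 0x43534952u };
    const uint32_t want[2] = { 0x04071885u, 0x4B00D127u };
    for (int i = 0; i < 2; i++) {
        uint32_t c[8];
        size_t n = find_counts(seed[i], want[i], 1ull << 32, c, 8);  /* every possible ECX */
        for (size_t j = 0; j < n && j < 8; j++)
            printf("loop %d: ECX = %08X\n", i + 1, (unsigned)c[j]);
    }
    return 0;
}
```

Each full search is 2^32 backward passes, and the last one (k = 2^32, stored as 0) covers the
case where the loop starts with ECX = 0.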

For the first loop, we find the following values of ECX:
	0DBD76F6
	34647369 <---- hehe :)
	C4E2A92A
For the second loop, we find a single solution:
	72657665

Serial: isd4ever

Greetings: ID group, Eternal Bliss (wonderful site), tC... (for his *big* crackme in Delphi),
           ACiD BuRN, and others I forgot.

Lucifer48
