Phox Crackme 3
--------------

This one wasn't so hard either. First off, start the crackme and enter a junk serial (I entered '11223344'), set a breakpoint on MessageBoxA, press the OK button and you'll land here:

:0040122E E852000000 CALL USER32!MessageBoxA
:00401233 33C0 XOR EAX,EAX
:00401235 5E POP ESI
:00401236 5F POP EDI
:00401237 5B POP EBX
:00401238 C9 LEAVE
:00401239 C21000 RET 0010

Scroll up a bit and you'll see:

:0040118B 837D1020 CMP DWORD PTR [EBP+10],20 ; checks if the 'OK' button is pressed
:0040118F 0F859E000000 JNZ 00401233 ; jump if not
:00401195 56 PUSH ESI
:00401196 6898204000 PUSH 00402098
:0040119B FF354C204000 PUSH DWORD PTR [0040204C]
:004011A1 E8C7000000 CALL USER32!GetWindowTextA ; get our entered serial
:004011A6 BB98204000 MOV EBX,00402098 ; EBX = our entered serial
:004011AB FF354C204000 PUSH DWORD PTR [0040204C]
:004011B1 E8C3000000 CALL USER32!GetWindowTextLengthA ; get the length of our entered serial
:004011B6 8BF0 MOV ESI,EAX ; ESI = length of our serial
:004011B8 83FE12 CMP ESI,12 ; compare ESI with 12h (18)
:004011BB 755F JNZ 0040121C ; jump if length isn't 18 chars
:004011BD 803B46 CMP BYTE PTR [EBX],46 ; checks if the first char we entered is an 'F'
:004011C0 755A JNZ 0040121C ; jump if not
:004011C2 807B0169 CMP BYTE PTR [EBX+01],69 ; second char 'i'
:004011C6 7554 JNZ 0040121C ; jump if not
:004011C8 807B0372 CMP BYTE PTR [EBX+03],72 ; fourth char 'r'
:004011CC 754E JNZ 0040121C ; jump if not
:004011CE 807B0465 CMP BYTE PTR [EBX+04],65 ; fifth char 'e'
:004011D2 7548 JNZ 0040121C ; jump if not
:004011D4 807B0657 CMP BYTE PTR [EBX+06],57 ; seventh char 'W'
:004011D8 7542 JNZ 0040121C ; jump if not
:004011DA 807B076F CMP BYTE PTR [EBX+07],6F ; eighth char 'o'
:004011DE 753C JNZ 0040121C ; jump if not
:004011E0 807B0872 CMP BYTE PTR [EBX+08],72 ; ninth char 'r'
:004011E4 7536 JNZ 0040121C ; jump if not
:004011E6 807B0A78 CMP BYTE PTR [EBX+0A],78 ; eleventh char 'x'
:004011EA 7530 JNZ 0040121C ; jump if not
:004011EC 807B0C53 CMP BYTE PTR [EBX+0C],53 ; thirteenth char 'S'
:004011F0 752A JNZ 0040121C ; jump if not
:004011F2 807B0D75 CMP BYTE PTR [EBX+0D],75 ; fourteenth char 'u'
:004011F6 7524 JNZ 0040121C ; jump if not
:004011F8 807B1078 CMP BYTE PTR [EBX+10],78 ; sixteenth char 'x'
:004011FC 751E JNZ 0040121C ; jump if not
:004011FE 6A30 PUSH 30
:00401200 687F204000 PUSH 0040207F
:00401205 688B204000 PUSH 0040208B
:0040120A FF3548204000 PUSH DWORD PTR [00402048]
:00401210 E870000000 CALL USER32!MessageBoxA ; good cracker msg box
:00401215 5E POP ESI
:00401216 5F POP EDI
:00401217 5B POP EBX
:00401218 C9 LEAVE
:00401219 C21000 RET 0010
:0040121C 6A30 PUSH 30
:0040121E 68C0204000 PUSH 004020C0
:00401223 68D1204000 PUSH 004020D1
:00401228 FF3548204000 PUSH DWORD PTR [00402048]
:0040122E E852000000 CALL USER32!MessageBoxA ; bad cracker msg box
:00401233 33C0 XOR EAX,EAX
:00401235 5E POP ESI
:00401236 5F POP EDI
:00401237 5B POP EBX
:00401238 C9 LEAVE
:00401239 C21000 RET 0010

OK, so now we know that it checks for Fi*re*Wor*x*Su**x* where the '*'s can be whichever char you like..

---
/Klefz
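As an added example (my own code, not part of Klefz's write-up and not from the crackme), here is the check above reconstructed in Python. It takes an excerpt of the listing, constructed from the lines shown on this page, pulls out the length compare against ESI and every CMP BYTE PTR [EBX+xx] against the serial buffer, renders them as the Fi*re*Wor*x*Su**x* pattern, and re-implements the validation so you can confirm which inputs reach the "good cracker" box. The regexes assume the disassembler's output format as it appears on this page (uppercase hex, `[EBX]` for offset zero).

```python
import re

# Constructed excerpt of the Phox Crackme 3 listing from the write-up above.
# Only the instructions that constrain the serial are kept; addresses and
# opcode bytes are copied from the listing, the JNZ lines are omitted.
LISTING = """\
:004011B8 83FE12   CMP ESI,12                 ; compare ESI with 12h (18)
:004011BD 803B46   CMP BYTE PTR [EBX],46      ; first char 'F'
:004011C2 807B0169 CMP BYTE PTR [EBX+01],69   ; second char 'i'
:004011C8 807B0372 CMP BYTE PTR [EBX+03],72   ; fourth char 'r'
:004011CE 807B0465 CMP BYTE PTR [EBX+04],65   ; fifth char 'e'
:004011D4 807B0657 CMP BYTE PTR [EBX+06],57   ; seventh char 'W'
:004011DA 807B076F CMP BYTE PTR [EBX+07],6F   ; eighth char 'o'
:004011E0 807B0872 CMP BYTE PTR [EBX+08],72   ; ninth char 'r'
:004011E6 807B0A78 CMP BYTE PTR [EBX+0A],78   ; eleventh char 'x'
:004011EC 807B0C53 CMP BYTE PTR [EBX+0C],53   ; thirteenth char 'S'
:004011F2 807B0D75 CMP BYTE PTR [EBX+0D],75   ; fourteenth char 'u'
:004011F8 807B1078 CMP BYTE PTR [EBX+10],78   ; sixteenth char 'x'
"""

# Length check: ESI holds the GetWindowTextLengthA result, immediate is hex.
LEN_RE = re.compile(r"\bCMP ESI,([0-9A-F]+)\b")
# Byte check against the serial buffer (EBX); the offset is absent for [EBX], i.e. +00.
BYTE_RE = re.compile(r"CMP BYTE PTR \[EBX(?:\+([0-9A-F]{1,2}))?\],([0-9A-F]{2})")


def extract_checks(listing):
    """Return (required_length, {offset: required_char}) recovered from the listing."""
    required_len = None
    fixed = {}
    for line in listing.splitlines():
        code = line.split(";", 1)[0]  # drop the commentary column
        m = LEN_RE.search(code)
        if m:
            required_len = int(m.group(1), 16)
            continue
        m = BYTE_RE.search(code)
        if m:
            offset = int(m.group(1) or "0", 16)
            fixed[offset] = chr(int(m.group(2), 16))
    return required_len, fixed


def build_mask(required_len, fixed, wildcard="*"):
    """Render the constraints as a pattern; wildcard marks positions the binary never looks at."""
    return "".join(fixed.get(i, wildcard) for i in range(required_len))


def check_serial(serial, required_len, fixed):
    """Mirror the binary: the length compare and every byte compare must pass, else 'bad cracker'."""
    if len(serial) != required_len:  # CMP ESI,12 / JNZ bad
        return False
    # each CMP BYTE PTR [EBX+xx],yy / JNZ bad
    return all(off < len(serial) and serial[off] == ch for off, ch in fixed.items())


if __name__ == "__main__":
    n, fixed = extract_checks(LISTING)
    print("required length:", n)
    print("pattern:", build_mask(n, fixed))
    for s in ("11223344", "Fi*re*Wor*x*Su**x*", "FiXreXWorXxXSuXXxX"):
        print(s, "->", "good cracker" if check_serial(s, n, fixed) else "bad cracker")
```

Running it prints the required length 18, the pattern Fi*re*Wor*x*Su**x*, and "bad cracker" for the junk serial. The point of pulling the constraints out mechanically rather than by eye is that nothing is checked at offsets 2, 5, 9, 11, 14, 15 and 17, which is exactly why the write-up's '*' positions are free.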