About the Challenge:

Language:   Assembler
Platform:   Windows 2000/XP only
Difficulty: 1.0
Quality:    4.0
Arch:       x86


Analysis:

When we run the challenge and type anything into the fields, it pops up the message shown in the screenshot.

So we search for this string in IDA Pro and land in the function shown below.

In this function we can see that it compares two things (at 0x40125C) and, if they are not equal, jumps to the "incorrect" message. So we rename this function to "check_algo" and go back to the function that calls it.

On the first screen of this function we see, at offset 4010A6, a check of whether the user-name field is empty. We will assume that the serial depends on the user name; this is only an assumption and we are not sure yet, but let's continue.

After the empty check it places the user name at an offset we will call offset_of_user_name, then pushes the length of the user name and calls a function (the one I named earlier, but you should follow the code step by step yourself). So we go into this function and see what it does.

This function starts by moving a pointer to offset_of_user_name into esi and the offset 403100 into edi, then runs a loop with a counter of 16 (decimal). On every iteration it takes one byte from offset_of_user_name and pushes it, together with the loop counter (ecx), to the function at 0x4011A9. Before going into that function we can assume it takes the user name, performs some operation on it, and afterwards compares the result with the serial; but let's see exactly what it does.

We see some operations we don't care about, because they don't touch any data that matters to us, so we focus on the code from 4011E9. It takes the byte we pushed, moves it into eax, and adds the loop counter that we also pushed. Then it checks whether the result is greater than 21h (which in ASCII is "!"): if not, it adds 21h. If it is, it checks whether the result is lower than 7Bh (which also equals X): if not, it shifts the result right once; if so, it moves the result into eax. To summarize, here is an example: assume the first character of your name is "m", which in ASCII is 6D.

First it adds ecx, which at this point is 16 decimal = 10h:

result = 6Dh + 10h = 7Dh

Then it checks 7D > 21:

  if false, add 21h
  if true, check 7D < 7B:
    if true, store it in eax
    if false, shift right once and then store it

In our case it shifts, so 7Dh after the shift becomes 3Eh (">").

Then, back in the calling function, it does this with every char from offset_of_user_name to offset_of_user_name + 10h and stores the results at offset 403100. So this function converts every character, but we don't yet know exactly why, so we return to the caller once more.

We see it takes the text in the serial field, checks that it is not empty, then pushes the serial text to the check_algo function, which compares every char of the serial with the contents of offset 403100, i.e. the converted user name. So our assumption was right: the serial depends on the user name.

So, for example: user name = check // serial = swspw,+*)('&%$#"  (16 characters; the last one is a double quote).
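To put the whole routine together, here is an added Python reimplementation of the per-character transform as read off the disassembly above. It is my own code, not the crackme's, and it makes three assumptions: the 16-byte buffer at 403100 is filled from a user-name buffer that is zero-padded after the name, the loop counter ecx runs 16, 15, ..., 1 (so the first byte gets 16), and check_algo requires all 16 stored bytes to match the serial. Run on the page's own pair (check / swspw...) it reproduces the serial, and on the "m" example it reproduces ">".

```python
# Added example (not the crackme's own code): reconstruction of the routine at
# 0x4011A9 and of the loop that feeds it, as described in the write-up.

NAME_BUF_LEN = 0x10  # the loop runs 16 times, offset_of_user_name .. +10h


def transform_byte(byte: int, counter: int) -> int:
    """One call of the 0x4011A9 routine: eax = byte + ecx, then fix it up.

    result = byte + ecx
    if result <= 21h:   add 21h
    elif result >= 7Bh: shift right once
    else:               keep as is
    """
    result = byte + counter
    if not result > 0x21:
        result += 0x21
    elif not result < 0x7B:
        result >>= 1
    # The caller stores a single byte at [edi], so truncate to 8 bits.
    return result & 0xFF


def serial_for(user_name: str) -> str:
    """Rebuild the 16 bytes that the caller writes to offset 403100."""
    # Assumption: the name buffer is zero-padded to 16 bytes and longer
    # names are cut off at 16 characters.
    raw = user_name.encode("latin-1")[:NAME_BUF_LEN].ljust(NAME_BUF_LEN, b"\x00")
    # Assumption: ecx counts down from 16, so byte i is paired with 16 - i.
    out = bytes(transform_byte(b, NAME_BUF_LEN - i) for i, b in enumerate(raw))
    return out.decode("latin-1")


def check_algo(user_name: str, serial: str) -> bool:
    """Equivalent of check_algo: every serial char must equal the converted name."""
    # Assumption: the comparison covers all 16 bytes, no more and no fewer.
    return serial == serial_for(user_name)


if __name__ == "__main__":
    # The "m" walk-through from the text: 6Dh + 10h = 7Dh, not < 7Bh, so >> 1.
    print(hex(transform_byte(ord("m"), 16)), chr(transform_byte(ord("m"), 16)))
    # The page's worked pair.
    print(repr(serial_for("check")))
    print(check_algo("check", serial_for("check")))
```

Note that the zero bytes after a short name are what produce the run of punctuation at the end of the serial: 0 + ecx is never greater than 21h, so each of those bytes becomes 21h + ecx, counting down from "," to the closing double quote.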