trendcrusher on 10:45 AM 10/03/2025: Located comparison at 0x1400bd566 (cmp byte ptr [rbp-0x64], 0) followed by a conditional jump to the failure handler and replaced the conditional je instruction with two nop bytes (0x90 0x90) at file offset 0x00000000000BC5EA (772458) to disable the failure branch.
Thank you for the task
miarey on 12:56 PM 10/03/2025: @trendcrusher Just getting "status: ok" doesn’t mean you’ve succeeded; there should be both "status: ok" and a generated license.
sekumane on 7:46 PM 10/03/2025: 0000000140001000 40 53 push ebx
0000000140001002 48 83 db 0x83
0000000140001004 ec db 0xec
0000000140001005 20 db 0x20
0000000140001006 48 8b d9 mov rbx, rcx
0000000140001009 48 8b c2 mov rax, rdx
000000014000100c 48 8d 0d 45 f3 0b 00 lea rcx, [0x1400c0358]
0000000140001013 0f 57 db 0xf, 0x57
0000000140001015 c0 db 0xc0
0000000140001016 48 8d 53 08 lea rdx, QWORD PTR [rbx+0x8]
000000014000101a 48 89 0b mov QWORD PTR [rbx], rcx
000000014000101d 48 8d 48 08 lea rcx, QWORD PTR [rax+0x8]
CashApp: @slyemane
lexx on 9:26 PM 10/03/2025: Hi
And what should happen after entering the correct or incorrect password?
The program freezes after the output "code:".
miarey on 9:32 PM 10/03/2025: @lexx example
license: 31
status: ok
code: DIDNWOSNWODWO28373O
karabatik on 9:55 AM 10/04/2025: Hey buddy, can you contact me on Discord? dc: karabatik
andreycha on 10:29 AM 10/04/2025: .text:00000001400B2830 imul esi, 83h ; 'ѓ'
.text:00000001400B2836 movzx eax, byte ptr [rdx]
.text:00000001400B2839 add esi, eax
.text:00000001400B283B inc rdx
.text:00000001400B283E cmp rdx, r8
.text:00000001400B2841 jnz short loc_1400B2830
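#include <stdint.h>

/* Decompiled form of the loop above: hash = hash * 0x83 + byte, 32-bit wraparound. */
uint32_t calculate_hash(const char* str) {
    uint32_t hash = 0;
    const char* ptr = str;
    while (*ptr) {
        hash = hash * 0x83 + (uint8_t)*ptr;
        ptr++;
    }
    return hash;
}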
.text:00000001400B287B cmp [rbx+30h], ecx //Check hash
andreycha on 10:31 AM 10/04/2025: If you try to restore the original data, you will see that this data includes non-printable characters, i.e. entering this data from the console will not work.
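#include <cstdint>
#include <vector>

uint32_t target_hash = 0xFB59EA6E;

// Base-0x83 digits of the target hash, most significant first.
std::vector<uint8_t> get_solve_bytes() {
    std::vector<uint8_t> result;
    for (uint32_t h = target_hash; h; h = (h - h % 0x83) / 0x83)
        result.insert(result.begin(), h % 0x83);
    return result;
}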
andreycha on 10:31 AM 10/04/2025: result={0x0E,0x29,0x69,0x0A,0x5E} //correct data for hash
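An added example, not part of any comment in this thread: it round-trips the values quoted above to show why a 32-bit multiply-by-0x83 hash is not a one-way check. The function names hash131, base131_digits and count_nonprintable are assumptions made for this sketch; the hash is written length-bounded, as in the disassembled loop, so that any byte value is accepted.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Length-bounded form of the loop at 0x1400B2830:
// esi = esi * 0x83 + byte, with 32-bit wraparound.
uint32_t hash131(const std::vector<uint8_t>& data) {
    uint32_t h = 0;
    for (uint8_t b : data) h = h * 0x83u + b;
    return h;
}

// Shortest preimage: the base-0x83 digits of the target, most significant
// first. Every digit is below 0x83 and the value fits in 32 bits, so hashing
// the digits back never overflows and reproduces the target exactly.
std::vector<uint8_t> base131_digits(uint32_t target) {
    std::vector<uint8_t> out;
    for (uint32_t h = target; h != 0; h /= 0x83u)
        out.insert(out.begin(), static_cast<uint8_t>(h % 0x83u));
    return out;
}

// Number of bytes that are not printable ASCII, i.e. cannot simply be typed
// at a console prompt.
std::size_t count_nonprintable(const std::vector<uint8_t>& data) {
    std::size_t n = 0;
    for (uint8_t b : data)
        if (!std::isprint(b)) ++n;
    return n;
}

int main() {
    const uint32_t target = 0xFB59EA6E;  // target hash quoted in the thread
    const std::vector<uint8_t> bytes = base131_digits(target);
    for (uint8_t b : bytes) std::printf("0x%02X ", static_cast<unsigned>(b));
    std::printf("\nrehash: 0x%08X, non-printable bytes: %zu\n",
                static_cast<unsigned>(hash131(bytes)), count_nonprintable(bytes));
    return 0;
}
```

Because the digits recover an input directly from the stored constant, a comparison against this hash protects nothing that a salted, slow password hash or a signature check would.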
andreycha on 10:32 AM 10/04/2025:
But we can patch the memory after reading the characters entered in the console into the intermediate buffer. Reading data into the intermediate buffer occurs here:
.text:00000001400AE70E mov [rax+rcx], r9b // [rax+rcx] is a pointer to the buffer
status: ok
code: NYITQLWNHU5P75J5RJQ7QJ3GRU6GK64NMMTTKYOMG6K24D2AYGHA
andreycha on 10:34 AM 10/04/2025: Did you intentionally make it impossible to enter the correct data for calculating the hash from the console?
@miarey
miarey on 1:05 PM 10/04/2025: @andreycha add me dc: themiarey
lexx on 9:55 PM 10/04/2025: license: lexx
status: ok
code: 3GMD4XLY2P5CGAXEGMYNQIIRT5W4EQ2T7SMBRNXXVOGVHOKYX7JQ
miarey on 10:56 PM 10/04/2025: @lexx discord?