- The program calls GetUserNameA to get the logged on user's name.
- It converts the username into all capitalized letters.
- It generates a key by using the ASCII code of each letter of the username as an index against an offset pointer to a secret key string ("ThisIsAStringOfLength26MW2"). *Note that the string is not stored as a normal sequence of bytes: each letter is offset by four bytes from the previous one.*
- This string begins at the hardcoded address .data.00421084, and the pointer used for indexing is offset by the ASCII code of the letter 'A', which is 0x41. Thus, the first letter of the string begins at .data.421000.
- This key is generated *after* the user is asked to provide a key of their own.
- If the user inputs the same key as the one that was generated, the program enters its success branch.
- It should be noted that the program does not take into account usernames that contain characters other than letters, since the characters of the secret string correspond only to the ASCII codes of the capital letters. Thus, any other character in the username would index whatever memory lies *around* the secret string.
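A reconstruction of the key derivation described above, added here as an example and not code from the write-up or from the program itself. The 4-byte-stride table layout, the function names and the buffer sizes are assumptions; unlike the program, it rejects non-letter characters instead of indexing memory outside the secret string.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Secret string quoted in the write-up. */
static const char SECRET[] = "ThisIsAStringOfLength26MW2";
#define SECRET_LEN 26

/* The binary keeps one letter per 4-byte slot; we model that stride with a
   uint32_t array whose low byte holds the letter (assumed layout). Indexing
   table[c - 'A'] is the same lookup as (base - 4*'A') + 4*c in the binary. */
static uint32_t table[SECRET_LEN];

static void init_table(void)
{
    for (size_t i = 0; i < SECRET_LEN; i++)
        table[i] = (unsigned char)SECRET[i];
}

/* Upper-case the name, then use each letter's ASCII code relative to 'A' as
   the index into the 4-byte-stride table. Any character outside 'A'..'Z'
   would read around the table, so it is rejected here (the check the
   program lacks). Returns the key length, or -1 on a rejected character
   or a too-small output buffer. */
int derive_key(const char *username, char *out, size_t outlen)
{
    size_t n = strlen(username);
    if (n + 1 > outlen)
        return -1;
    init_table();
    for (size_t i = 0; i < n; i++) {
        int c = toupper((unsigned char)username[i]);
        if (c < 'A' || c > 'Z')
            return -1;                  /* would index memory around SECRET */
        size_t idx = (size_t)(c - 'A'); /* 0..25, always inside the table */
        out[i] = (char)(table[idx] & 0xff);
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience check: does the key derived from username equal expected? */
int key_matches(const char *username, const char *expected)
{
    char key[64];
    return derive_key(username, key, sizeof key) >= 0 &&
           strcmp(key, expected) == 0;
}
```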
The program calls a function which generates the secret number. time(0) is called to get a seed for its pseudorandom number generator. It then performs a few simple calculations against the seed and converts the result into a floating-point number. It proceeds to perform some further calculations, then returns and stores the number. The program then requests input from the user. Another function is called where the guess is converted into a floating-point value. If the secret number and the user's guess are the same as truncated values, the program ends up at the success branch within a separate "decision" function which prints the result.
The aforementioned solution, however, does not explain the strange number that is printed before the program exits. Out of curiosity I decided to investigate and found out that the program simply prints that address. Maybe an easter egg? 420... blaze it? 69... best position? 18... yeah...
There is a bug in the implementation of the second scanf, used to get the user's comment, because it allows an arbitrary number of characters to be entered.
This bug allows a buffer overflow to be triggered if the input is exactly 8 characters.
The input overwrites a value that decides whether the program will follow the success or failure branch.
Simply step through the program until a bunch of comparisons are performed, at which point it is revealed that the password has been hardcoded in plain text and is compared in an obfuscated (?) way against the user's input.