Solution by: Jeu
Type of compiler: Visual C++/C
Difficulty: Medium
00401501 /$ 55 PUSH EBP
00401502 |. 89E5 MOV EBP,ESP
00401504 |. 83EC 48 SUB ESP,0x48
00401507 |. E8 D9FFFFFF CALL C_File_C.004014E5
0040150C |. 83F8 01 CMP EAX,0x1
0040150F |. 75 07 JNZ SHORT C_File_C.00401518
00401511 |. B8 01000000 MOV EAX,0x1
00401516 |. EB 4F JMP SHORT C_File_C.00401567
00401518 | C74424 04 835MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; ||||ASCII "rb"
00401520 |. C70424 765040MOV DWORD PTR SS:[ESP],C_File_C.00405076 ; ||||ASCII "password.bin"
00401527 |. E8 8C260000 CALL ; |||\fopen
0040152C |. 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX ; |||
0040152F |. 8D45 D6 LEA EAX,DWORD PTR SS:[EBP-0x2A] ; |||
00401532 |. 894424 08 MOV DWORD PTR SS:[ESP+0x8],EAX ; |||
00401536 |. C74424 04 865MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; |||ASCII "%s"
0040153E |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] ; |||
00401541 |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
00401544 |. E8 5F260000 CALL ; ||\fscanf
00401549 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] ; ||
0040154C |. 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
0040154F |. E8 6C260000 CALL ; |\fclose
00401554 |. C74424 04 044MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; |ASCII "W269N-WFGWX-YVC9B-4J6C9-T83GX"
0040155C |. 8D45 D6 LEA EAX,DWORD PTR SS:[EBP-0x2A] ; |
0040155F |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |
00401562 |. E8 01260000 CALL ; \strcmp
00401567 | C9 LEAVE
00401568 \. C3 RETN
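Before looking at the patch, here is what the function above computes, written out as added example C code; it is not part of the crackme and not Jeu's code. It keeps the binary's own sequence (fopen("password.bin","rb"), fscanf with "%s", fclose, strcmp against the serial from the string references) and the 30-byte buffer implied by the offsets EBP-0x2A and EBP-0xC. The helper at 004014E5 is not shown in the listing, so it is left out. One deliberate difference: the binary uses a bare "%s", while this version uses "%29s" so an over-long token is truncated instead of running past the buffer. The keyfile path is an assumption; the binary reads password.bin from its working directory.

```c
#include <stdio.h>
#include <string.h>

/* Serial string from the string references in the listing (29 characters). */
#define SERIAL "W269N-WFGWX-YVC9B-4J6C9-T83GX"

/* The binary's buffer is at EBP-0x2A and the FILE* at EBP-0xC:
 * 0x2A - 0xC = 0x1E = 30 bytes, exactly strlen(SERIAL) + 1. */
#define BUF_SIZE 30

/* Mirror of 00401518..00401562, parsing an in-memory copy of the keyfile
 * so it runs without touching disk. Returns strcmp's result: 0 means the
 * keyfile is accepted, anything else means rejected. The width 29 is the
 * hardening the binary lacks (it calls fscanf with a bare "%s"). */
int check_keyfile_contents(const char *contents)
{
    char buf[BUF_SIZE] = {0};
    if (sscanf(contents, "%29s", buf) != 1)
        return 1;                       /* empty file: nothing to compare */
    return strcmp(buf, SERIAL);
}

/* Same check against a real file, following the binary's own calls
 * (fopen "rb", fscanf, fclose) apart from the width on %s. */
int check_keyfile(const char *path)
{
    char buf[BUF_SIZE] = {0};
    FILE *f = fopen(path, "rb");
    if (!f)
        return 1;
    int n = fscanf(f, "%29s", buf);
    fclose(f);
    return n == 1 ? strcmp(buf, SERIAL) : 1;
}

/* The "easy way": write the serial into password.bin. Returns 0 on success.
 * The path is an assumption (the program opens "password.bin" relative to
 * its working directory). */
int write_keyfile(const char *path)
{
    FILE *f = fopen(path, "wb");
    if (!f)
        return 1;
    int ok = fputs(SERIAL, f) >= 0;
    ok = (fclose(f) == 0) && ok;
    return ok ? 0 : 1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "password.bin";
    if (write_keyfile(path) != 0) {
        perror(path);
        return 1;
    }
    printf("%s: %s\n", path, check_keyfile(path) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Because "%s" reads a single whitespace-delimited token, a keyfile containing the serial followed by a newline or other text still matches; only the first token is compared.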
This is the part of the assembly where the program uses C runtime functions to check your password.bin keyfile for authentication. It first calls the helper at 004014E5 (not shown); if that returns 1, the function loads 1 into EAX and returns at once through the JMP SHORT to 00401567. Otherwise it opens password.bin with fopen("password.bin","rb"), reads one whitespace-delimited token with fscanf("%s") into the stack buffer at EBP-0x2A, closes the file and returns the result of strcmp(buffer, "W269N-WFGWX-YVC9B-4J6C9-T83GX"). strcmp returns 0 on a match, so a return value of 0 means the keyfile is accepted.
Note the bare "%s": the buffer has only 0x1E (30) bytes before the saved FILE pointer at EBP-0xC, exactly the 29-character serial plus its terminator, so a longer token in password.bin would write past it.
Using the serial is the easy way (write it into password.bin); patching is harder.
Look at CMP EAX,1 and the conditional jump JNZ over MOV EAX,1. NOP out the conditional jump so execution always falls through, and replace MOV EAX,1 with XOR EAX,EAX (two bytes, padded with three NOPs to fill the five-byte slot) so the function always returns 0 and never reaches fopen. The JMP SHORT to the epilogue stays as it is, and that is how you patch the program's authentication algorithm.
Just like that:
00401501 /$ 55 PUSH EBP
00401502 |. 89E5 MOV EBP,ESP
00401504 |. 83EC 48 SUB ESP,0x48
00401507 |. E8 D9FFFFFF CALL C_File_C.004014E5
0040150C |. 83F8 01 CMP EAX,0x1
0040150F 90 NOP
00401510 90 NOP
00401511 31C0 XOR EAX,EAX
00401513 90 NOP
00401514 90 NOP
00401515 90 NOP
00401516 |. EB 4F JMP SHORT C_File_C.00401567
00401518 | C74424 04 835MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; ||||ASCII "rb"
00401520 |. C70424 765040MOV DWORD PTR SS:[ESP],C_File_C.00405076 ; ||||ASCII "password.bin"
00401527 |. E8 8C260000 CALL ; |||\fopen
0040152C |. 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX ; |||
0040152F |. 8D45 D6 LEA EAX,DWORD PTR SS:[EBP-0x2A] ; |||
00401532 |. 894424 08 MOV DWORD PTR SS:[ESP+0x8],EAX ; |||
00401536 |. C74424 04 865MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; |||ASCII "%s"
0040153E |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] ; |||
00401541 |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
00401544 |. E8 5F260000 CALL ; ||\fscanf
00401549 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] ; ||
0040154C |. 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
0040154F |. E8 6C260000 CALL ; |\fclose
00401554 |. C74424 04 044MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; |ASCII "W269N-WFGWX-YVC9B-4J6C9-T83GX"
0040155C |. 8D45 D6 LEA EAX,DWORD PTR SS:[EBP-0x2A] ; |
0040155F |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |
00401562 |. E8 01260000 CALL ; \strcmp
00401567 | C9 LEAVE
00401568 \. C3 RETN
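To put these bytes into the executable on disk, here is an added example patcher (my code, not from the page or the crackme) that takes the twelve bytes at 0040150C..00401517 from the two listings above and replaces the original sequence with the patched one. It searches for the original byte pattern instead of converting the virtual address to a file offset, because the listing shows no section headers, and it refuses to patch when the pattern is missing or occurs more than once. Input and output file names are command-line arguments; the module name C_File_C suggests the file is C_File_C.exe, but that is an assumption. Back up the original first.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes of 0040150C..00401517 before the patch, copied from the listing. */
static const unsigned char ORIG[12] = {
    0x83, 0xF8, 0x01,               /* CMP EAX,1                        */
    0x75, 0x07,                     /* JNZ SHORT 00401518               */
    0xB8, 0x01, 0x00, 0x00, 0x00,   /* MOV EAX,1                        */
    0xEB, 0x4F                      /* JMP SHORT 00401567 (LEAVE; RETN) */
};

/* The same 12 bytes as the writeup patches them. */
static const unsigned char PATCHED[12] = {
    0x83, 0xF8, 0x01,               /* CMP EAX,1 kept; its flags go unused */
    0x90, 0x90,                     /* NOP NOP in place of the JNZ      */
    0x31, 0xC0,                     /* XOR EAX,EAX: return value 0      */
    0x90, 0x90, 0x90,               /* pad the 3 bytes left by the MOV  */
    0xEB, 0x4F                      /* JMP SHORT 00401567 unchanged     */
};

/* Locate ORIG in buf. Returns its offset, -1 if absent and -2 if it
 * occurs more than once (a blind patch could then hit the wrong code). */
long find_pattern(const unsigned char *buf, size_t len)
{
    long found = -1;
    for (size_t i = 0; len >= sizeof ORIG && i + sizeof ORIG <= len; i++) {
        if (memcmp(buf + i, ORIG, sizeof ORIG) == 0) {
            if (found != -1)
                return -2;
            found = (long)i;
        }
    }
    return found;
}

/* Apply the patch in place. Returns the patched offset on success,
 * or find_pattern's negative error code. */
long apply_patch(unsigned char *buf, size_t len)
{
    long off = find_pattern(buf, len);
    if (off < 0)
        return off;
    memcpy(buf + off, PATCHED, sizeof PATCHED);
    return off;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <original.exe> <patched.exe>\n", argv[0]);
        return 2;
    }
    FILE *in = fopen(argv[1], "rb");
    if (!in) { perror(argv[1]); return 1; }
    fseek(in, 0, SEEK_END);
    long len = ftell(in);
    rewind(in);
    unsigned char *buf = malloc(len > 0 ? (size_t)len : 1);
    if (!buf || len < 0 || fread(buf, 1, (size_t)len, in) != (size_t)len) {
        fprintf(stderr, "read of %s failed\n", argv[1]);
        return 1;
    }
    fclose(in);

    long off = apply_patch(buf, (size_t)len);
    if (off == -1) { fprintf(stderr, "pattern not found (already patched?)\n"); return 1; }
    if (off == -2) { fprintf(stderr, "pattern found more than once; refusing\n"); return 1; }

    FILE *out = fopen(argv[2], "wb");
    if (!out || fwrite(buf, 1, (size_t)len, out) != (size_t)len || fclose(out) != 0) {
        perror(argv[2]);
        return 1;
    }
    printf("patched 12 bytes at file offset 0x%lx\n", off);
    free(buf);
    return 0;
}
```

Running the tool twice on the same file fails on the second pass with "pattern not found", which is the intended guard against double patching; verify the result by reopening the patched file in the debugger and checking that 0040150F now reads NOP NOP and 00401511 reads XOR EAX,EAX.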
Once you write these NOPs and the XOR, you bypass the authentication and break the program's check for good: it no longer matters what password.bin contains, or whether it exists at all, because the patched function returns 0 before fopen is ever reached.
Because the serial sits in plain text in the string references, using it is the easy way; patching is not.
By Jeu.
The solution: inline patching, NOPping the one conditional jump and the MOV EAX,1 that sets EAX to one. The program then shows its "correct!" message.