| This one was a LOT of fun. I'm not great at patching so learning how to make non destructive patches really upped my game. I suggest using ResourceHacker for any resource related changes.
| This was was neat. The packer was a trivial fix but I learned something about floating point representation lol. Only required a 2 byte patch.
"Congrats! This license is valid!" string easily found and xrefd only at 0xbf26c8
Analyzing the decomp for this function I see that:
len(license) % 0x3c must equal 3
license must be larger than 0x2a
license must be smaller than 0x48
This can be easily found with the following python:
for n in range(0x2a + 1, 0x48):
if n % 0x3c == 3: print(chr(n))
First thing I noticed was that "\nGood Job. You have cracked OldSoft's" xrefd in 0x402cc0
The function 0x401560 generates the serial
In that function we see that the format of the serial is %d-%d
The function iterates through each letter in the user input
However I wasn't really able to follow the logic well even though it's pretty simple
| U: iwonderhowitfeelstobeatimetraveler
size() compare of username input at 0x46EEFA requires a 0x22 (34) byte string
Shortly after successful 0x22 byte username input we find a string compare located at 0x1C1908
This string happens to be "iwonderhowitfeelstobeatimetraveler", this must be the username
We then find a password input compare of "heyamyspaceboardisbrokencanyouhelpmefindit?"
We can verify that this is the correct username and password
Additionally we could have just checked strings to find them in plaintext and fuzzed the binary for a solution
Break somewhere during normal execution then set eip to 0x401500
Then break directly after printf