Chal4 – Easy Keygen Challenge

Posted: January 26, 2016 in Chal4. Easy Keygen Challenge
Tags:

Rule: Find the Name when the Serial is 5B134977135E7D13

With the above Serial, we can guess the Name will have 8 characters. Combine analysis target by both IDA and OllyDBG, we have the pseudo code is:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  signed int j; // ebp@1
  signed int i; // esi@1
  int result; // eax@6
  int v6; // [sp+0h] [bp-13Ch]@0
  int v7; // [sp+0h] [bp-13Ch]@1
  char defVal[3]; // [sp+Ch] [bp-130h]@1
  char szBuff; // [sp+10h] [bp-12Ch]@1
  char v10; // [sp+11h] [bp-12Bh]@1
  __int16 v11; // [sp+71h] [bp-CBh]@1
  char v12; // [sp+73h] [bp-C9h]@1
  char szCalSerial; // [sp+74h] [bp-C8h]@1
  char v14; // [sp+75h] [bp-C7h]@1
  __int16 v15; // [sp+139h] [bp-3h]@1
  char v16; // [sp+13Bh] [bp-1h]@1

  szBuff = 0;
  szCalSerial = 0;
  memset(&v10, 0, 0x60u);
  v11 = 0;
  v12 = 0;
  memset(&v14, 0, 0xC4u);
  v15 = 0;
  v16 = 0;
  defVal[0] = 0x10;
  defVal[1] = 0x20;
  defVal[2] = 0x30;
  sub_4011B9((int)"Input Name: ", v6);
  scanf("%s", &szBuff);
  j = 0;
  for ( i = 0; j < (signed int)strlen(&szBuff); ++i ) { if ( i >= 3 )
      i = 0;
    sprintf(&szCalSerial, "%s%02X", &szCalSerial, *(&szBuff + j++) ^ defVal[i]);
  }
  memset(&szBuff, 0, 0x64u);
  sub_4011B9((int)"Input Serial: ", v7);
  scanf("%s", &szBuff);
  if ( !strcmp(&szBuff, &szCalSerial) )
  {
    sub_4011B9((int)"Correct!\n", *(int *)defVal);
    result = 0;
  }
  else
  {
    sub_4011B9((int)"Wrong\n", *(int *)defVal);
    result = 0;
  }
  return result;
}

Very clearly, this code gets the Input Name to szBuff. Through the loop to convert the Input Name by using XOR operator with defVal array and finally store value at szCalSerial. After that it compares Input Serial with szCalSerial, so szCalSerial must equal “5B134977135E7D13”. Perform reverse the XOR calculations we’ll have the correct Input Name:

Input_Name[0] ^ 0x10 = 5B -> 4B K
Input_Name[1] ^ 0x20 = 13 -> 33 3
Input_Name[2] ^ 0x30 = 49 -> 79 y
Input_Name[3] ^ 0x10 = 77 -> 67 g
Input_Name[4] ^ 0x20 = 13 -> 33 3
Input_Name[5] ^ 0x30 = 5E -> 6E n
Input_Name[6] ^ 0x10 = 7D -> 6D m
Input_Name[7] ^ 0x20 = 13 -> 33 3
  • Right Input Name : K3yg3nm3

End.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s