Archive for the ‘Chal1. Easy Crack Challenge’ Category

Chal1 – Easy Crack Challenge

Posted: January 26, 2016 in Chal1. Easy Crack Challenge
Tags:
4

Load target to OllyDBG and search all referenced text strings:

Krchal1

Figure 1

Double click on the “Congratulation  !!”, go here:

Krchal2

Figure 2

Scroll up a little bit and set a BP at GetDlgItemTextA:

Krchal3

Figure 3

Press F9 to run, input any key that you want:

004010B0    |.  807C24 05 61  cmp     byte ptr [esp+5], 61        ;  <- InputKey[1] = 'a'?
004010B5    |.  75 7E         jnz     short Easy_Cra.00401135     ;  <- If not, show incorrect!
004010B7    |.  6A 02         push    2
004010B9    |.  8D4C24 0A     lea     ecx, dword ptr [esp+A]
004010BD    |.  68 78604000   push    Easy_Cra.00406078           ;  ASCII "5y"
004010C2    |.  51            push    ecx
004010C3    |.  E8 88000000   call    Easy_Cra.00401150           ;  <- InputKey[2,3] = '5y'?
004010C8    |.  83C4 0C       add     esp, 0C
004010CB    |.  85C0          test    eax, eax
004010CD    |.  75 66         jnz     short Easy_Cra.00401135     ;  <- If not, show incorrect!
004010CF    |.  53            push    ebx
004010D0    |.  56            push    esi
004010D1    |.  BE 6C604000   mov     esi, Easy_Cra.0040606C      ;  ASCII "R3versing"
004010D6    |.  8D4424 10     lea     eax, dword ptr [esp+10]
004010DA    |>  8A10          /mov     dl, byte ptr [eax]
004010DC    |.  8A1E          |mov     bl, byte ptr [esi]
004010DE    |.  8ACA          |mov     cl, dl
004010E0    |.  3AD3          |cmp     dl, bl
004010E2    |.  75 1E         |jnz     short Easy_Cra.00401102
004010E4    |.  84C9          |test    cl, cl
004010E6    |.  74 16         |je      short Easy_Cra.004010FE
004010E8    |.  8A50 01       |mov     dl, byte ptr [eax+1]       ;  <-- This loop compare InputKey[4...] =  'R3versing'
004010EB    |.  8A5E 01       |mov     bl, byte ptr [esi+1]
004010EE    |.  8ACA          |mov     cl, dl
004010F0    |.  3AD3          |cmp     dl, bl
004010F2    |.  75 0E         |jnz     short Easy_Cra.00401102
004010F4    |.  83C0 02       |add     eax, 2
004010F7    |.  83C6 02       |add     esi, 2
004010FA    |.  84C9          |test    cl, cl
004010FC    |.^ 75 DC         \jnz     short Easy_Cra.004010DA
004010FE    |>  33C0          xor     eax, eax
00401100    |.  EB 05         jmp     short Easy_Cra.00401107
00401102    |>  1BC0          sbb     eax, eax
00401104    |.  83D8 FF       sbb     eax, -1
00401107    |>  5E            pop     esi
00401108    |.  5B            pop     ebx
00401109    |.  85C0          test    eax, eax
0040110B    |.  75 28         jnz     short Easy_Cra.00401135
0040110D    |.  807C24 04 45  cmp     byte ptr [esp+4], 45        ;  <-- InputKey[0] = 'E'?
00401112    |.  75 21         jnz     short Easy_Cra.00401135     ;  <- If not, show incorrect!

After tracing through this code, we can get the correct Input Key is: Ea5yR3versing

End.