Archive for the ‘Chal5. Music Player Challenge’ Category

Rule: This MP3 Player is limited to 1 minute. You have to play more than one minute. There exist several 1-minute-check routines. After bypassing every check routine, you will see the perfect flag.

The program is coded and compiled with MS Visual Basic 5.0-6.0. Execute the file and play any mp3 file; we receive a message box when the progress bar reaches 1 minute:


Figure 1

Okay, load the file into OllyDBG and search all referenced text strings for the string in the message box above, but we can’t find any related information. So we have to set a BP on the MSVBVM60.rtcMsgBox API to find the code that displays the message box above. After placing the breakpoint, press F9 to run the program and play an mp3 file; we will reach here after playing for over 1 minute:


Figure 2

Go to address 004045DE and scroll up; we’ll find the jump that bypasses the call to rtcMsgBox:


Figure 3

Let’s patch this jump into an unconditional jump like this:


Figure 4

Re-run the program, play the file again and see what happens:


Figure 5

Huh… Run time error! Maybe this program has another check, so we need to find the code section that makes the program crash. Restart OllyDBG, press F9 to run, then open and play the mp3 file. Wait until it has played about 57 – 58 seconds, switch back to OllyDBG immediately and set a BP at 0040456B . /0F8C 8D000000   jl Music_Pl.004045FE. The program will stop at the BP like the picture below:


Figure 6

Patch it to JMP to skip the call that displays the message limiting playback to 1 minute, then continue tracing over with F8; we’ll find the code that makes the program crash:


Figure 7

Scroll up and patch the jump to bypass this call:


Figure 8

After patching the two check locations, press F9 to run the program … we will see the flag in the caption:


Figure 9

Flag is: LIstenCare
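What OllyDBG does for us when we turn `jl` into `jmp` at 0040456B is worth seeing at the byte level, because a near conditional jump (`0F 8C rel32`, 6 bytes) and a near unconditional jump (`E9 rel32`, 5 bytes) differ in length, so the displacement has to be adjusted and the spare byte padded with a NOP. The script below is an added example written for this write-up, not code from the challenge author; it decodes a short or near conditional jump at a file offset, rewrites it as an unconditional jump to the same target, and maps the VA to a file offset. The image base and section table are assumptions constructed for the example; the only bytes taken from the page are the `0F8C 8D000000` at 0040456B, whose target decodes to 004045FE exactly as the listing shows.

```python
import struct

# Assumed image base and section table (RVA, raw size, raw pointer). These are
# constructed for the example and are NOT the real headers of the challenge binary.
IMAGE_BASE = 0x00400000
SECTIONS = [
    (".text", 0x1000, 0x20000, 0x400),
]

NEAR_JCC_PREFIX = 0x0F            # near Jcc encodes as 0F 80..8F rel32
NEAR_JCC_MIN, NEAR_JCC_MAX = 0x80, 0x8F
SHORT_JCC_MIN, SHORT_JCC_MAX = 0x70, 0x7F   # short Jcc encodes as 70..7F rel8


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address to a file offset using the (assumed) section headers."""
    rva = va - image_base
    for _name, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + raw_size:
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} is not inside any section")


def jump_target(data, offset, va):
    """Decode the conditional jump at `offset` (located at VA `va`).
    Returns (instruction_length, target_va)."""
    op = data[offset]
    if SHORT_JCC_MIN <= op <= SHORT_JCC_MAX:
        disp = struct.unpack_from("<b", data, offset + 1)[0]
        return 2, va + 2 + disp
    if op == NEAR_JCC_PREFIX and NEAR_JCC_MIN <= data[offset + 1] <= NEAR_JCC_MAX:
        disp = struct.unpack_from("<i", data, offset + 2)[0]
        return 6, va + 6 + disp
    raise ValueError(f"no conditional jump at offset {offset:#x}")


def patch_jcc_to_jmp(data, offset, va):
    """Return a copy of `data` with the conditional jump at `offset` rewritten as an
    unconditional jump to the same target. The input buffer is left untouched."""
    out = bytearray(data)
    length, target = jump_target(out, offset, va)
    if length == 2:
        # 7x rel8 -> EB rel8: same length, so the displacement is unchanged.
        out[offset] = 0xEB
    else:
        # 0F 8x rel32 (6 bytes) -> E9 rel32 (5 bytes) + NOP. rel32 is relative to the
        # end of the instruction, which moves back one byte, so the displacement grows by 1.
        disp = target - (va + 5)
        struct.pack_into("<BiB", out, offset, 0xE9, disp, 0x90)
    return out


def build_sample():
    """Constructed image: a .text section holding the 'jl 004045FE' from the write-up."""
    jl_va = 0x0040456B
    off = va_to_file_offset(jl_va)
    data = bytearray(b"\xCC" * (off + 16))          # int3 filler around the jump
    data[off:off + 6] = bytes.fromhex("0F8C8D000000")  # bytes shown in the OllyDBG listing
    return data, jl_va, off


if __name__ == "__main__":
    data, va, off = build_sample()
    length, target = jump_target(data, off, va)
    print(f"{va:#010x}: jcc ({length} bytes) -> {target:#010x}")
    patched = patch_jcc_to_jmp(data, off, va)
    print("patched bytes:", patched[off:off + 6].hex().upper())
```

The same function handles the short `7x rel8` form, where the patch is a single byte (`EB`), which is why the decode step returns the instruction length. Run it and the near jump prints as `E98E00000090`, i.e. `jmp 004045FE` followed by a `nop`.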