Archive for the ‘Chal7. Position Challenge’ Category


Rule: Find the Name when the Serial is 76876-77776. This problem has several answers. Password is ***p

Krchal71

Figure 1

Scanning the target with DIE (Detect It Easy, a PE identification tool) gives the following information:

Krchal72

Figure 2

After analyzing the target with IDA, we get the entire routine that calculates and checks the serial against the Name that we entered.

// Name/Serial validation routine as decompiled by IDA (Hex-Rays pseudocode, not compilable C++).
//
// Returns 1 when the Name and Serial read from the dialog satisfy every check below, 0 otherwise.
// Checks visible in this listing:
//   1. The DWORD at (Name data - 0xC) must equal 4 -- presumably the CString length field,
//      i.e. the Name is 4 characters long (TODO confirm against the CStringData layout).
//   2. Every Name character must lie in 'a'..'z'.
//   3. No two Name characters may be equal.
//   4. The same field for the Serial must equal 0xB (11), and Serial[5] must be '-'.
//   5. Each remaining Serial character must equal the decimal digit produced from one bit of
//      each of two Name characters (n0..n3 = Name[0..3], bN(x) = bit N of x):
//        Serial[0] = b0(n0) + b2(n1) + 6      Serial[6]  = b0(n2) + b2(n3) + 6
//        Serial[1] = b3(n0) + b3(n1) + 6      Serial[7]  = b3(n2) + b3(n3) + 6
//        Serial[2] = b1(n0) + b4(n1) + 6      Serial[8]  = b1(n2) + b4(n3) + 6
//        Serial[3] = b2(n0) + b0(n1) + 6      Serial[9]  = b2(n2) + b0(n3) + 6
//        Serial[4] = b4(n0) + b1(n1) + 6      Serial[10] = b4(n2) + b1(n3) + 6
//      Every digit is therefore 6, 7 or 8. A 7 only says that one of the two bits is set, so
//      the mapping from Name to Serial is many-to-one and several Names match the same Serial.
//
// a1 is used as the base of a window object: a1 + 0x130 and a1 + 0x1A4 are passed to
// CWnd::GetWindowTextW -- presumably the Name and Serial edit controls (verify in the dialog class).
signed int __stdcall sub_401740(int a1)
{
// NOTE(review): identifiers such as szName[0] / szSerial[3] below appear to be analyst renames of
// Hex-Rays temporaries; they are labels for single registers, not array elements.
signed int k; // edi@1
char *v2; // ecx@2
signed int i; // esi@4
signed int j; // esi@8
__int16 v6; // bx@10
unsigned __int8 szName[0]; // al@15
unsigned __int8 iTemp1; // ST2C_1@15
unsigned __int8 szName[1]; // al@15
unsigned __int8 iTemp9; // bl@15
wchar_t *wcharBuf1; // eax@15
__int16 iBuf1; // di@15
__int16 szSerial[0]; // ax@15
wchar_t *wcharBuf2; // eax@16
__int16 szSerial[1]; // di@16
__int16 iBuf2; // ax@16
wchar_t *wcharBuf3; // eax@17
__int16 szSerial[2]; // di@17
__int16 iBuf3; // ax@17
wchar_t *wcharBuf4; // eax@18
__int16 szSerial[3]; // di@18
__int16 iBuf4; // ax@18
wchar_t *wcharBuf5; // eax@19
__int16 szSerial[4]; // di@19
__int16 iBuf5; // ax@19
unsigned __int8 szName[2]; // al@20
unsigned __int8 iTemp11; // ST2C_1@20
unsigned __int8 szName[3]; // al@20
unsigned __int8 iTemp19; // bl@20
wchar_t *wcharBuf6; // eax@20
__int16 szSerial[6]; // di@20
__int16 iBuf6; // ax@20
wchar_t *wcharBuf7; // eax@21
__int16 szSerial[7]; // di@21
__int16 iBuf7; // ax@21
wchar_t *wcharBuf8; // eax@22
__int16 szSerial[8]; // di@22
__int16 iBuf8; // ax@22
wchar_t *wcharBuf9; // eax@23
__int16 szSerial[9]; // di@23
__int16 iBuf9; // ax@23
wchar_t *wcharBuf10; // eax@24
__int16 szSerial[10]; // si@24
__int16 iBuf10; // ax@24
// The first-half and second-half temporaries below share stack slots (same [sp+..] offsets).
unsigned __int8 iTemp6; // [sp+10h] [bp-28h]@15
unsigned __int8 iTemp16; // [sp+10h] [bp-28h]@20
unsigned __int8 iTemp8; // [sp+11h] [bp-27h]@15
unsigned __int8 iTemp18; // [sp+11h] [bp-27h]@20
unsigned __int8 iTemp10; // [sp+13h] [bp-25h]@15
unsigned __int8 iTemp20; // [sp+13h] [bp-25h]@20
unsigned __int8 iTemp7; // [sp+14h] [bp-24h]@15
unsigned __int8 iTemp17; // [sp+14h] [bp-24h]@20
unsigned __int8 iTemp3; // [sp+19h] [bp-1Fh]@15
unsigned __int8 iTemp13; // [sp+19h] [bp-1Fh]@20
unsigned __int8 iTemp4; // [sp+1Ah] [bp-1Eh]@15
unsigned __int8 iTemp14; // [sp+1Ah] [bp-1Eh]@20
unsigned __int8 iTemp5; // [sp+1Bh] [bp-1Dh]@15
unsigned __int8 iTemp15; // [sp+1Bh] [bp-1Dh]@20
unsigned __int8 iTemp2; // [sp+1Ch] [bp-1Ch]@15
unsigned __int8 iTemp12; // [sp+1Ch] [bp-1Ch]@20
int szName; // [sp+20h] [bp-18h]@1
int szSerial; // [sp+24h] [bp-14h]@1
char buf; // [sp+28h] [bp-10h]@1
int iTemp; // [sp+34h] [bp-4h]@1

// Construct the three CString objects used below: the Name, the Serial and a scratch buffer.
ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&szName);
k = 0;
iTemp = 0;
ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&szSerial);
ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&buf);
// NOTE(review): looks like compiler-generated exception-state bookkeeping -- confirm in the disassembly.
LOBYTE(iTemp) = 2;
// Read the text of the window object at a1 + 0x130 into szName.
CWnd::GetWindowTextW(a1 + 0x130, &szName);
// Check 1: the DWORD 0xC bytes before the string data must be 4 (presumably the length).
if ( *(_DWORD *)(szName - 0xC) == 4 )
{
    i = 0;
    // Check 2: walk the four characters while each one is within 'a'..'z'. The rest of the
    // routine is entered only once i reaches 4. NOTE(review): the braces of this loop were
    // mangled when the listing was pasted; the out-of-range path is not clearly shown here.
    while ( (unsigned __int16)ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, i) >= 'a'
        && (unsigned __int16)ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, i) <= 'z' ) { ++i; if ( i >= 4 )
    {
// Check 3: for every index pair (k, j) with k != j, equal characters send control to EndCheck.
first_loop:
        j = 0;
        while ( 1 )
        {
        if ( k != j )
        {
            v6 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, j);
            if ( (unsigned __int16)ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, k) == v6 )
            goto EndCheck;
        }
        ++j;
        if ( j >= 4 )
        {
            ++k;
            if ( k < 4 )
            goto first_loop;
            // All four characters are pairwise different: read the text at a1 + 0x1A4 into szSerial.
            CWnd::GetWindowTextW(a1 + 0x1A4, &szSerial);
            // Check 4: the field before the data must be 0xB (11) and index 5 must hold '-'.
            if ( *(_DWORD *)(szSerial - 0xC) != 0xB
            || (unsigned __int16)ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 5) != '-' )
            goto EndCheck;
            // Split the low five bits of Name[0] into five values, each bit + 5 (so 5 or 6).
            szName[0] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, 0);
            iTemp1 = (szName[0] & 1) + 5;
            iTemp2 = ((szName[0] >> 4) & 1) + 5;
            iTemp3 = ((szName[0] >> 1) & 1) + 5;
            iTemp4 = ((szName[0] >> 2) & 1) + 5;
            iTemp5 = ((szName[0] >> 3) & 1) + 5;
            // Same split for Name[1], each bit + 1 (so 1 or 2).
            szName[1] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, 1);
            iTemp6 = (szName[1] & 1) + 1;
            iTemp7 = ((szName[1] >> 4) & 1) + 1;
            iTemp8 = ((szName[1] >> 1) & 1) + 1;
            iTemp9 = ((szName[1] >> 2) & 1) + 1;
            iTemp10 = ((szName[1] >> 3) & 1) + 1;
            // Pattern repeated for every digit: format the sum in radix 10 into buf with
            // itow_s (buffer size 0xA), then compare buf[0] with the matching Serial character.
            // Serial[0] <-> iTemp1 + iTemp9
            wcharBuf1 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
            itow_s(iTemp1 + iTemp9, wcharBuf1, 0xAu, 0xA);
            iBuf1 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
            szSerial[0] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 0);
            v2 = &buf;
            if ( szSerial[0] == iBuf1 )
            {
            // Serial[1] <-> iTemp5 + iTemp10
            ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
            wcharBuf2 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
            itow_s(iTemp5 + iTemp10, wcharBuf2, 0xAu, 0xA);
            szSerial[1] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 1);
            iBuf2 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
            v2 = &buf;
            if ( szSerial[1] == iBuf2 )
            {
                // Serial[2] <-> iTemp3 + iTemp7
                ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                wcharBuf3 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
                itow_s(iTemp3 + iTemp7, wcharBuf3, 0xAu, 0xA);
                szSerial[2] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 2);
                iBuf3 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
                v2 = &buf;
                if ( szSerial[2] == iBuf3 )
                {
                // Serial[3] <-> iTemp4 + iTemp6
                ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                wcharBuf4 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
                itow_s(iTemp4 + iTemp6, wcharBuf4, 0xAu, 0xA);
                szSerial[3] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 3);
                iBuf4 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
                v2 = &buf;
                if ( szSerial[3] == iBuf4 )
                {
                    // Serial[4] <-> iTemp2 + iTemp8
                    ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                    wcharBuf5 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
                    itow_s(iTemp2 + iTemp8, wcharBuf5, 0xAu, 0xA);
                    szSerial[4] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 4);
                    iBuf5 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
                    v2 = &buf;
                    if ( szSerial[4] == iBuf5 )
                    {
                    ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                    // Second half: the same bit split applied to Name[2] (+5) and Name[3] (+1),
                    // compared against Serial[6..10] (index 5 is the '-').
                    szName[2] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, 2);
                    iTemp11 = (szName[2] & 1) + 5;
                    iTemp12 = ((szName[2] >> 4) & 1) + 5;
                    iTemp13 = ((szName[2] >> 1) & 1) + 5;
                    iTemp14 = ((szName[2] >> 2) & 1) + 5;
                    iTemp15 = ((szName[2] >> 3) & 1) + 5;
                    szName[3] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, 3);
                    iTemp16 = (szName[3] & 1) + 1;
                    iTemp17 = ((szName[3] >> 4) & 1) + 1;
                    iTemp18 = ((szName[3] >> 1) & 1) + 1;
                    iTemp19 = ((szName[3] >> 2) & 1) + 1;
                    iTemp20 = ((szName[3] >> 3) & 1) + 1;
                    // Serial[6] <-> iTemp11 + iTemp19
                    wcharBuf6 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
                    itow_s(iTemp11 + iTemp19, wcharBuf6, 0xAu, 0xA);
                    szSerial[6] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 6);
                    iBuf6 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
                    v2 = &buf;
                    if ( szSerial[6] == iBuf6 )
                    {
                        // Serial[7] <-> iTemp15 + iTemp20
                        ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                        wcharBuf7 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
                        itow_s(iTemp15 + iTemp20, wcharBuf7, 0xAu, 0xA);
                        szSerial[7] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 7);
                        iBuf7 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
                        v2 = &buf;
                        if ( szSerial[7] == iBuf7 )
                        {
                        // Serial[8] <-> iTemp13 + iTemp17
                        ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                        wcharBuf8 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
                        itow_s(iTemp13 + iTemp17, wcharBuf8, 0xAu, 0xA);
                        szSerial[8] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 8);
                        iBuf8 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
                        v2 = &buf;
                        if ( szSerial[8] == iBuf8 )
                        {
                            // Serial[9] <-> iTemp14 + iTemp16
                            ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                            wcharBuf9 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
                            itow_s(iTemp14 + iTemp16, wcharBuf9, 0xAu, 0xA);
                            szSerial[9] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 9);
                            iBuf9 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
                            v2 = &buf;
                            if ( szSerial[9] == iBuf9 )
                            {
                            // Serial[10] <-> iTemp12 + iTemp18
                            ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                            wcharBuf10 = (wchar_t *)ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&buf);
                            itow_s(iTemp12 + iTemp18, wcharBuf10, 0xAu, 0xA);
                            szSerial[10] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szSerial, 0xA);
                            iBuf10 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&buf, 0);
                            v2 = &buf;
                            if ( szSerial[10] == iBuf10 )
                            {
                                // Success path: all ten digits matched. Destroy the three
                                // strings and report a valid Name/Serial pair.
                                ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&buf, 0xFFFFFFFF);
                                ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&buf);
                                ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&szSerial);
                                ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&szName);
                                return 1;
                            }
                            }
                        }
                        }
                    }
                    }
                }
                }
            }
            }
            // A digit mismatch lands here; v2 already points at buf.
            goto end_check;
        }
        }
    }
    }
}
// Failure path for the length, duplicate-character and Serial-format checks.
EndCheck:
v2 = &buf;
// Common failure exit: destroy the scratch buffer (via v2), the Serial and the Name, then return 0.
end_check:
ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(v2);
ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&szSerial);
ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&szName);
return 0;
}
szName[0] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, 0);
iTemp1 = (szName[0] & 1) + 5;
iTemp2 = ((szName[0] >> 4) & 1) + 5;
iTemp3 = ((szName[0] >> 1) & 1) + 5;
iTemp4 = ((szName[0] >> 2) & 1) + 5;
iTemp5 = ((szName[0] >> 3) & 1) + 5;
szName[1] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, 1);
iTemp6 = (szName[1] & 1) + 1;
iTemp7 = ((szName[1] >> 4) & 1) + 1;
iTemp8 = ((szName[1] >> 1) & 1) + 1;
iTemp9 = ((szName[1] >> 2) & 1) + 1;
iTemp10 = ((szName[1] >> 3) & 1) + 1;

szSerial[0] = 7 = iTemp1 + iTemp9
szSerial[1] = 6 = iTemp5 + iTemp10
szSerial[2] = 8 = iTemp3 + iTemp7
szSerial[3] = 7 = iTemp4 + iTemp6
szSerial[4] = 6 = iTemp2 + iTemp8

szName[2] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, 2);
iTemp11 = (szName[2] & 1) + 5;
iTemp12 = ((szName[2] >> 4) & 1) + 5;
iTemp13 = ((szName[2] >> 1) & 1) + 5;
iTemp14 = ((szName[2] >> 2) & 1) + 5;
iTemp15 = ((szName[2] >> 3) & 1) + 5;
szName[3] = ATL::CSimpleStringT<wchar_t,1>::GetAt(&szName, 3);
iTemp16 = (szName[3] & 1) + 1;
iTemp17 = ((szName[3] >> 4) & 1) + 1;
iTemp18 = ((szName[3] >> 1) & 1) + 1;
iTemp19 = ((szName[3] >> 2) & 1) + 1;
iTemp20 = ((szName[3] >> 3) & 1) + 1;

szSerial[6] = 7 = iTemp11 + iTemp19
szSerial[7] = 7 = iTemp15 + iTemp20
szSerial[8] = 7 = iTemp13 + iTemp17
szSerial[9] = 7 = iTemp14 + iTemp16
szSerial[10] = 6 = iTemp12 + iTemp18

Keygen source:

#include <stdio.h>
#include <stdlib.h>

int main()
{
    /*
     * Enumerates, for each half of the serial 76876-77776, every pair of
     * lowercase letters whose bit sums reproduce that half's five digits.
     * The first batch printed lists candidates for Name[0]/Name[1], the
     * second batch (after the dashed line) candidates for Name[2]/Name[3].
     *
     * Only the per-digit equations are tested here. The rule that all four
     * Name characters differ, and the "***p" hint from the challenge text,
     * are not applied by this program.
     */
    enum { LETTER_FIRST = 0x61, LETTER_LAST = 0x7a, HALF_LEN = 5 };

    /* The ten digits of the serial with the '-' separator left out. */
    const int digits[10] = {7,6,8,7,6,7,7,7,7,6};
    int half;
    int lead, trail;

    for (half = 0; half < 2; ++half)
    {
        /* Half 0 checks digits[0..4], half 1 checks digits[5..9]. */
        const int *want = digits + half * HALF_LEN;

        for (lead = LETTER_FIRST; lead <= LETTER_LAST; ++lead)
        {
            /* Bits 0..4 of the first character of the pair, each offset by 5. */
            const int lead_b0 = (lead & 1) + 5;
            const int lead_b1 = ((lead >> 1) & 1) + 5;
            const int lead_b2 = ((lead >> 2) & 1) + 5;
            const int lead_b3 = ((lead >> 3) & 1) + 5;
            const int lead_b4 = ((lead >> 4) & 1) + 5;

            for (trail = LETTER_FIRST; trail <= LETTER_LAST; ++trail)
            {
                /* Bits 0..4 of the second character of the pair, each offset by 1. */
                const int trail_b0 = (trail & 1) + 1;
                const int trail_b1 = ((trail >> 1) & 1) + 1;
                const int trail_b2 = ((trail >> 2) & 1) + 1;
                const int trail_b3 = ((trail >> 3) & 1) + 1;
                const int trail_b4 = ((trail >> 4) & 1) + 1;

                /* Same bit pairing, in the same order, as the decompiled check. */
                if (lead_b0 + trail_b2 != want[0]) continue;
                if (lead_b3 + trail_b3 != want[1]) continue;
                if (lead_b1 + trail_b4 != want[2]) continue;
                if (lead_b2 + trail_b0 != want[3]) continue;
                if (lead_b4 + trail_b1 != want[4]) continue;

                printf("%c  %c\n", lead, trail);
            }
        }
        printf("----------------------------\n");
    }

    return 0;
}

Result after executing the keygen:

Krchal73

Figure 3

Krchal74

Figure 4

End.