Author Topic: HBH Application Cracking - App Extra  (Read 955 times)
pr2008
« on: September 28, 2008, 01:37:46 PM »

This challenge is easy enough to crack, but there is no password to get. You'll have to explain how you did it. That's the tricky part of this challenge.

The first part of the challenge calculates the 'sum' of the string:
Code:
r [ebp-8Ch], 1
.text:00402597 mov     dword ptr [ebp-94h], 2
.text:004025A1 mov     eax, [ebp-54h]
.text:004025A4 mov     dword ptr [ebp-54h], 0
.text:004025AB mov     [ebp-7Ch], eax
.text:004025AE mov     dword ptr [ebp-84h], 8
.text:004025B8 lea     edx, [ebp-94h]
.text:004025BE push    edx
.text:004025BF lea     eax, [ebp-30h]
.text:004025C2 push    eax
.text:004025C3 call    ds:__vbaI4Var
.text:004025C9 push    eax
.text:004025CA lea     ecx, [ebp-84h]
.text:004025D0 push    ecx
.text:004025D1 lea     edx, [ebp-0A4h]
.text:004025D7 push    edx
.text:004025D8 call    ebx ; rtcMidCharVar
.text:004025DA lea     eax, [ebp-0A4h]
.text:004025E0 push    eax
.text:004025E1 lea     ecx, [ebp-58h]
.text:004025E4 push    ecx
.text:004025E5 call    ds:__vbaStrVarVal
.text:004025EB push    eax
.text:004025EC call    ds:rtcAnsiValueBstr
.text:004025F2 movsx   edx, ax
.text:004025F5 add     edx, edi
.text:004025F7 jo      loc_402D64
.text:004025FD mov     edi, edx
.text:004025FF lea     ecx, [ebp-58h]
.text:00402602 call    ds:__vbaFreeStr
.text:00402608 lea     ecx, [ebp-6Ch]
.text:0040260B call    ds:__vbaFreeObj
.text:00402611 lea     eax, [ebp-0A4h]
.text:00402617 push    eax
.text:00402618 lea     ecx, [ebp-94h]
.text:0040261E push    ecx
.text:0040261F lea     edx, [ebp-84h]
.text:00402625 push    edx
.text:00402626 push    3
.text:00402628 call    ds:__vbaFreeVarList
.text:0040262E add     esp, 10h
.text:00402631 lea     eax, [ebp-170h]
.text:00402637 push    eax
.text:00402638 lea     ecx, [ebp-160h]
.text:0040263E push    ecx
.text:0040263F lea     edx, [ebp-30h]
.text:00402642 push    edx
.text:00402643 call    ds:__vbaVarForNext
.text:00402649 mov     [ebp-184h], eax
.text:0040264F jmp     loc_40253A

Example string "dddd" -> 'd' = dec. 100 -> 4*100 = 400;

The second part creates a checksum and compares the sum of the input string against it (checksum = 0x2DC, dec. 732):

Code:
loc_402654:                             ; CODE XREF: .text:00402542j
.text:00402654 mov     ecx, 65h
.text:00402659 mov     eax, ecx
.text:0040265B mov     edx, 52h
.text:00402660 add     eax, edx
.text:00402662 jo      loc_402D64
.text:00402668 mov     edx, 76h
.text:0040266D add     eax, edx
.text:0040266F jo      loc_402D64
.text:00402675 add     eax, ecx
.text:00402677 jo      loc_402D64
.text:0040267D mov     edx, 72h
.text:00402682 add     eax, edx
.text:00402684 jo      loc_402D64
.text:0040268A mov     edx, 73h
.text:0040268F add     eax, edx
.text:00402691 jo      loc_402D64
.text:00402697 add     eax, ecx
.text:00402699 jo      loc_402D64
.text:0040269F cmp     edi, eax
.text:004026A1 jnz     loc_402B1A

The last part checks whether locations 2, 4 and 7 are equal to 'e'.

Code:
.text:0040283F movsx   ecx, ax
.text:00402842 xor     edx, edx
.text:00402844 mov     eax, 65h
.text:00402849 cmp     ecx, eax
.text:0040284B setz    dl
.text:0040284E neg     edx
.text:00402850 lea     eax, [ebp-0D4h]
.text:00402856 push    eax
.text:00402857 lea     ecx, [ebp-60h]
.text:0040285A push    ecx
.text:0040285B mov     [ebp-198h], edx
.text:00402861 call    ebx ; __vbaStrVarVal
.text:00402863 push    eax
.text:00402864 call    edi ; rtcAnsiValueBstr
.text:00402866 movsx   edx, ax
.text:00402869 xor     eax, eax
.text:0040286B mov     edi, 65h
.text:00402870 cmp     edx, edi
.text:00402872 setz    al
.text:00402875 neg     eax
.text:00402877 mov     ebx, [ebp-198h]
.text:0040287D and     ebx, eax
.text:0040287F lea     ecx, [ebp-0A4h]
.text:00402885 push    ecx
.text:00402886 lea     edx, [ebp-58h]
.text:00402889 push    edx
.text:0040288A call    ds:__vbaStrVarVal
.text:00402890 push    eax
.text:00402891 call    ds:rtcAnsiValueBstr
.text:00402897 movsx   eax, ax
.text:0040289A xor     ecx, ecx
.text:0040289C cmp     eax, edi
.text:0040289E setz    cl
.text:004028A1 neg     ecx


Translated into C++:


Code:
#include <cstdlib>
#include <iostream>
#include <string>

// Sum of the character codes, as the first part of the listing does with
// rtcMidCharVar / rtcAnsiValueBstr (unsigned, so 'd' counts as 100).
inline unsigned int StrValue(const std::string& s)
{
    unsigned int ret = 0, i;
    for(i = 0; i < s.length(); i++)
      ret += static_cast<unsigned char>(s[i]);

    return ret;
}

int main(int argc, char *argv[])
{
    const std::string  CS  = "abcdefghijklmnopqrstuvwxyz";
    const unsigned int LEN = CS.length();

    // Positions 2, 4 and 7 (1-based) are fixed to 'e' by the last check;
    // brute-force the other four over a-z and keep every string whose
    // sum matches the 0x2DC (732) reference computed in the second part.
    for(unsigned int xa = 0; xa < LEN; xa++)
    for(unsigned int xb = 0; xb < LEN; xb++)
    for(unsigned int xc = 0; xc < LEN; xc++)
    for(unsigned int xd = 0; xd < LEN; xd++)
    {
        std::string s = "#e#e##e";

        s[0] = CS[xa]; s[2] = CS[xb];
        s[4] = CS[xc]; s[5] = CS[xd];

        if(StrValue(s) == 0x2DC)
          std::cout << "Serial: "  << s << '\n';
    }

    system("PAUSE");  // Windows-only: keeps the console open until a key is pressed
    return EXIT_SUCCESS;
}
« Last Edit: September 29, 2008, 08:43:43 AM by pr2008 » Logged
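The three listings in the post above, reassembled as a validator plus a solver. This is an added example, not pr2008's code and not the challenge binary's source: `vbSumOfChars`, `referenceSum`, `positionsAreE`, `checkSerial` and `findSerials` are my names for my reading of the disassembly. The serial length of 7 is an assumption taken from the "#e#e##e" template in the original solver (the listing only shows that a 7th character must exist), and input is assumed to be plain ASCII. One observation that is visible in the second listing: the reference value is not a stored constant but is added up at run time from the immediates 65h, 52h, 76h, 65h, 72h, 73h, 65h, which are the ASCII codes of "eRverse"; building it the same way here, instead of hard-coding 0x2DC, is a cheap check that the listing was read correctly.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Part 1 of the listing: a For loop that takes Mid(s, i, 1), converts it with
// Asc() (rtcAnsiValueBstr) and accumulates the result in edi. Unsigned char is
// used so the value equals Asc() for ASCII input (assumption: ASCII only).
int vbSumOfChars(const std::string& s)
{
    int sum = 0;
    for (unsigned char c : s)
        sum += c;
    return sum;
}

// Part 2 of the listing: the reference value is assembled from immediates
// (65h, 52h, 76h, 65h, 72h, 73h, 65h) with an overflow check after each add.
// Those seven bytes are the ASCII codes of "eRverse", so the constant is
// simply the character sum of that string: 0x2DC = 732.
int referenceSum()
{
    const int immediates[] = {0x65, 0x52, 0x76, 0x65, 0x72, 0x73, 0x65};
    int sum = 0;
    for (int v : immediates)
        sum += v;
    return sum;
}

// Part 3 of the listing: Mid(s, 2, 1), Mid(s, 4, 1) and Mid(s, 7, 1) are each
// compared with 65h ('e') and the three results are ANDed together.
// VB's Mid is 1-based, so these are indices 1, 3 and 6 here.
bool positionsAreE(const std::string& s)
{
    return s.size() >= 7 && s[1] == 'e' && s[3] == 'e' && s[6] == 'e';
}

// Reconstructed validator. Length 7 is an assumption (see lead-in), as the
// listing would also accept longer strings as long as the sum still matches.
bool checkSerial(const std::string& s)
{
    return s.size() == 7
        && positionsAreE(s)
        && vbSumOfChars(s) == referenceSum();
}

// Solver: fix the three 'e's, enumerate the remaining four positions over a-z
// and keep every candidate the validator accepts (26^4 = 456976 candidates).
std::vector<std::string> findSerials()
{
    const std::string cs = "abcdefghijklmnopqrstuvwxyz";
    std::vector<std::string> found;
    for (char a : cs)
      for (char b : cs)
        for (char c : cs)
          for (char d : cs) {
              std::string s = "#e#e##e";
              s[0] = a; s[2] = b; s[4] = c; s[5] = d;
              if (checkSerial(s))
                  found.push_back(s);
          }
    return found;
}

int main()
{
    std::vector<std::string> serials = findSerials();
    std::cout << "reference sum: " << referenceSum() << '\n';
    std::cout << serials.size() << " accepted serials, first: " << serials.front() << '\n';
    // A near miss: same shape, character sum one too high.
    std::cout << "checkSerial(\"aeaeqzf\") = " << checkSerial("aeaeqzf") << '\n';
    return EXIT_SUCCESS;
}
```

The validator and the solver are kept separate on purpose: the solver only produces candidates, and every candidate is pushed through the same `checkSerial` that mirrors the binary, so a mistake in reading one of the three listings shows up as zero results rather than as a silently wrong serial. Because the sum check ignores order and 'e' is fixed in only three places, the accepted set is large (thousands of strings), which is exactly why the challenge asks for the method rather than a single password.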