Saturday 14 September 2013

Crackmes [Reverse] - second keygenme [Very Easy level]

In this task we are provided with a Windows binary. We have to understand how it works and provide a valid registration name/serial number pair, or write a keygen. The program simply asks for those two strings (name/serial) and, if the serial is wrong, terminates.




First we look at the overall structure of the binary. It contains a lot of assembly, so let us find the strings related to the serial-number check. Among others we can see the string "Like!"; it should be the place we reach on the successful code path, so let's find where it is used. There is one usage, surrounded by calls to a few functions. We can also rename the references to the other strings and clearly see the blocks of code that most likely print the prompts and read our input. Let's use a debugger to see where our input is stored. After stepping through the binary you can see that it is located in input_reg_name1 and input_serial (see picture; I've renamed the locations from unk_...).


Our input is stored in the .rdata segment. It is laid out contiguously; each of the two buffers holds 12 bytes. After the input is read, a piece of code simply XORs each byte of the registration name with the value 0x19. Each resulting byte is then incremented by 1 and compared to the corresponding byte of the serial number. So all we need to do to get a valid serial number is XOR each byte with 0x19 and add 1.



After every byte has been compared, if the count of matching bytes equals the length of the strings, "Like!!" is printed.

KeyGen:
puts "Enter your registration name:"
reg_name = gets.chomp            # chomp! returns nil when there is nothing to strip, so use chomp
serial = ""
reg_name.each_char do |ch|
  serial << ((ch.ord ^ 0x19) + 1).chr   # same transform as the binary: XOR with 0x19, then add 1
end
puts "Your serial:"
puts serial
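As an added example (not the original post's code), here is the same keygen alongside a verifier that re-implements the binary's comparison as the post describes it, so a generated pair can be checked without running the crackme; the 12-byte limit and the 0x19 key come from the post, and the printable-ASCII check is an extra caveat, since some name characters map to bytes that cannot be typed as a serial.

```ruby
# Added example, not the original post's code: keygen + offline verifier for
# the check described in the post (XOR each name byte with 0x19, add 1, compare).

XOR_KEY  = 0x19   # value the binary XORs each name byte with (from the post)
BUF_SIZE = 12     # size of each input buffer in .rdata (from the post)

# Transform one byte of the registration name the way the binary does.
def transform(byte)
  ((byte ^ XOR_KEY) + 1) & 0xFF
end

# Derive the serial for a registration name. Returns a binary string, because
# some name bytes (e.g. 'f' -> 0x80, 'g' -> 0x7f) fall outside printable ASCII.
def keygen(name)
  raise ArgumentError, "name exceeds #{BUF_SIZE}-byte buffer" if name.bytesize > BUF_SIZE
  name.bytes.map { |b| transform(b) }.pack("C*")
end

# Re-implementation of the binary's check: every transformed name byte must
# equal the serial byte at the same position, and the number of matches must
# equal the string length, so a serial of a different length is rejected.
def valid_pair?(name, serial)
  return false if serial.bytesize != name.bytesize
  matches = name.bytes.zip(serial.bytes).count { |n, s| transform(n) == s }
  matches == name.bytesize
end

# True when every serial byte can be typed as plain printable ASCII.
def printable?(serial)
  serial.bytes.all? { |b| b.between?(0x20, 0x7e) }
end

if __FILE__ == $0
  name = ARGV.first || "crackme"   # constructed sample name when none is given
  serial = keygen(name)
  puts "Name:   #{name}"
  puts "Serial: #{serial}"
  puts "(serial contains non-printable bytes)" unless printable?(serial)
  puts "Self-check: #{valid_pair?(name, serial) ? 'Like!' : 'mismatch'}"
end
```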

Proof:
