X86 ASSEMBLY: CRACK CHALLENGE 1, STATIC ANALYSIS

Bangggg … Today I am going to continue the crack challenge. The keygen that we are assessing implements many conditions as traps. This time I am also including the decompiled code from the Ghidra plugin.

Decompiled Code

Let's follow the code one step at a time. In the assembly code above you can see two comparisons in series, each comparing the result of one of the two previous loops. The first condition checks that CharCollected_2 = 465, where the code is cmp [ebp+CharCollected_2], 1D1h

The second loop runs over elements 12 to 15

12 = ?
13 = ?
14 = ?
15 = ?
The sum of all the above shall be 465

Ctrl + ?

The second check validates that CharCollected_1 = 1011, where the assembly code is cmp [ebp+CharCollected_1], 3F3h

0 = Y = 89 (CharCollected_1 = 89)
1 = ?
2 = ?
3 = ?
4 = ?
5 = ?
6 = ?
7 = ?
8 = . = 46
9 = ?
10 = ?
The sum of all the above shall be 1011

Ctrl + ?

So far we have found two validations that we must pass in order to go further, both related to the sums CharCollected_2 and CharCollected_1.

From the decompiled code we can see that the same checks look like the C code below.

The next assembly code that we are going to assess is below

mov edx, [ebp+CharCollected_2] loads the value of CharCollected_2 (465) into edx. mov eax, [ebp+CharCollected_1] loads the value of CharCollected_1 (1011) into eax. Next, sub eax, edx subtracts the second operand (edx) from the first operand (eax) and saves the result in the first operand, like below

After the subtraction, the result (1011 - 465 = 546) is saved in the temporary variable called AccCheck with the code mov [ebp+AccCheck], eax

The next operation gets the 15th element of the array and saves it in var_38. Remember that the return value of a function is always placed in eax, so mov [ebp+var_38], eax stores the returned value in var_38

The next operation gets the 14th element of the array and saves it in edx

Here the code compares the value in ecx, loaded from var_38 (element no 15), with edx (element no 14). So the expectation is that the values of element 14 and element 15 must be the same in order to pass the check. Remember that it uses jnz (jump if not zero), so any difference takes the failing branch.

We can see the same operation highlighted in the decompiled code below.

OK… so in this tutorial we can conclude that the checks follow this sequence

1. First loop result must be = 1011
2. Second loop result must be = 465
3. 15th element and 14th element must be the same.

The above conclusion is highlighted below
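Putting the three checks together in C, as an added reconstruction of the logic described in this post (not the crackme's own source). The index ranges, the constants 0x1D1 and 0x3F3, and the element 14 == element 15 comparison come from the post; the sample serial and the minimum-length handling are assumptions.

```c
#include <string.h>

/* Reconstruction of the checks described in the post (not the crackme's own
 * code). Assumption: the serial is at least 16 bytes so s[15] is readable. */
enum { CHECK_LEN = 16 };

/* Sum of the byte values of s[from..to], as the two loops accumulate them. */
static int sum_range(const unsigned char *s, int from, int to)
{
    int acc = 0;
    for (int i = from; i <= to; i++)
        acc += s[i];
    return acc;
}

/* AccCheck temporary: CharCollected_1 - CharCollected_2
 * (mov edx,[CharCollected_2]; mov eax,[CharCollected_1]; sub eax,edx).
 * Returns -1 if the serial is too short to read s[15]. */
int acc_check(const char *serial)
{
    const unsigned char *s = (const unsigned char *)serial;
    if (strlen(serial) < CHECK_LEN)
        return -1;
    return sum_range(s, 0, 10) - sum_range(s, 12, 15);
}

/* Returns 0 when every check passes, otherwise the number of the check that
 * failed: 1 = CharCollected_2 != 0x1D1, 2 = CharCollected_1 != 0x3F3,
 * 3 = element 14 != element 15 (the jnz branch). -1 = input too short. */
int check_serial(const char *serial)
{
    const unsigned char *s = (const unsigned char *)serial;
    if (strlen(serial) < CHECK_LEN)
        return -1;

    int char_collected_2 = sum_range(s, 12, 15); /* cmp [ebp+CharCollected_2], 1D1h */
    int char_collected_1 = sum_range(s, 0, 10);  /* cmp [ebp+CharCollected_1], 3F3h */

    if (char_collected_2 != 0x1D1) return 1;
    if (char_collected_1 != 0x3F3) return 2;

    /* ecx = var_38 = element 15, edx = element 14; jnz means they must match */
    if (s[15] != s[14]) return 3;
    return 0;
}

int main(void)
{
    /* Constructed sample satisfying the three constraints (not a real key). */
    return check_serial("Yaaaaaaa.ad-stuu");  /* exits 0 when all checks pass */
}
```

Each return code tells you which of the three comparisons in the post rejected the input, which is handy for confirming the static reading against the binary's actual behaviour.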
