Bangggg … Today I am going to continue the crack challenge. The keygen we are assessing implements many trap conditions. This time I am also including the decompiled code from the Ghidra plugin.
Let's follow the code step by step. You can see in the assembly above that there are two comparisons in series, each comparing the result of one of the two previous loops. The first condition checks that CharCollected_2 = 465 (0x1D1); the instruction is cmp [ebp+CharCollected_2], 1D1h
The second loop runs over indices 12 to 15:
12 = ?
13 = ?
14 = ?
15 = ?
The sum of all the above must be 465.
The second check validates that CharCollected_1 = 1011 (0x3F3); the instruction is cmp [ebp+CharCollected_1], 3F3h
0 = Y = 89 (CharCollected_1 = 89 after this element)
1 = ?
2 = ?
3 = ?
4 = ?
5 = ?
6 = ?
7 = ?
8 = . = 46
9 = ?
The sum of all the above must be 1011.
From this analysis, there are two validations we must pass in order to go further, both tied to the sums CharCollected_2 and CharCollected_1.
The decompiled output shows the same two checks in C, as in the code below.
The next assembly code that we are going to assess is below.
mov edx, [ebp+CharCollected_2] saves the value of CharCollected_2 (465) into edx. mov eax, [ebp+CharCollected_1] saves the value of CharCollected_1 (1011) into eax. Next, sub eax, edx subtracts the second operand (edx) from the first operand (eax) and stores the result in the first operand, as below.
After the subtraction, the result is saved in a temporary variable called AccCheck with mov [ebp+AccCheck], eax
The next operation gets the 15th element of the array and saves it in var_38. Remember that a function's return value is always placed in eax, so mov [ebp+var_38], eax stores the returned value into var_38.
Next, the code gets the 14th element of the array and saves it in edx.
Here the code compares the value of var_38 (element 15, loaded into ecx) with edx (element 14). So elements 14 and 15 must be equal in order to pass the check. Remember that it uses jnz (jump if not zero), so any difference fails the check.
We can see the same operation in the decompiled code below, in the highlighted lines.
OK… so in this tutorial we can conclude that the checks follow this sequence:
1. First loop result must equal 1011
2. Second loop result must equal 465
3. 15th element and 14th element must be the same.
The above conclusion is highlighted below.
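To make the three derived constraints concrete, here is an added Python model of the checks (my own example, not the crackme's code or the Ghidra output). It assumes the first loop covers indices 0 to 9 and the second covers indices 12 to 15, as described above; the sample key is constructed to satisfy all three checks and keeps 'Y' at index 0 and '.' at index 8 as in the tutorial.

```python
# Added example: a Python model of the three checks derived in the tutorial.
# Index ranges and constants come from the page; the sample key is constructed.

FIRST_LOOP = range(0, 10)    # CharCollected_1: indices 0..9, must sum to 0x3F3
SECOND_LOOP = range(12, 16)  # CharCollected_2: indices 12..15, must sum to 0x1D1


def char_sums(key: str) -> tuple[int, int]:
    """Return (CharCollected_1, CharCollected_2) for a candidate key."""
    if len(key) < 16:
        raise ValueError("key must have at least 16 characters")
    collected_1 = sum(ord(key[i]) for i in FIRST_LOOP)
    collected_2 = sum(ord(key[i]) for i in SECOND_LOOP)
    return collected_1, collected_2


def acc_check(key: str) -> int:
    """AccCheck = CharCollected_1 - CharCollected_2 (the 'sub eax, edx' step).
    Its later use is not shown in this part of the tutorial."""
    collected_1, collected_2 = char_sums(key)
    return collected_1 - collected_2


def check_key(key: str) -> bool:
    """Mirror the checks in the order the assembly performs them."""
    try:
        collected_1, collected_2 = char_sums(key)
    except ValueError:
        return False
    if collected_2 != 0x1D1:     # cmp [ebp+CharCollected_2], 1D1h
        return False
    if collected_1 != 0x3F3:     # cmp [ebp+CharCollected_1], 3F3h
        return False
    return key[15] == key[14]    # jnz: element 15 must equal element 14


# Constructed sample key: 89 + 7*109 + 46 + 113 = 1011 over indices 0..9,
# 110 + 111 + 122 + 122 = 465 over indices 12..15, and key[14] == key[15].
SAMPLE_KEY = "Ymmmmmmm.qXXnozz"

if __name__ == "__main__":
    print(SAMPLE_KEY, "->", check_key(SAMPLE_KEY), "AccCheck =", acc_check(SAMPLE_KEY))
```

Changing any character in the loop ranges, or making the last two characters differ, makes check_key return False, which matches the three jumps in the assembly.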