Hello! There is a crackme task (the program from the problem). The program takes two lines as input (login / password, i.e. the serial). What should the serial be for the program to report success?

Here is the part of the code where working with these strings occurs:

.text:004012F9 sub_4012F9 proc near ; CODE XREF: sub_401123+113 p
.text:004012F9 push ebp
.text:004012FA mov ebp, esp
.text:004012FC push esi
.text:004012FD push edi
.text:004012FE lea esi, String
.text:00401304 lea edi, String2
.text:0040130A xor eax, eax
.text:0040130C xor ecx, ecx
.text:0040130E mov bl, 1Ah
.text:00401310
.text:00401310 loc_401310: ; CODE XREF: sub_4012F9+2F j
.text:00401310 cmp byte ptr [esi], 0
.text:00401313 jz short loc_40132A
.text:00401315 mov al, [esi]
.text:00401317 add al, cl
.text:00401319 xor al, cl
.text:0040131B div bl
.text:0040131D shr ax, 8
.text:00401321 add al, 41h
.text:00401323 mov [edi], al
.text:00401325 inc edi
.text:00401326 inc esi
.text:00401327 inc ecx
.text:00401328 jmp short loc_401310
.text:0040132A ; ---------------------------------------------------------------------------
.text:0040132A
.text:0040132A loc_40132A: ; CODE XREF: sub_4012F9+1A j
.text:0040132A mov byte ptr [edi], 0
.text:0040132D xor eax, eax
.text:0040132F cmp ecx, 0
.text:00401332 jz short loc_40134E
.text:00401334 push offset String2 ; lpString2
.text:00401339 push offset String1 ; lpString1
.text:0040133E call lstrcmpA
.text:00401343 cmp eax, 0
.text:00401346 jz short loc_40134C
.text:00401348 xor eax, eax
.text:0040134A jmp short loc_40134E
.text:0040134C ; ---------------------------------------------------------------------------
.text:0040134C
.text:0040134C loc_40134C: ; CODE XREF: sub_4012F9+4D j
.text:0040134C mov eax, ecx

Then, if eax is 0 after the function (cmp eax, 0), the serial is wrong; otherwise it is correct.

This is the first time I've come across this sort of thing))) The task is easy... But I'm no ace and I don't really understand what is happening there... Can you describe in general terms what happens during the serial check?

  • Hello! Maybe for this task you should use OllyDbg; IDA Pro is too bulky for it. After the comparison there is this jz short loc_40134C; you can just replace it with an unconditional jump)) As for describing how the serial number is formed, you need to step through everything under a debugger (as said above, better under Olly); it's not very clear from this listing. Go step by step, watch the stack, set breakpoints and analyze - ghost rider
  • @ghost rider, patching is not a true method. In this case it's the same as taking a Rubik's cube apart and gluing it back together, or just taking paint and painting each face one color :) As for debugging, sometimes you need to be able to debug code in your head. - insolor
  • @insolor - I agree, you can debug code in your head, the main thing is that a stack overflow doesn't occur)) - ghost rider
  • Now getting the patch on Heshkod has become even easier! - istem

1 answer

At the function's input we have the name (String1) and the entered code (String); in the loop the correct serial number (String2) is derived from the name and compared with the entered one. Serial generation code (String2):

 // 4012FE
 unsigned char *esi = String;               // lea esi, String
 unsigned char *edi = String2;              // lea edi, String2
 unsigned char al = 0, cl = 0, bl = 0x1A;   // xor eax, eax; xor ecx, ecx; mov bl, 1Ah

 // loc_401310:
 while (*esi)                               // cmp byte ptr [esi], 0; jz short loc_40132A
 {
     al = *esi;                             // mov al, [esi]
     al += cl;                              // add al, cl   (8-bit, wraps at 256)
     al ^= cl;                              // xor al, cl
     al %= bl;                              // div bl; shr ax, 8  (ah is 0 on every pass, so the remainder lands in al)
     al += 0x41;                            // add al, 41h
     *edi = al;                             // mov [edi], al
     edi++;                                 // inc edi
     esi++;                                 // inc esi
     cl++;                                  // inc ecx  (simplified: only the low byte of ecx is used inside the loop)
 }                                          // jmp short loc_401310

 // loc_40132A:
 *edi = 0;                                  // mov byte ptr [edi], 0
 // There was also a check here that the entered name is not empty (cmp ecx, 0); omitted for simplicity
 if (strcmp(String1, String2) == 0)         // push offset String2; push offset String1; call lstrcmpA
     ...;
  • It looks like I'm really struggling with this topic... I don't understand how you got the serial generation code (the meaning of the loop isn't clear...). What is the general idea, what is the generation code, and how does the serial number follow from the name? - Alerr
  • So all of this is written in assembler. Here it is translated into C-like pseudocode. - Aleksey Sonkin
  • @Alerr, I've now added comments to the lines. Translated by hand. The idea of the code is that the entered name is taken, some manipulation is performed on each successive character of it, and that yields the next character of the serial. - insolor
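A keygen that reproduces the loop from the listing above, written here in C as an added example (it is not code from the question, the answer or the crackme itself). The function names make_serial and check_serial and the sample name "Alerr" are my own choices; everything else follows the disassembly: each byte of the input string becomes ((byte + i) ^ i) % 0x1A + 'A', where i is the low byte of the loop counter (cl), the "% 0x1A" is the "div bl; shr ax, 8" pair (ah is zero on every pass, so ax equals al and the remainder ends up in al), an empty input fails (cmp ecx, 0), and the routine returns the length on success and 0 on failure. strcmp stands in for lstrcmpA, which gives the same answer for an equality test on A-Z strings.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical keygen (added example). Derives the expected serial from
 * `name` exactly as the loop at loc_401310 does and writes it NUL-terminated
 * into `out`. Returns the number of serial characters produced (the final
 * value of ecx in the routine).
 */
size_t make_serial(const char *name, char *out, size_t out_len)
{
    size_t i = 0;
    if (out_len == 0)
        return 0;
    for (; name[i] != '\0' && i < out_len - 1; i++) {
        uint8_t cl = (uint8_t)i;            /* inc ecx; only cl is used in the loop */
        uint8_t al = (uint8_t)name[i];      /* mov al, [esi] */
        al = (uint8_t)(al + cl);            /* add al, cl  (8-bit, wraps at 256) */
        al ^= cl;                           /* xor al, cl */
        al %= 0x1A;                         /* div bl; shr ax, 8  (ah == 0, so remainder -> al) */
        al += 0x41;                         /* add al, 41h  -> always one of 'A'..'Z' */
        out[i] = (char)al;                  /* mov [edi], al */
    }
    out[i] = '\0';                          /* mov byte ptr [edi], 0 */
    return i;
}

/*
 * Mirrors the tail of sub_4012F9: an empty name fails (cmp ecx, 0; jz),
 * otherwise the derived serial is compared with the entered one.
 * Returns the name length on success and 0 on failure, like the routine.
 */
size_t check_serial(const char *name, const char *serial)
{
    char expected[256];
    size_t len = make_serial(name, expected, sizeof expected);
    if (len == 0)
        return 0;                           /* xor eax, eax; jz short loc_40134E */
    return strcmp(expected, serial) == 0 ? len : 0;   /* lstrcmpA(String1, String2) */
}

int main(int argc, char **argv)
{
    /* constructed sample input, used when no name is given on the command line */
    const char *name = argc > 1 ? argv[1] : "Alerr";
    char serial[256];

    make_serial(name, serial, sizeof serial);
    printf("name: %s  serial: %s  check: %zu\n", name, serial,
           check_serial(name, serial));
    return 0;
}
```

Run it with the login you intend to type as the first argument and enter the printed string as the serial. Because every output byte is reduced modulo 26 and offset by 0x41, a valid serial always consists of uppercase letters only and is exactly as long as the name; that is a quick sanity check on any serial you derive by hand.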