Running the application gives these results:
This is a relatively easy crackme if you look “outside the box”, as the description says.
Here is the main function when opened in IDA:
Let's go to the end. Here we find these three references as the conditioning code; everything before it is just garbage to waste your time.
Here I have renamed them according to their functionality.
Bear with me a little; I will tell you why I renamed them like this.
But remember that Correct_Password is stored in ESI and Wrong_Password is stored in EDI.
This is what's inside Correct_Password:
And this is what Wrong_Password looks like:
And finally, the Validation_Function:
This is the only function we need to look at to work out the password algorithm.
Inside the validation function we find a few important pieces of information that determine the overall shape and size of our password.
As you can see, at 0x410100 the pointer to the given password is stored in the R8 register, so R8 points to the first character of the typed-in password “password”.
Now look at 0x410107, 0x41010E and 0x410115, where the fifth, tenth and sixth characters of the password are compared with the letter ‘M’, a space ‘ ’ and a double quote ‘"’ (IDA shows the ASCII values, which makes this easy to read). If they are not equal, the jnz takes us to 0x410133, where we jump again to RDI, which, if you remember, is Wrong_Password, and you get the “Wrong password!” prompt.
Take note that at 0x41011C the ninth character is compared with the slash character ‘/’, but in this case we jump to Wrong_Password if the letter matches, so it must not be ‘/’.
The last two cmp instructions at 0x410123 and 0x41012A are again garbage code, as the results of these comparisons are never checked.
We also conclude that the password must be at least 10 characters long because of the [r8+9].
In the end, this is what we are left with:
According to this formula, all of these sample passwords are valid:
# each of these has a single space at the end
'0000M"000 '
'asdfM"jkl '
'1234M"789 '
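As an added example (my own code, not part of the original writeup), here is a Python reconstruction of the four checks described above, using the offsets from R8 and the addresses given in the text; it reports which constraint a candidate would fail on its way to Wrong_Password.

```python
"""Reconstruction of the crackme's Validation_Function, built from the writeup's notes.

Offsets are zero-based from the password pointer held in R8.  The binary compares
[r8+4], [r8+9] and [r8+5] with jnz (mismatch -> Wrong_Password) and [r8+8] with a
jump taken on a match (match -> Wrong_Password).  The cmp instructions at 0x410123
and 0x41012A are never acted on, so they are left out here, just as they have no
effect in the binary.  Addresses and expected bytes come from the writeup; the
function names are my own.
"""

# (offset from R8, expected byte, must_match); must_match=False means "reject on match"
CHECKS = [
    (4, ord("M"), True),    # 0x410107: fifth character must be 'M'
    (9, ord(" "), True),    # 0x41010E: tenth character must be a space
    (5, ord('"'), True),    # 0x410115: sixth character must be a double quote
    (8, ord("/"), False),   # 0x41011C: ninth character must NOT be '/'
]


def failing_checks(password: str) -> list:
    """Return the reasons this password would reach Wrong_Password (empty if valid)."""
    data = password.encode()  # the binary compares bytes, not characters
    # [r8+9] must be a space, so a shorter (NUL-terminated) input can never pass
    if len(data) < 10:
        return [f"too short: need at least 10 bytes, got {len(data)}"]
    reasons = []
    for offset, expected, must_match in CHECKS:
        matches = data[offset] == expected
        if must_match and not matches:
            reasons.append(f"[r8+{offset}] is {chr(data[offset])!r}, expected {chr(expected)!r}")
        elif not must_match and matches:
            reasons.append(f"[r8+{offset}] must not be {chr(expected)!r}")
    return reasons


def validate(password: str) -> bool:
    """True if the password would be routed to Correct_Password."""
    return not failing_checks(password)


if __name__ == "__main__":
    # Constructed candidates: the writeup's three samples plus two that should fail.
    for candidate in ['0000M"000 ', 'asdfM"jkl ', '1234M"789 ', '0000M"00/ ', "too short"]:
        verdict = "Correct" if validate(candidate) else "Wrong"
        print(f"{candidate!r}: {verdict} password {failing_checks(candidate)}")
```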