Easy KeyGen
Last updated
We will be solving the Easy_CrackMe challenge.
Download location: Reversing.kr
Opening the binary in IDA shows the graph view of the entry function main. The entry function is fairly simple.
From IDA's static analysis of the binary, we notice that computations are performed on InputName, and the result is later compared against InputSerial via a strcmp call.
As stated in the challenge, we need to find the input name that produces the serial key 5B134977135E7D13.
Looking at the for loop presents a problem: i is set to 0 by the if condition inside the loop, and later an element of the array v7 is accessed at i-1, i.e. index -1, which is not correct.
We now dive into the corresponding assembly code to check whether this is a decompiler issue.
The first thing to notice is that in one of the initialisations the instruction mov ecx,31h is executed, setting ecx to 0x31.
The above are the instructions that directly affect ecx and control the jump to another address. The instruction or ecx,0FFFFFFFFh sets ecx to 0xFFFFFFFF. The next instruction, not ecx, performs a bitwise NOT and sets ecx to 0. The next instruction, dec ecx, decrements ecx further and sets it to -1. When test ecx,ecx is executed, ecx is found to be a signed int with ZF not set. Since ZF is not set, jle is not taken and the following instructions get executed.
The above instructions can be translated into
Also, as evident from the movsx instructions, the decremented esi is used directly to reference the variable, and there is no separate decrement of esi by 1. Hence the v7[i-1] shown by IDA should be v7[i].
This clearly means that the decompiled code produced by IDA was incorrect. The for loop can therefore be rewritten as:
IDA references v7 in the code for the XOR operation with the supplied input, implying there must be some hardcoded value in v7. As evident, v7 is an array of size 3, so we are looking for three 1-byte memory locations (a movsx instruction takes a BYTE) with some initialised value.
Looking in the assembly code, we find that this array consists of 0x10, 0x20 and 0x30.
The above script will recover the input as K3yg3nm3, which is the correct input for the given serial number.
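The keygen logic described above, as an added example that is not the author's script: it assumes the serial is the hex encoding of each name byte XORed with the 3-byte key 0x10, 0x20, 0x30 cycled by position, recovers the name from the challenge serial by applying the same XOR (XOR is its own inverse), and re-derives the serial from a name to confirm the round trip.

```python
# Added example: keygen for the XOR scheme described in the writeup above.
# Assumption: serial = hex of (name[i] XOR KEY[i % 3]) for each byte of the name.

KEY = bytes([0x10, 0x20, 0x30])  # the three byte values found in the binary's data


def serial_from_name(name: str) -> str:
    """Re-implement the binary's check: XOR each name byte with KEY[i % 3], hex-encode."""
    data = name.encode("ascii")
    return "".join(f"{b ^ KEY[i % len(KEY)]:02X}" for i, b in enumerate(data))


def name_from_serial(serial: str) -> str:
    """Invert the scheme: decode the hex serial and XOR with the same cycled key."""
    if len(serial) % 2 or not serial:
        raise ValueError("serial must be a non-empty, even-length hex string")
    data = bytes.fromhex(serial)
    plain = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))
    # A serial not produced by this scheme usually yields non-ASCII bytes here.
    return plain.decode("ascii")


if __name__ == "__main__":
    target = "5B134977135E7D13"  # serial given in the challenge
    name = name_from_serial(target)
    print(name)  # K3yg3nm3
    assert serial_from_name(name) == target
```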