Because the challenge can still be attempted, I am not giving the name of the competition; this is just a memo for myself.
First, in IDA, the first instruction before 401000 is skipped in order to repair the stack balance.
The validation function then turns out to be the one below; as you can see, the task is mainly to invert its algorithm.
My roommate was working on this problem at the same time; the solve came 10 minutes late because of getting stuck at the spot I analyse here. The thing to remember: what you see is what you get.
Tidy up the decompiled algorithm and, at the same time, run the program in OllyDbg; together they show roughly how the algorithm works.
----------------------------------Code------------------------------------------------
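/*
 * IDA decompiler pseudocode of the input-validation routine, restored to one
 * statement per line (on the page it was collapsed onto a single line, so
 * every "//" comment swallowed the code after it).
 *
 * Extraction notes:
 *   - The function name and the per-variable register annotations were
 *     replaced by "[email protected]" on the page; sub_XXXXXX is a placeholder
 *     and the lost annotations are omitted.
 *   - "PNS" in the length test is restored as 37, matching lenval, the
 *     author's own comment and the "len=37" note that follows the listing.
 *
 * What it does: for each of 37 input bytes it computes
 *     tmprs = (ROL8(1, sum & 3) + v11 + (455 ^ chr)) & 0xFF
 * compares it with one byte of a table reached through v_0x11 (walked from
 * offset 36 downwards), and adds tmprs to the running sum.  Any mismatch
 * returns 0; 37 matches return `result`, whose low word is 455.
 *
 * Because the expected bytes are stored in the binary and every step is
 * invertible, the accepted input can be derived statically: a check built
 * this way provides obfuscation only, not secrecy.
 */
int __usercall sub_XXXXXX@<eax>(int result@<eax>, int v_0x11, int str, signed int len)
{
  __int16 sum;
  signed int lenval;
  int ptr;
  int v7;
  char chr;
  unsigned int v9;
  char v10;
  char v11;
  __int16 tmprs;
  bool equal;
  int unuse;
  int result_2; // [sp+0h] [bp-Ch]@3

  sum = 0;
  lenval = 37;
  if ( len >= 37 )                        // len > 37
  {
    ptr = str;
    // v7 = ... at first (the rest of this author comment is garbled on the page)
    v7 = v_0x11 + 36;                     // start at the last of the 37 table bytes
    while ( 1 )
    {
      LOWORD(result) = 455;
      result_2 = result;
      chr = *(_BYTE *)ptr++;
      v9 = __readeflags();                // pushf
      v10 = __ROL1__(1, sum & 3);         // 8-bit rotate of 1, i.e. 1 << (sum & 3)
      __writeeflags(v9);                  // popf
      // v11 is never assigned in this pseudocode; the author's notes after
      // the listing conclude that it contributes the constant 1.
      tmprs = (unsigned __int8)(v10 + v11 + (result_2 ^ chr));
      sum += tmprs;
      equal = *(_BYTE *)v7 == (_BYTE)tmprs;   // key
      unuse = v7 + 1;
      if ( !equal )
        LOWORD(lenval) = 0;               // mismatch: force the loop to exit via break
      result = result_2;
      if ( !lenval )
        break;
      v7 = unuse - 2;                     // v7 = v7 - 1
      --lenval;
      if ( !lenval )
        return result;                    // all 37 bytes matched
    }
  }
  return 0;
}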
-----------------------------------------Code---------------------------------
len=37
sum = 0
while (1) {
    chr = str(ptr)
    tmprs = (__rol1__(1, sum & 3) + 1 + (455 ^ chr));   // middle term: not tmprs_low_bit, it should be 1!
    sum += tmprs;                                       // we know the values of tmprs and sum
    if (*value != tmprs) break;
    value--
    ptr++
    len--
    if (!j) return 1                                    // j: presumably the remaining len
}
With that, the inverse algorithm is easy to write.
-------------------------------------Code--------------------------
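# Inverse of the validation routine, restored to one statement per line
# (the page had collapsed the script onto a single line and mangled the
# identifier case, the empty string literal, one table byte and two numbers).
#
# The check computes, per input byte:
#     tmprs = ((1 << (sum & 3)) + 1 + (455 ^ chr)) & 0xFF
# and requires tmprs to equal the next table byte, so each input byte is
#     chr = (455 ^ ((table_byte - rol - 1) % 256)) % 256
sumv = 0      # running sum of the bytes already matched
lenv = 37     # number of bytes the check compares
rolv = 1      # 1 rotated left by (sumv & 3)
flag = 1      # the constant +1 term of the check
result = ""

# Expected bytes, as given by the author (presumably read from the binary in
# the order the check consumes them).
values = [0xa8, 0x9a, 0x90, 0xb3, 0xb6, 0xbc, 0xb4, 0xab, 0x9d, 0xae,
          0xf9, 0xb8, 0x9d, 0xb8, 0xaf, 0xba, 0xa5, 0xa5, 0xba, 0x9a,
          0xbc, 0xb0, 0xa7, 0xc0, 0x8a, 0xaa, 0xae, 0xaf, 0xba, 0xa4,
          0xec, 0xaa, 0xae, 0xeb, 0xad, 0xaa, 0xaf]

# The loop bound was garbled to "PNS" on the page; it is the same 37 as lenv.
for i in range(lenv):
    # The modulus after '%' was lost on the page; 256 matches the other
    # moduli and is a no-op here because the shift never exceeds 8.
    rolv = (1 << (sumv & 3)) % 256
    # '%' binds tighter than '^': reduce the difference first, then XOR.
    code = (455 ^ (values[i] - rolv - flag) % 256) % 256
    result = result + chr(code)
    # On a match the check's tmprs equals the table byte, so the running sum
    # advances by values[i].
    sumv = sumv + values[i]

# Single-argument call form prints the same text under Python 2 and Python 3.
print(result)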
"Reverse" Level2_very_success writeup