[Reverse Engineering] UTPHAX'15 - (FINAL) Challenge 6 - Privacy is no good

Description: Did I buy fake software?!
Points: 300


Why am I writing this write-up again? Because I want to show my new, and better, way to solve this challenge: reverse engineering. Haha.


So the challenge is to activate the notepad program. We open it and try to activate it with a dummy key, and of course we get "Try harder", since we don't know the real key.

(Screenshots: the activation input dialog, and the "Try harder" output.)



So I open the notepad binary in OllyDbg to study how the program works.


1) Search for referenced strings. Why? Because weird or interesting strings are the quickest way to understand what this program does.


We can see strings that catch our attention, especially "The flag is" followed by something like 1xxmak1xx.... So that is probably our flag.






2) Double-click the "Try harder" string to follow it in the disassembler and learn more about the algorithm. The "Try harder" string is referenced at 0x0040373E, so we need to work backwards and find out how execution reaches this address. At 0x00403733 the Hint Pane says "Jump from 00402C0F", which is a good hint: now we know where to go. Set a breakpoint here so it is easy to check later.




3) Go to address 0x00402C0F with Ctrl+G (or Right click -> Go to -> Expression) and enter 00402C0F. That takes us to the address. I set a breakpoint here as well.




At this address there is a JNZ BukuNota.00403733 instruction, and the instruction just above it is TEST EAX,EAX. TEST EAX,EAX sets the Zero Flag when EAX is 0 and clears it when EAX is not 0. JNZ means jump if not zero, i.e. jump when the Zero Flag is 0; in that case execution goes to our "Try harder" section at 00403733, otherwise it falls through to the next instruction. Of course we want it to fall through, right?

4) So we enter our dummy key again, and when execution stops at our breakpoint at 0x00402C0F we change the Zero Flag to 1.




I hope the arrows in the picture are clear. Haha. The right arrow shows where I double-clicked the Zero Flag value to change it to 1, which we call setting it. Then we click Run again, or press F9.

But we still end up in the "Try harder" section? Remember the breakpoint we set on the "Try harder" address, 0x00403733? So there must be another condition that leads there. We find it by clicking 0x00403733 and reading in the Hint Pane where the jump comes from.




5) The Hint Pane says "Jump from 00402E4D", so we go to that address to see what happens there.




See that? There are the strings "The" and " Flag"! Okay, relax. First we need to get past the JE instruction, which leads to our "Try harder" section when the Zero Flag is 1. So we just need to change the Zero Flag to bypass the JE instruction!




6) We enter dummy data, and change the Zero Flag to 1 at the JNZ instruction (0x00402C0F) and to 0 at the JZ instruction (0x00402E4D), two times each. I don't know why there is a loop. Haha.

So here we got our flag!
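To make the two gates concrete, here is an added C model of what the write-up found: a TEST EAX,EAX / JNZ gate at 0x00402C0F and a JE gate at 0x00402E4D, both branching to the same "Try harder" block. This is example code written for this page, not code from the challenge binary or from the original post; the key, the two check functions and the success string are constructed placeholders, because the real BukuNota check logic is not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the real key; the actual BukuNota check is not on the page. */
#define CONSTRUCTED_KEY "ABCD-1234"

/* TEST EAX,EAX computes EAX & EAX, discards the result and sets ZF when that
 * result is zero (i.e. EAX == 0); otherwise ZF is cleared. */
int zf_after_test(uint32_t eax)
{
    return (eax & eax) == 0;
}

/* JNZ jumps when ZF == 0; JZ/JE jumps when ZF == 1. */
int jnz_taken(int zf) { return zf == 0; }
int jz_taken(int zf)  { return zf == 1; }

/* Hypothetical first check (models the code before 0x00402C0F): returns
 * nonzero on failure, so TEST EAX,EAX / JNZ sends a bad key to "Try harder". */
static uint32_t first_check(const char *key)
{
    return strlen(key) != strlen(CONSTRUCTED_KEY);
}

/* Hypothetical second check (models the code before 0x00402E4D): returns
 * zero on failure, so the JE after it sends a bad key to "Try harder". */
static uint32_t second_check(const char *key)
{
    return strcmp(key, CONSTRUCTED_KEY) == 0;
}

/* Walk the two gates. An override of -1 leaves ZF as the CPU computed it;
 * 0 or 1 is the value a debugger user wrote into ZF at that breakpoint. */
const char *run_activation(const char *key, int zf_override_first, int zf_override_second)
{
    int zf = zf_after_test(first_check(key));
    if (zf_override_first >= 0)
        zf = zf_override_first;
    if (jnz_taken(zf))                       /* JNZ BukuNota.00403733 */
        return "Try harder";

    zf = zf_after_test(second_check(key));
    if (zf_override_second >= 0)
        zf = zf_override_second;
    if (jz_taken(zf))                        /* JE to the same "Try harder" block */
        return "Try harder";

    return "The flag is <constructed-flag>";  /* placeholder, not the real flag */
}

int main(void)
{
    printf("dummy, no override:      %s\n", run_activation("dummy", -1, -1));
    printf("dummy, ZF=1 at first:    %s\n", run_activation("dummy", 1, -1));
    printf("dummy, ZF=1 then ZF=0:   %s\n", run_activation("dummy", 1, 0));
    printf("correct key:             %s\n", run_activation(CONSTRUCTED_KEY, -1, -1));
    return 0;
}
```

Running it reproduces the write-up's observation: forcing ZF at the first branch alone still lands on "Try harder", because the second gate catches it, and only forcing both gates reaches the success string. It also shows why a licence check that reduces to a few flag-dependent branches, with the success text stored in plaintext, offers little protection: the decision is a single bit that the debugger user controls.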




I know my method is simple, just changing the Zero Flag, but it gets the job done, right? And it is better than the method I showed in the previous post. After this, maybe I will study the algorithm to recover the real activation key.
