Update rev05.md

sampritipanda committed Aug 24, 2018
1 parent 2060523 commit 59492638383e2817b87140b5dbdd8878670db7de
Showing with 98 additions and 2 deletions.
  1. +98 −2 whitehat-grandprix-2018/rev05.md
@@ -10,7 +10,57 @@ This program is a keygen of a vendor. Many company (bkav,vtv,vtc,voz,vna,fpt,fis
Reversing the `ctfq.exe` binary, we notice the main function first calls `sub_401090`.
```c
<insert_code_here sub_401090>
SOCKET sub_4014A0()
{
DWORD v0; // eax
SOCKET v1; // edi
DWORD v2; // eax
DWORD v3; // eax
struct sockaddr name; // [esp+8h] [ebp-1A8h]
struct WSAData WSAData; // [esp+18h] [ebp-198h]
name.sa_family = 2;
*(_DWORD *)&name.sa_data[2] = inet_addr("66.42.55.226");
*(_WORD *)name.sa_data = htons(0x22B8u);
WSAStartup(0x202u, &WSAData);
v0 = GetLastError();
sub_401010("startup socket er %d ", v0);
v1 = socket(2, 1, 6);
v2 = GetLastError();
sub_401010("socket er %d ", v2);
connect(v1, &name, 16);
v3 = GetLastError();
sub_401010("connect er %d\n", v3);
if ( v1 == -1 )
sub_4052AB("Pause");
return v1;
}
int sub_401090()
{
v0 = sub_4014A0();
s = v0;
v1 = send(v0, "111|test|test|test\n", 19, 0);
if ( v1 == -1 || v1 != 19 )
sub_401010("\nsend error %x\n", v1);
v2 = s;
memset(&buf, 0, 0x800u);
Sleep(0x3E8u);
v3 = recv(v2, &buf, 2048, 0);
v4 = v3;
if ( v3 > 0 )
{
v5 = malloc(v3);
memmove(v5, &buf, v4);
}
else
{
v5 = 0;
}
if ( !strstr((const char *)v5, "Ok fine") )
exit(0);
return sub_401010("\n work ok\n");
}
```
This looks to be connecting to `66.42.55.226:8888` and sends `111|test|test|test` and waits
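Review bot: The `<insert_code_here sub_401090>` placeholder on the first line of this code block should be removed now that the decompiled `sub_4014A0` and `sub_401090` listings have been pasted in, and the block would read better split into two fences, one per function, since the prose only introduces `sub_401090`. The pasted `sub_401090` has lost its local declarations (`v0`..`v5`, `s`, `buf`), so it no longer matches the decompiler output readers will see; either restore them or say they were trimmed. The prose claim of `66.42.55.226:8888` is consistent with the listing (`htons(0x22B8u)` is port 8888), and it is worth stating in the text that the program exits unless the reply contains `"Ok fine"` (`strstr(v5, "Ok fine")`), since that is why the later analysis depends on the server's response.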
@@ -90,7 +140,53 @@ So, if we send the company name `fis`, we get back a code. If we reverse through
program, we will find a serial key generation routine in `sub_401310`.
```c
<insert_code_here sub_401310>
int sub_401310()
{
int v0; // ecx
unsigned int v1; // edi
unsigned int v2; // kr00_4
unsigned int v3; // kr04_4
char v4; // al
unsigned int v5; // esi
unsigned __int8 v6; // al
char v8[256]; // [esp+8h] [ebp-210h]
char v9[256]; // [esp+108h] [ebp-110h]
char v10[12]; // [esp+208h] [ebp-10h]
sub_401010("\n companyname:\n");
gets(v10);
sub_401010("\n secret key:\n");
memset(v8, 0, 0x100u);
gets(v9);
v0 = 0;
v1 = 0;
v2 = strlen(v9);
if ( v2 )
{
v3 = strlen(v10);
do
{
if ( v0 == v3 )
v0 = 0;
v4 = v10[v0++];
v8[v1++] = v4;
}
while ( v1 < v2 );
}
v5 = 0;
if ( v2 )
{
do
{
v6 = v9[v5];
if ( v6 >= 0x61u && v6 <= 0x7Au )
v9[v5] = ((unsigned __int8)v8[v5] + v6 - 192) % 27 + 96;
++v5;
}
while ( v5 < strlen(v9) );
}
return sub_401010("\nkey:%s\n", v9);
}
```
It takes in the parameters `company name` and `serial key` and uses a custom algorithm to generate
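Review bot: The `<insert_code_here sub_401310>` placeholder on the first line of the code block should be deleted now that the listing is present. The closing sentence calls the second input `serial key` while the program prompts for `secret key` (`sub_401010("\n secret key:\n")`); use one name consistently. Two details of the listing deserve a sentence for readers reimplementing the routine: the company name is reused cyclically (`if ( v0 == v3 ) v0 = 0;`) to pad `v8` to the length of the key, and only bytes in `0x61..0x7A` are rewritten, with `% 27 + 96` giving an output range of 96..122 that includes the backtick, not just `'a'..'z'`.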
