The Problem

I’m a bit late to the game, as this challenge was posted almost 7 months ago – but better late then never, right?

This was a very fun challenge. I initially looked at it a few weeks ago, but after a couple hours, I was unable to solve it. I decided to come back to it today with fresh eyes, and after about 40 minutes, I was able to solve it. You can download the binary at 0x00SEC. Here are the rules:

No hints... Hints are for wimps... there are no hints in real life...

Post at least 3 valid username/keys combination in the comments. Do not forget to use the spoiler tag

Write-ups are welcomed...

This is a keygen style binary. It asks for a username and a key. The key is based off of the username.

The Twisted Road to Despair
by p1co

Enter Username (min 10 char): AAAAAAAAAA
Enter Key: My_Key
Keep Trying
Binary MD5 Download Link
TRtD 77eac5b018e58cfe262244546cd633bb

The Solution

This “solution” is a bit dirty. I can generate an unlimited number of valid user/key combos, but in order for me to do so I need to run the binary in a debugger.

The first check takes the username and checks to see if it shorter than 10 bytes long. If the username is shorter than 10 bytes long, the program will print “Username too short…try again…” and then exits.

0x004001c2      4183fd09       cmp r13d, 9                           ; 9
0x004001c6      c6040400       mov byte [rsp + rax], 0
0x004001ca      7f16           jg 0x4001e2
0x004001cc      488b353d3e20.  mov rsi, qword [0x00604010]           ; [0x604010:8]=0x604020
0x004001d3      bfd92d4000     mov edi, str.Username_to_short..._try_again..._n ; 0x402dd9 ; "Username to short... try again...\n"

If the username is longer then 9 bytes long, we get taken to 0x4001e2.

   ; JMP XREF from 0x004001ca (fcn.00400150)
0x004001e2      4889e7         mov rdi, rsp
0x004001e5      e826010000     call fcn.00400310
0x004001ea      bffc2d4000     mov edi, str.Enter_Key:               ; 0x402dfc ; "Enter Key: "
0x004001ef      31c0           xor eax, eax
0x004001f1      e8390a0000     call fcn.00400c2f
0x004001f6      488b15733e20.  mov rdx, qword [0x00604070]           ; [0x604070:8]=0x604080
0x004001fd      be00040000     mov esi, 0x400                        ; 1024
0x00400202      4889ef         mov rdi, rbp
0x00400205      e83a080000     call fcn.00400a44
0x0040020a      4c89e1         mov rcx, r12
0x0040020d      4889ef         mov rdi, rbp
0x00400210      4488f0         mov al, r14b
0x00400213      f2ae           repne scasb al, byte [rdi]
0x00400215      4489ea         mov edx, r13d
0x00400218      4889e7         mov rdi, rsp
0x0040021b      4889ee         mov rsi, rbp
0x0040021e      48f7d1         not rcx
0x00400221      448d61fe       lea r12d, [rcx - 2]
0x00400225      4d63e4         movsxd r12, r12d
0x00400228      42c684240004.  mov byte [rsp + r12 + 0x400], 0
0x00400231      e84c000000     call fcn.00400282
0x00400236      85c0           test eax, eax
0x00400238      bf082e4000     mov edi, str.Well_Done__n             ; 0x402e08 ; "Well Done!\n"
0x0040023d      7405           je 0x400244

At the end of this code block (0x00400236) we can see “test eax, eax”. In order for the “Well Done!\n” message to be displayed (and not overwritten), EAX must be zero. Before this check, EAX gets set to either zero (good) or one (bad) in fcn.00400282.

┌ (fcn) fcn.00400282 141
│   fcn.00400282 ();
│    ; CALL XREF from 0x00400231 (fcn.00400150)
│ 0x00400282      4156           push r14
│ 0x00400284      31c0           xor eax, eax
│ 0x00400286      4883c9ff       or rcx, 0xffffffffffffffff
│ 0x0040028a      4155           push r13
│ 0x0040028c      4989fd         mov r13, rdi
│ 0x0040028f      4889f7         mov rdi, rsi
│ 0x00400292      4154           push r12
│ 0x00400294      4989f4         mov r12, rsi
│ 0x00400297      55             push rbp
│ 0x00400298      53             push rbx
│ 0x00400299      89d3           mov ebx, edx
│ 0x0040029b      4883ec10       sub rsp, 0x10
│ 0x0040029f      f2ae           repne scasb al, byte [rdi]
│ 0x004002a1      48f7d1         not rcx
│ 0x004002a4      8d41ff         lea eax, [rcx - 1]
│ 0x004002a7      b902000000     mov ecx, 2
│ 0x004002ac      99             cdq
│ 0x004002ad      f7f9           idiv ecx
│ 0x004002af      8d7801         lea edi, [rax + 1]                    ; 1
│ 0x004002b2      89c5           mov ebp, eax
│ 0x004002b4      4863ff         movsxd rdi, edi
│ 0x004002b7      e893010000     call fcn.0040044f
│ 0x004002bc      39dd           cmp ebp, ebx
│ 0x004002be      7539           jne 0x4002f9
│ 0x004002c0      4989c6         mov r14, rax
│ 0x004002c3      31db           xor ebx, ebx
│    ; JMP XREF from 0x004002f7 (fcn.00400282)
│ 0x004002c5      488d3c1b       lea rdi, [rbx + rbx]
│ 0x004002c9      4c01e7         add rdi, r12                          ; 'n'
│ 0x004002cc      39dd           cmp ebp, ebx
│ 0x004002ce      7e30           jle 0x400300
│ 0x004002d0      488d54240c     lea rdx, [rsp + 0xc]                  ; 12
│ 0x004002d5      31c0           xor eax, eax
│ 0x004002d7      be902d4000     mov esi, str._02x                     ; section..rodata ; 0x402d90 ; "%02x"
│ 0x004002dc      e8c8030000     call fcn.004006a9
│ 0x004002e1      8b54240c       mov edx, dword [rsp + 0xc]            ; [0xc:4]=-1 ; 12
│ 0x004002e5      410fbe441d00   movsx eax, byte [r13 + rbx]
│ 0x004002eb      4188141e       mov byte [r14 + rbx], dl
│ 0x004002ef      0fb6d2         movzx edx, dl
│ 0x004002f2      48ffc3         inc rbx
│ 0x004002f5      39c2           cmp edx, eax
│ 0x004002f7      74cc           je 0x4002c5
│    ; JMP XREF from 0x004002be (fcn.00400282)
│ 0x004002f9      b801000000     mov eax, 1
│ 0x004002fe      eb02           jmp 0x400302
│    ; JMP XREF from 0x004002ce (fcn.00400282)
│ 0x00400300      31c0           xor eax, eax
│    ; JMP XREF from 0x004002fe (fcn.00400282)
│ 0x00400302      4883c410       add rsp, 0x10
│ 0x00400306      5b             pop rbx
│ 0x00400307      5d             pop rbp
│ 0x00400308      415c           pop r12
│ 0x0040030a      415d           pop r13
│ 0x0040030c      415e           pop r14
└ 0x0040030e      c3             ret

First, this function checks the length of the key (0x004002bc). The key length must be 2*length of the username. If the length of the key is good, we then enter a loop at 0x004002c5. This loop compares each byte of the user inputted key to the correct key. Within the loop at 0x004002eb, if you check the value of “r13 + rbx,” the correct key will be shown. Here are three valid user/key combos:


The Twisted Road to Despair
by p1co

Enter Username (min 10 char): CarlosWasHere
Enter Key: 4f617260637755657f46697063
Well Done!

The key is generated off of the username in fcn.00401946. This is a huge and complicated function that I have not yet completely reversed. I’d be curious to read any write-ups that show the process of reversing this function.

Overall, this was a really fun challenge and I enjoyed working through it.