Open the program in a PE inspection tool, which shows that it is packed with ASPack.
Use an unpacking tool to remove the packer.
Run the file. It asks us to register, so enter arbitrary values, as shown in the figure:
I found a pop-up box, which is a very important clue. Set a breakpoint and analyze it in OllyDbg (OD):
After entering arbitrary input, execution reaches the login-failure pop-up window.
Analyzing the nearby assembly shows that whenever the two compared values are not equal, execution always jumps to 004012A1.
I counted sixteen. It is roughly estimated that the correct format is an input of 16 characters. Restart the program at 004012A4 and input 16 characters to start the analysis:
Pass[0]==B: this character is compared directly with 0x42, which is the ASCII code for the character B.
Pass[15]==Y: the character is stored in the eax register, then 0x42 is added to equal 0x57, and the calculated value converts to Y.
Pass[1]==Z: this time the value is stored in ecx and the lea instruction is used, which stores the value in ecx minus 3 into eax; use 0x57 minus 3 to convert it to Z. The later characters are calculated in roughly the same way.
Note that pass[0] to pass[15] are laid out from ebp-0x240 to ebp-0x231.
Pass[14]==A
Pass[2]==9
Pass[13]==b
Pass[3]==d
Pass[12]==7
Pass[4]==m
Pass[11]==G
Pass[5]==q
Pass[10]==9
Pass[6]==4
Pass[9]==g
Pass[7]==c
Pass[8]==8
After sorting, the required string is BZ9dmq4c8g9G7bAY.
The mailbox input format is [email protected].
The registration code is: BZ9dmq4c8g9G7bAY
flag{ BZ9dmq4c8g9G7bAY }
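
The sorting step above, as an added example that is not part of the original write-up: the checks are met in outside-in order (pass[0], pass[15], pass[1], pass[14], ...), so the recovered characters have to be placed back at their indices. The function names are hypothetical, and OBSERVED is built from the characters listed above in the order they were found.

```python
# Added example: rebuild the registration code from the order in which
# the debugging session met the per-character checks.

EXPECTED_LEN = 16   # the write-up estimates a 16-character input
BUF_START = 0x240   # pass[0] sits at ebp-0x240 according to the write-up

# Characters in the order the checks appear in the walkthrough:
# pass[0], pass[15], pass[1], pass[14], ..., pass[7], pass[8]
OBSERVED = "BYZA9bd7mGq94gc8"


def check_order(n):
    """Indices in outside-in order: 0, n-1, 1, n-2, ..."""
    order = []
    lo, hi = 0, n - 1
    while lo < hi:
        order += [lo, hi]
        lo += 1
        hi -= 1
    if lo == hi:    # odd length: the middle index comes last
        order.append(lo)
    return order


def stack_slot(index):
    """Stack location of pass[index], formatted like 'ebp-0x240'."""
    if not 0 <= index < EXPECTED_LEN:
        raise ValueError("index outside the 16-byte buffer")
    return "ebp-0x%X" % (BUF_START - index)


def reassemble(observed):
    """Place each observed character at the index its check refers to."""
    if len(observed) != EXPECTED_LEN:
        raise ValueError("expected %d characters" % EXPECTED_LEN)
    out = [None] * EXPECTED_LEN
    for ch, idx in zip(observed, check_order(EXPECTED_LEN)):
        out[idx] = ch
    return "".join(out)


if __name__ == "__main__":
    code = reassemble(OBSERVED)
    for i, ch in enumerate(code):
        print("pass[%2d] @ %s = %r" % (i, stack_slot(i), ch))
    print(code)
```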