So, what’s going on here? Well, basically:
cl is used as an index and is compared against a hardcoded value that increments each time (0, 1, 2 ... 9), and
edx is used in pairs of blocks where it is either incremented or decremented by one; then a hardcoded value is compared against
al’s content, and execution goes back to the start of the algorithm if the condition is met.
After reading the code we can conclude that each of those blocks is an individual check on one character of the password.
Here’s one of the block groups highlighted in white:
edx is used as a “checks counter” and ecx is the index of the password character we are checking. If the check passes, edx is incremented; otherwise, it’s decremented.
At the end of this chain of checks there’s a final validation that checks whether all 10 checks have passed and shows the “Password is correct :)” message if that’s the case.
The majority of the conditions in place are “open-ended” (less than or equal to, greater than, etc.), so we can conclude that this isn’t a one-solution puzzle and writing a keygen is the best option.
Using the list of conditions we gathered from the static analysis we can proceed to create a keygen using some Python itertools magic. We just need to write down every check we saw, derive the set of characters that satisfies each one, and generate all the possible combinations for the given set of conditions. The overall logic should look similar to this:
import itertools

# One iterable of allowed characters per password position (10 in total),
# each derived from the comparison found in the corresponding block.
password_template = [
]

# itertools.product yields every combination, one candidate per position.
for p in itertools.product(*password_template):
    print("".join(p))
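As an added, self-contained illustration (not the author’s script), the following Python sketch turns a table of per-position comparisons into the candidate sets, enumerates passwords with itertools.product, and re-implements the edx counter so every generated code can be re-checked. The ten comparisons in CONSTRAINTS, the candidate alphabet, and the assumption that the final validation requires edx == 10 are constructed placeholders, not the crackme’s real checks.

```python
import itertools
import operator
import string

# Comparison operators the conditional jumps in the blocks map onto.
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

# Hypothetical placeholder table: one (op, imm8) per password position,
# standing in for the real "cmp al, imm8" found in each block.
CONSTRAINTS = [
    ("==", ord("C")), ("==", ord("T")), ("==", ord("F")),
    (">=", ord("x")), ("<", ord("2")), (">", ord("Y")),
    ("<=", ord("1")), ("==", ord("9")), (">=", ord("y")),
    ("<", ord("1")),
]

# Assumed candidate alphabet (the binary compares raw bytes; narrowed here).
ALPHABET = string.ascii_letters + string.digits


def candidates(op, imm, alphabet=ALPHABET):
    """Characters whose byte value satisfies one block's comparison."""
    return [c for c in alphabet if OPS[op](ord(c), imm)]


def build_template(constraints):
    """password_template: one candidate list per position."""
    return [candidates(op, imm) for op, imm in constraints]


def check_password(pw, constraints):
    """Mirror of the check chain: edx is incremented for a passed check and
    decremented for a failed one; the final validation is assumed to
    require every check passed, i.e. edx == len(constraints)."""
    if len(pw) != len(constraints):
        return False
    edx = 0
    for ch, (op, imm) in zip(pw, constraints):
        edx += 1 if OPS[op](ord(ch), imm) else -1
    return edx == len(constraints)


def keygen(constraints, limit=None):
    """Enumerate passwords satisfying every constraint (first `limit` only)."""
    gen = ("".join(p) for p in itertools.product(*build_template(constraints)))
    return list(itertools.islice(gen, limit))


if __name__ == "__main__":
    for pw in keygen(CONSTRAINTS, 5):
        print(pw, check_password(pw, CONSTRAINTS))
```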
If you are interested in the details, here’s the GitHub link to the full script:
Using the script we can proceed to get some juicy valid codes with ease.
I hope you liked the writeup, until next time!