You're probably wondering what the title refers to, so I'll jump to the point. My dad likes writing simple programs and securing them with ridiculous forms of security that are usually easily bypassed. This time however, tired of me making jokes about his "security", he's actually done something not easily bypassed and made a bet with me to try and crack it. My soda supply is at stake here guys, and what I assumed would be an easy task is much more difficult than I expected.
Ok, so here it is. I assumed my dad wrote the program in C (cuz he's an old fart), for which I thought I could use a decompiler such as Boomerang to give me regular syntax. This time he used C++ and I believe there aren't any decompilers for that (?). Here's where the ASM comes in, of which I know very, very little, so I disassembled the file with IDA Pro and am presented with the assembly code.
Knowing very little about assembly, I think I've found some essential code that I can use to crack his key:
.text:004AA1D4 loc_4AA1D4: ; CODE XREF: sub_4AA050+159j
.text:004AA1D4 push 0Bh
.text:004AA1D6 mov ebx, 0Fh
.text:004AA1DB push offset aPasswrd ; "Passwrd"
.text:004AA1E0 lea ecx, [ebp+var_6C]
.text:004AA1E3 mov [ebp+var_54], ebx
.text:004AA1E6 mov [ebp+var_58], 0
.text:004AA1ED mov byte ptr [ebp+var_68], 0
.text:004AA1F1 call sub_405E90
.text:004AA1F6 mov byte ptr [ebp+var_4], 1
.text:004AA1FA push 0Bh
.text:004AA1FC xor edi, edi
.text:004AA1FE push offset aDrwssaP ; "DrwssaP"
.text:004AA203 lea ecx, [ebp+var_50]
.text:004AA206 mov [ebp+var_38], ebx
.text:004AA209 mov [ebp+var_3C], edi
.text:004AA20C mov byte ptr [ebp+var_4C], 0
.text:004AA210 call sub_405E90
.text:004AA215 mov byte ptr [ebp+var_4], 2
.text:004AA219 cmp [ebp+var_54], 10h
.text:004AA21D mov eax, [ebp+var_68]
.text:004AA220 jnb short loc_4AA225
.text:004AA222 lea eax, [ebp+var_68]
I'm just learning asm so bear with me.
push offset aPasswrd ; "Passwrd" ; so its putting this offset to stack
So I jumped to the operand for aPasswrd and it gives me
.rdata:0054DCDC loc_54DCDC: ; DATA XREF: sub_4AA050+18Bo
.rdata:0054DCDC push ebx
.rdata:0054DCDD jns short near ptr aC9743f24b3d8b6+1Dh
.rdata:0054DCDF jz short near ptr aC9743f24b3d8b6+19h
.rdata:0054DCE1 imul esp, [ebp+79h], 73h
.rdata:0054DCE1 ; ---------------------------------------------------------------------------
.rdata:0054DCE5 db 69h ; i
.rdata:0054DCE6 db 61h ; a
.rdata:0054DCE7 db 0
I have no idea what value that produces, so if someone could explain that it would be great. Would that possibly produce the password?
Alright, so I'll disregard that crap; I wanna trigger an "unlock" event instead if I can't figure out his password.
.text:0049261E loc_49261E: ; CODE XREF: sub_492590+78j
.text:0049261E xor eax, eax
.text:00492620 push edi ; hMem
.text:00492621 mov [ebp+esi*2+0], ax
.text:00492626 call ds:GlobalUnlock
.text:0049262C pop esi
I'm thinking that does it, but what of it? I can program in C++, C, and VB, but I have a very basic understanding of asm. How can I call the unlock function externally? I've read you can poke at a certain register but I haven't a clue how.
Thanks guys, your help is really appreciated. Drinks (sodas) on me if you can help me out :)
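As an added example (not code from the original post): re-encoding the instructions IDA printed at .rdata:0054DCDC back to their x86 bytes and reading them as ASCII shows the disassembler treated string data as code. The two jns/jz displacement bytes aren't visible in the post, so they're placeholders here.

```python
# Added example, not from the original post. Re-encodes the instructions shown
# at .rdata:0054DCDC into their x86 bytes and reads the result as ASCII: the
# bytes at the label are string data that IDA displayed as instructions.
#
# x86 encodings of the instruction forms in the listing:
#   push ebx                     -> 53
#   jns short rel8               -> 79 cb   (cb = 8-bit displacement, not shown)
#   jz  short rel8               -> 74 cb
#   imul esp, [ebp+disp8], imm8  -> 6B /r ib, ModRM 65h = mod 01, reg esp, rm ebp
#   db XXh                       -> XX
LISTING = [
    ("push ebx", [0x53]),
    ("jns short aC9743f24b3d8b6+1Dh", [0x79, None]),  # None: byte not in post
    ("jz short aC9743f24b3d8b6+19h", [0x74, None]),
    ("imul esp, [ebp+79h], 73h", [0x6B, 0x65, 0x79, 0x73]),
    ("db 69h", [0x69]),
    ("db 61h", [0x61]),
    ("db 0", [0x00]),
]


def listing_bytes(listing):
    """Flatten the listing into the byte sequence stored at the label."""
    return [b for _, bs in listing for b in bs]


def as_c_string(bs, unknown="?"):
    """Read bytes as a NUL-terminated ASCII string; '?' marks bytes not shown."""
    out = []
    for b in bs:
        if b == 0:
            break
        if b is None:
            out.append(unknown)
        else:
            out.append(chr(b) if 0x20 <= b < 0x7F else ".")
    return "".join(out)


def printable_ratio(bs):
    """Fraction of known, non-NUL bytes that are printable ASCII.
    Real code rarely scores near 1.0; string data almost always does."""
    known = [b for b in bs if b is not None and b != 0]
    return sum(0x20 <= b < 0x7F for b in known) / len(known) if known else 0.0


if __name__ == "__main__":
    raw = listing_bytes(LISTING)
    text = as_c_string(raw)
    print("bytes:", " ".join("??" if b is None else f"{b:02X}" for b in raw))
    # length 11 = the 0Bh the .text code pushes right before the string offset
    print("as text:", repr(text), "length", len(text))
    print("printable ratio:", printable_ratio(raw))
```

The string length that comes out equals the 0Bh pushed just before `push offset aPasswrd` in the .text listing, which is the usual (pointer, length) pair rather than a computation that "produces" anything.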