Suninatas Game 11

Posted on Edited on In Views: Disqus: Word count in article: 375 Reading time ≈ 1 mins.

challenges

Game 11

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
❯ file Project1.exe
Project1.exe: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 8 sections

check the string
CODE:0045041C	00000010	C	Congratulation!
CODE:00450434	0000000B	C	Authkey :
CODE:004504B8	00000009	C	2abbe4b6
CODE:004504CC	00000009	C	44536ca0
CODE:004504E0	00000009	C	81aae922
CODE:004504F4	00000009	C	e32fa0de

check reference
_TForm1_FormCreate proc near
push    ebx
mov     ebx, eax
lea     eax, [ebx+300h]
mov     edx, offset _str_2abbe4b6.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
lea     eax, [ebx+304h]
mov     edx, offset _str_44536ca0.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
lea     eax, [ebx+308h]
mov     edx, offset _str_81aae922.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
lea     eax, [ebx+30Ch]
mov     edx, offset _str_e32fa0de.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
push    dword ptr [ebx+300h]
push    dword ptr [ebx+308h]
push    dword ptr [ebx+304h]
push    dword ptr [ebx+30Ch]
lea     eax, [ebx+324h]
mov     edx, 4
call    @System@@LStrCatN$qqrv ; System::__linkproc__ LStrCatN(void)
pop     ebx
retn
_TForm1_FormCreate endp

get auth
2abbe4b681aae92244536ca0e32fa0de

or

check decompiled code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
int __fastcall TForm1_Button1Click(int a1)
{
  ...
  System::__linkproc__ LStrAsg(a1 + 784, &str_2V[1]);
  System::__linkproc__ LStrAsg(a1 + 788, &str_XS[1]);
  System::__linkproc__ LStrAsg(a1 + 792, &str_B6[1]);
  System::__linkproc__ LStrAsg(a1 + 796, &str_H1[1]);
  System::__linkproc__ LStrAsg(a1 + 800, &str_0F[1]); // get string

  System::__linkproc__ LStrCatN(
    a1 + 816,
    5,
    v2,
    *(_DWORD *)(a1 + 792),
    *(_DWORD *)(a1 + 796),
    *(_DWORD *)(a1 + 788),
    *(_DWORD *)(a1 + 800)); // rearrange
    ...
}

rearrange is odd check asm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
lea     eax, [ebx+310h]
mov     edx, offset _str_2V.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
lea     eax, [ebx+314h]
mov     edx, offset _str_XS.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
lea     eax, [ebx+318h]
mov     edx, offset _str_B6.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
lea     eax, [ebx+31Ch]
mov     edx, offset _str_H1.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
lea     eax, [ebx+320h]
mov     edx, offset _str_0F.Text
call    @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
push    dword ptr [ebx+310h] // 2V
push    dword ptr [ebx+318h] // B6
push    dword ptr [ebx+31Ch] // H1
push    dword ptr [ebx+314h] // XS
push    dword ptr [ebx+320h] // 0F

// get password 2VB6H1XS0F
// input and get auth