When decompiling the application using ILspy we find the following relevant code bits:
private byte[] Field_00 = new byte[] { 20, 0x16, 100, 0x17, 0x15, 0x63, 100, 0x67, 0x18, 0x18, 0x19, 0x60, 0x19, 0x67, 0x10, 0x15, 0x10, 0x18, 0x16, 0x11, 0x62, 0x67, 0x67, 0x10, 0x17, 0x12, 0x67, 0x18, 0x11, 0x63, 0x60, 0x12 }; private byte[] Field_01 = new byte[] { 0x61, 0x5d, 0x40, 0x40, 0x4b, 0x13, 0x12, 0x6b, 0x5d, 0x47, 0x12, 0x54, 0x53, 0x5b, 0x5e, 0x57, 0x56, 0x12, 0x4a, 0x62, 0x12, 0x12, 0x66, 0x40, 0x4b, 0x12, 0x73, 0x55, 0x53, 0x5b, 0x5c, 0x13 }; private void checkButton_Click(object A_0, EventArgs A_1) { int value = this.valueBar1.Value; int value2 = this.valueBar2.Value; int value3 = this.valueBar3.Value; int num = this.valueBar2.Value * this.valueBar3.Value; int num2 = value * 3; if (value + num - value2 + value * value * value2 - value3 == value2 * (value3 * 34 + (num2 - value)) + 7488 && value > 77) { MessageBox.Show(this.Method_05(value, value2, value3, (byte[])this.Field_00.Clone(), num, num2)); return; } MessageBox.Show(this.Method_06(value, value2, value3, (byte[])this.Field_00.Clone(), num, num2)); }
So in essence we need to pass some math evaluation in order to trigger the code that displays the OK string. Both the OK and FAIL strings are XOR-encoded to not give away anything.
Quick 'n dirty bruteforce tool:
<? for($v1=0; $v1 <= 0xff; $v1++) { for($v2=0; $v2 <= 0xff; $v2++) { for($v3=0; $v3 <= 0xff; $v3++) { $num = $v2 * $v3; $num2 = $v1 * 3; if ( $v1 + $num - $v2 + $v1 * $v1 * $v2 - $v3 == $v2 * ($v3 * 34 + ($num2 - $v1)) + 7488 && $v1 > 77 ) die("GOT IT: $v1,$v2,$v3\n"); } } } ?>
blasty@mekboek$ time php brute.php GOT IT: 89,144,233 real 0m2.586s user 0m2.549s sys 0m0.024s
Geen opmerkingen:
Een reactie posten