App 7

by **sd668** on Fri Apr 25, 2008 6:06 am ([msg=1264]see App 7[/msg])

I am able to get a congratulations string dumped by using ollydbg but it does not work. Looks like it is still encrypted possibly ? any tips ?

by **sharpskater69** on Fri Apr 25, 2008 7:15 pm ([msg=1351]see Re: App 7[/msg])

That's because the buffer the password is in is based off your input. Try to follow the variables from where you give input. There is a certain sum you have to make, and you can see that value easily. The real question is what operations are done on your input and how is the sum generated to be checked against that number.

by **sd668** on Mon Apr 28, 2008 1:22 am ([msg=1587]see Re: App 7[/msg])

Thankyou. You have pointed me in the right direction.

Cheers
S.

by **int3grate** on Wed May 28, 2008 11:07 pm ([msg=3461]see Re: App 7[/msg])

That's because the buffer the password is in is based off your input. Try to follow the variables from where you give input. There is a certain sum you have to make, and you can see that value easily. The real question is what operations are done on your input and how is the sum generated to be checked against that number.

Yeah, this mission was a pain in the ass. Your basically going to have to find a valid key to put in that will make said sum, that will give you your password. Good luck!

Int3grate

by **hacksys1337** on Fri Aug 15, 2008 5:19 pm ([msg=9825]see Re: App 7[/msg])

Can anyone help im lost i kind of know where to start but im not familiar with ollydbg but i was able to find the message that states "the password is '%s'" and i try searching the code for %s and im not finding anything. Please help

thanks

by **SMK** on Sun Aug 17, 2008 7:25 am ([msg=9902]see Re: App 7[/msg])

Can somebody give my a hint on this?
I tried bruteforcing the pass, and currently it's at
the sum of chars=8197104
and still no result. This is insanely big. Should the actual pass be like this?

by **muller2008** on Sun Aug 17, 2008 8:25 am ([msg=9908]see Re: App 7[/msg])

Hi, you should have got something like this when you found the "Congratulations, The password is% s"

0040118C |. 817D E8 CA0D0> CMP DWORD PTR SS: [EBP-18], 0DCA
00401193 |. 75 13 JNZ SHORT app7win.004011A8
00401195 |. 8D4D EC LEA ECX, DWORD PTR SS: [EBP-14]
00401198 |. 51 PUSH ECX
00401199 |. 68 94804000 PUSH app7win.00408094; ASCII

"Congratulations, The password is'% s'"

0040119E |. E8 18000000 CALL app7win.004011BB
004011A3 |. 83C4 08 ADD ESP, 8

004011A6 |. EB 0D JMP SHORT app7win.004011B5
004011A8 |> 68 BC804000 PUSH app7win.004080BC; ASCII

What you are looking for to get is something like: 0x2F1
You need to find out its sum and work out the hex of the sum changing into ascii to give you something else.
When you find out this bit you will have the correct password to insert into the question: "Please Enter the Password:" and so on,,,,,,,,,,

by **SMK** on Mon Aug 18, 2008 1:04 am ([msg=9950]see Re: App 7[/msg])

lol, my bruteforcer had some problems, and I didn't clear the 0s :shock:

no wonder it never ended
The mission ended up being really easy

What you are looking for to get is something like: 0x2F1

I thought it was a hint, it's true

that might make the mission too easy :p

by **vivekn** on Mon Apr 20, 2009 9:10 pm ([msg=22178]see Re: App 7[/msg])

but the sum is not an ascii total,there is a different algorithm ,each character seems to have a code diff from its ascii one

by **struz** on Wed Jun 17, 2009 11:33 am ([msg=25481]see Re: App 7[/msg])

Wow. This one was pretty hard. The 0x2F1 hint is really *really* obvious but only after you finish. I ended up writing something that would brute-force the value once I knew how it was calculated and went from there.

I'm going to add a hint for other people who have trouble on this:
You don't need the real password to get the real password.