easy keyg3nme Walkthrough

(Updated: )
,
reference ezman's easy keyg3nme

Use horsicq/Detect-It-Easy to identify the binary first:

Here I use two methods:

radare2

pdf @ main to print disassemble function main:

Address 0x55ee5b4f11b4 and 0x55ee5b4f11b4 need register eax to be 1 to go to address 0x55ee5b4f11b9.

pdf @ sym.validate_key:

Function validate_key:

validate_key
1
2
3
4
5
6
7
8
9
10
11
12
13
mov ecx, dword [var_4h] ; ecx = arg1
mov edx, 0x1acb0aad     ; edx = 0x1acb0aad
mov eax, ecx            ; eax = ecx
imul edx                ; edx:eax = eax * edx  ; arg1 * 0x1acb0aad     ; edx_new * (2**32) + eax_new = arg1 * 449514157
sar edx, 7              ; edx /= 2 ** 7
mov eax, ecx            ; eax = ecx
sar eax, 0x1f           ; eax /= 2 ** 31       ; eax = arg1 / (2**31)  ; mostly eax = 0
sub edx, eax            ; edx -= eax                                   ; mostly edx -= 0
mov eax, edx            ; eax = edx
imul eax, eax, 0x4c7    ; eax *= 0x4c7                                 ; mostly eax = edx * 0x4c7
sub ecx, eax            ; ecx -= eax                                   ; mostly ecx -= edx * 0x4c7
mov eax, ecx            ; eax = ecx                                    ; mostly eax = ecx - edx * 0x4c7
test eax, eax           ; zf = (eax == 0)                              ; mostly (ecx - edx * 0x4c7) == 0

I’ve not figured out what does it mean by edx_new * (2**32) + eax_new = arg1 * 449514157.

Try to set register edx to 1 after executing sar edx, 7, which leads register ecx to 0x4c7.

Verify imul edx:

0x80 is just 128.

Also set register edx to 2, which leads register ecx to 0x98e.

ghidra

Use ghidra is quite easy, thanks to the build-in decompiler.

Load the binary to ghidra, and navigate to Symbol Tree to enumerate existed functions:

Navigate to function validate_key:

Navigate to function main:

Function main:

  1. read variable local_14 from stdin
  2. pass variable local_14 to function validate_key, get result in variable iVal1
  3. check variable iVal1

proof