SRM (50 pts)

Question:

The flag is : The valid serial number

Write-Up:

Analyze the file by Trid.

-> trid_windows.exe RM.exe

TrID/32 - File Identifier v2.20 - (C) 2003-15 By M.Pontello
Definitions found:  5988
Analyzing...

Collecting data from file: RM.exe
 64.6% (.EXE) Win64 Executable (generic) (27646/36/4)
 15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
 10.5% (.EXE) Win32 Executable (generic) (4508/7/1)
  4.6% (.EXE) Generic Win/DOS Executable (2002/3)
  4.6% (.EXE) DOS Executable Generic (2000/1)

So this is a Win64 PE. Analyze the file by ExeInfo for detecting file packer!

PE info.

The file is not Packed. Analyze the file by IDAPro! You can see strings in Ida.

PE strings in Ida pro

Find this string in code (Alt+T), perhaps we can find the validator function!

Validator function

We could find series of branch that seems it’s the validator function, lets reverse it. As you see below the first user input compared with C, and [the last user input] + 'C' compared with 155(9Bh), so the last input character must be X(155-'C'). You can get the others by a series of simple iterative work!

Get the valid key!

At the end the flag is CZ9dmq4c8g9G7bAX.