Root Me: Cracking: PE - 0 protection
Since this challenge has no protection, we can solve it by searching for the string in IDA's Strings window.
Select from the menu: View -> Open Subviews -> Strings, then double-click on this entry:
.rdata:00404053 0000000D C Gratz man :)
You should now be in the .rdata section of the binary. While the string is still selected, right-click on it and choose "Xrefs graph to..."; this gives you a graph of the functions that reference the string.
There should be 3 functions: Main -> SUB0 -> SUB1. Find the SUB1 function in the Functions window and double-click on it.
Here you can see the following data:
[code]
.text:00401726 interrestingFunction2 proc near ; CODE XREF: interrestingFunction1+35↓p
.text:00401726
.text:00401726 Format = dword ptr -28h
.text:00401726 var_C = dword ptr -0Ch
.text:00401726 arg_0 = dword ptr 8
.text:00401726 arg_4 = dword ptr 0Ch
.text:00401726
.text:00401726 push ebp
.text:00401727 mov ebp, esp
.text:00401729 sub esp, 28h
.text:0040172C mov [ebp+var_C], 0
.text:00401733 cmp [ebp+arg_4], 7 ; The password is 7 characters long.
.text:00401737 jnz short loc_4017AA ; the wrong password location
.text:00401739 mov eax, [ebp+arg_0]
.text:0040173C movzx eax, byte ptr [eax]
.text:0040173F cmp al, 'S' ; Here's the beginning of the password.
.text:00401741 jnz short loc_4017AA
.text:00401743 mov eax, [ebp+arg_0]
.text:00401746 add eax, 1
.text:00401749 movzx eax, byte ptr [eax]
.text:0040174C cmp al, 'P'
.text:0040174E jnz short loc_4017AA
.text:00401750 mov eax, [ebp+arg_0]
.text:00401753 add eax, 2
.text:00401756 movzx eax, byte ptr [eax]
.text:00401759 cmp al, 'a'
.text:0040175B jnz short loc_4017AA
.text:0040175D mov eax, [ebp+arg_0]
.text:00401760 add eax, 3
.text:00401763 movzx eax, byte ptr [eax]
.text:00401766 cmp al, 'C'
.text:00401768 jnz short loc_4017AA
.text:0040176A mov eax, [ebp+arg_0]
.text:0040176D add eax, 4
.text:00401770 movzx eax, byte ptr [eax]
.text:00401773 cmp al, 'I'
.text:00401775 jnz short loc_4017AA
.text:00401777 mov eax, [ebp+arg_0]
.text:0040177A add eax, 5
.text:0040177D movzx eax, byte ptr [eax]
.text:00401780 cmp al, 'o'
.text:00401782 jnz short loc_4017AA
.text:00401784 mov eax, [ebp+arg_0]
.text:00401787 add eax, 6
.text:0040178A movzx eax, byte ptr [eax]
.text:0040178D cmp al, 'S'
.text:0040178F jnz short loc_4017AA
.text:00401791 mov eax, offset aGratzMan ; "Gratz man :)" ; the password confirmation message
.text:00401796 mov [esp+28h+Format], eax ; Format
.text:00401799 call printf
.text:0040179E mov [esp+28h+Format], 0
.text:004017A5 call exit
[/code]
We can see that arg_0 is a pointer to a byte array, and we can assume that arg_4 is the length of that array. In the listing, after the length check, the bytes that arg_0 points to are compared with the password one character at a time. To switch a constant between its hex and character representation, select the line and press R.
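The same check written out by hand in C, as an added example rather than code from the challenge or from this write-up. The names check_password, buf and len are assumptions (the binary has no symbols), and the driver and the failure path stand in for parts the listing does not show.

```c
#include <stdio.h>
#include <string.h>

/* Hand-written C equivalent of the listing at .text:00401726.
 * Assumed names: check_password, buf (arg_0), len (arg_4). */
int check_password(const char *buf, int len)
{
    /* cmp [ebp+arg_4], 7 ; jnz loc_4017AA */
    if (len != 7)
        return 0; /* assumption: loc_4017AA (not shown) is the failure path */

    /* Each group "mov eax,[ebp+arg_0] / add eax,N / movzx eax,byte ptr [eax]
     * / cmp al,imm8 / jnz loc_4017AA" tests one byte: buf[N] != imm8. */
    if (buf[0] != 'S') return 0; /* 0040173F */
    if (buf[1] != 'P') return 0; /* 0040174C */
    if (buf[2] != 'a') return 0; /* 00401759 */
    if (buf[3] != 'C') return 0; /* 00401766 */
    if (buf[4] != 'I') return 0; /* 00401773 */
    if (buf[5] != 'o') return 0; /* 00401780 */
    if (buf[6] != 'S') return 0; /* 0040178D */

    /* The binary calls printf("Gratz man :)") and exit(0) here;
     * this version returns 1 so the result can be checked by a caller. */
    return 1;
}

/* Assumed driver: how the real program obtains its input is not shown. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 2;
    }
    if (check_password(argv[1], (int)strlen(argv[1]))) {
        puts("Gratz man :)");
        return 0;
    }
    puts("wrong password"); /* constructed message, not from the binary */
    return 1;
}
```

Because every expected byte is an immediate operand of a cmp instruction, the whole secret can be read directly from the disassembly, which is why the string search followed by a cross-reference is enough here.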
Thanks for reading, happy hacking!