I will provide a couple solutions to tutorial #9′s homework assignment. Keep in mind that there are an infinite amount of ways to crack this app, and this is only a small sample. If you found a way to do it on your own, congratulations. If not, don’t worry, we’ll be covering it all many times.

Solution #1

One of the easiest ways to patch the app is to simple NOP out the JNZ instruction at address 40129F:

This will force the app to fall through to the good message every time.


Solution #2

Another possibility is to make sure EAX always equals zero is simply replacing the call to check the password with a MOV EAX, 0:

This basically removes the entire call to check the password’s validity and always jumps to the good boy :) .


Solution #3

Following the same line of reasoning as #2 above, we could keep the call, but right after it returns we can then force EAX to always equal zero. Just replace the OR EAX,EAX with an XOR EAX, EAX:

I like this solution as there’s a certain irony to it (you’re only patching one byte and your only adding one letter :D ).


Extra Credit

I hope you didn’t fret too much about the extra credit problem. The simplest way to remove the restriction on the password length is just to replace the original jump if the password was too long and replace it with a jump directly to the good boy message.

This is rather hackish (and we’ll see in the next tutorial that there are far better ways) but it does work. This has the benefit of not only patching the app to always accept your password, but unlike the solutions above, it also removes any restrictions on what that password should be.