What's wrong with my code for App 7?

[gregorian]

I know that the sum of the characters is calculated, it goes through some huge function and produces a value in EDX and at the stack at SS:[EBP-1C] which is then compared to a hexadecimal value to check if it's true. If I find the sum, I can deduce a set of characters from them. Looking around, I learned that I needed to brute force.

I've replaced the sum of characters code with a loop that produces a value for the sum and proceeds. In case the sum is invalid, it jumps back to the original position and increments the sum.

Code: Select all

0040103F   . BA 00000000    MOV EDX,0                          ; Executed only during the first time
00401044   . EB 08          JMP SHORT mod.0040104E       ; Executed only during the first time
00401046   > 61             POPAD
00401047   . 42             INC EDX
00401048   . 8955 E4        MOV DWORD PTR SS:[EBP-1C],EDX
0040104B   . 60             PUSHAD
0040104C   . EB 45          JMP SHORT mod.00401093      ; The part of the code that does the test
0040104E   > 60             PUSHAD

;4F till 63 are NOP

; Instead of printing invalid password, it jumps back to the loop
00401193    ^0F85 B4FEFFFF  JNZ app7win.00401046


I observe that [EBP-18] remains the same 11F regardless of the value of [EBP-1C], so that's why it doesn't work. I don't know why this happens.

Please don't consider this as a spoiler because it doesn't work.

EDIT: I've solved it. I made the mistake of assuming that PUSHAD would leave the system in the original state and I forgot to clear the values of [EBP-18] etc. Once I reset them back to 0, the answer appeared.

[Defience]

Problem solved