App 12

[UKCrack]

Hey there
Im kinda stuck. Im pretty sure how it selects the chars for the password, and I wonder if anyone could advise me in the right direction. [Edited by Defience] I believe it is a short word but need help. I do not want to post any more info incase
of violation of the rules.
Thanks

[Defience]

Hey there
Im kinda stuck. Im pretty sure how it selects the chars for the password, and I wonder if anyone could advise me in the right direction. [Edited by Defience] I believe it is a short word but need help. I do not want to post any more info incase
of violation of the rules.
Thanks

You seem to be on the right track. Have you tried entering your own password and seeing how it is stored? If that doesn't help and you are concerned that your questions might be spoilers, send me a pm.

[UKCrack]

Ok hint for anyone trying to solve this.
Firstly Smartcheck only works in XP or below, you will not get any use out of it otherwise.
This is solveable with olly, and is pretty easy to work it out.
Think on the lines of what that long string could be used for and then thick how would the program use it.
The last bit is pretty much the phonetical hint

[OnlyHuman]

I'm not sure if I'm just tired, or if it's the VB turned assembly that's really throwing me off on this one. But, I definitely have yet to fully understand how the verification is actually performed for this mission. The only thing I have to go on is a seemingly endless number of memory references that appear to ultimately do nothing. I've torn this thing apart with some of the best reverse engineering tools out there too. I've set breakpoints at nearly every string operation I could find, and every single function call imported from a Visual BASIC library. At some point, given the embedded magic string, I expected to see some sort of hashing operations performed, but the only thing I've witnessed, is a single character of my input string being replaced by another (withholding which character exactly in case it has something to do with completing the mission). I'm even fairly certain that I understand your phonetic hint as well UKCrack, but after several synonyms and antonyms, I still don't feel even remotely close to the solution. I'm tempted to perform a dictionary attack against the password submission page, just to get the mission accomplished. Could I possibly PM either of you, or get a nudge in the right direction from someone? I'll return the favor with other missions if I can offer the help.

EDIT: Nevermind, i got it finally. Here's a tip for anybody that seems to be stuck as well. Disregard everything I wrote previously. It's not really going to help much. Olly is all you need, but you have to watch the lower panels VERY closely. Don't be afraid to scroll up and down and make sure that you're looking at the application's entire memory range. Then just crawl through the program as slowly as needed. If you're watching closely, you should be able to spot what you need with little trouble.

[Wells]

I just did this using a standard debugger. It's pretty annoying at first because with VB code you have double pointers to everything, but you should be able to figure out the JMP that leads to the "Password is correct" and then you just need to look at the code above that.

EAX is used a lot to store pointers to VB strings that are used in various StrCat functions etc. You need to figure out where the actual string data is from that EAX pointer so you can see what is happening. Think of the pointer as pointing to a struct, and one of the members is a pointer to the actual string. Once you've done that you can figure out the manipulations done on your password and find the string that it is compared to it at the end. From there you should be able to guess what the word is like a crossword puzzle.