Closed zhouat closed 4 years ago
It should work if you start with a string 3 characters long. Then you should stop in this condition:
if (sum == 0x14f && passwd[2] > 's' && passwd[2] < 'u' && passwd[0] == 'z')
And invert it. Could you post some screenshots here showing where you are trying to solve the condition?
Thanks!
hi 0ca ~ the log below is my operations:
env: os: win10 bin: 32bit
1. I set the arg to 'aaa'
2. first try:
(1) the debugger comes to the instruction here:
cmp [ebp+var_10], 14Fh
jnz short loc_4016B1
(2) it will go to the nz branch, so I press Negate & inject and get the log below:
[+] Solving formula...
[+] Solution found! Values:
- SymVar_0 (argc):0x000002
- SymVar_1 (argv[1][0]):0x6f (o)
- SymVar_2 (argv[1][1]):0x70 (p)
- SymVar_3 (argv[1][2]):0x70 (p)
- SymVar_4 (argv[1][3]):00 ( )
(3)then debugger come to new instructions:
mov eax, [ebp+arg_0]
add eax, 2
movzx eax, byte ptr [eax]
cmp al, 73h
jle short loc_4016B1
(4) this time, I cannot press Ctrl+Shift+N (Negate & inject) any more. The button becomes gray.
3. second try
restore the snapshot
cmp [ebp+var_10], 14Fh
jnz short loc_4016B1
(1) debugger go to 'jz-branch' go on ...
mov eax, [ebp+arg_0]
add eax, 2
movzx eax, byte ptr [eax]
cmp al, 73h
jle short loc_4016B1
debugger will go to 'jle-branch'
(2) so I press Negate & inject and get the log below:
[+] Solution found! Values:
- SymVar_0 (argc):0x000002
- SymVar_1 (argv[1][0]):0x2 ()
- SymVar_2 (argv[1][1]):0x5 ()
- SymVar_3 (argv[1][2]):0x7b ({)
- SymVar_4 (argv[1][3]):00 ( )
obviously, wrong answer!
(3) then, I cannot press Ctrl+Shift+N (Negate & inject) any more. The button becomes gray.
Looking forward to your reply, thanks.
Can Ponce solve this kind of problem now? I always get no solution. -_- !
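Added example, not part of the thread or of Ponce: a toy negate-and-inject loop over the condition quoted at the top of the thread, with a brute-force search standing in for the SMT solver, plus a check of the two logged solutions against that condition. It assumes `sum` is the byte sum of the three password characters; all function names are hypothetical.

```python
from itertools import product
import string

# Branches of the quoted condition, in evaluation order.
# Assumption: `sum` is the byte sum of the three password characters
# (consistent with the first logged solution: 0x6f + 0x70 + 0x70 == 0x14f).
BRANCHES = [
    ("sum == 0x14f", lambda p: sum(p) == 0x14F),
    ("passwd[2] > 's'", lambda p: p[2] > ord("s")),
    ("passwd[2] < 'u'", lambda p: p[2] < ord("u")),
    ("passwd[0] == 'z'", lambda p: p[0] == ord("z")),
]

def path_length(p):
    """Concrete run: number of branches that pass before the first failure."""
    n = 0
    for _, cond in BRANCHES:
        if not cond(p):
            break
        n += 1
    return n

def first_failed(p):
    """Name of the first branch the input fails, or None if all pass."""
    n = path_length(p)
    return None if n == len(BRANCHES) else BRANCHES[n][0]

def solve(depth):
    """Stand-in for the SMT solver: first lowercase 3-byte input that
    satisfies branches 0..depth (path prefix plus the negated branch)."""
    for p in product(string.ascii_lowercase.encode(), repeat=3):
        if all(cond(p) for _, cond in BRANCHES[: depth + 1]):
            return bytes(p)
    return None

def negate_and_inject(seed):
    """Repeat 'negate the failing branch, inject the model' until all pass."""
    p, injected = bytes(seed), []
    while (n := path_length(p)) < len(BRANCHES):
        p = solve(n)
        injected.append(p)
    return injected

if __name__ == "__main__":
    print(first_failed(bytes([0x6F, 0x70, 0x70])))  # first logged solution
    print(first_failed(bytes([0x02, 0x05, 0x7B])))  # second logged solution
    print(negate_and_inject(b"aaa"))
```

Under that assumption the second logged solution fails at `sum == 0x14f`, so it satisfies the negated `jle` but not the branch before it.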