====== CrackM3 ======
Download here: https://github.com/StHack/2014-Binaries-Forensics/
We run the executable; it asks us to enter a password.
So we load it in OllyDbg (there are a few anti-debugging protections, such as calls to "IsDebuggerPresent", which are easily bypassed with plugins) and look at the part of the code that displays this message, and at what surrounds it:
004107E2 /. 55 PUSH EBP
004107E3 |. 8BEC MOV EBP,ESP
004107E5 |. 8B45 0C MOV EAX,DWORD PTR [EBP+C]
004107E8 |. 56 PUSH ESI
004107E9 |. 2D 10010000 SUB EAX,110 ; Switch (cases 110..111)
004107EE |. 74 29 JE SHORT CrackM3-.00410819
004107F0 |. 48 DEC EAX
004107F1 |. 75 22 JNZ SHORT CrackM3-.00410815
004107F3 |. 8B4D 10 MOV ECX,DWORD PTR [EBP+10] ; Case 111 of switch 004107E9
004107F6 |. 33F6 XOR ESI,ESI
004107F8 |. 46 INC ESI
004107F9 |. 66:3BCE CMP CX,SI
004107FC |. 74 06 JE SHORT CrackM3-.00410804
004107FE |. 66:83F9 02 CMP CX,2
00410802 |. 75 11 JNZ SHORT CrackM3-.00410815
00410804 |> 0FB7C9 MOVZX ECX,CX
00410807 |. 51 PUSH ECX ; /Result
00410808 |. FF75 08 PUSH DWORD PTR [EBP+8] ; |hWnd
0041080B |. FF15 38114100 CALL DWORD PTR [<&USER32.EndDialog>] ; \EndDialog
00410811 |. 8BC6 MOV EAX,ESI
00410813 |. EB 07 JMP SHORT CrackM3-.0041081C
00410815 |> 33C0 XOR EAX,EAX ; Default case of switch 004107E9
00410817 |. EB 03 JMP SHORT CrackM3-.0041081C
00410819 |> 33C0 XOR EAX,EAX ; Case 110 of switch 004107E9
0041081B |. 40 INC EAX
0041081C |> 5E POP ESI
0041081D |. 5D POP EBP
0041081E \. C2 1000 RET 10
00410821 /. 55 PUSH EBP
00410822 |. 8BEC MOV EBP,ESP
00410824 |. 83EC 50 SUB ESP,50
00410827 |. 8B45 0C MOV EAX,DWORD PTR [EBP+C]
0041082A |. 56 PUSH ESI
0041082B |. 57 PUSH EDI
0041082C |. 33F6 XOR ESI,ESI
0041082E |. 6A 0A PUSH 0A
00410830 |. 48 DEC EAX ; Switch (cases 2..111)
00410831 |. 59 POP ECX
00410832 |. 8975 F0 MOV DWORD PTR [EBP-10],ESI
00410835 |. 894D F4 MOV DWORD PTR [EBP-C],ECX
00410838 |. C745 F8 BE000>MOV DWORD PTR [EBP-8],0BE
0041083F |. C745 FC 64000>MOV DWORD PTR [EBP-4],64
00410846 |. 48 DEC EAX
00410847 |. 0F84 AB020000 JE CrackM3-.00410AF8
0041084D |. 83E8 0D SUB EAX,0D
00410850 |. 0F84 5C020000 JE CrackM3-.00410AB2
00410856 |. 2D F1000000 SUB EAX,0F1
0041085B |. 74 5F JE SHORT CrackM3-.004108BC
0041085D |. 83E8 11 SUB EAX,11
00410860 |. 74 0B JE SHORT CrackM3-.0041086D
00410862 |. FF75 14 PUSH DWORD PTR [EBP+14]
00410865 |. FF75 10 PUSH DWORD PTR [EBP+10]
00410868 |. FF75 0C PUSH DWORD PTR [EBP+C]
0041086B |. EB 17 JMP SHORT CrackM3-.00410884
0041086D |> 8B4D 10 MOV ECX,DWORD PTR [EBP+10] ; Case 111 (WM_COMMAND) of switch 00410830
00410870 |. 0FB7C1 MOVZX EAX,CX
00410873 |. 83E8 68 SUB EAX,68 ; Switch (cases 68..69)
00410876 |. 74 28 JE SHORT CrackM3-.004108A0
00410878 |. 48 DEC EAX
00410879 |. 74 17 JE SHORT CrackM3-.00410892
0041087B |. FF75 14 PUSH DWORD PTR [EBP+14] ; Default case of switch 00410873
0041087E |. 51 PUSH ECX
0041087F |. 68 11010000 PUSH 111
00410884 |> FF75 08 PUSH DWORD PTR [EBP+8] ; |hWnd; Default case of switch 00410830
00410887 |. FF15 54114100 CALL DWORD PTR [<&USER32.DefWindowProcA>>; \DefWindowProcA
0041088D |. E9 6F020000 JMP CrackM3-.00410B01
00410892 |> FF75 08 PUSH DWORD PTR [EBP+8] ; /hWnd; Case 69 ('i') of switch 00410873
00410895 |. FF15 58114100 CALL DWORD PTR [<&USER32.DestroyWindow>] ; \DestroyWindow
0041089B |. E9 5F020000 JMP CrackM3-.00410AFF
004108A0 |> 56 PUSH ESI ; /lParam; Case 68 ('h') of switch 00410873
004108A1 |. 68 E2074100 PUSH CrackM3-.004107E2 ; |DlgProc = CrackM3-.004107E2
004108A6 |. FF75 08 PUSH DWORD PTR [EBP+8] ; |hOwner
004108A9 |. 6A 67 PUSH 67 ; |pTemplate = 67
004108AB |. FF35 248B4100 PUSH DWORD PTR [418B24] ; |hInst = NULL
004108B1 |. FF15 5C114100 CALL DWORD PTR [<&USER32.DialogBoxParamA>; \DialogBoxParamA
004108B7 |. E9 43020000 JMP CrackM3-.00410AFF
004108BC |> 8B45 10 MOV EAX,DWORD PTR [EBP+10] ; Case 100 (WM_KEYDOWN) of switch 00410830
004108BF |. 83F8 4D CMP EAX,4D ; Switch (cases 20..5A)
004108C2 |. 0F87 0A010000 JA CrackM3-.004109D2
004108C8 |. 0F84 F8000000 JE CrackM3-.004109C6
004108CE |. 83F8 46 CMP EAX,46
004108D1 |. 0F87 9D000000 JA CrackM3-.00410974
004108D7 |. 0F84 8E000000 JE CrackM3-.0041096B
004108DD |. 83E8 20 SUB EAX,20
004108E0 |. 74 5D JE SHORT CrackM3-.0041093F
004108E2 |. 83E8 21 SUB EAX,21
004108E5 |. 74 4F JE SHORT CrackM3-.00410936
004108E7 |. 48 DEC EAX
004108E8 |. 74 43 JE SHORT CrackM3-.0041092D
004108EA |. 48 DEC EAX
004108EB |. 74 37 JE SHORT CrackM3-.00410924
004108ED |. 48 DEC EAX
004108EE |. 74 2B JE SHORT CrackM3-.0041091B
004108F0 |. 48 DEC EAX
004108F1 |. 75 19 JNZ SHORT CrackM3-.0041090C
004108F3 |. A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 45 ('E') of switch 004108BF
004108F8 |. 83F8 03 CMP EAX,3
004108FB |. 74 51 JE SHORT CrackM3-.0041094E
004108FD |. 83F8 06 CMP EAX,6
00410900 |. 74 4C JE SHORT CrackM3-.0041094E
00410902 |. 83F8 0C CMP EAX,0C
00410905 |. 74 47 JE SHORT CrackM3-.0041094E
00410907 |. 83F8 13 CMP EAX,13
0041090A |> 74 42 JE SHORT CrackM3-.0041094E
0041090C |> C705 208B4100>MOV DWORD PTR [418B20],1 ; Default case of switch 004108BF
00410916 |. E9 E4010000 JMP CrackM3-.00410AFF
0041091B |> 833D 208B4100>CMP DWORD PTR [418B20],1D ; Case 44 ('D') of switch 004108BF
00410922 |. EB 28 JMP SHORT CrackM3-.0041094C
00410924 |> 833D 208B4100>CMP DWORD PTR [418B20],1F ; Case 43 ('C') of switch 004108BF
0041092B |. EB 1F JMP SHORT CrackM3-.0041094C
0041092D |> 833D 208B4100>CMP DWORD PTR [418B20],1E ; Case 42 ('B') of switch 004108BF
00410934 |. EB 16 JMP SHORT CrackM3-.0041094C
00410936 |> 833D 208B4100>CMP DWORD PTR [418B20],10 ; Case 41 ('A') of switch 004108BF
0041093D |. EB 0D JMP SHORT CrackM3-.0041094C
0041093F |> A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 20 (' ') of switch 004108BF
00410944 |. 83F8 04 CMP EAX,4
00410947 |. 74 05 JE SHORT CrackM3-.0041094E
00410949 |. 83F8 0E CMP EAX,0E
0041094C |>^ 75 BE JNZ SHORT CrackM3-.0041090C
0041094E |> 56 PUSH ESI ; /Erase
0041094F |. 56 PUSH ESI ; |pRect
00410950 |. FF75 08 PUSH DWORD PTR [EBP+8] ; |hWnd
00410953 |. FF15 50114100 CALL DWORD PTR [<&USER32.InvalidateRect>>; \InvalidateRect
00410959 |. 6A 01 PUSH 1
0041095B |> 56 PUSH ESI ; |hUpdateRgn
0041095C |. 56 PUSH ESI ; |pRect
0041095D |. FF75 08 PUSH DWORD PTR [EBP+8] ; |hWnd
00410960 |. FF15 4C114100 CALL DWORD PTR [<&USER32.RedrawWindow>] ; \RedrawWindow
00410966 |. E9 94010000 JMP CrackM3-.00410AFF
0041096B |> 833D 208B4100>CMP DWORD PTR [418B20],1C ; Case 46 ('F') of switch 004108BF
00410972 |.^ EB D8 JMP SHORT CrackM3-.0041094C
00410974 |> 83E8 47 SUB EAX,47
00410977 |. 74 3C JE SHORT CrackM3-.004109B5
00410979 |. 48 DEC EAX
0041097A |. 74 30 JE SHORT CrackM3-.004109AC
0041097C |. 48 DEC EAX
0041097D |. 74 24 JE SHORT CrackM3-.004109A3
0041097F |. 48 DEC EAX
00410980 |. 74 18 JE SHORT CrackM3-.0041099A
00410982 |. 48 DEC EAX
00410983 |. 74 0C JE SHORT CrackM3-.00410991
00410985 |. 48 DEC EAX
00410986 |.^ 75 84 JNZ SHORT CrackM3-.0041090C
00410988 |. 833D 208B4100>CMP DWORD PTR [418B20],8 ; Case 4C ('L') of switch 004108BF
0041098F |.^ EB BB JMP SHORT CrackM3-.0041094C
00410991 |> 833D 208B4100>CMP DWORD PTR [418B20],5 ; Case 4B ('K') of switch 004108BF
00410998 |.^ EB B2 JMP SHORT CrackM3-.0041094C
0041099A |> 833D 208B4100>CMP DWORD PTR [418B20],1A ; Case 4A ('J') of switch 004108BF
004109A1 |.^ EB A9 JMP SHORT CrackM3-.0041094C
004109A3 |> 833D 208B4100>CMP DWORD PTR [418B20],1B ; Case 49 ('I') of switch 004108BF
004109AA |.^ EB A0 JMP SHORT CrackM3-.0041094C
004109AC |> 833D 208B4100>CMP DWORD PTR [418B20],2 ; Case 48 ('H') of switch 004108BF
004109B3 |.^ EB 97 JMP SHORT CrackM3-.0041094C
004109B5 |> A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 47 ('G') of switch 004108BF
004109BA |. 3BC1 CMP EAX,ECX
004109BC |.^ 74 90 JE SHORT CrackM3-.0041094E
004109BE |. 83F8 0B CMP EAX,0B
004109C1 |.^ E9 44FFFFFF JMP CrackM3-.0041090A
004109C6 |> 833D 208B4100>CMP DWORD PTR [418B20],0F ; Case 4D ('M') of switch 004108BF
004109CD |.^ E9 7AFFFFFF JMP CrackM3-.0041094C
004109D2 |> 83C0 B2 ADD EAX,-4E
004109D5 |. 83F8 0C CMP EAX,0C
004109D8 |.^ 0F87 2EFFFFFF JA CrackM3-.0041090C
004109DE |. FF2485 090B41>JMP DWORD PTR [EAX*4+410B09]
004109E5 |> 833D 208B4100>CMP DWORD PTR [418B20],20 ; Case 4E ('N') of switch 004108BF
004109EC |.^ E9 5BFFFFFF JMP CrackM3-.0041094C
004109F1 |> 833D 208B4100>CMP DWORD PTR [418B20],9 ; Case 4F ('O') of switch 004108BF
004109F8 |.^ E9 4FFFFFFF JMP CrackM3-.0041094C
004109FD |> 833D 208B4100>CMP DWORD PTR [418B20],21 ; Case 50 ('P') of switch 004108BF
00410A04 |.^ E9 43FFFFFF JMP CrackM3-.0041094C
00410A09 |> 833D 208B4100>CMP DWORD PTR [418B20],22 ; Case 51 ('Q') of switch 004108BF
00410A10 |.^ E9 37FFFFFF JMP CrackM3-.0041094C
00410A15 |> A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 52 ('R') of switch 004108BF
00410A1A |. 83F8 0D CMP EAX,0D
00410A1D |.^ 0F84 2BFFFFFF JE CrackM3-.0041094E
00410A23 |. 83F8 14 CMP EAX,14
00410A26 |.^ E9 DFFEFFFF JMP CrackM3-.0041090A
00410A2B |> 833D 208B4100>CMP DWORD PTR [418B20],11 ; Case 53 ('S') of switch 004108BF
00410A32 |.^ E9 15FFFFFF JMP CrackM3-.0041094C
00410A37 |> A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 54 ('T') of switch 004108BF
00410A3C |. 33FF XOR EDI,EDI
00410A3E |. 47 INC EDI
00410A3F |. 3BC7 CMP EAX,EDI
00410A41 |. 74 10 JE SHORT CrackM3-.00410A53
00410A43 |. 83F8 12 CMP EAX,12
00410A46 |. 74 0B JE SHORT CrackM3-.00410A53
00410A48 |. 893D 208B4100 MOV DWORD PTR [418B20],EDI
00410A4E |. E9 AC000000 JMP CrackM3-.00410AFF
00410A53 |> 56 PUSH ESI ; /Erase
00410A54 |. 56 PUSH ESI ; |pRect
00410A55 |. FF75 08 PUSH DWORD PTR [EBP+8] ; |hWnd
00410A58 |. FF15 50114100 CALL DWORD PTR [<&USER32.InvalidateRect>>; \InvalidateRect
00410A5E |. 57 PUSH EDI
00410A5F |.^ E9 F7FEFFFF JMP CrackM3-.0041095B
00410A64 |> C705 208B4100>MOV DWORD PTR [418B20],24 ; Case 55 ('U') of switch 004108BF
00410A6E |.^ E9 DBFEFFFF JMP CrackM3-.0041094E
00410A73 |> C705 208B4100>MOV DWORD PTR [418B20],23 ; Case 56 ('V') of switch 004108BF
00410A7D |.^ E9 CCFEFFFF JMP CrackM3-.0041094E
00410A82 |> 833D 208B4100>CMP DWORD PTR [418B20],19 ; Case 57 ('W') of switch 004108BF
00410A89 |.^ E9 BEFEFFFF JMP CrackM3-.0041094C
00410A8E |> 833D 208B4100>CMP DWORD PTR [418B20],18 ; Case 58 ('X') of switch 004108BF
00410A95 |.^ E9 B2FEFFFF JMP CrackM3-.0041094C
00410A9A |> 833D 208B4100>CMP DWORD PTR [418B20],7 ; Case 59 ('Y') of switch 004108BF
00410AA1 |.^ E9 A6FEFFFF JMP CrackM3-.0041094C
00410AA6 |> 833D 208B4100>CMP DWORD PTR [418B20],17 ; Case 5A ('Z') of switch 004108BF
00410AAD |.^ E9 9AFEFFFF JMP CrackM3-.0041094C
00410AB2 |> FF05 208B4100 INC DWORD PTR [418B20] ; Case F (WM_PAINT) of switch 00410830
00410AB8 |. 8D45 B0 LEA EAX,DWORD PTR [EBP-50]
00410ABB |. 50 PUSH EAX ; /pPaintstruct
00410ABC |. FF75 08 PUSH DWORD PTR [EBP+8] ; |hWnd
00410ABF |. FF15 48114100 CALL DWORD PTR [<&USER32.BeginPaint>] ; \BeginPaint
00410AC5 |. 833D 208B4100>CMP DWORD PTR [418B20],15
00410ACC |. 6A 01 PUSH 1
00410ACE |. 8D4D F0 LEA ECX,DWORD PTR [EBP-10]
00410AD1 |. 51 PUSH ECX
00410AD2 |. 6A FF PUSH -1
00410AD4 |. 75 07 JNZ SHORT CrackM3-.00410ADD
00410AD6 |. 68 A05B4100 PUSH CrackM3-.00415BA0 ; ASCII "That's it buddy !"
00410ADB |. EB 05 JMP SHORT CrackM3-.00410AE2
00410ADD |> 68 B45B4100 PUSH CrackM3-.00415BB4 ; ASCII "Please enter Password"
00410AE2 |> 50 PUSH EAX ; |hDC
00410AE3 |. FF15 44114100 CALL DWORD PTR [<&USER32.DrawTextA>] ; \DrawTextA
00410AE9 |. 8D45 B0 LEA EAX,DWORD PTR [EBP-50]
00410AEC |. 50 PUSH EAX ; /pPaintstruct
00410AED |. FF75 08 PUSH DWORD PTR [EBP+8] ; |hWnd
00410AF0 |. FF15 40114100 CALL DWORD PTR [<&USER32.EndPaint>] ; \EndPaint
00410AF6 |. EB 07 JMP SHORT CrackM3-.00410AFF
00410AF8 |> 56 PUSH ESI ; /ExitCode; Case 2 (WM_DESTROY) of switch 00410830
00410AF9 |. FF15 3C114100 CALL DWORD PTR [<&USER32.PostQuitMessage>; \PostQuitMessage
00410AFF |> 33C0 XOR EAX,EAX
00410B01 |> 5F POP EDI
00410B02 |. 5E POP ESI
00410B03 |. C9 LEAVE
00410B04 \. C2 1000 RET 10
The first thing we notice is a switch that covers every letter of the alphabet.
This switch is reached when a key is pressed (004108BC: Case 100 (WM_KEYDOWN) of switch...).
For almost every letter there is a comparison between the integer at address 00418B20 and a number ranging from 0 to about thirty, followed by a jump to 0041094C, for example:
CMP DWORD PTR [418B20],10 ; Case 41 ('A') of switch 004108BF
JMP SHORT CrackM3-.0041094C
If we follow the jump we land on:
JNZ SHORT CrackM3-.0041090C
We could continue the analysis, but we can already assume that the integer at address 00418B20 counts the keys pressed, and that these CMPs therefore check that the keys were pressed in the right order.
So we need to read the values in the CMPs to find the position of each letter in the password.
If the wrong key is pressed, PTR [418B20] is reset to 1:
0041090C |> C705 208B4100>MOV DWORD PTR [418B20],1
So we look for the key whose handler compares the counter with 1.
For T:
00410A37 |> A1 208B4100 MOV EAX,DWORD PTR [418B20]
00410A3C |. 33FF XOR EDI,EDI ; EDI = 0
00410A3E |. 47 INC EDI ; EDI = 1
00410A3F |. 3BC7 CMP EAX,EDI ; EAX is compared with 1
00410A41 |. 74 10 JE SHORT CrackM3-.00410A53 ; The key is accepted if T is pressed 1st
00410A43 |. 83F8 12 CMP EAX,12 ; But it is also compared with 0x12
00410A46 |. 74 0B JE SHORT CrackM3-.00410A53 ; So there is a T in 18th position
00410A48 |. 893D 208B4100 MOV DWORD PTR [418B20],EDI ; If neither JE was taken, T was not pressed at the right moment and PTR [418B20] goes back to 1
00410A4E |. E9 AC000000 JMP CrackM3-.00410AFF
We can start filling in the password:
T________________T
004109AC |> 833D 208B4100>CMP DWORD PTR [418B20],2 ; Case 48 ('H') of switch 004108BF
TH_______________T
004108F3 |. A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 45 ('E') of switch 004108BF
004108F8 |. 83F8 03 CMP EAX,3
004108FB |. 74 51 JE SHORT CrackM3-.0041094E
004108FD |. 83F8 06 CMP EAX,6
00410900 |. 74 4C JE SHORT CrackM3-.0041094E
00410902 |. 83F8 0C CMP EAX,0C
00410905 |. 74 47 JE SHORT CrackM3-.0041094E
00410907 |. 83F8 13 CMP EAX,13
0041090A |> 74 42 JE SHORT CrackM3-.0041094E
0041090C |> C705 208B4100>MOV DWORD PTR [418B20],1 ; Default case of switch 004108BF
00410916 |. E9 E4010000 JMP CrackM3-.00410AFF
THE__E_____E_____TE
0041093F |> A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 20 (' ') of switch 004108BF
00410944 |. 83F8 04 CMP EAX,4
00410947 |. 74 05 JE SHORT CrackM3-.0041094E ; If pressed 4th, jump to the redraw that increments PTR [418B20]
00410949 |. 83F8 0E CMP EAX,0E
0041094C |>^ 75 BE JNZ SHORT CrackM3-.0041090C ; If not pressed 14th, jump to the reset of PTR [418B20]
THE _E_____E_ ___TE
00410991 |> 833D 208B4100>CMP DWORD PTR [418B20],5 ; Case 4B ('K') of switch 004108BF
00410998 |.^ EB B2 JMP SHORT CrackM3-.0041094C
THE KE_____E_ ___TE
00410A9A |> 833D 208B4100>CMP DWORD PTR [418B20],7 ; Case 59 ('Y') of switch 004108BF
00410AA1 |.^ E9 A6FEFFFF JMP CrackM3-.0041094C
THE KEY____E_ ___TE
00410988 |. 833D 208B4100>CMP DWORD PTR [418B20],8 ; Case 4C ('L') of switch 004108BF
0041098F |.^ EB BB JMP SHORT CrackM3-.0041094C
THE KEYL___E_ ___TE
004109F1 |> 833D 208B4100>CMP DWORD PTR [418B20],9 ; Case 4F ('O') of switch 004108BF
004109F8 |.^ E9 4FFFFFFF JMP CrackM3-.0041094C
THE KEYLO__E_ ___TE
004109B5 |> A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 47 ('G') of switch 004108BF
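004109BA |. 3BC1 CMP EAX,ECX ; ECX = 0A (PUSH 0A / POP ECX at 0041082E / 00410831), so G is accepted in 10th position
004109BC |.^ 74 90 JE SHORT CrackM3-.0041094E
004109BE |. 83F8 0B CMP EAX,0B ; And also in 11th position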
004109C1 |.^ E9 44FFFFFF JMP CrackM3-.0041090A
THE KEYLOGGE_ ___TE
00410A15 |> A1 208B4100 MOV EAX,DWORD PTR [418B20] ; Case 52 ('R') of switch 004108BF
00410A1A |. 83F8 0D CMP EAX,0D
00410A1D |.^ 0F84 2BFFFFFF JE CrackM3-.0041094E
00410A23 |. 83F8 14 CMP EAX,14
00410A26 |.^ E9 DFFEFFFF JMP CrackM3-.0041090A
THE KEYLOGGER ___TER
004109C6 |> 833D 208B4100>CMP DWORD PTR [418B20],0F ; Case 4D ('M') of switch 004108BF
004109CD |.^ E9 7AFFFFFF JMP CrackM3-.0041094C
THE KEYLOGGER M__TER
00410936 |> 833D 208B4100>CMP DWORD PTR [418B20],10 ; Case 41 ('A') of switch 004108BF
0041093D |. EB 0D JMP SHORT CrackM3-.0041094C
THE KEYLOGGER MA_TER
00410A2B |> 833D 208B4100>CMP DWORD PTR [418B20],11 ; Case 53 ('S') of switch 004108BF
00410A32 |.^ E9 15FFFFFF JMP CrackM3-.0041094C
THE KEYLOGGER MASTER
The password is therefore "The keylogger master"; it has to be typed fairly quickly to see the goodboy appear.
--- //c4ffein//
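The manual walk through the CMP values above can be automated. The following Python script is an added example, not part of the original write-up: it reads a condensed excerpt of the listing (address and opcode columns dropped, one case beyond the success value kept on purpose) and rebuilds the password by position. The names `recover`, `REGS` and `WIN` are chosen here; the register values and the 0x15 success value are read from the listing.

```python
import re
# Condensed excerpt of the page's OllyDbg listing (address/opcode columns dropped);
# only the key-handler lines that carry a case label or a counter comparison are kept.
LISTING = """\
MOV EAX,DWORD PTR [418B20] ; Case 45 ('E') of switch 004108BF
CMP EAX,3
CMP EAX,6
CMP EAX,0C
CMP EAX,13
MOV DWORD PTR [418B20],1 ; Default case of switch 004108BF
CMP DWORD PTR [418B20],10 ; Case 41 ('A') of switch 004108BF
MOV EAX,DWORD PTR [418B20] ; Case 20 (' ') of switch 004108BF
CMP EAX,4
CMP EAX,0E
CMP DWORD PTR [418B20],8 ; Case 4C ('L') of switch 004108BF
CMP DWORD PTR [418B20],5 ; Case 4B ('K') of switch 004108BF
CMP DWORD PTR [418B20],2 ; Case 48 ('H') of switch 004108BF
MOV EAX,DWORD PTR [418B20] ; Case 47 ('G') of switch 004108BF
CMP EAX,ECX
CMP EAX,0B
CMP DWORD PTR [418B20],0F ; Case 4D ('M') of switch 004108BF
CMP DWORD PTR [418B20],20 ; Case 4E ('N') of switch 004108BF
CMP DWORD PTR [418B20],9 ; Case 4F ('O') of switch 004108BF
MOV EAX,DWORD PTR [418B20] ; Case 52 ('R') of switch 004108BF
CMP EAX,0D
CMP EAX,14
CMP DWORD PTR [418B20],11 ; Case 53 ('S') of switch 004108BF
MOV EAX,DWORD PTR [418B20] ; Case 54 ('T') of switch 004108BF
CMP EAX,EDI
CMP EAX,12
CMP DWORD PTR [418B20],7 ; Case 59 ('Y') of switch 004108BF
"""
REGS = {"ECX": 0x0A, "EDI": 1}  # PUSH 0A/POP ECX at 0041082E; XOR EDI,EDI/INC EDI at 00410A3C
WIN = 0x15                      # WM_PAINT draws the success text when the counter equals 0x15

def recover(listing, regs=REGS, win=WIN):
    slots, key = {}, None
    for line in listing.splitlines():
        case = re.search(r"; (?:Case [0-9A-F]+ \('(.)'\)|Default case) of switch 004108BF", line)
        if case:
            key = case.group(1)  # None on the default (reset) case
        cmp_ = re.search(r"CMP (?:EAX|DWORD PTR \[418B20\]),(\w+)", line)
        if cmp_ and key:
            op = cmp_.group(1)
            pos = regs[op] if op in regs else int(op, 16)
            if pos < win:        # values at or past the success value are not password positions
                slots[pos] = key
    return "".join(slots.get(i, "_") for i in range(1, win))
print(recover(LISTING))
```

The 'N' case compares against 0x20, which is past the success value, so it is left out of the result.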