//
// Star Wars Galaxies : TestCenter 27 Oct 2009
// CAPTCHA Analysis by eVc
//
##################################
The CAPTCHA Value Comparison
- EAX=Userinput, PTR=CaptchaVal
#################################
Pseudo:
if ( atoi(Str_UserInput) == iCaptchaVal )
    ApplyBuff();
else
    Error("Incorrect confirmation code entered.");
//Mini Tutorial:
//atoi converts a string to an integer (an integer is a 4-byte number on a 32-bit operating system)
//Example: The ASCII string "8" in hex is 0x38 ("\x38\x00" to be precise, because it's a NUL-terminated string, not a single char). After atoi it becomes the number 8 (memory representation of 8, little-endian, is: "\x08\x00\x00\x00")
// so if iCaptchaVal is 45672, in memory it will look like this: "\x68\xB2\x00\x00"
-------------------------
005D95D1 3B 05 34 14 BE 01       cmp eax, dword ptr byte_1BDF2C0+2174h
005D95D7 75 2E                   jnz short loc_5D9607 ; <------ Error (Disable by replacing 0x2E->0x00 so it jumps to next instruction, 2 nops will suffice)
005D95D9 53                      push ebx
########################
The CAPTCHA Prompt
#######################
Pseudo:
if ( bCancelledPreviousCaptcha || RandomFunc() % 5 + 1 <= 2 )
    PromptCaptcha();
else
    ApplyBuff();
-------------------------
005D9BBA 3B 46 18                cmp eax, [esi+18h]
005D9BBD 0F 85 BC 01 00 00       jnz loc_5D9D7F
005D9BC3 80 3D 18 14 BE 01 00    cmp byte_1BDF2C0+2158h, 0
005D9BCA 75 3B                   jnz short loc_5D9C07 ; <------Prompt (Disable by replacing 0x75->0xEB and 0x3B->0x1B so it jumps to 0x005D9BE7, 2 nops will suffice)
005D9BCC 8B 0D 04 53 C7 01       mov ecx, dword_1C75304
005D9BD2 E8 79 27 9D 00          call sub_FAC350 ;RandomFunc
005D9BD7 99                      cdq
005D9BD8 B9 05 00 00 00          mov ecx, 5
005D9BDD F7 F9                   idiv ecx
005D9BDF 83 C2 01                add edx, 1
005D9BE2 83 FA 02                cmp edx, 2
005D9BE5 7E 20                   jle short loc_5D9C07 ; <------Prompt (Disabled by previous bypass, although if you nop'd the last prompt condition, this will need to be nop'd too)
005D9BE7 6A 01                   push 1
005D9BE9 8D 8E 60 FF FF FF       lea ecx, [esi-0A0h]
005D9BEF E8 AC E8 FF FF          call sub_5D84A0
005D9BF4 8B 4E 18                mov ecx, [esi+18h]
005D9BF7 6A 00                   push 0
005D9BF9 C6 46 44 01             mov byte ptr [esi+44h], 1
005D9BFD E8 7E F7 17 00          call sub_759380
005D9C02 E9 52 02 00 00          jmp loc_5D9E59
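The two decisions above (the atoi comparison with its little-endian memory image, and the cdq/idiv prompt roll) reconstructed as plain C so they can be studied without the client. This is an added example, not code from the paste; `random_value` stands in for whatever sub_FAC350 returns, and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte i (0 = lowest address) of a 32-bit int as it sits in client memory.
 * 45672 gives 68 B2 00 00, matching the mini tutorial above. */
uint8_t le_byte(int32_t v, int i) {
    return (uint8_t)(((uint32_t)v) >> (8 * i));
}

/* "cmp eax, [captcha]; jnz error" with EAX = atoi(user input). */
int captcha_matches(const char *user_input, int32_t captcha_val) {
    return atoi(user_input) == captcha_val;
}

/* cmp byte flag,0 / jnz prompt, then cdq / idiv ecx(5) / add edx,1 /
 * cmp edx,2 / jle prompt.  cdq+idiv is a SIGNED remainder, so if
 * RandomFunc() ever returns a negative value edx is in -4..0 and the
 * prompt fires every time; for non-negative values it fires on
 * remainder 0 or 1.  C99's % truncates the same way idiv does. */
int should_prompt(int cancelled_previous, int32_t random_value) {
    if (cancelled_previous) return 1;        /* byte_1BDF2C0+2158h != 0 */
    int32_t edx = random_value % 5;          /* remainder left in EDX */
    return (edx + 1) <= 2;                   /* jle short loc_5D9C07 */
}

/* How many of the non-negative values 0..samples-1 trigger a prompt
 * (2 of every 5, i.e. 40%). */
int32_t prompt_count_nonneg(int32_t samples) {
    int32_t hits = 0;
    for (int32_t r = 0; r < samples; r++) hits += should_prompt(0, r);
    return hits;
}

int main(void) {
    printf("45672 in memory: %02X %02X %02X %02X\n", le_byte(45672, 0),
           le_byte(45672, 1), le_byte(45672, 2), le_byte(45672, 3));
    printf("atoi(\"8\") == 8 -> %d\n", captcha_matches("8", 8));
    printf("prompts per 1000 non-negative rolls: %d\n", prompt_count_nonneg(1000));
    printf("negative roll (-3) prompts: %d\n", should_prompt(0, -3));
    return 0;
}
```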