eVc
Oct 27th, 2009
//
// Star Wars Galaxies : TestCenter 27 Oct 2009
// CAPTCHA Analysis by eVc
//


##################################
The CAPTCHA Value Comparison
- EAX=Userinput, PTR=CaptchaVal
##################################

Pseudo:

if ( atoi(Str_UserInput) == iCaptchaVal )
    ApplyBuff();
else
    Error("Incorrect confirmation code entered.");

//Mini Tutorial:
//atoi converts a string to an integer (integer = a 4-byte number on a 32-bit operating system)
//Example: The ASCII string "8" in hex is 0x38 ("\x38\x00" to be precise, because it's a string, not a char). After atoi it becomes "\x08" (memory representation of 8 is: "\x08\x00\x00\x00")
// so if iCaptchaVal is 45672, in memory it will look like this: "\x68\xB2\x00\x00"


-------------------------
005D95D1 3B 05 34 14 BE 01       cmp eax, dword ptr byte_1BDF2C0+2174h
005D95D7 75 2E                   jnz short loc_5D9607 ; <------ Error (Disable by replacing 0x2E->0x00 so it jumps to the next instruction, 2 nops will suffice)
005D95D9 53                      push ebx


##################################
The CAPTCHA Prompt
##################################

Pseudo:

if ( bCancelledPreviousCaptcha || RandomFunc() % 5 + 1 <= 2 )
    PromptCaptcha();
else
    ApplyBuff();


-------------------------
005D9BBA 3B 46 18                cmp eax, [esi+18h]
005D9BBD 0F 85 BC 01 00 00       jnz loc_5D9D7F
005D9BC3 80 3D 18 14 BE 01 00    cmp byte_1BDF2C0+2158h, 0
005D9BCA 75 3B                   jnz short loc_5D9C07 ; <------ Prompt (Disable by replacing 0x75->0xEB and 0x3B->0x1B so it jumps to 0x005D9BE7, 2 nops will suffice)
005D9BCC 8B 0D 04 53 C7 01       mov ecx, dword_1C75304
005D9BD2 E8 79 27 9D 00          call sub_FAC350 ; RandomFunc
005D9BD7 99                      cdq
005D9BD8 B9 05 00 00 00          mov ecx, 5
005D9BDD F7 F9                   idiv ecx
005D9BDF 83 C2 01                add edx, 1
005D9BE2 83 FA 02                cmp edx, 2
005D9BE5 7E 20                   jle short loc_5D9C07 ; <------ Prompt (Disabled by the previous bypass, although if you nop'd the last prompt condition, this will need to be nop'd too)
005D9BE7 6A 01                   push 1
005D9BE9 8D 8E 60 FF FF FF       lea ecx, [esi-0A0h]
005D9BEF E8 AC E8 FF FF          call sub_5D84A0
005D9BF4 8B 4E 18                mov ecx, [esi+18h]
005D9BF7 6A 00                   push 0
005D9BF9 C6 46 44 01             mov byte ptr [esi+44h], 1
005D9BFD E8 7E F7 17 00          call sub_759380
005D9C02 E9 52 02 00 00          jmp loc_5D9E59
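Added example, not part of eVc's paste: a C model of the two client-side checks described above (the atoi comparison and the `% 5 + 1 <= 2` prompt roll), plus the integrity check a defender would run over the branch bytes, which is what makes the one-byte patches the analysis points at detectable. The function names, the `site_*` helpers and the two byte arrays are my own; the arrays are constructed from the opcode bytes in the listings on this page, and the 40% figure assumes RandomFunc returns non-negative values.

```c
/* Added illustration of the CAPTCHA gate analysed above; all buffers are
 * constructed here from the listing, nothing is read from a real client. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* The comparison at 005D95D1: atoi(user input) == stored CAPTCHA value. */
int captcha_value_matches(const char *user_input, int captcha_val)
{
    return atoi(user_input) == captcha_val;
}

/* Byte i of the little-endian 32-bit layout from the mini tutorial
 * (45672 -> 68 B2 00 00). */
int le_byte_at(int value, int i)
{
    return (int)(((unsigned int)value >> (8 * i)) & 0xFFu);
}

/* The prompt decision at 005D9BC3..005D9BE5: prompt if the previous CAPTCHA
 * was cancelled, or if (random % 5) + 1 <= 2. C's % truncates like cdq/idiv. */
int should_prompt(int cancelled_previous, int random_value)
{
    if (cancelled_previous)
        return 1;
    return (random_value % 5) + 1 <= 2;
}

/* Share of non-negative random values that trigger a prompt, in percent.
 * Only the residue mod 5 matters, so five values cover every case. */
int prompt_probability_percent(void)
{
    int hits = 0;
    for (int r = 0; r < 5; r++)
        hits += should_prompt(0, r);
    return hits * 100 / 5;
}

/* Constructed copies of the two branch sites, bytes taken from the listing. */
enum { SITE_COMPARE, SITE_PROMPT };
static const unsigned char compare_site[] = {
    0x3B, 0x05, 0x34, 0x14, 0xBE, 0x01,       /* cmp eax, [byte_1BDF2C0+2174h] */
    0x75, 0x2E,                               /* jnz short loc_5D9607          */
    0x53                                      /* push ebx                      */
};
static const unsigned char prompt_site[] = {
    0x80, 0x3D, 0x18, 0x14, 0xBE, 0x01, 0x00, /* cmp byte_1BDF2C0+2158h, 0     */
    0x75, 0x3B                                /* jnz short loc_5D9C07          */
};

static const unsigned char *site_bytes(int site, size_t *n)
{
    if (site == SITE_COMPARE) { *n = sizeof compare_site; return compare_site; }
    *n = sizeof prompt_site;
    return prompt_site;
}

/* Integrity check: the bytes at a site must still equal the shipped ones.
 * Any of the edits named in the analysis (75->EB, 2E->00, nops) changes
 * them, so a plain memcmp (or a hash) over the site catches it. A buffer
 * too short to hold the whole site is treated as tampered, not as intact. */
int site_patched(int site, const unsigned char *code, size_t code_len)
{
    size_t n;
    const unsigned char *expected = site_bytes(site, &n);
    if (code_len < n)
        return 1;
    return memcmp(code, expected, n) != 0;
}

/* Apply a single-byte change to a copy of a site and report whether the
 * integrity check notices it (0 when the "change" writes the same byte). */
int site_would_detect(int site, size_t off, unsigned char new_value)
{
    size_t n;
    const unsigned char *expected = site_bytes(site, &n);
    unsigned char copy[16];
    if (off >= n || n > sizeof copy)
        return 0;
    memcpy(copy, expected, n);
    copy[off] = new_value;
    return site_patched(site, copy, n);
}

int main(void)
{
    printf("45672 -> %02X %02X %02X %02X\n", le_byte_at(45672, 0),
           le_byte_at(45672, 1), le_byte_at(45672, 2), le_byte_at(45672, 3));
    printf("prompt probability: %d%%\n", prompt_probability_percent());
    printf("compare site pristine: %d, displacement zeroed: %d\n",
           site_patched(SITE_COMPARE, compare_site, sizeof compare_site),
           site_would_detect(SITE_COMPARE, 7, 0x00));
    return 0;
}
```

The model makes the structural point explicit: both the value comparison and the 40% prompt roll run entirely inside the client, so the server gains nothing from them unless it independently verifies the answer, and the only client-side defence is an integrity check like `site_patched` over the branch bytes (or, better, over the whole text section).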