Artemis wants a copy of Windows, but she doesn’t feel like paying for it. She decided to hack Microsoft’s servers to generate a product key, and found their verification software, which runs on Linux for some reason. Can you get her a working product key (form ABCD-EFGH-IIJK-LMNO-PQRS-TUVW, each uppercase letter is a digit) using the email [email protected] and name Artemis Tosini?

Let’s start with analyzing the file.

It is an 64-bit ELF exeuctable file which is dynamically linked and not stripped. Let’s decompile it using IDA Pro.

It reads name, email, and product key from stdin respectively. Then, it calls verify_key function to check the serial key. Let’s decompile that function as well.

First, it splits the serial key using ‘-‘ as delimeter and it converts each part to integer. Then, it iterates through the email and adds padding from the pad array until its length is 32. Then, it does the same thing to the given name. However, instead of padding from the start of the pad array, it continues from where it left off.

After padding, it xors each byte of the name with 15 and it xors each byte of the email with 5.

Next, it calculates 6 numbers making summations of email and name arrays. Then, it multiplies the first value with 2, second value with 4, third value with 6, forth value with 8, fifth value with 7, and sixth value with 5. It also takes modulus 10000 after each multiplication and replaces the result with the original value.

Now, it has 6 numbers that are derived from email and name. Then, it starts doing some operations on the 6 numbers it derived from the serial key. These operations include value swapping and summation of arrays using the name and the email. After all these operations are completed, it compares the final 6 numbers to the 6 numbers that it found before. If they are all equal, then the serial key is valid.

Now, in order to find the serial we will first calculate the 6 numbers that it derived from email and name using the same algorithm. Then, we will apply the reverse operations the verification code applies to the serial key to these 6 values we calculated. As a result, we will have the serial key’s 6 parts as integers. Then, we can convert it to a string using ‘-‘ as the delimeter.

Here is the python script I created for the task.

Let’s execute the script and get the serial for Artemis.

Let’s check if it is the correct serial.

Yes! It is the correct serial. This time the flag is not in the flag format and it is the serial itself.

So, our flag is 3914-6104-4611-1711-1243-4699.