Sample: 3dd0d247d51df1e9c8ae594089c82608792f6bbc376e102aee52ad7c1baa91ab (PW: infected)
JugsOfBeer.exe: PE32+ executable for MS Windows (GUI) Mono/.Net assembly
This is an x64 binary which asks for a valid serial number.
So you need to find the function which checks the input. In order to find it, I always look for suspicious strings if applicable.
In IDA graph view, the function looks pretty confusing, but you just have to follow the paths and you will find a function which is responsible for the serial validation.
After finding the serial validation function you need to understand the algorithm. Here, the IDA decompiler helps a lot, but for easier debugging I reimplemented the function in Python to better understand what the algorithm does:
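    # 16 bytes addressed in 4-byte steps (see u and v below); offsets 8 and 12 hold 13 and 7
    mask = [0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00]
    v1 = 0
    # numbers, x, y, v4 and input are not defined in this excerpt
    if v4 < len(input):
        for a in range(10):
            if input[v4] == numbers[a]:
                for b in range(10):
                    if input[v4+1] == numbers[b]:
                        u = y * 4
                        v = x * 4
                        adding = mask[u] + mask[v]
                        if adding <= v1:
                            # everything fits into u: v is emptied
                            mask[u] = adding
                            mask[v] = 0
                        else:
                            # u is filled up to v1, the remainder stays in v
                            mask[v] = adding - v1
                            mask[u] = v1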
I could see that there are some values swapped around, but I still did not have any idea what's going on. I got a hint from someone that I should check the challenge description. After googling I found out that the algorithm is a variant of the quite popular Three Jugs Problem. Maybe you remember the movie Die Hard 3 where John and Zeus were also facing this kind of problem 😉
After that, everything was quite clear and I could solve the problem via pen & paper. You basically have three containers with a size of 7, 13 and 19. The 7 and 13 size containers are filled and the 19 size container is empty. What you need in the end is 10 in two containers (13 and 19).
After I wrote down the solution on paper I just had to run my Python code and build a valid serial to fill the mask appropriately.
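
The pen-and-paper step can also be done with a breadth-first search over the container states. The following is an added example, not code from the original write-up: it uses the same pour rule as the reimplemented check (`adding <= capacity`) and finds a shortest pour sequence from 7 and 13 full, 19 empty to 10 in each of the 13 and 19 containers. The tuple order (7, 13, 19) and all names are assumptions of this example, and it does not encode the pours into a serial, since the digit mapping is not shown above.

```python
from collections import deque

CAPACITY = (7, 13, 19)   # container sizes from the write-up (order is an assumption)
START = (7, 13, 0)       # 7 and 13 are full, 19 is empty
GOAL = (0, 10, 10)       # 10 in the 13 container and 10 in the 19 container


def pour(state, src, dst):
    """Pour src into dst using the same rule as the reimplemented check."""
    adding = state[src] + state[dst]
    new = list(state)
    if adding <= CAPACITY[dst]:
        # everything fits: destination takes it all, source is emptied
        new[dst], new[src] = adding, 0
    else:
        # destination is filled to capacity, the remainder stays in the source
        new[src], new[dst] = adding - CAPACITY[dst], CAPACITY[dst]
    return tuple(new)


def solve(start=START, goal=GOAL):
    """Breadth-first search; returns a shortest list of (src, dst, state) or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == goal:
            steps = []
            while parent[state] is not None:
                prev, src, dst = parent[state]
                steps.append((src, dst, state))
                state = prev
            return steps[::-1]
        for src in range(3):
            for dst in range(3):
                if src == dst or state[src] == 0:
                    continue
                nxt = pour(state, src, dst)
                if nxt not in parent:      # also skips pours that change nothing
                    parent[nxt] = (state, src, dst)
                    queue.append(nxt)
    return None  # goal is not reachable from start


if __name__ == "__main__":
    for src, dst, state in solve():
        print(f"pour {CAPACITY[src]:>2} -> {CAPACITY[dst]:>2}   {state}")
```

Each printed line is one pour and the resulting fill levels in (7, 13, 19) order.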