
Gealber Morales

Posted on • Originally published at gealber.com

Challenge RE #30

I'll jump to challenge #30; #29 is an obfuscated one and I'll need more time to work on it. #30 is a simple one, in the find-the-password format. For the disassembly of this program I'll use IDA, which of the tools I've tried is honestly the most user-friendly.

Analysis

Let's analyze only the main function; here is the disassembly associated with it:

```asm
; int __cdecl main(int, char **, char **)
main proc near                          ; DATA XREF: start+17↑o
; __unwind {
    push    ebp
    mov     ebp, esp
    and     esp, 0FFFFFFF0h
    sub     esp, 0A0h
    mov     eax, large gs:14h
    mov     [esp+9Ch], eax
    xor     eax, eax
    mov     dword ptr [esp], offset aEnterPassword ; "enter password:" 1st argument, only one argument is required
    call    _puts
    lea     eax, [esp+1Ch]
    mov     [esp+4], eax
    mov     dword ptr [esp], offset aS  ; "%s"
    call    ___isoc99_scanf
    cmp     eax, 1                      ;; number of items successfully matched
    jz      short loc_8048539
    mov     dword ptr [esp], offset aNoPasswordSupp ; "no password supplied"
    call    _puts

loc_8048539:                            ; CODE XREF: main+3E↑j
    mov     dword ptr [esp+4], offset aMetallica ; "metallica"
    lea     eax, [esp+1Ch]
    mov     [esp], eax
    call    _strcmp
    test    eax, eax
    jnz     short loc_804855F           ;; INCORRECT PASSWORD PRINT IT
    mov     dword ptr [esp], offset aPasswordIsCorr ; "password is correct"
    call    _puts
    jmp     short loc_804856B
; ---------------------------------------------------------------------------

loc_804855F:                            ; CODE XREF: main+62↑j
    mov     dword ptr [esp], offset aPasswordIsNotC ; "password is not correct"
    call    _puts

loc_804856B:                            ; CODE XREF: main+70↑j
    mov     edx, [esp+9Ch]
    xor     edx, large gs:14h
    jz      short locret_8048580
    call    ___stack_chk_fail

locret_8048580:                         ; CODE XREF: main+8C↑j
    leave
    retn
; } // starts at 80484ED
main endp
```

In this code we first have a call to puts printing the text `enter password:`; we know it is this text thanks to IDA, which resolves the string behind the aEnterPassword offset. What follows is a call to scanf, which waits for the user to input the password. Nothing too hard here, so we need to look for the part of the code that validates this password. Right after the call to scanf we have the following code:

```asm
    lea     eax, [esp+1Ch]
    mov     [esp+4], eax
    mov     dword ptr [esp], offset aS  ; "%s"
    call    ___isoc99_scanf
    cmp     eax, 1                      ;; number of items successfully matched
    jz      short loc_8048539
```

After the call to scanf, its return value (the number of items successfully matched) is compared with 1 to check whether the user supplied something; if so, we jump to loc_8048539, which is where our validation lives. Let's see how this password is validated.

```asm
loc_8048539:                            ; CODE XREF: main+3E↑j
    mov     dword ptr [esp+4], offset aMetallica ; "metallica"
    lea     eax, [esp+1Ch]
    mov     [esp], eax
    call    _strcmp
    test    eax, eax
    jnz     short loc_804855F           ;; INCORRECT PASSWORD PRINT IT
    mov     dword ptr [esp], offset aPasswordIsCorr ; "password is correct"
    call    _puts
    jmp     short loc_804856B
```

Easy! We have a strcmp comparison against the text `metallica` (it seems Denis is a fan of Metallica), and when it matches, the text `password is correct` is printed.

That's it.
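To make the control flow concrete, here is a C reconstruction of the main function from the listing above. This is an added example, not the challenge's original source: the function names, the buffer size (inferred from the input buffer at [esp+1Ch] and the canary slot at [esp+9Ch], so 0x9C - 0x1C = 0x80 bytes) and the bounded `%127s` width are my assumptions. It also stops on a failed read, where the listing falls through into the strcmp block.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a C reconstruction of the main() in the IDA listing.
 * Not the challenge's original source; names and the buffer size are
 * inferred from the disassembly (input buffer at [esp+1Ch], stack canary
 * at [esp+9Ch], so 0x9C - 0x1C = 0x80 bytes of buffer). */

#define PASSWORD_BUF_SIZE 0x80          /* inferred: 0x9C - 0x1C */
#define EXPECTED_PASSWORD "metallica"   /* the aMetallica string */

/* Mirrors the scanf / cmp eax,1 block: one whitespace-delimited token is
 * read into buf, and the result is 1 only when exactly one item matched.
 * The binary uses a bare "%s" with no width, so a token longer than the
 * buffer would reach the canary at [esp+9Ch] and the gs:14h check at the
 * end of main would call __stack_chk_fail. "%127s" is the bounded form
 * (127 characters plus the NUL terminator fit in 0x80 bytes). */
int parse_password(const char *line, char *buf)
{
    int matched = sscanf(line, "%127s", buf);
    return matched == 1;
}

/* Mirrors the strcmp / test eax,eax block at loc_8048539:
 * 1 when input equals "metallica", 0 otherwise. */
int check_password(const char *input)
{
    return strcmp(input, EXPECTED_PASSWORD) == 0;
}

int main(void)
{
    char line[256];
    char buf[PASSWORD_BUF_SIZE];

    puts("enter password:");
    if (fgets(line, sizeof line, stdin) == NULL || !parse_password(line, buf)) {
        puts("no password supplied");
        /* The listing has no jump here and falls through to strcmp with
         * whatever is in the uninitialised buffer; stopping instead is a
         * deliberate deviation in this reconstruction. */
        return 1;
    }
    if (check_password(buf))
        puts("password is correct");
    else
        puts("password is not correct");
    return 0;
}
```

The two helper functions are the two decision points in the listing: `parse_password` is the `cmp eax, 1` after scanf, and `check_password` is the `test eax, eax` after strcmp.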

Conclusion

I'm getting better at this; some progress.
