atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Thu Mar 06, 2008 3:57 pm
Some more info on this one:
Code:
0042CAA7 . 52             PUSH EDX
0042CAA8 . 50             PUSH EAX
0042CAA9 . 51             PUSH ECX
0042CAAA . FF15 18104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
0042CAB0 . 8BD0           MOV EDX,EAX
0042CAB2 . 8D4D DC        LEA ECX,DWORD PTR SS:[EBP-24]
0042CAB5 . FF15 90104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0042CABB . 50             PUSH EAX
0042CABC . FF15 44104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
Break on the first push. EDX contains the value you have entered yourself. This is the first push for the compare. Next, ECX and EAX contain the first and second part of the real pin; they are joined together (appended) via strcat. strmove creates a new string to hold the new value returned by strcat, which is then pushed onto strcmp's stack and compared.
When you break on the first push, the register window of Olly shows you the full answer:
Code:
EAX 00177E74 UNICODE "6964"
ECX 00177E0C UNICODE "0123"
EDX 00178164 UNICODE "7777777"
EBX 00000000
ESP 0013F384
EBP 0013F468
ESI 003A084C ASCII "HT9"
EDI 0016A698
EIP 0042CAA7 Bank_Car.0042CAA7
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty +UNORM 038E 015D0000 0013FA54
ST1 empty +UNORM 038E 015D0000 0000137F
ST2 empty +UNORM 1F80 00000001 00000000
ST3 empty 0.0000000078275202060e-4933
ST4 empty +UNORM 10F0 0000003B A9557C38
ST5 empty +UNORM 003B 0013FDF0 00000000
ST6 empty -UNORM FDE8 00000202 0000001B
ST7 empty 4.4477983388301931520e-4932
      3 2 1 0   E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1
_________________
- Retired.
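Added example (not atom0s's code and not part of the Bank_Car crackme): a Python model of the check described in the post, next to a hardened version of the same check. The weak form mirrors the __vbaStrCat / __vbaStrMove / __vbaStrCmp sequence, with an `on_compare` callback standing in for the breakpoint on the first push, so it records exactly what a debugger sees at the compare. The hardened form is an assumed design, not anything in the crackme: the PIN is enrolled once as a salted PBKDF2-SHA256 digest, and verification compares digests in constant time, so the plaintext PIN is never reassembled at check time. The PIN halves and the typed value are the ones in the post's register dump; the salt in the demo is random per run.

```python
import hashlib
import hmac
import os

# Constructed sample values, taken from the register dump in the post:
# ECX held the first half of the real PIN, EAX the second half, and EDX the
# value the user typed.
PIN_PART1 = "0123"      # ECX
PIN_PART2 = "6964"      # EAX
USER_INPUT = "7777777"  # EDX


def weak_check(user_input, part1=PIN_PART1, part2=PIN_PART2, on_compare=None):
    """Model of the __vbaStrCat -> __vbaStrMove -> __vbaStrCmp sequence.

    The real PIN is assembled in plain text and handed to a string compare,
    so at the moment of the compare both operands are readable in memory.
    `on_compare` stands in for a breakpoint on the compare: it receives the
    two operands exactly as the program sees them.
    """
    real_pin = part1 + part2          # __vbaStrCat joins the two halves
    # __vbaStrMove only moves the temporary into a local; nothing to model.
    if on_compare is not None:
        on_compare(user_input, real_pin)
    return user_input == real_pin     # __vbaStrCmp returning 0


def enroll(pin, salt=None, iterations=100_000):
    """Hardened setup (assumed design): derive a salted hash of the PIN once.

    Returns (salt, digest). Only these two values need to be stored; the
    plaintext PIN never has to be reassembled at check time.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations)
    return salt, digest


def hardened_check(user_input, salt, digest, iterations=100_000, on_compare=None):
    """Hardened verification: hash the candidate with the stored salt and
    compare digests in constant time.

    A debugger at the compare sees two digests, not the PIN, and the
    comparison does not leak how many leading bytes matched.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", user_input.encode("utf-8"), salt, iterations)
    if on_compare is not None:
        on_compare(candidate, digest)
    return hmac.compare_digest(candidate, digest)


def compare_operands(check, *args, **kwargs):
    """Run a check with a recording 'breakpoint' and return what the compare saw."""
    seen = []
    check(*args, on_compare=lambda lhs, rhs: seen.append((lhs, rhs)), **kwargs)
    return seen[0]


if __name__ == "__main__":
    print("weak check:", weak_check(USER_INPUT))
    print("operands visible at the weak compare:",
          compare_operands(weak_check, USER_INPUT))
    salt, digest = enroll(PIN_PART1 + PIN_PART2)
    print("hardened check:", hardened_check(USER_INPUT, salt, digest))
    lhs, rhs = compare_operands(hardened_check, USER_INPUT, salt, digest)
    print("operands visible at the hardened compare:", lhs.hex(), rhs.hex())
```

Running it shows the difference the post is pointing at: with the weak check, the "breakpoint" sees ("7777777", "01236964"), the full PIN in clear, while with the hardened check it sees only two 32-byte digests. The PBKDF2 iteration count is a deliberate cost against offline guessing of short PINs and is a parameter you would tune, not a fixed value.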