atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8518 Location: 127.0.0.1
Posted: Sat Nov 16, 2013 2:56 pm
Get the user input password:
Code:
011010BB |. 68 14211001 PUSH stage0.01102114 ; /format = "%30s"
011010C0 |. FF15 A4201001 CALL DWORD PTR DS:[<&MSVCR90.scanf>] ; \scanf
Get the length of the input:
Code:
011010C6 |. 8D8424 2802000>LEA EAX,DWORD PTR SS:[ESP+0x228]
011010CD |. 83C4 24 ADD ESP,0x24
011010D0 |. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+0x1]
011010D3 |> 8A08 /MOV CL,BYTE PTR DS:[EAX]
011010D5 |. 40 |INC EAX
011010D6 |. 84C9 |TEST CL,CL
011010D8 |.^75 F9 \JNZ SHORT stage0.011010D3
Ensure the length is not 0:
Code:
011010DA |. 2BC2 SUB EAX,EDX
011010DC |. 33C9 XOR ECX,ECX
011010DE |. 85C0 TEST EAX,EAX
011010E0 |. 7E 0D JLE SHORT stage0.011010EF
Xor each input character with 0x57:
Code:
011010E2 |> 80B40C 0402000>/XOR BYTE PTR SS:[ESP+ECX+0x204],0x57
011010EA |. 41 |INC ECX
011010EB |. 3BC8 |CMP ECX,EAX
011010ED |.^7C F3 \JL SHORT stage0.011010E2
Load string into EAX 'RealPassword':
Code:
011010EF |> B9 30211001 MOV ECX,stage0.01102130 ; ASCII "45678"
011010F4 |. 8D8424 0401000>LEA EAX,DWORD PTR SS:[ESP+0x104]
011010FB |. EB 03 JMP SHORT stage0.01101100
Compare 45678 to 'RealPassword':
Code:
011010FD | 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
01101100 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
01101102 |. 3A11 |CMP DL,BYTE PTR DS:[ECX]
01101104 |. 75 1A |JNZ SHORT stage0.01101120
01101106 |. 84D2 |TEST DL,DL
01101108 |. 74 12 |JE SHORT stage0.0110111C
0110110A |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+0x1]
0110110D |. 3A51 01 |CMP DL,BYTE PTR DS:[ECX+0x1]
01101110 |. 75 0E |JNZ SHORT stage0.01101120
01101112 |. 83C0 02 |ADD EAX,0x2
01101115 |. 83C1 02 |ADD ECX,0x2
01101118 |. 84D2 |TEST DL,DL
0110111A |.^75 E4 \JNZ SHORT stage0.01101100
Test if password matched 'RealPassword':
Code:
0110111C |> 33C0 XOR EAX,EAX
0110111E |. EB 05 JMP SHORT stage0.01101125
01101120 |> 1BC0 SBB EAX,EAX
01101122 |. 83D8 FF SBB EAX,-0x1
01101125 |> 85C0 TEST EAX,EAX
01101127 |. 75 22 JNZ SHORT stage0.0110114B
01101129 |. 68 38211001 PUSH stage0.01102138 ; ASCII "Wrong Password."
0110112E |. FFD6 CALL ESI
01101130 |. 83C4 04 ADD ESP,0x4
01101133 |. 33C0 XOR EAX,EAX
01101135 |. 5E POP ESI
01101136 |. 8B8C24 0003000>MOV ECX,DWORD PTR SS:[ESP+0x300]
0110113D |. 33CC XOR ECX,ESP
0110113F |. E8 25010000 CALL stage0.01101269
01101144 |. 81C4 04030000 ADD ESP,0x304
0110114A |. C3 RETN
Test if our given password xor'd is 0x14 characters long:
Code:
0110114B |> 8D8424 0402000>LEA EAX,DWORD PTR SS:[ESP+0x204]
01101152 |. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+0x1]
01101155 |> 8A08 /MOV CL,BYTE PTR DS:[EAX]
01101157 |. 40 |INC EAX
01101158 |. 84C9 |TEST CL,CL
0110115A |.^75 F9 \JNZ SHORT stage0.01101155
0110115C |. 2BC2 SUB EAX,EDX
0110115E |. 83F8 14 CMP EAX,0x14
01101161 |. 74 22 JE SHORT stage0.01101185
01101163 |. 68 4C211001 PUSH stage0.0110214C ; ASCII "Wrong Password."
01101168 |. FFD6 CALL ESI
0110116A |. 83C4 04 ADD ESP,0x4
0110116D |. 33C0 XOR EAX,EAX
0110116F |. 5E POP ESI
01101170 |. 8B8C24 0003000>MOV ECX,DWORD PTR SS:[ESP+0x300]
01101177 |. 33CC XOR ECX,ESP
01101179 |. E8 EB000000 CALL stage0.01101269
0110117E |. 81C4 04030000 ADD ESP,0x304
01101184 |. C3 RETN
Compare our xor'd password with another xor'd password stored in esp+4:
Code:
01101185 |> 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+0x4]
01101189 |. 8D8424 0402000>LEA EAX,DWORD PTR SS:[ESP+0x204]
01101190 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
01101192 |. 3A11 |CMP DL,BYTE PTR DS:[ECX]
01101194 |. 75 1A |JNZ SHORT stage0.011011B0
01101196 |. 84D2 |TEST DL,DL
01101198 |. 74 12 |JE SHORT stage0.011011AC
0110119A |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+0x1]
0110119D |. 3A51 01 |CMP DL,BYTE PTR DS:[ECX+0x1]
011011A0 |. 75 0E |JNZ SHORT stage0.011011B0
011011A2 |. 83C0 02 |ADD EAX,0x2
011011A5 |. 83C1 02 |ADD ECX,0x2
011011A8 |. 84D2 |TEST DL,DL
011011AA |.^75 E4 \JNZ SHORT stage0.01101190
011011AC |> 33C0 XOR EAX,EAX
011011AE |. EB 05 JMP SHORT stage0.011011B5
011011B0 |> 1BC0 SBB EAX,EAX
011011B2 |. 83D8 FF SBB EAX,-0x1
011011B5 |> 85C0 TEST EAX,EAX
011011B7 |. 74 22 JE SHORT stage0.011011DB
011011B9 |. 68 60211001 PUSH stage0.01102160 ; ASCII "Wrong Password."
011011BE |. FFD6 CALL ESI
All of the starting compares are to make you think that the password is 'RealPassword'. The only check that matters is the size check for the password length.
At the end, ESP+4 holds the real password xor'd with 0x57:
Code:
CPU Dump
Address  Hex dump                                        ASCII
0043F978 01 32 25 2E|1B 38 39 30|07 36 24 24|20 38 25 33| 2%.8906$$ 8%3
0043F988 65 67 67 6E|00 00 00 00|00 00 00 00|00 00 00 00| eggn
Xor this and you get the real password: VeryLongPassword2009
And the resulting screen:
Code:
Enter Pasword:
VeryLongPassword2009
Good Job!
Send email to [email protected] with subject: stage0_fd60d641dc9efb8f5b79a9b5a75b006b.
Attach your resume. Good luck!
_________________
- Retired.
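Added example (editor's Python, not atom0s's code and not part of the stage0 binary): it re-implements the part of the check sequence walked through in the post that decides the outcome (scanf "%30s", XOR every byte with 0x57, length must equal 0x14, byte compare against the buffer at ESP+4) and decodes the CPU dump quoted above to recover the expected password. The dump lines are copied from the post; the function names are my own, and the decoy compare against "45678" is deliberately not modelled because the post shows that it cannot lead to "Good Job!".

```python
# Editor's model of the stage0 password check described in the post.
# Constants come from the disassembly: 0x57 is the XOR key at 011010E2,
# 0x14 is the operand of CMP EAX,0x14 at 0110115E.
XOR_KEY = 0x57
REQUIRED_LEN = 0x14
SCANF_WIDTH = 30          # scanf("%30s") reads at most 30 characters

# OllyDbg "CPU Dump" lines copied from the post (the buffer at ESP+4).
CPU_DUMP = """\
0043F978 01 32 25 2E|1B 38 39 30|07 36 24 24|20 38 25 33| 2%.8906$$ 8%3
0043F988 65 67 67 6E|00 00 00 00|00 00 00 00|00 00 00 00| eggn
"""


def parse_hex_dump(dump: str) -> bytes:
    """Turn OllyDbg-style dump lines into raw bytes.

    Each line is '<address> <4 groups of 4 hex bytes, separated by |> <ascii>'.
    Only the four hex groups are used; the ASCII column is ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        _address, rest = line.split(None, 1)
        for group in rest.split("|", 4)[:4]:      # 4 hex groups, ASCII after the 4th '|'
            out += bytes(int(b, 16) for b in group.split())
    return bytes(out)


def c_string(buf: bytes) -> bytes:
    """Emulate the strlen loops (MOV CL,[EAX] / TEST CL,CL / JNZ): stop at the first NUL."""
    end = buf.find(b"\x00")
    return buf if end < 0 else buf[:end]


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key (the loop at 011010E2). XOR is its own inverse,
    so the same function both encodes the input and decodes the stored buffer."""
    return bytes(b ^ key for b in data)


def recover_password(dump: str = CPU_DUMP) -> str:
    """Undo the XOR on the NUL-terminated buffer stored at ESP+4."""
    stored = c_string(parse_hex_dump(dump))
    return xor_bytes(stored).decode("ascii")


def check_password(user_input: str, dump: str = CPU_DUMP) -> bool:
    """Model of the binary's decision: True where stage0 prints 'Good Job!'."""
    raw = user_input.encode("ascii", errors="replace")[:SCANF_WIDTH]
    xored = xor_bytes(raw)                     # loop at 011010E2 (skipped for empty input,
                                               # which then fails the length check anyway)
    if len(xored) != REQUIRED_LEN:             # CMP EAX,0x14 / JE 01101185
        return False
    stored = c_string(parse_hex_dump(dump))    # buffer at ESP+4
    return xored == stored                     # byte compare loop at 01101190


if __name__ == "__main__":
    pw = recover_password()
    print(pw, check_password(pw))
```

Running the file prints the recovered password and `True`; feeding "RealPassword" to `check_password` returns `False`, which is the point of the post: the visible string is a decoy and the stored XORed buffer is what the binary actually compares against.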