You can find the rest of the Crackme Challenge series here.
Part 6
The code for logical segment 6 is as follows:
0040181F |. B9 10000000 mov ecx,10 00401824 |. 8DB424 C0000000 lea esi,dword ptr ss:[esp+C0]sta 0040182B |. 8D7C24 10 lea edi,dword ptr ss:[esp+10] 0040182F |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds> 00401831 |. 8B75 10 mov esi,dword ptr ss:[ebp+10] 00401834 |. 33C0 xor eax,eax 00401836 |. 85F6 test esi,esi 00401838 |. 7E 1E jle short main.00401858 0040183A |. 8D9B 00000000 lea ebx,dword ptr ds:[ebx] 00401840 |> 8B55 0C /mov edx,dword ptr ss:[ebp+C] 00401843 |. 8A1410 |mov dl,byte ptr ds:[eax+edx] 00401846 |. 8BC8 |mov ecx,eax 00401848 |. 83E1 3F |and ecx,3F 0040184B |. 30540C 10 |xor byte ptr ss:[esp+ecx+10],dl 0040184F |. 8D4C0C 10 |lea ecx,dword ptr ss:[esp+ecx+10] 00401853 |. 40 |inc eax 00401854 |. 3BC6 |cmp eax,esi 00401856 |.^7C E8 jl short main.00401840
The [esp+C0] points to the address 0x0012 EB 08, which contains the whirlpool hash of the Name value plus ESETNOD32@ string, like this:
AAAAAAD32@ESETNOD32@ESETNOD32@ESETNOD32@ESETNOD32@ESETNOD32@ESETNOD32@ESETNOD32@
In the above code we're reading the whirlpool hash from [esp+C0] and writing it to the address [esp+10] with the rep instruction. The [ebp+10] stack value contains the length of the Key 1 value. We're clearing the eax register to zero testing whether the length of the Key 1 value is 0, which it isn't, so the jump isn't taken. Then we're moving the value of [ebx] into ebx, which contains exactly the Name input argument. The following instruction reads some memory address from stack and puts it into register edx:
00401840 |> 8B55 0C /mov edx,dword ptr ss:[ebp+C]
The ebp+C register constitutes the input argument that was passed to this function. If we look at the stack, we can see that function parameters were passed into the current function residing at address 0x00401760 from the addresses right before the address 0x00401 B 2 D. The stack memory that contains those values can be seen in the picture below:
The highlighted value is the memory address being passed to the function 0x00401760 when being called from the address 0x00401 B 2 B. The program execution is then returned to the address 0x00401 B 2 D. The important memory address on the above picture being passed into the function as a parameter is 0x00 B 98660. Thus the edx register will contain the address 0x00 B 98660 which we'll look into more detail.
Let's disassemble the instructions right before the address 0x00401 B 2 D:
00401AF8 . 52 push edx ; Arg1 00401AF9 . E8 04410F00 call main.004F5C02 ; Function Call 00401AFE . 8BD8 mov ebx,eax 00401B00 . 83C4 04 add esp,4 00401B03 . 85DB test ebx,ebx 00401B05 . 74 7C je short main.00401B83 00401B07 . 8BCB mov ecx,ebx 00401B09 . 8BD6 mov edx,esi 00401B0B . 8D85 F0FAFFFF lea eax,dword ptr ss:[ebp-510] 00401B11 . E8 AAF7FFFF call main.004012C0 00401B16 . 8B85 ECFAFFFF mov eax,dword ptr ss:[ebp-514] 00401B1C . 8B40 F4 mov eax,dword ptr ds:[eax-C] 00401B1F . 57 push edi 00401B20 . 53 push ebx 00401B21 . 50 push eax 00401B22 . 8D8D F0FEFFFF lea ecx,dword ptr ss:[ebp-110] 00401B28 . E8 33FCFFFF call main.00401760 00401B2D . 53 push ebx
We also need to disassemble the first few instructions at address 0x00401760:
00401760 /$ 55 push ebp 00401761 |. 8BEC mov ebp,esp 00401763 |. 83E4 F8 and esp,FFFFFFF8 00401766 |. 81EC FC000000 sub esp,0FC]
We can see that in the function 0x00401760 we're pushing another value onto the stack before we're taking care of the function frame. Therefore the value at [ebp+C] is exactly the value which is getting set by the push ebx instruction right before the function call at address 0x00401 B 20. The ebp register is set at the address 0x00401 AFE when eax is copied into it. And eax is set by the function call at address 0x004 F 5 C 02 that happens one instruction before.
The memory at the address returned by the function looks as follows:
00B98660 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 00B98670 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 00B98680 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 00B98690 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 00B986A0 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 00B986B0 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA
But that memory region is changed in the duration of the program. The instruction at 0x00401840 memory region at address 0x00 B 98660 contains the following values:
00B98660 69 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 69 00B98670 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 69 A6 00B98680 9A 69 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 00B98690 69 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 69 00B986A0 A6 9A 69 A6 9A 69 A6 9A 69 A6 9A 00 0D F0 AD BA 00B986B0 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA
We can quickly confirm that the computed values are in fact calculated with a function residing at the address 0x004012 C 0, which we've already encountered. The algorithm looks like this:
eax = [0x5414C0 + key1[i]] ebx = [0x5414C0 + key1[i+1]] al = al * 2 bl = bl shift right by 4 al = al * 2 al = al xor bl
The key1 is the value that was inputed into the field Key 1. But the length is not the same as with the previous algorithm, where the length was 64 bytes. The length of the computed values can be determined by looking at the following instructions:
00401348 . 3BF2 cmp esi,edx 0040134A .^7C 94 jl short main.004012E0
The esi register starts at 0 and increases by 4 each iteration, whereas the edx register is the argument into the function. The edx register contains the length of the Key 1 input value. By now we've figured out what the dl register at the end of the loop in the above code section should hold.
What follows is the xor instruction that computes the XOR of the whirlpool hash byte and the dl register one byte at a time. It writes the result into the address pointed to by [esp+10] where the copied whirlpool hash is. Afterwards we're increasing the eax register by 1 and comparing it to esi, which contains the length of the Key 1 value. Once the loop is finished the program execution can continue. Whirlpool hash is only 64 bytes long, so why are we copying the number of bytes that equal the length of the Key 1 input value? We don't know just yet.
But let's try to think for a minute. We're computing some 'random' values (we don't know if the values above have any meaning yet) on the stack. We're starting at stack address [esp+ecx+10] and continuing as many times as is the length of the Key 1 input value. The register ecx depends upon register eax, which starts with a value 0 and is being increased by 1 every loop. So the values in ecx are computed like this:
ecx = eax ecx = ecx AND 00111111
That is why the concrete values of ecx are known in advance, since only the last 6 bits are kept; the other bits are being rewritten to zero. The following section holds the representation of the values in eax and their appropriated counterpart values in ecx register.
EAX ECX 00000000 00000000 00000001 00000001 00000002 00000002 00000003 00000003 00111111 00111111 01000000 00000000 01000001 00000001 01111111 00111111
This is an effective algorithm to overwrite only the first 0x40 bytes from the address [esp+10] onwards. The whole scheme how the stack values are computed can be seen in the picture below:
We can see that first we're copying the whirlpool hash located at the address [esp+C0] into a temporary stack address H on the right: H0, H1, ..., H63. The stack addresses S: S0, S1, ..., S63 right below the stack addresses H: H0, H1, ..., H63 contain exactly the same value; they are present just for a clearer picture of what happens in each step. After the whirlpool hash is copied to the temporary stack address H or S (doesn't really matter, since they are the same), we're applying the algorithm in the frame box to it. The algorithm works by taking each byte from the Data Structure and xoring it with the copied whirlpool hash and saving the value in the temporary stack location where the whirlpool hash is located. The loop is repeated for each byte of the Key 1 input value. Since the whirlpool hash contains only 64 bytes, the stack addresses will be xored more than once if the length of the Key 1 input field is longer than that. Logical Code Segment 7**
The code for the logical segment 7 is presented below:
00401858 |> 33F6 xor esi,esi 0040185A |. 33C9 xor ecx,ecx 0040185C |. 8D6424 00 lea esp,dword ptr ss:[esp] 00401860 |> 8A5C34 10 /mov bl,byte ptr ss:[esp+esi+10] 00401864 |. 0FB6C3 |movzx eax,bl 00401867 |. 99 |cdq 00401868 |. BF 50000000 |mov edi,50 0040186D |. F7FF |idiv edi 0040186F |. 83C6 04 |add esi,4 00401872 |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10] 00401877 |. 03C1 |add eax,ecx 00401879 |. 99 |cdq 0040187A |. 8BCF |mov ecx,edi 0040187C |. F7F9 |idiv ecx 0040187E |. 0FB6CA |movzx ecx,dl 00401881 |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 00401885 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 00401889 |. 8A5C34 0D |mov bl,byte ptr ss:[esp+esi+D] 0040188D |. 884434 0C |mov byte ptr ss:[esp+esi+C],al 00401891 |. 0FB6C3 |movzx eax,bl 00401894 |. 99 |cdq 00401895 |. F7FF |idiv edi 00401897 |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10] 0040189C |. 03C1 |add eax,ecx 0040189E |. 99 |cdq 0040189F |. 8BCF |mov ecx,edi 004018A1 |. F7F9 |idiv ecx 004018A3 |. 0FB6CA |movzx ecx,dl 004018A6 |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 004018AA |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018AE |. 8A5C34 0E |mov bl,byte ptr ss:[esp+esi+E] 004018B2 |. 884434 0D |mov byte ptr ss:[esp+esi+D],al 004018B6 |. 0FB6C3 |movzx eax,bl 004018B9 |. 99 |cdq 004018BA |. F7FF |idiv edi 004018BC |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10] 004018C1 |. 03C1 |add eax,ecx 004018C3 |. 99 |cdq 004018C4 |. 8BCF |mov ecx,edi 004018C6 |. F7F9 |idiv ecx 004018C8 |. 0FB6CA |movzx ecx,dl 004018CB |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 004018CF |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018D3 |. 8A5C34 0F |mov bl,byte ptr ss:[esp+esi+F] 004018D7 |. 884434 0E |mov byte ptr ss:[esp+esi+E],al 004018DB |. 0FB6C3 |movzx eax,bl 004018DE |. 99 |cdq 004018DF |. F7FF |idiv edi 004018E1 |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10] 004018E6 |. 03C1 |add eax,ecx 004018E8 |. 99 |cdq 004018E9 |. 8BCF |mov ecx,edi 004018EB |. F7F9 |idiv ecx 004018ED |. 0FB6CA |movzx ecx,dl 004018F0 |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 004018F4 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018F8 |. 884434 0F |mov byte ptr ss:[esp+esi+F],al 004018FC |. 83FE 40 |cmp esi,40 004018FF |.^0F8C 5BFFFFFF jl main.00401860
First we're initializing registers esi and ecx to zero. The next lea instruction doesn't actually do anything, so we can skip it.
In the loop, we're reading the previously computed values from [esp+10] onwards into the register bl. We're interested in instructions that we can use to overwrite certain values on the stack. Those instructions are the following:
00401885 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 0040188D |. 884434 0C |mov byte ptr ss:[esp+esi+C],al 004018AA |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018B2 |. 884434 0D |mov byte ptr ss:[esp+esi+D],al 004018CF |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018D7 |. 884434 0E |mov byte ptr ss:[esp+esi+E],al 004018F4 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018F8 |. 884434 0F |mov byte ptr ss:[esp+esi+F],al
We are interested in instructions that can set the values at [esp+54] and [esp+5C]. The esi register can never reach values larger than 0x40, which dictates the number of loop iterations:
004018FC |. 83FE 40 |cmp esi,40 004018FF |.^0F8C 5BFFFFFF jl main.00401860
Therefore, only the following instructions are actually interesting to us:
00401885 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018AA |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018CF |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018F4 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl
Let's mention again why are those two stack addresses are so important. Because if we overwrite those two addresses with correct values, we can solve the first challenge. The [esp+54] is so important because of what follows after the loop:
00401905 |. 817C24 54 0A0B0C0D cmp dword ptr ss:[esp+54],0D0C0B0A 0040190D |. 75 50 jnz short main.0040195F
Therefore the value in the [esp+54] must equal to 0x0 D 0 C 0 B 0 A for the jump not to be taken. The following code is what immediately follows:
0040190F |. 8D5424 70 lea edx,dword ptr ss:[esp+70] 00401913 |. 52 push edx 00401914 |. 8D4424 14 lea eax,dword ptr ss:[esp+14] 00401918 |. 50 push eax 00401919 |. 8D4F FC lea ecx,dword ptr ds:[edi-4] 0040191C |. C74424 6C CA8A5712 mov dword ptr ss:[esp+6C],12578ACA 00401924 |. C74424 70 78B6CAEF mov dword ptr ss:[esp+70],EFCAB678 0040192C |. C74424 74 78563412 mov dword ptr ss:[esp+74],12345678 00401934 |. E8 E7160000 call main.00403020 00401939 |. 8D47 BC lea eax,dword ptr ds:[edi-44] 0040193C |. 33C9 xor ecx,ecx 0040193E |. 8BFF mov edi,edi 00401940 |> 8B540C 70 /mov edx,dword ptr ss:[esp+ecx+70] 00401944 |. 3B540C 64 |cmp edx,dword ptr ss:[esp+ecx+64] 00401948 |. 75 1D |jnz short main.00401967 0040194A |. 83E8 04 |sub eax,4 0040194D |. 83C1 04 |add ecx,4 00401950 |. 83F8 04 |cmp eax,4 00401953 |.^73 EB jnb short main.00401940
Ok, we don't really need to understand this code as much. What we must acknowledge is that the cmp instruction at 00401944, which jumps directly to address 0x00401967, which in turn jumps to whatever value is contained on the stack at address [esp+5C]:
00401967 |> FF5424 5C call dword ptr ss:[esp+5C]
Therefore if we manage to somehow write the correct values on the stack addresses [esp+54] and [esp+5C] we would solve the first challenge. The value at [esp+54] must be 0x0 D 0 C 0 B 0 A and the value at [esp+5C] must contain an address 0x00401720, which would jump directly to the Congratulations message box.
Therefore we must inspect the loop a little bit further to cause it to write the correct values on the correct memory addresses. We must look at the register bf** in the mentioned mov** instruction that actually overwrites the stack with some value.Mov Instruction
The code for the first mov instruction is as follows:
00401860 |> 8A5C34 10 /mov bl,byte ptr ss:[esp+esi+10] 00401864 |. 0FB6C3 |movzx eax,bl 00401867 |. 99 |cdq 00401868 |. BF 50000000 |mov edi,50 0040186D |. F7FF |idiv edi 0040186F |. 83C6 04 |add esi,4 00401872 |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10] 00401877 |. 03C1 |add eax,ecx 00401879 |. 99 |cdq 0040187A |. 8BCF |mov ecx,edi 0040187C |. F7F9 |idiv ecx 0040187E |. 0FB6CA |movzx ecx,dl 00401881 |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 00401885 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 00401889 |. 8A5C34 0D |mov bl,byte ptr ss:[esp+esi+D] 0040188D |. 884434 0C |mov byte ptr ss:[esp+esi+C],al
We can immediately see that we're reading one value bl from the stack address 0x00401860 and writing it to another stack address 0x00401885; thus effectively permuting the values on the stack. Because we can influence the values on the stack from the previous code section and we're not changing them in this section, it's obvious that we have the total control of the stack values. We just need to figure out a way to actually permute the values.
Move the value in register bl into eax:
00401864 |. 0FB6C3 |movzx eax,bl
From 32-bit value make 64-bit value by sign extending the value in register eax into registers eax and edx (since values in eax are very small, this effectively sets edx register to all zeros):
00401867 |. 99 |cdq
Move a constant value of 0x50 into register edi:
00401868 |. BF 50000000 |mov edi,50
Divide the 64-bit value in registers edx:eax by the operand edi that contains a constant 0x50. The operand is put in register eax whereas the remainder is put in register edx.
0040186D |. F7FF |idiv edi
Move a byte value at [esp+0+10] into the register eax. This instruction doesn't have an effect since we're overwriting the value in eax register in the next instruction.
00401872 |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10]
Add the value in ecx and eax together and save it in register eax. Then sign extend the value in eax into edx:eax. Copy the value in edi into ecx and delete the 64-bit value in edx:eax by ecx and put the operand in eax and remained in edx.
00401877 |. 03C1 |add eax,ecx 00401879 |. 99 |cdq 0040187A |. 8BCF |mov ecx,edi 0040187C |. F7F9 |idiv ecx
Save the remained of the divide operation into register ecx, which is later used to permute the stack values:
0040187E |. 0FB6CA |movzx ecx,dl
The whole code section can be truncated into the following formula:
ecx = (bl + ecx) % 80
At the end we have the following code:
00401881 |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 00401885 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 00401889 |. 8A5C34 0D |mov bl,byte ptr ss:[esp+esi+D] 0040188D |. 884434 0C |mov byte ptr ss:[esp+esi+C],al
If we set the computed value in ecx a variable x, then we can write our equations as follows:
al = S[i+x] S[i+x] = bl bl = S[i+y+D] S[i+y+C] = al
Mov Instruction
The code is presented below:
00401891 |. 0FB6C3 |movzx eax,bl 00401894 |. 99 |cdq 00401895 |. F7FF |idiv edi 00401897 |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10] 0040189C |. 03C1 |add eax,ecx 0040189E |. 99 |cdq 0040189F |. 8BCF |mov ecx,edi 004018A1 |. F7F9 |idiv ecx 004018A3 |. 0FB6CA |movzx ecx,dl 004018A6 |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 004018AA |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018AE |. 8A5C34 0E |mov bl,byte ptr ss:[esp+esi+E] 004018B2 |. 884434 0D |mov byte ptr ss:[esp+esi+D],al
This essentially does the same as the first mov instruction.
eax = S[i + bl % 80] eax = eax + x eax = eax / 80 ecx = eax % 80 al = S[i+x] S[i+x] = bl bl = S[i+y+E] S[i+y+D] = al
Mov Instruction
The code is presented below:
004018B6 |. 0FB6C3 |movzx eax,bl 004018B9 |. 99 |cdq 004018BA |. F7FF |idiv edi 004018BC |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10] 004018C1 |. 03C1 |add eax,ecx 004018C3 |. 99 |cdq 004018C4 |. 8BCF |mov ecx,edi 004018C6 |. F7F9 |idiv ecx 004018C8 |. 0FB6CA |movzx ecx,dl 004018CB |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 004018CF |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018D3 |. 8A5C34 0F |mov bl,byte ptr ss:[esp+esi+F] 004018D7 |. 884434 0E |mov byte ptr ss:[esp+esi+E],al
The code is exactly the same as before, except that the constant F is used instead of the E. The rules are:
al = S[i+x] S[i+x] = bl bl = S[i+y+F] S[i+y+E] = al
Mov Instruction
The code is presented below:
004018DB |. 0FB6C3 |movzx eax,bl 004018DE |. 99 |cdq 004018DF |. F7FF |idiv edi 004018E1 |. 0FB64414 10 |movzx eax,byte ptr ss:[esp+edx+10] 004018E6 |. 03C1 |add eax,ecx 004018E8 |. 99 |cdq 004018E9 |. 8BCF |mov ecx,edi 004018EB |. F7F9 |idiv ecx 004018ED |. 0FB6CA |movzx ecx,dl 004018F0 |. 8A440C 10 |mov al,byte ptr ss:[esp+ecx+10] 004018F4 |. 885C0C 10 |mov byte ptr ss:[esp+ecx+10],bl 004018F8 |. 884434 0F |mov byte ptr ss:[esp+esi+F],al
Again, this is the same code as before, except that the following rules are used:
al = S[i+x] S[i+x] = bl S[i+y+F] = al
Part 7
At the end of the function there's only the following code left, which is located right after the previous permutation occurs.
00401905 |. 817C24 54 0A0B>cmp dword ptr ss:[esp+54],0D0C0B0A 0040190D |. 75 50 jnz short main.0040195F 0040190F |. 8D5424 70 lea edx,dword ptr ss:[esp+70] 00401913 |. 52 push edx 00401914 |. 8D4424 14 lea eax,dword ptr ss:[esp+14] 00401918 |. 50 push eax 00401919 |. 8D4F FC lea ecx,dword ptr ds:[edi-4] 0040191C |. C74424 6C CA8A>mov dword ptr ss:[esp+6C],12578ACA 00401924 |. C74424 70 78B6>mov dword ptr ss:[esp+70],EFCAB678 0040192C |. C74424 74 7856>mov dword ptr ss:[esp+74],12345678 00401934 |. E8 E7160000 call main.00403020 00401939 |. 8D47 BC lea eax,dword ptr ds:[edi-44] 0040193C |. 33C9 xor ecx,ecx 0040193E |. 8BFF mov edi,edi 00401940 |> 8B540C 70 /mov edx,dword ptr ss:[esp+ecx+70] 00401944 |. 3B540C 64 |cmp edx,dword ptr ss:[esp+ecx+64] 00401948 |. 75 1D |jnz short main.00401967 0040194A |. 83E8 04 |sub eax,4 0040194D |. 83C1 04 |add ecx,4 00401950 |. 83F8 04 |cmp eax,4 00401953 |.^73 EB jnb short main.00401940 00401955 C74424 5C 2017>mov dword ptr ss:[esp+5C],main.00401720 0040195D |. EB 08 jmp short main.00401967 0040195F |> C74424 5C 4017>mov dword ptr ss:[esp+5C],main.00401740 00401967 |> FF5424 5C call dword ptr ss:[esp+5C] 0040196B |. 8B8C24 0401000>mov ecx,dword ptr ss:[esp+104]
When permuting the values, we needed to set two stack variables:
- esp+54: which should contain the value 0x0 D 0 C 0 B 0 A for a jump at address 0x0040190 D not to be taken.
- esp+5C: which should contain the value 0x00401720, which would jump to the congratulations message box.
But in the above code we can see that it's trying to compare the values at addresses [esp+70] and [esp+64] to be equal. This means that the whole stack region needs to contain the same 4-byte values, which cannot happen in a real program. This is why we need to overwrite the address [esp+5C] with the address of the congratulations message box - 0x00401720. We know that the compare instruction at the address 0x00401944 will fail and program execution will be transferred to the address 0x00401967. At this point the value in the address [esp+5C] should contain the relevant stack address where the program execution will be redirected. In our case this is the congratulations message box.
The picture below presents the whole process of crackme.exe logic.
The steps presented in the above picture are as follows:
Copy the Name part of input value together with string ESETNOD32@ into the [esp+70] stack address region.
Calculate the whirlpool hash cryptographic value from the string contained in the [esp+70] and save it into the [esp+C0] stack address region.
Change the data region at [esp+70] with the specified algorithm; the input argument is the Key 1 input value.
Compare the memory regions at [esp+70] and [esp+C0], which must be the same.
Copy the hash from the address [esp+C0] into the [esp+10] stack memory region.
Change the data region at [0x00B985D8] with specified algorithm.
Change the data region at [esp+10] using the specified algorithm.
Permute the data region at [esp+10].
Two important values located at [esp+54] and [esp+5C] need to contain specific values after the permutation process. Those two values are marked with pink color in the picture above.
We've seen that we can control the whole stack the way we want. There are a lot of xor operations, hashing and permutations, but it can be done. There's quite a lot of mathematical background involved, but we've seen that since we can save arbitrary values into the stack, we can control what gets executed.
You may ask: how can we input arbitrary values onto the stack? The answer is quite simple, we can control all the important stack values that are used to guide the program through its execution with our input fields. Since we can put arbitrary input values into Name and Key 1, we can effectively control the whole stack and bypass the first stage.
Therefore we can continue with the second stage.
The Length of the Key 2
When running the code, we can quickly determine that the first problem is the following code:
00401CF2 . 83FA 0C cmp edx,0C 00401CF5 0F85 9D000000 jnz main.00401D98
The register edx contains the length of the input argument, which is compared to the value 0x0 C. If the values are not the same, we're jumping to the address 0x00401 D 98 that essentially displays our failure message box. This address holds the following code:
00401D98 > 57 push edi 00401D99 . 6A 30 push 30 00401D9B . 68 0C1A5400 push main.00541A0C 00401DA0 > E8 4B5C0000 call main.004079F0
First we're pushing three arguments to the stack:
- edi
- 0x30
- a pointer to a string "Invalid key value."
Afterwards we're calling the message box which displays the message "Invalid key value.". Ok, so we must avoid jumping to the address 0x00401D98. We can do that by entering exactly 12 characters into the input field. Thus we have our first predicate:
len(key2) = 0xC
The Allowed Characters in Key 2
Afterwards we stumble upon the code presented below:
00401D00 > 8A440C 24 mov al,byte ptr ss:[esp+ecx+24] 00401D04 . 3C 41 cmp al,41 00401D06 . 7C 04 jl short main.00401D0C 00401D08 . 3C 46 cmp al,46 00401D0A . 7E 10 jle short main.00401D1C 00401D0C > 3C 30 cmp al,30 00401D0E . 0F8C 84000000 jl main.00401D98 00401D14 . 3C 39 cmp al,39 00401D16 . 0F8F 7C000000 jg main.00401D98 00401D1C > 41 inc ecx 00401D1D . 83F9 0C cmp ecx,0C 00401D20 .^72 DE jb short main.00401D00
That code can be constructed into the following higher-level language:
i = 0;
while(i<12) {
if(a[i] < 0x41) {
goto label30;
}
else if(a[i] <= 0x46) {
goto end;
}
else if(a[i] < 0x30) {
label30:
printf("Incorrect Key 2. Try again.");
}
else if(a[i] > 0x39) {
printf("Incorrect Key 2. Try again.");
}
end:
i++;
}
We can see that what the code actually does, is take the input string of 12 characters, and compare each byte at a time with the constants: 0x41 = A, 0x46 = F, 0x30 = 0 and 0x39 = 9. This gives us five different options of formatting our input. We can enter the following characters:
- 0x29: Invalid.
- 0x38: Ok.
- 0x40: Invalid.
- 0x45: Ok.
- 0x47: Invalid.
Therefore only two ranges of numbers are allowed to be inputed: 0x30−0x39 = 1−9 and 0x41−0x46 = A − F. So if we enter twelve A's (0*x* 41) as input, this filter should let it through and not print an error.
How to Solve Stage 2
The rest of the code is as follows:
00401D7C . 50 push eax 00401D7D . E8 AE060000 call main.00402430 00401D82 . 6A 00 push 0 00401D84 . 6A 30 push 30 00401D86 . 85C0 test eax,eax 00401D88 . 74 07 je short main.00401D91 00401D8A . 68 201A5400 push main.00541A20 00401D8F . EB 0F jmp short main.00401DA0 00401D91 > 68 481A5400 push main.00541A48 00401D96 . EB 08 jmp short main.00401DA0 00401D98 > 57 push edi 00401D99 . 6A 30 push 30 00401D9B . 68 0C1A5400 push main.00541A0C 00401DA0 > E8 4B5C0000 call main.004079F0
Here, we're pushing the value in register eax to stack as an argument to the function at address 0x00402430. That function must return the value in eax that is not zero. This would set appropriate flags when the test eax,eax instruction is being executed, which would not jump on the je instruction. When the jump is not taken, the push 00541A20 is pushed onto the stack and a jump to an address 0x00401DA 0 is taken. On that address another function is called that displays the message box, either that we succeeded in solving the problem or that we failed. It depends on the argument pushed onto the stack. If the argument is 00541A20, then the message box should say that we succeeded in solving the problem. If the argument is 00541A48 then the message box will say that we failed.
Therefore we must convince the function called at the address 0x00402430 to save 1 into the register eax and not 0.
Part 8
First, the complete code of the function is in order. The code is presented below:
00402430 $ 55 push ebp 00402431 . 8BEC mov ebp,esp 00402433 . 83EC 28 sub esp,28 00402436 . 33C0 xor eax,eax 00402438 . 53 push ebx 00402439 . 56 push esi 0040243A . 8945 E0 mov dword ptr ss:[ebp-20],eax 0040243D . 8945 E4 mov dword ptr ss:[ebp-1C],eax 00402440 . 8945 F4 mov dword ptr ss:[ebp-C],eax 00402443 . 57 push edi 00402444 . B8 28015600 mov eax,main.00560128 00402449 > C645 FF 00 mov byte ptr ss:[ebp-1],0 0040244D . 8945 F8 mov dword ptr ss:[ebp-8],eax 00402450 . C745 F0 080000>mov dword ptr ss:[ebp-10],8 00402457 . EB 0A jmp short main.00402463 00402459 . 8DA424 0000000>lea esp,dword ptr ss:[esp] 00402460 > 8B45 F8 mov eax,dword ptr ss:[ebp-8] 00402463 > 8B18 mov ebx,dword ptr ds:[eax] 00402465 . 8B40 04 mov eax,dword ptr ds:[eax+4] 00402468 . C745 EC 010000>mov dword ptr ss:[ebp-14],1 0040246F . 33FF xor edi,edi 00402471 . 8945 DC mov dword ptr ss:[ebp-24],eax 00402474 > B8 01000000 mov eax,1 00402479 . 33D2 xor edx,edx 0040247B . 8BCF mov ecx,edi 0040247D . E8 3E840F00 call main.004FA8C0 00402482 . 8B75 DC mov esi,dword ptr ss:[ebp-24] 00402485 . 8BCB mov ecx,ebx 00402487 . 23C8 and ecx,eax 00402489 . 23F2 and esi,edx 0040248B . 0BCE or ecx,esi 0040248D . 74 0C je short main.0040249B 0040248F . 8B4D 08 mov ecx,dword ptr ss:[ebp+8] 00402492 . 2301 and eax,dword ptr ds:[ecx] 00402494 . 2351 04 and edx,dword ptr ds:[ecx+4] 00402497 . 0BC2 or eax,edx 00402499 . 74 0B je short main.004024A6 0040249B > 47 inc edi 0040249C . 83FF 40 cmp edi,40 0040249F .^7C D3 jl short main.00402474 004024A1 . 8A45 EC mov al,byte ptr ss:[ebp-14] 004024A4 . EB 02 jmp short main.004024A8 004024A6 > 33C0 xor eax,eax 004024A8 > 0045 FF add byte ptr ss:[ebp-1],al 004024AB . 8345 F8 08 add dword ptr ss:[ebp-8],8 004024AF . FF4D F0 dec dword ptr ss:[ebp-10] 004024B2 .^75 AC jnz short main.00402460 004024B4 . 0FB64D FF movzx ecx,byte ptr ss:[ebp-1] 004024B8 . 81E1 01000080 and ecx,80000001 004024BE . 79 05 jns short main.004024C5 004024C0 . 49 dec ecx 004024C1 . 83C9 FE or ecx,FFFFFFFE 004024C4 . 41 inc ecx 004024C5 > 84C9 test cl,cl 004024C7 . 74 15 je short main.004024DE 004024C9 . 8B4D F4 mov ecx,dword ptr ss:[ebp-C] 004024CC . B8 01000000 mov eax,1 004024D1 . 33D2 xor edx,edx 004024D3 . E8 E8830F00 call main.004FA8C0 004024D8 . 0945 E0 or dword ptr ss:[ebp-20],eax 004024DB . 0955 E4 or dword ptr ss:[ebp-1C],edx 004024DE > 8B45 F8 mov eax,dword ptr ss:[ebp-8] 004024E1 . FF45 F4 inc dword ptr ss:[ebp-C] 004024E4 . 3D 28115600 cmp eax,main.00561128 004024E9 .^0F8C 5AFFFFFF jl main.00402449 004024EF . 817D E0 32EFA0>cmp dword ptr ss:[ebp-20],23A0EF32 004024F6 . 75 17 jnz short main.0040250F 004024F8 . 817D E4 8EECBD>cmp dword ptr ss:[ebp-1C],55BDEC8E 004024FF . 75 0E jnz short main.0040250F 00402501 . B8 01000000 mov eax,1 00402506 . 5F pop edi 00402507 . 5E pop esi 00402508 . 5B pop ebx 00402509 . 8BE5 mov esp,ebp 0040250B . 5D pop ebp 0040250C . C2 0400 retn 4 0040250F > 5F pop edi 00402510 . 5E pop esi 00402511 . 33C0 xor eax,eax 00402513 . 5B pop ebx 00402514 . 8BE5 mov esp,ebp 00402516 . 5D pop ebp 00402517 . C2 0400 retn 4
This function takes one input argument at the address [ebp+8]. That address holds the value 0x0012 EF 70 that points to our [esp+18] and [esp+1C] values on the stack. Therefore the following code effectively loads and uses those values:
0040248F . 8B4D 08 mov ecx,dword ptr ss:[ebp+8] 00402492 . 2301 and eax,dword ptr ds:[ecx] 00402494 . 2351 04 and edx,dword ptr ds:[ecx+4]
The function must set the eax register to something that is not zero. This happens at the end of function when the following code is being executed:
004024EF . 817D E0 32EFA0>cmp dword ptr ss:[ebp-20],23A0EF32 004024F6 . 75 17 jnz short main.0040250F 004024F8 . 817D E4 8EECBD>cmp dword ptr ss:[ebp-1C],55BDEC8E 004024FF . 75 0E jnz short main.0040250F 00402501 . B8 01000000 mov eax,1 00402506 . 5F pop edi 00402507 . 5E pop esi 00402508 . 5B pop ebx 00402509 . 8BE5 mov esp,ebp 0040250B . 5D pop ebp 0040250C . C2 0400 retn 4 0040250F > 5F pop edi 00402510 . 5E pop esi 00402511 . 33C0 xor eax,eax 00402513 . 5B pop ebx 00402514 . 8BE5 mov esp,ebp 00402516 . 5D pop ebp 00402517 . C2 0400 retn 4
We need to force the program to execute the return statement at 0x0040250C. This must happen because a few commands back there's an instruction mov eax,1, which sets eax register to 1. If the latter retn instruction is called, it sets the register to 0 with xor eax, eax. This is why both compare conditions need to hold - the value at address [ebp-20] must hold 0x23A0EF32 and the [ebp-1C] must contain 0x55BDEC8E.
The bytes at addresses [esp-20] and [esp-1C] are set a few instructions before:
004024D3 . E8 E8830F00 call main.004FA8C0 004024D8 . 0945 E0 or dword ptr ss:[ebp-20],eax 004024DB . 0955 E4 or dword ptr ss:[ebp-1C],edx
And at the beginning of the function we're zeroing out those two addresses to start with a clean slate:
00402436 . 33C0 xor eax,eax 00402438 . 53 push ebx 00402439 . 56 push esi 0040243A . 8945 E0 mov dword ptr ss:[ebp-20],eax 0040243D . 8945 E4 mov dword ptr ss:[ebp-1C],eax
Afterwards there are two loops we need to take a look at. The inner loop is as follows:
00402474 > B8 01000000 mov eax,1 00402479 . 33D2 xor edx,edx 0040247B . 8BCF mov ecx,edi 0040247D . E8 3E840F00 call main.004FA8C0 00402482 . 8B75 DC mov esi,dword ptr ss:[ebp-24] 00402485 . 8BCB mov ecx,ebx 00402487 . 23C8 and ecx,eax 00402489 . 23F2 and esi,edx 0040248B . 0BCE or ecx,esi 0040248D . 74 0C je short main.0040249B 0040248F . 8B4D 08 mov ecx,dword ptr ss:[ebp+8] 00402492 . 2301 and eax,dword ptr ds:[ecx] 00402494 . 2351 04 and edx,dword ptr ds:[ecx+4] 00402497 . 0BC2 or eax,edx 00402499 . 74 0B je short main.004024A6 0040249B > 47 inc edi 0040249C . 83FF 40 cmp edi,40 0040249F .^7C D3 jl short main.00402474
We're setting the register eax to 1 and zeroing register edx. We're also incrementing the edi register from 0 to 64 that can be seen here:
0040246F . 33FF xor edi,edi 0040249B > 47 inc edi 0040249C . 83FF 40 cmp edi,40
Therefore the ecx register contains values from 0 to 63 when the loop is being executed. The next subsection contains a detailed explanation of that loop.
I haven't had the time to program the exact version of the high-level Python version of the function, but I've been able to come up with pretty close function definition. It still contains some bugs, as it doesn't return 0x1 in variable a as it should when the right input arguments are passed to it. The code is appended here:
# Local variables: # l0 = [ebp - 4] # l1 = [ebp - 8] # l2 = [ebp - C] # l3 = [ebp - 10] # l4 = [ebp - 14] # l5 = [ebp - 18] # l6 = [ebp - 1C] # l7 = [ebp - 20] # l8 = [ebp - 24] # l9 = [ebp - 28] def funct402430(s1, s2): a = 1 l7 = a l6 = a l2 = a a = 0x00560128 l0 = 0x10 # start loop: eax < 0x561128 while True: #mov byte ptr ss:[ebp-1],0 l0 = ((l0 << 2) >> 2) l1 = a l3 = 8 # start loop: 00402460 while l3 != 0: # read from [eax] in [eax+4] b = memory(a) a = memory(a+4) l4 = 1 di = 0 l8 = a temp = 0 for di in range(0,0x40): a = 1 d = 0 c = di a,c,d = funct4FA8C0(a,c,d) si = l8 c = b c = c & a si = si & d if c == si: t = 0 else: t = 1 c = c | si if t != 0: a = s1 d = s2 if a == d: t1 = 0 else: t1 = 1 a = a | d if t1 == 0: temp = 1 break # 004024A1 mov al,byte ptr ss:[ebp-14] if temp == 0: a = (a >> 8) << 8 t = (l4 << 24) >> 24 a = a + t else: a = 0 print "AAA: "+str(hex(a)) # add byte ptr ss:[ebp-1],al a1 = ((a << 24) & 0xFFFFFFFF) l0 = l0 + a1 print "L0: "+str(hex(l0)) l1 = l1 + 8 l3 = l3 - 1 # moved at the end from the start of the loop a = l1 # end loop: 00402460 # 004024B4: movzx ecx,byte ptr ss:[ebp-1] c = (l0 >> 24) # 0x004024BE t = c c = c & 0x80000001 if t == 0x80000001: c = c - 1 c = c | 0xFFFFFFFE c = c + 1 # 0x004024C5 else: c = l2 a = 1 d = 0 a,c,d = funct4FA8C0(a,c,d) print "ABC: "+str(hex(a))+" "+str(hex(c))+" "+str(hex(d)) l7 = l7 | a l6 = l6 | d print "LL: "+str(hex(l6))+" "+str(hex(l7)) # 0x004024DE a = l1 l2 = l2 + 1 # end loop: eax < 0x561128 if a >= 0x00561128: break # outside any loop if l7 == 0x23A0EF32 and l6 == 0x55BDEC8E: a = 1 else: a = 0 return a s1 = 0xFD7C0372 s2 = 0x19473B90 a = funct402430(s1, s2) print "A: "+str(hex(a))
Memory at Address 0x00560128
The relevant instructions that access the memory outside of the scope of the input arguments, input registers, or stack local variables are as follows:
00402444 . B8 28015600 mov eax,main.00560128 00402463 > 8B18 mov ebx,dword ptr ds:[eax] 00402465 . 8B40 04 mov eax,dword ptr ds:[eax+4] 004024E4 . 3D 28115600 cmp eax,main.00561128
From the above instructions we can see that we initialize the eax register to a value 0x00560128 and continue to increase its value until 0x00561128 after which the loop is terminated. While the loop is still executing, the values being accessed are on the addresses [eax] and [eax+4], which are the addresses in range: 0x00560128 − 0x00561128. This is why we need to introduce a new function that will hold all the static values of the described part of the memory and return the relevant value.
That part of the memory is presented here:
00560128 04 00 00 00 00 00 00 00 91 00 00 00 00 00 00 00 00560138 F9 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 ... 00561118 08 D1 B5 67 81 4B 64 0E E7 90 56 42 A6 FE CD 01 00561128 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
For simplicity's sake it would be best to keep the whole memory region in an array variable that can easily be accessed. The Python program that returns appropriate values of this array as seen in the function at address 0x00402430 is appended below:
arr = [ 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x91, ... ] def memory(addr): index = addr - 0x560128 v = 0x0 v += arr[index+3] v = v << 8 v += arr[index+2] v = v << 8 v += arr[index+1] v = v << 8 v += arr[index] return v & 0xFFFFFFFF a = memory(0x560138) print hex(a)
We input the memory address on a range from 0x560138−0x561138 and the function memory will return a 4-byte value of memory residing at that location.
Input Arguments
The function takes 1 parameter as argument at address [ebp+8]. This can be concluded because of the retn 4 instruction at the end. But the following instruction in the function prologue also indicates that the function takes one parameter:
00401D78 > 8D4424 14 lea eax,dword ptr ss:[esp+14] 00401D7C . 50 push eax 00401D7D . E8 AE060000 call main.00402430
The [esp+14] resolves directly into the address 0x0012 EF 70 on the stack, which holds the value 0 xB 7780 FE 3. The function uses that value like this:
0040248F . 8B4D 08 mov ecx,dword ptr ss:[ebp+8] 00402492 . 2301 and eax,dword ptr ds:[ecx] 00402494 . 2351 04 and edx,dword ptr ds:[ecx+4] 00402497 . 0BC2 or eax,edx
We can see that it loads the address 0x0012 EF 70 into register ecx and reads the value 0 xB 7780 FE 3 from the stack into eax. Then it reads the value 0x3 B 47 E 4 E 1 from the stack address 0x0012 EF 74 into register edx. Afterwards the operation XOR is applied to registers eax and edx. The values 0 xB 7780 FE 3 and 0x3 B 47 E 4 E 1 are different regarding the inputed value Key 2. The above values were computed when we inputed 12 A's into the input field.
Therefore the function takes 1 parameter that constitutes of a 8-byte (64-bit) value accessible at address 0x0012 EF 70. But how are those two values computed? In the function that starts at address 0x00401 C 10 we can see that the values are first initialized to some predefined constants:
00401C52 . C74424 14 8077>mov dword ptr ss:[esp+14],B11B7780 00401C5A . C74424 18 71B4>mov dword ptr ss:[esp+18],7A83B471
Afterwards the only place those two values are changed is in those two functions:
00401D67 . E8 54060000 call main.004023C0 00401D6C . E8 9F040000 call main.00402210
Part 9
Function at Address 0x004023 *C* 0
The function at address 0x004023 C 0 has the following code:
004023C0 /$ 55 push ebp 004023C1 |. 8BEC mov ebp,esp 004023C3 |. 83EC 08 sub esp,8 004023C6 |. 53 push ebx 004023C7 |. 33DB xor ebx,ebx 004023C9 |. 57 push edi 004023CA |. BF 01000000 mov edi,1 004023CF |. 895D FC mov dword ptr ss:[ebp-4],ebx 004023D2 |> B8 01000000 /mov eax,1 004023D7 |. 33D2 |xor edx,edx 004023D9 |. 8BCB |mov ecx,ebx 004023DB |. E8 E0840F00 |call main.004FA8C0 004023E0 |. 2345 08 |and eax,dword ptr ss:[ebp+8] 004023E3 |. 2355 FC |and edx,dword ptr ss:[ebp-4] 004023E6 |. 8BCF |mov ecx,edi 004023E8 |. 0BC2 |or eax,edx 004023EA |. B8 01000000 |mov eax,1 004023EF |. 74 0E |je short main.004023FF 004023F1 |. 33D2 |xor edx,edx 004023F3 |. E8 C8840F00 |call main.004FA8C0 004023F8 |. 0906 |or dword ptr ds:[esi],eax 004023FA |. 0956 04 |or dword ptr ds:[esi+4],edx 004023FD |. EB 10 |jmp short main.0040240F 004023FF |> 33D2 |xor edx,edx 00402401 |. E8 BA840F00 |call main.004FA8C0 00402406 |. F7D0 |not eax 00402408 |. 2106 |and dword ptr ds:[esi],eax 0040240A |. F7D2 |not edx 0040240C |. 2156 04 |and dword ptr ds:[esi+4],edx 0040240F |> 83C7 1D |add edi,1D 00402412 |. 81E7 3F000080 |and edi,8000003F 00402418 |. 79 05 |jns short main.0040241F 0040241A |. 4F |dec edi 0040241B |. 83CF C0 |or edi,FFFFFFC0 0040241E |. 47 |inc edi 0040241F |> 43 |inc ebx 00402420 |. 83FB 10 |cmp ebx,10 00402423 |.^7C AD jl short main.004023D2 00402425 |. 5F pop edi 00402426 |. 5B pop ebx 00402427 |. 8BE5 mov esp,ebp 00402429 |. 5D pop ebp 0040242A . C2 0400 retn 4
We can see that this function accepts one parameter in [ebp+8], that is used only in bitwise and in operation at address 0x004023 E 0. It's also evident that the esi register isn't being initialized anywhere, but is used nevertheless. The esi register contains a value of 0x0012 EF 70, which points to our [esp+14] and [esp+18] stack address, which are being overwritten by the function.
We've written the following piece of code that essentially does the same as the above assembly piece of code. We're inputing the argument arg as the first and only parameter into the function. But we're also inputting arguments s1 and s2 that represent the [esi] and [esi+4] values accordingly. The code written in Python programming language is as follows:
#!/usr/bin/python def funct4FA8C0(a,c,d): #a = 1 #d = 0 if c >= 64: a = 0 d = 0 return a,c,d elif c >= 32: d = a a = 0 c = c & 31 d = d << c return a,c,d else: t1 = d t1 = t1 << c t2 = a t2 = t2 >> (32-c) d = t1|t2 a = a << c return a,c,d # arg = a value 0x12CC used for bitwise AND; s == pointer to our two stack addresses def funct4023C0(arg, s1, s2): b = 0 di = 1 # local var l = 0 for b in range(0,0x10): a = 1 d = 0 c = b # call 004FA8C0 a,c,d = funct4FA8C0(a,c,d) a = a & (arg & 0xFFFFFFFF) d = d & (l & 0xFFFFFFFF) c = di if a == d: t = 0 else: t = 1 a = a | d a = 1 # je short main.004023FF if t != 0: d = 0 a,c,d = funct4FA8C0(a,c,d) s1 = s1 | a s2 = s2 | d else: d = 0 a,c,d = funct4FA8C0(a,c,d) a = ~a & 0xFFFFFFFF s1 = s1 & a d = ~d & 0xFFFFFFFF s2 = s2 & d di = di + 0x1D t = di di = di & 0x8000003F if t == 0x8000003F: di = di - 1 di = di | 0xFFFFFFC0 di = di + 1 #b = b + 1 return s1,s2 s1 = 0xB11B7780 s2 = 0x7A83B471 arg = 0x12CC print "Input values : "+str(hex(s1))+" : "+str(hex(s2)) s1,s2 = funct4023C0(arg,s1,s2) print "Output values: "+str(hex(s1))+" : "+str(hex(s2))
We're loading the initialization values 0 xB 11 B 7780 and 0x7 A 83 B 471 into the stack values s1 and s2. We're also loading the init value 0x12 CC into the arg argument. Then calling the function funct4023C0, which does the same as the function in assembly that resides at address 0x004023 C 0. We're also printing the values before and after the function call. A successful function call looks like this:
Input values : 0xb11b7780 : 0x7a83b471 Output values: 0xb11b77c0 : 0x7a83b471
We can see that the input values of s1 and s2 were 0 xb 11 b 7780 and 0x7 a 83 b 471, which were then changed into the function to values 0 xb 11 b 77 c 0 and 0x7 a 83 b 471, which is correct. We can verify the correctness of the function with the pictures below. On the picture below, we can see that we're about to execute the function 0x004023 C 0.
The input argument arg has just been pushed to the stack and
contains the value 0x12 CC. The important stack values are
located at the stack addresses [esp+18] and [esp+1C] and contain our
input values 0 xb 11 b 7780 and 0x7 a 83 b 471.
Right after the function call, our EIP is located on the
call instruction to the function 0x00402210 like presented on the
picture below:
And the stack memory addresses at [esp+18] and [esp+1C] have been
changed into values 0xb11b77c0 and
0x7a83b471. We can see that on the picture below:
Thus we've verified that our function returned the correct values. If
we debug the program a little more, we can quickly see that the function
returns correct values throughout the application, whenever the function
at address 0x004023 C 0 is called.
Up until now, we've used the constant values we've inputted into our function, but in the program it isn't exactly like that. The used constants 0xB11B7780 and 0x7A83B471 are really constants and are initialized at the addresses 0x00401C52 and 0x00401C5A:
00401C52 . C74424 14 8077>mov dword ptr ss:[esp+14],B11B7780 00401C5A . C74424 18 71B4>mov dword ptr ss:[esp+18],7A83B471
The input argument arg that we've represented with a constant 0x12 CC is a different matter. This value isn't represented by some constant, but is calculated dynamically. The code below represents the instructions used to compute the value of arg:
00401D44 > 8D4424 14 lea eax,dword ptr ss:[esp+14] 00401D48 . E8 43050000 call main.00402290 00401D4D . BA 01000000 mov edx,1 00401D52 . 8ACB mov cl,bl 00401D54 . D3E2 shl edx,cl 00401D56 . 85D0 test eax,edx 00401D58 . 74 06 je short main.00401D60 00401D5A . F7D2 not edx 00401D5C . 23C2 and eax,edx 00401D5E . EB 02 jmp short main.00401D62 00401D60 > 0BC2 or eax,edx 00401D62 > 50 push eax
We can see that the stack address of [esp+14] is loaded into register eax and the function at address 0x00402290 is called. Let's take a look what the function at address 0x00402290 actually does.
Function at Address 0x00402290
This function is represented by the code below:
00402290 /$ 55 push ebp 00402291 |. 8BEC mov ebp,esp 00402293 |. 83EC 08 sub esp,8 00402296 |. 53 push ebx 00402297 |. 8B58 04 mov ebx,dword ptr ds:[eax+4] 0040229A |. 56 push esi 0040229B |. 57 push edi 0040229C |. 8B38 mov edi,dword ptr ds:[eax] 0040229E |. C745 FC 000000>mov dword ptr ss:[ebp-4],0 004022A5 |. BE 01000000 mov esi,1 004022AA |. C745 F8 020000>mov dword ptr ss:[ebp-8],2 004022B1 |> B8 01000000 /mov eax,1 004022B6 |. 33D2 |xor edx,edx 004022B8 |. 8BCE |mov ecx,esi 004022BA |. E8 01860F00 |call main.004FA8C0 004022BF |. 23C7 |and eax,edi 004022C1 |. 23D3 |and edx,ebx 004022C3 |. 0BC2 |or eax,edx 004022C5 |. 74 15 |je short main.004022DC 004022C7 |. 8B4D F8 |mov ecx,dword ptr ss:[ebp-8] 004022CA |. 83C1 FE |add ecx,-2 004022CD |. B8 01000000 |mov eax,1 004022D2 |. 33D2 |xor edx,edx 004022D4 |. E8 E7850F00 |call main.004FA8C0 004022D9 |. 0945 FC |or dword ptr ss:[ebp-4],eax 004022DC |> 83C6 1D |add esi,1D 004022DF |. 81E6 3F000080 |and esi,8000003F 004022E5 |. 79 05 |jns short main.004022EC 004022E7 |. 4E |dec esi 004022E8 |. 83CE C0 |or esi,FFFFFFC0 004022EB |. 46 |inc esi 004022EC |> B8 01000000 |mov eax,1 004022F1 |. 33D2 |xor edx,edx 004022F3 |. 8BCE |mov ecx,esi 004022F5 |. E8 C6850F00 |call main.004FA8C0 004022FA |. 23C7 |and eax,edi 004022FC |. 23D3 |and edx,ebx 004022FE |. 0BC2 |or eax,edx 00402300 |. 74 13 |je short main.00402315 00402302 |. 8B4D F8 |mov ecx,dword ptr ss:[ebp-8] 00402305 |. 49 |dec ecx 00402306 |. B8 01000000 |mov eax,1 0040230B |. 33D2 |xor edx,edx 0040230D |. E8 AE850F00 |call main.004FA8C0 00402312 |. 0945 FC |or dword ptr ss:[ebp-4],eax 00402315 |> 83C6 1D |add esi,1D 00402318 |. 81E6 3F000080 |and esi,8000003F 0040231E |. 79 05 |jns short main.00402325 00402320 |. 4E |dec esi 00402321 |. 83CE C0 |or esi,FFFFFFC0 00402324 |. 46 |inc esi 00402325 |> B8 01000000 |mov eax,1 0040232A |. 33D2 |xor edx,edx 0040232C |. 8BCE |mov ecx,esi 0040232E |. E8 8D850F00 |call main.004FA8C0 00402333 |. 23C7 |and eax,edi 00402335 |. 23D3 |and edx,ebx 00402337 |. 0BC2 |or eax,edx 00402339 |. 74 12 |je short main.0040234D 0040233B |. 8B4D F8 |mov ecx,dword ptr ss:[ebp-8] 0040233E |. B8 01000000 |mov eax,1 00402343 |. 33D2 |xor edx,edx 00402345 |. E8 76850F00 |call main.004FA8C0 0040234A |. 0945 FC |or dword ptr ss:[ebp-4],eax 0040234D |> 83C6 1D |add esi,1D 00402350 |. 81E6 3F000080 |and esi,8000003F 00402356 |. 79 05 |jns short main.0040235D 00402358 |. 4E |dec esi 00402359 |. 83CE C0 |or esi,FFFFFFC0 0040235C |. 46 |inc esi 0040235D |> B8 01000000 |mov eax,1 00402362 |. 33D2 |xor edx,edx 00402364 |. 8BCE |mov ecx,esi 00402366 |. E8 55850F00 |call main.004FA8C0 0040236B |. 23C7 |and eax,edi 0040236D |. 23D3 |and edx,ebx 0040236F |. 0BC2 |or eax,edx 00402371 |. 74 13 |je short main.00402386 00402373 |. 8B4D F8 |mov ecx,dword ptr ss:[ebp-8] 00402376 |. 41 |inc ecx 00402377 |. B8 01000000 |mov eax,1 0040237C |. 33D2 |xor edx,edx 0040237E |. E8 3D850F00 |call main.004FA8C0 00402383 |. 0945 FC |or dword ptr ss:[ebp-4],eax 00402386 |> 83C6 1D |add esi,1D 00402389 |. 81E6 3F000080 |and esi,8000003F 0040238F |. 79 05 |jns short main.00402396 00402391 |. 4E |dec esi 00402392 |. 83CE C0 |or esi,FFFFFFC0 00402395 |. 46 |inc esi 00402396 |> 8B45 F8 |mov eax,dword ptr ss:[ebp-8] 00402399 |. 83C0 04 |add eax,4 0040239C |. 8945 F8 |mov dword ptr ss:[ebp-8],eax 0040239F |. 83C0 FE |add eax,-2 004023A2 |. 83F8 10 |cmp eax,10 004023A5 |.^0F8C 06FFFFFF jl main.004022B1 004023AB |. 8B45 FC mov eax,dword ptr ss:[ebp-4] 004023AE |. 5F pop edi 004023AF |. 5E pop esi 004023B0 |. 5B pop ebx 004023B1 |. 8BE5 mov esp,ebp 004023B3 |. 5D pop ebp 004023B4 . C3 retn
The function again takes care of its own stack frame. It takes register eax as input value. Register eax contains the stack address 0x0012 EF 70, which points to our value 0 xB 11 B 7780 on the stack. The eax register is used to reference the values at stack addresses [esp+14] and [esp+18]. The function also reserves space for two local variables, which lie at l 0 = [ebp −4] and l 1 = [ebp −8].
The whole function can be reprogrammed into the following high-level python code:
def funct402290(s1,s2): b = s2 di = s1 l0 = 0 si = 1 l1 = 2 a = 0 while(a < 0x10): a = 1 d = 0 c = si a,c,d = funct4FA8C0(a,c,d) a = a & di d = d & b if a == d: t = 0 else: t = 1 a = a | d if t != 0: c = l1 c = c - 2 a = 1 d = 0 a,c,d = funct4FA8C0(a,c,d) l0 = l0 | a si = si + 0x1D t = si si = si & 0x8000003F if t == 0x8000003F: si = si - 1 si = si | 0xFFFFFFC0 si = si + 1 a = 1 d = 0 c = si a,c,d = funct4FA8C0(a,c,d) a = a & di d = d & b if a == d: t = 0 else: t = 1 a = a | d if t != 0: c = l1 c = c - 1 a = 1 d = 0 a,c,d = funct4FA8C0(a,c,d) l0 = l0 | a si = si + 0x1D t = si si = si & 0x8000003F if t == 0x8000003F: si = si - 1 si = si | 0xFFFFFFC0 si = si + 1 a = 1 d = 0 c = si a,c,d = funct4FA8C0(a,c,d) a = a & di d = d & b if a == d: t = 0 else: t = 1 a = a | d if t != 0: c = l1 a = 1 d = 0 a,c,d = funct4FA8C0(a,c,d) l0 = l0 | a si = si + 0x1D t = si si = si & 0x8000003F if t == 0x8000003F: si = si - 1 si = si | 0xFFFFFFC0 si = si + 1 a = 1 d = 0 c = si a,c,d = funct4FA8C0(a,c,d) a = a & di d = d & b if a == d: t = 0 else: t = 1 a = a | d if t != 0: c = l1 c = c + 1 a = 1 d = 0 a,c,d = funct4FA8C0(a,c,d) l0 = l0 | a si = si + 0x1D t = si si = si & 0x8000003F if t == 0x8000003F: si = si - 1 si = si | 0xFFFFFFC0 si = si + 1 a = l1 a = a + 4 l1 = a a = a - 2 a = l0 return a,c,d
The function takes stack values as input arguments, and computes the corresponding registers eax, ecx and edx. The value in the register eax is later used as an input into the function residing at address 0x004023 C 0.
We won't go into too much detail what the function actually does, since the Python code should be fairly readable; it does something mathematically expensive and complicated.
Part 10
The function at address 0x00402210 has the following code:
00402210 /$ 55 push ebp 00402211 |. 8BEC mov ebp,esp 00402213 |. 83EC 10 sub esp,10 00402216 |. 53 push ebx 00402217 |. 8B5E 04 mov ebx,dword ptr ds:[esi+4] 0040221A |. 57 push edi 0040221B |. 8B3E mov edi,dword ptr ds:[esi] 0040221D |. 897D F0 mov dword ptr ss:[ebp-10],edi 00402220 |. 895D F4 mov dword ptr ss:[ebp-C],ebx 00402223 |. 81E7 D13E72FB and edi,FB723ED1 00402229 |. 81E3 45C71A62 and ebx,621AC745 0040222F |. 33C0 xor eax,eax 00402231 |. 8945 F8 mov dword ptr ss:[ebp-8],eax 00402234 |. 8945 FC mov dword ptr ss:[ebp-4],eax 00402237 |> 8B4D FC /mov ecx,dword ptr ss:[ebp-4] 0040223A |. B8 01000000 |mov eax,1 0040223F |. 33D2 |xor edx,edx 00402241 |. E8 7A860F00 |call main.004FA8C0 00402246 |. 23C7 |and eax,edi 00402248 |. 23D3 |and edx,ebx 0040224A |. 0BC2 |or eax,edx 0040224C |. 74 03 |je short main.00402251 0040224E |. FF45 F8 |inc dword ptr ss:[ebp-8] 00402251 |> 8B45 FC |mov eax,dword ptr ss:[ebp-4] 00402254 |. 40 |inc eax 00402255 |. 8945 FC |mov dword ptr ss:[ebp-4],eax 00402258 |. 83F8 40 |cmp eax,40 0040225B |.^7C DA jl short main.00402237 0040225D |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] 00402260 |. 8B4D F4 mov ecx,dword ptr ss:[ebp-C] 00402263 |. 0FA4C1 01 shld ecx,eax,1 00402267 |. 03C0 add eax,eax 00402269 |. 8906 mov dword ptr ds:[esi],eax 0040226B |. 8A45 F8 mov al,byte ptr ss:[ebp-8] 0040226E |. 24 01 and al,1 00402270 |. 0FB6C0 movzx eax,al 00402273 |. 99 cdq 00402274 |. 0906 or dword ptr ds:[esi],eax 00402276 |. 5F pop edi 00402277 |. 894E 04 mov dword ptr ds:[esi+4],ecx 0040227A |. 0956 04 or dword ptr ds:[esi+4],edx 0040227D |. 5B pop ebx 0040227E |. 8BE5 mov esp,ebp 00402280 |. 5D pop ebp 00402281 . C3 retn
We can immediately see that the function is talking care of its own stack frame all by itself. Apparently it doesn't take any input arguments, but uses the esi register that is inputted from an outer function. The esi register contains a value of 0x0012 EF 70, which points to our [esp+14] and [esp+18] stack address and changes them accordingly. From the instruction sub esp,10, it's evident that the function uses four local variables. Since the constant 0x10 in hexadecimal can be represented by 16 in decimal form, we can gather the function reserved 16 bytes for its use. Local variables can then be represented by variables l0, where l 0 = [ebp −4], l1, where l 1 = [ebp −8], l2, where l 2 = [ebp − C] and l3, where l 3 = [ebp − C].
We've written a python representation of the code that does exactly the same as the code above:
# Input arguments s1,a2 # Local arguments: l1 = [ebp-8], l2 = [ebp-C], l3 = [ebp-C] def funct402210(s1,s2): b = s2 di = s1 l3 = di l2 = b di = di & 0xFB723ED1 b = b & 0x621AC745 a = 0 l1 = a l0 = a # the loop while(a < 0x40): c = l0 a = 1 d = 0 a,c,d = funct4FA8C0(a,c,d) a = a & di d = d & b if a == d: t = 0 else: t = 1 a = a | d if t != 0: l1 = l1 + 1 a = l0 a = a + 1 l0 = a # after the loop a = l3 c = l2 # shld ecx,eax,1 t1 = c t1 = t1 << 1 t2 = a t2 = t2 >> 31 c = t1|t2 a = a + a s1 = a # mov al,byte ptr ss:[ebp-8] # and al,1 # movzx eax,al # cdq al = l1 al = al & 0x1 a = 0x00000011 a = a & al s1 = s1 | a s2 = c s2 = s2 | d # return only 32-bits, discard the overflow #return (s1 % 2**32),s2 return s1 & ((1<<32)-1), s2 & ((1<<32)-1) s1 = 0xb11b77c0 s2 = 0x7a83b471 print "Input values: "+str(hex(s1))+" : "+str(hex(s2)) s1,s2 = funct402210(s1,s2) print "Output values: "+str(hex(s1))+" : "+str(hex(s2))
When we run the program, we get the output below:
Input values: 0xb11b77c0 : 0x7a83b471 Output values: 0x6236ef80 : 0xf50768e3
The two values 0 xb 11 b 77 c 0 and 0x7 a 83 b 471 being inputted into the function are exactly the values that the function at address 0x004 FA 8 C 0 has calculated. To verify that the values are correct, let's take a look at the stack when the function is done executing. First we must ensure that we set a breakpoint on the instruction after the function call, like we can see in the picture below:
The corresponding stack is as follows:
The important values lie at the stack addresses [esp+14] and
[esp+18], which hold the values 0x6236 ef 80 and
0 xf 50768 e 3, which are also the same values that we've gotten
back from our function. Therefore, our function must calculate the
values correctly.
Complete Python Program
Complete Python program can be written with the following Python code (where the functions that were already presented in the previous article are accessible):
s1 = 0xB11B7780 s2 = 0x7A83B471 strr = "111111111111" s1, s2 = funct(strr, s1, s2) print "Input: "+strr+" | Output: ["+str(hex(s1))+" ,"+str(hex(s2))+"]"
Appropriate functions are named after their addresses in the crackme.exe program, so there is no confusion. The function named funct is the actual code that takes the Key 2 input value and uses it in computing the values at stack addresses [esp+18] and [esp+1C]. All the other functions are just helper function used to carry out the dirty work for the main function.
The Inner Loop
The function 0x00402430 calls this function, which contains the following instructions and effectively sets the registers eax and edx that are later saved into appropriate values [ebp-20] and [ebp-1C]:
004FA8C0 |$ 80F9 40 cmp cl,40 004FA8C3 |. 73 15 jnb short main.004FA8DA 004FA8C5 |. 80F9 20 cmp cl,20 004FA8C8 |. 73 06 jnb short main.004FA8D0 004FA8CA |. 0FA5C2 shld edx,eax,cl 004FA8CD |. D3E0 shl eax,cl 004FA8CF |. C3 retn 004FA8D0 |> 8BD0 mov edx,eax 004FA8D2 |. 33C0 xor eax,eax 004FA8D4 |. 80E1 1F and cl,1F 004FA8D7 |. D3E2 shl edx,cl 004FA8D9 |. C3 retn 004FA8DA |> 33C0 xor eax,eax 004FA8DC |. 33D2 xor edx,edx 004FA8DE . C3 retn**
This can be represented by the following code:
void function(char cl) {
if(cl >= '@') {
eax = 0
edx = 0
return
}
else if(cl >= ' ') {
edx = eax
eax = 0
and cl,00011111
shl edx,cl
return
}
else {
shld edx,eax,cl
shl eax,cl
return
}
}
The function uses eax, ecx and edx registers. It uses ecx register to determine what code block is being executed, and it sets the eax and edx registers effectively. The eax register inputted into the function always contains the value 1 and the edx register is always 0. And ecx register contains values from 0-63.
This is why we can write a program in python that can compute the same values as the function above. The python code for this function can be something like this:
#!/usr/bin/python def funct(c): a = 1 d = 0 if c >= 64: a = 0 d = 0 return a,c,d elif c >= 32: d = a a = 0 c = c & 31 d = d << c return a,c,d else: t1 = d t1 = t1 << c t2 = a t2 = t2 >> (32-c) d = t1^t2 a = a << c return a,c,d print "-------------------" print "COUNT: |EAX|ECX|EDX|" for c in range(0,64): a,b,d = funct(c) print str(c)+":|"+str(hex(a)[2:])+"|"+str(hex(b)[2:])+"|"+str(hex(d)[2:])+"|" print "-------------------"
When we run the program, we get the following output, which prints exact values as the assembly program above:
------------------- COUNT: |EAX|ECX|EDX| 0: |1|0|0| 1: |2|1|0| 2: |4|2|0| 3: |8|3|0| 4: |10|4|0| 5: |20|5|0| 6: |40|6|0| 7: |80|7|0| 8: |100|8|0| 9: |200|9|0| 10: |400|a|0| 11: |800|b|0| 12: |1000|c|0| 13: |2000|d|0| 14: |4000|e|0| 15: |8000|f|0| 16: |10000|10|0| 17: |20000|11|0| 18: |40000|12|0| 19: |80000|13|0| 20: |100000|14|0| 21: |200000|15|0| 22: |400000|16|0| 23: |800000|17|0| 24: |1000000|18|0| 25: |2000000|19|0| 26: |4000000|1a|0| 27: |8000000|1b|0| 28: |10000000|1c|0| 29: |20000000|1d|0| 30: |40000000|1e|0| 31: |80000000|1f|0| 32: |0|0|1| 33: |0|1|2| 34: |0|2|4| 35: |0|3|8| 36: |0|4|10| 37: |0|5|20| 38: |0|6|40| 39: |0|7|80| 40: |0|8|100| 41: |0|9|200| 42: |0|a|400| 43: |0|b|800| 44: |0|c|1000| 45: |0|d|2000| 46: |0|e|4000| 47: |0|f|8000| 48: |0|10|10000| 49: |0|11|20000| 50: |0|12|40000| 51: |0|13|80000| 52: |0|14|100000| 53: |0|15|200000| 54: |0|16|400000| 55: |0|17|800000| 56: |0|18|1000000| 57: |0|19|2000000| 58: |0|1a|4000000| 59: |0|1b|8000000| 60: |0|1c|10000000| 61: |0|1d|20000000| 62: |0|1e|40000000| 63: |0|1f|80000000| -------------------
We could use better formatting rules to make the output prettier, but the only thing that's important is that it works. In the first column we can see the ECX being increased from 0 to 63.Loop
The code that calculates the right stack values and uses all above functions is as follows:
00401D26 > 8A5C3C 24 mov bl,byte ptr ss:[esp+edi+24] 00401D2A . 8D4B BF lea ecx,dword ptr ds:[ebx-41] 00401D2D . 80F9 05 cmp cl,5 00401D30 . 77 05 ja short main.00401D37 00401D32 . 80EB 37 sub bl,37 00401D35 . EB 0D jmp short main.00401D44 00401D37 > 8D43 D0 lea eax,dword ptr ds:[ebx-30] 00401D3A . B2 09 mov dl,9 00401D3C . 3AD0 cmp dl,al 00401D3E . 1ADB sbb bl,bl 00401D40 . F6D3 not bl 00401D42 . 22D8 and bl,al 00401D44 > 8D4424 14 lea eax,dword ptr ss:[esp+14] 00401D48 . E8 43050000 call main.00402290 00401D4D . BA 01000000 mov edx,1 00401D52 . 8ACB mov cl,bl 00401D54 . D3E2 shl edx,cl 00401D56 . 85D0 test eax,edx 00401D58 . 74 06 je short main.00401D60 00401D5A . F7D2 not edx 00401D5C . 23C2 and eax,edx 00401D5E . EB 02 jmp short main.00401D62 00401D60 > 0BC2 or eax,edx 00401D62 > 50 push eax 00401D63 . 8D7424 18 lea esi,dword ptr ss:[esp+18] 00401D67 . E8 54060000 call main.004023C0 00401D6C . E8 9F040000 call main.00402210 00401D71 . 47 inc edi 00401D72 . 3B7C24 20 cmp edi,dword ptr ss:[esp+20] 00401D76 .^72 AE jb short main.00401D26
We can see that the loop is repeated 0 xC times, which is exactly the length of the Key 2 value. The edi register is used for iterating from value 0 to 12. At the end of the loop we're comparing edi to a value that is stored on the stack address [esp+20], which holds the length of the Key 2 - the value 0 xC.
The first instruction is used to iterate over the input value:
00401D26 > 8A5C3C 24 mov bl,byte ptr ss:[esp+edi+24]
The stack address at [esp+24] contains exactly 12 characters of the input key. The loop counter is used to iterate over certain values of the input key, therefore we're actually accessing values from [esp+24] to [esp+2F]. If we enter the key that contains exactly 12 A's into the Key 2 input field, the stack will look like the picture below:
Therefore we load the value of 0x41 into the bl register at
the start of each iteration in a loop. Then we're subtracting the value
of 0x41 from each of the input characters and storing the result
in register ecx:
00401D2A . 8D4B BF lea ecx,dword ptr ds:[ebx-41]
If the remained is greater than 0x5, the jump is taken. But since the input characters can only be in ranges from 0x30−0x39 and 0x41−0x46, the jump is taken on the input characters 0x30−0x39, since the subtraction gives us a negative number. When the character is from a range 0x41−0x46, only the sub bl,37 instruction is executed.
5. Bruteforcing the Values: Program Itself
I guess the first impression is that we can reverse engineer the entire logic of the function, instruction by instruction, but that would take considerably too much time and effort. Rather than doing that, we can bruteforce the right values the function is using as input. The function doesn't use traditional arguments being passed into the function; the arguments are not pushed onto the stack, which the function then reads out and uses in its computation logic. That is why we must determine what 'input' arguments the function does use. To do that, we can change various values on the stack right before the function is called on the address 0x00401 D 7 D:
00401D7D . E8 AE060000 call main_cal.00402430
We should also set a breakpoint on the following line in the function itself:
004024EF . 817D E0 32EFA0>cmp dword ptr ss:[ebp-20],23A0EF32
This should enable us to observe if the value at the address ebp-20 on the stack actually gets changed when we change arbitrary stack values before the function is called. If the value at address ebp-20 is changed, it should give us a clear indication that the value we changed and ebp-20 are correlated, revealing the input argument. The input arguments are located at values esp+14 and esp+18 before the function is called (and right before the push eax instruction). Therefore we change the code around the function call to repeatedly call the function with those two values being increased in each iteration. The code could look like this:
00401D5E . 33C0 xor eax,eax 00401D63 83F8 00 cmp eax,0 00401D66 75 2A jnz short main.00401D92 00401D68 834424 14 01 add dword ptr ss:[esp+14],1 00401D6D 90 nop 00401D6E 90 nop 00401D6F 90 nop 00401D70 90 nop 00401D71 . 47 inc edi 00401D72 83F8 00 cmp eax,0 00401D75 90 nop 00401D76 90 nop 00401D77 90 nop 00401D78 8D4424 14 lea eax,dword ptr ss:[esp+14] 00401D7C 50 push eax 00401D7D . E8 AE060000 call main.00402430 00401D82 8B5C24 14 mov ebx,dword ptr ss:[esp+14] 00401D86 83FB FF cmp ebx,-1 00401D89 ^75 D8 jnz short main.00401D63 00401D8B 834424 18 01 add dword ptr ss:[esp+18],1 00401D90 C74424 14 0000>mov dword ptr ss:[esp+14],0 00401D98 90 nop 00401D99 ^EB C8 jmp short main.00401D63 00401D9B 90 nop 00401D9C 90 nop 00401D9D 90 nop 00401D9E F4 hlt 00401D9F 90 nop
The beginning xor eax,eax is important to set the eax to 0 when we start with the loop, otherwise we're immediately finishing our loop, since the eax is not initialized to zero when the loop starts.
We're also setting the values at esp+14 and esp+18 at zero on the beginning. Then the loop should add 1 to the value stored at that address effectively bruteforcing the values that would return eax, which would not equal to 0. This is a nested loop whereas the value at esp+18 is changed first from 0x00000000 to 0 xFFFFFFFF, then set to zero back again. When the eax which is not equal to zero is returned, the loop should jump to hlt instruction, which should effectively stop the program execution. Then we could loop at the stack values esp+18 and esp+14 to see which values where used to invoke the right function return. We should also mention that this will take quite a long time to complete, so it's probably not the best solution - a way better solution would be to actually try to reverse engineer the mathematical algorithm used by the function itself.
But we can try to fasten the bruteforce by trying to use just one loop at a time, thus making the two values on the address esp+18 and esp+14 not dependent upon each other. This should decrease the input space dramatically, but is prone to errors - what if the two values calculated by the function are dependent upon each other? Then of course, this won't work. First we must fill the following two lines with nops to actually compare just the first value:
004024F8 . 817D E4 8EECBD>cmp dword ptr ss:[ebp-1C],55BDEC8E 004024FF . 75 0E jnz short main.0040250F
The first loop should be around in no time - it should take a couple of hours on a decent machine. This really isn't that long compared to what it would take if a nested loop would be used. After that we need to use the adapted version of a loop, like the assembly code below:
00401D60 83F8 00 cmp eax,0 00401D63 75 1F jnz short main.00401D84 00401D65 834424 14 01 add dword ptr ss:[esp+14],1 00401D6A 90 nop 00401D6B 90 nop 00401D6C 90 nop 00401D6D 90 nop 00401D6E 90 nop 00401D6F 90 nop 00401D70 90 nop 00401D71 90 nop 00401D72 90 nop 00401D73 90 nop 00401D74 90 nop 00401D75 90 nop 00401D76 90 nop 00401D77 90 nop 00401D78 > 8D4424 14 lea eax,dword ptr ss:[esp+14] 00401D7C . 50 push eax 00401D7D . E8 AE060000 call main.00402430 00401D82 ^EB DC jmp short main.00401D60 00401D84 F4 hlt 00401D85 90 nop
After the function returns a value 0x1 in register eax, the following code gets executed:
00401D86 . 85C0 test eax,eax 00401D88 74 07 je short main.00401D91 00401D8A . 68 201A5400 push main.00541A20 00401D8F . EB 0F jmp short main.00401DA0 00401D91 > 68 481A5400 push main.00541A48 00401D96 . EB 08 jmp short main.00401DA0
First, the test instruction on register eax is used to set the right flags in the eflags register. If the eax register contains a value 0, the first jump is taken, giving us the failure message. But if the eax contains a value 1, the second jump is taken, which displays the congratulations window, which we can see in the picture below:
To actually solve the challenge, we can use above Python program that bruteforces the right values on the stack that will cause the function to return the value 1 in register eax after it is called.
The values [esp+18] and [esp+1C] that force the function 0x00402430 to return the value 1 in register eax are the following:
ESP+18 > FD7C0372 ESP+1C > 19473B90
The bruteforcing of the values should be fairly long process, but at the end it's worth it. We've used the following program to bruteforce the actual values:
s1 = 0xB11B7780
s2 = 0x7A83B471
for item in itertools.product("123456789ABCDEF", repeat=12):
v1,v2 = funct(item, s1, s2)
if v1 == 0xfd7c0372 and v2 == 0x19473b90:
print "Value: "+item+" "+str(hex(v1))+"-"+str(hex(v2))
exit(1)
After the program finishes execution, it will find the input value that solves the secondary challenge.
We've looked at what the ESET NOD32 have prepared for us this year. We can see that the challenge was not as innocent as it may seem at a first glance, but we managed to describe it thoroughly. We can see that we didn't actually provide a program that would solve the first challenge, since we don't have the time just now, but we've presented the program that can be used to bruteforce the second challenge. We could have applied some intense mathematical logic to solve the secondary challenge, but that is outside of the reverse engineering scope - it should be for people with good mathematical background.
I think that ESET should not apply such intense mathematics into their challenges, because the challenge is to reverse engineer the program and not to solve its mathematical predicates. There should be less mathematics involved and more anti-reversing techniques that would complicate the reversing process considerably.
Comments