I’ll jump to challenge #30, the #29 is an obfuscated one, and I’ll need more time to work on that. The #30 is a simple one and is in the format of finding the password. For the disassembly of this program I’ll use Ida, from the one I’ve tried is honestly the more user-friendly.
Analysis
Let’s analyze the main thread only, here is the code associated with it
; int __cdecl main(int, char **, char **)
main proc near ; DATA XREF: start+17↑o
; __unwind {
push ebp
mov ebp, esp
and esp, 0FFFFFFF0h
sub esp, 0A0h
mov eax, large gs:14h
mov [esp+9Ch], eax
xor eax, eax
mov dword ptr [esp], offset aEnterPassword ; "enter password:" 1st argument, only one argument it's required
call _puts
lea eax, [esp+1Ch]
mov [esp+4], eax
mov dword ptr [esp], offset aS ; "%s"
call ___isoc99_scanf
cmp eax, 1 ;; number of items successfully matched
jz short loc_8048539
mov dword ptr [esp], offset aNoPasswordSupp ; "no password supplied"
call _puts
loc_8048539: ; CODE XREF: main+3E↑j
mov dword ptr [esp+4], offset aMetallica ; "metallica"
lea eax, [esp+1Ch]
mov [esp], eax
call _strcmp
test eax, eax
jnz short loc_804855F ;; INCORRECT PASSWORD PRINT IT
mov dword ptr [esp], offset aPasswordIsCorr ; "password is correct"
call _puts
jmp short loc_804856B
; ---------------------------------------------------------------------------
loc_804855F: ; CODE XREF: main+62↑j
mov dword ptr [esp], offset aPasswordIsNotC ; "password is not correct"
call _puts
loc_804856B: ; CODE XREF: main+70↑j
mov edx, [esp+9Ch]
xor edx, large gs:14h
jz short locret_8048580
call ___stack_chk_fail
locret_8048580: ; CODE XREF: main+8C↑j
leave
retn
; } // starts at 80484ED
main endp
In this code we have first a call to puts printing the text enter password:, we know that is this text thanks to Ida. What follows after that it’s a call to scanf, for waiting for the input of the password. Nothing too hard here, so we need to look for the part of the code that validate this password. Right after the call to scanf we have the following code
lea eax, [esp+1Ch]
mov [esp+4], eax
mov dword ptr [esp], offset aS ; "%s"
call ___isoc99_scanf
cmp eax, 1 ;; number of items successfully matched
jz short loc_8048539
After the call to scanf we check if the user supplied something, in positive case we jump to loc_8048539, that is where our validation it’s present. Let’s see how this password it’s validated.
loc_8048539: ; CODE XREF: main+3E↑j
mov dword ptr [esp+4], offset aMetallica ; "metallica"
lea eax, [esp+1Ch]
mov [esp], eax
call _strcmp
test eax, eax
jnz short loc_804855F ;; INCORRECT PASSWORD PRINT IT
mov dword ptr [esp], offset aPasswordIsCorr ; "password is correct"
call _puts
jmp short loc_804856B
Easy! We have a comparison with strcmp to the text metallica, seems Denis is a fan of Metallica, and the printing of the text password is correct.
That’s it.
Conclusion
I’m becoming better at this, some progress.