realestatekvm.blogg.se

Crackme
What IDA identifies as "lpBuffer" is the buffer, or memory address, where the crackme stored whatever was input on the console. The program then loads the pointer to the string we input into the "special" ESI register. This register is the "Extended Source Index", which is used to perform operations on indexed data, including strings.

Strings are a series of bytes (in this case we ignore Unicode) which are delimited in most cases by a terminator, usually the NUL byte of the ASCII table (0x00). LODSB is one of the mnemonics that represents an operation using the special ESI register. Specifically, it loads the byte pointed to by DS:ESI into AL, which is the low byte of the EAX register, and then increments ESI to get ready to read the next byte, all in one instruction. Therefore we can do comparison checks against AL, which will contain the first character of the string and then the subsequent ones.

In this case, because we need to press Enter to input the string, the string ends with 0x0D 0x0A, which correspond, according to ASCII, to the carriage return (CR) and the line feed (LF) that make up the EOL (end of line) marker on Windows. Understanding this is crucial to learn how the software checks for the end of the string, as it is slightly different from the usual check, which compares against the NUL character.

In this case we can see that it increments EDX and then, if the current character value is not above (JA, jump if above) 0x47, it decrements EDX again, making the character effectively invalid, as it won't count towards the final check. So we now have the first condition that our password has to fulfill: the first character must have an ASCII code above 0x47 ('G'). A similar analysis can be done with the rest of the characters, being aware that there are different types of jumps involved. At the end of both branches, we jump to the part of the code that loads the next character of the string. The conditions that the password needs to comply with are the following:

When reverse engineering we must always keep the bigger picture in mind: if we followed each instruction step by step trying to decipher what it does, we would pretty soon get lost. Instead, it is far better to have an abstract overview of what happens at the higher layer of the program. We must think in terms of a higher-level language like C/C++ rather than a lower-level one like ASM to grasp what the program is doing in a timely fashion. To test our reversing, we manually generate a password that fulfills all the conditions and see if it brings the desired result.
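The following is an added example, not the crackme's code and not from the original post: a C model of the LODSB check loop described above, written the way the post recommends, at the C level rather than the instruction level. Register names are kept as variable names so each line maps back to the disassembly. Only the condition the post states for the first character (JA 0x47) is reproduced; the post says the remaining characters use different jumps but does not list them, so for illustration the same rule is assumed for every position, and the "final check" on EDX is not modelled because the post does not describe it. The function names (`lodsb`, `count_valid_chars`, `check_typed`) and the sample inputs are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LODSB model: AL = byte at DS:ESI, then ESI++ (direction flag clear). */
static uint8_t lodsb(const uint8_t **esi)
{
    uint8_t al = **esi;
    (*esi)++;
    return al;
}

/* Per-position rule. Only the rule the post gives for the first character
 * (cmp al, 0x47 / ja) is known; the other positions use different jumps
 * that are not reproduced here, so this rule is assumed for all of them. */
typedef int (*char_rule)(uint8_t al, size_t pos);

/* JA is an unsigned compare, so bytes 0x80..0xFF also pass (JG would not). */
static int above_0x47(uint8_t al, size_t pos)
{
    (void)pos;
    return al > 0x47;
}

/* Walks lpBuffer like the crackme: one LODSB per byte, stopping on the CR
 * that pressing Enter leaves in the buffer rather than on a NUL. EDX is
 * incremented for every character and decremented again when the rule
 * fails, so on return it holds the number of characters that passed. */
size_t count_valid_chars(const uint8_t *lpBuffer, char_rule rule)
{
    const uint8_t *esi = lpBuffer;
    size_t edx = 0;
    size_t pos = 0;

    for (;;) {
        uint8_t al = lodsb(&esi);
        if (al == 0x0D || al == 0x00)  /* EOL (CR LF) from Enter; NUL guards plain C strings */
            break;
        edx++;                         /* inc edx */
        if (!rule(al, pos))            /* ja taken: keep it; not taken: dec edx */
            edx--;
        pos++;                         /* jump back and LODSB the next character */
    }
    return edx;
}

/* Simulates typing `typed` on the console and pressing Enter: the buffer
 * gets CR LF appended, exactly what the crackme's loop looks for. */
size_t check_typed(const char *typed)
{
    uint8_t lpBuffer[64];
    size_t n = strlen(typed);
    if (n > sizeof lpBuffer - 3)
        n = sizeof lpBuffer - 3;
    memcpy(lpBuffer, typed, n);
    lpBuffer[n]     = 0x0D;            /* CR */
    lpBuffer[n + 1] = 0x0A;            /* LF */
    lpBuffer[n + 2] = 0x00;
    return count_valid_chars(lpBuffer, above_0x47);
}

int main(void)
{
    /* Constructed candidate passwords for testing the reconstructed rule. */
    const char *candidates[] = { "HELLO", "G", "hello" };
    for (size_t i = 0; i < 3; i++)
        printf("%-6s -> %zu of %zu characters are above 0x47\n",
               candidates[i], check_typed(candidates[i]), strlen(candidates[i]));
    return 0;
}
```

"HELLO" scores 4 because 'E' (0x45) is not above 0x47 and its increment is undone; "G" (0x47 itself) scores 0, since JA requires strictly above. Once the jumps for the other positions are recovered from the disassembly, each one becomes another `char_rule` keyed on `pos`, and `check_typed` becomes the password generator the post describes.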
