What's wrong with my code for App 7?

Learn to reverse engineer through some common application security methods.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts/Code, etc.]

Posting these will result in warnings/bans!

Post by gregorian on Fri Apr 09, 2010 1:14 pm

I know that the sum of the characters is calculated; it goes through some huge function and produces a value in EDX and on the stack at SS:[EBP-1C], which is then compared to a hexadecimal value to check if it's true. If I find the sum, I can deduce a set of characters from it. Looking around, I learned that I needed to brute force.

I've replaced the sum of characters code with a loop that produces a value for the sum and proceeds. In case the sum is invalid, it jumps back to the original position and increments the sum.
Code:
0040103F   . BA 00000000    MOV EDX,0                          ; Executed only during the first time
00401044   . EB 08          JMP SHORT mod.0040104E       ; Executed only during the first time
00401046   > 61             POPAD
00401047   . 42             INC EDX
00401048   . 8955 E4        MOV DWORD PTR SS:[EBP-1C],EDX
0040104B   . 60             PUSHAD
0040104C   . EB 45          JMP SHORT mod.00401093      ; The part of the code that does the test
0040104E   > 60             PUSHAD

;4F till 63 are NOP

; Instead of printing invalid password, it jumps back to the loop
00401193    ^0F85 B4FEFFFF  JNZ app7win.00401046


I observe that [EBP-18] remains the same 11F regardless of the value of [EBP-1C], so that's why it doesn't work. I don't know why this happens.

Please don't consider this as a spoiler because it doesn't work.

EDIT: I've solved it. I made the mistake of assuming that PUSHAD would leave the system in the original state and I forgot to clear the values of [EBP-18] etc. Once I reset them back to 0, the answer appeared.
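The pitfall described in the EDIT above, modelled in C as an added example; it is not part of the original post and is not the mission's routine. The names regs_t, frame_t, check, brute and TARGET, the arithmetic inside check and the constant 0x2F9 are all constructed assumptions. A PUSHAD/POPAD pair restores the eight general-purpose registers, while locals on the stack keep whatever the previous pass left in them:

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model for illustration; not the mission's routine or constants. */
typedef struct { uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi; } regs_t;
typedef struct {
    uint32_t cand; /* plays the role of [EBP-1C]: the value under test */
    uint32_t acc;  /* plays the role of [EBP-18]: running result       */
    uint32_t idx;  /* another local the routine assumes starts at 0    */
} frame_t;
#define TARGET 0x2F9u /* constructed: check() yields this for cand == 50 */

/* Hypothetical check routine: clobbers registers and updates stack locals. */
static int check(regs_t *r, frame_t *f) {
    while (f->idx < 4) {        /* skipped entirely if idx is stale */
        r->eax = f->acc * 2 + f->cand + f->idx;
        f->acc = r->eax;
        f->idx++;
    }
    r->edx = f->acc;            /* result is also left in EDX */
    return r->edx == TARGET;
}

/* Patched loop: POPAD / INC EDX / MOV [EBP-1C],EDX / PUSHAD / run check.
 * Returns the matching candidate or -1; *last_acc receives the final acc. */
static int32_t brute(int reset_locals, uint32_t limit, uint32_t *last_acc) {
    regs_t r = {0}, saved = {0};
    frame_t f = {0};
    int32_t found = -1;
    while (found < 0 && saved.edx < limit) {
        r = saved;              /* POPAD: restores the 8 registers only */
        r.edx++;                /* INC EDX */
        f.cand = r.edx;         /* MOV [EBP-1C],EDX */
        saved = r;              /* PUSHAD */
        if (reset_locals) f.acc = f.idx = 0; /* the fix: zero locals by hand */
        if (check(&r, &f))
            found = (int32_t)saved.edx;
    }
    *last_acc = f.acc;
    return found;
}

int main(void) {
    uint32_t acc;
    int32_t hit = brute(0, 1000, &acc);
    printf("stale locals: %d, acc=0x%X\n", (int)hit, (unsigned)acc);
    hit = brute(1, 1000, &acc);
    printf("reset locals: %d, acc=0x%X\n", (int)hit, (unsigned)acc);
    return 0;
}
```

With stale locals the accumulator freezes at the value computed for the first candidate, which matches the symptom of [EBP-18] staying constant regardless of [EBP-1C].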


Re: What's wrong with my code for App 7?

Post by Defience on Mon Apr 12, 2010 7:30 pm

Problem solved 8-)