App 12

Learn to reverse engineer through some common application security methods.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts/Code, etc.]

Posting these will result in warnings/bans!

Post by UKCrack on Mon Mar 22, 2010 4:41 pm

Hey there
I'm kinda stuck. I'm pretty sure how it selects the chars for the password, and I wonder if anyone could advise me in the right direction. [Edited by Defience] I believe it is a short word but need help. I do not want to post any more info in case of violation of the rules.
Thanks


Re: App 12

Post by Defience on Mon Mar 22, 2010 6:50 pm

UKCrack wrote:
Hey there
I'm kinda stuck. I'm pretty sure how it selects the chars for the password, and I wonder if anyone could advise me in the right direction. [Edited by Defience] I believe it is a short word but need help. I do not want to post any more info in case of violation of the rules.
Thanks


You seem to be on the right track. Have you tried entering your own password and seeing how it is stored? If that doesn't help and you are concerned that your questions might be spoilers, send me a pm.


Re: App 12

Post by UKCrack on Wed Mar 24, 2010 9:17 pm

OK, hint for anyone trying to solve this.
Firstly, SmartCheck only works in XP or below; you will not get any use out of it otherwise.
This is solvable with Olly, and it is pretty easy to work out.
Think along the lines of what that long string could be used for, and then think about how the program would use it.
The last bit is pretty much the phonetic hint :P


Re: App 12

Post by OnlyHuman on Thu May 20, 2010 12:14 am

I'm not sure if I'm just tired, or if it's the VB turned assembly that's really throwing me off on this one. But I definitely have yet to fully understand how the verification is actually performed for this mission. The only thing I have to go on is a seemingly endless number of memory references that appear to ultimately do nothing. I've torn this thing apart with some of the best reverse engineering tools out there too. I've set breakpoints at nearly every string operation I could find, and every single function call imported from a Visual BASIC library. At some point, given the embedded magic string, I expected to see some sort of hashing operations performed, but the only thing I've witnessed is a single character of my input string being replaced by another (withholding which character exactly in case it has something to do with completing the mission). I'm even fairly certain that I understand your phonetic hint as well, UKCrack, but after several synonyms and antonyms, I still don't feel even remotely close to the solution. I'm tempted to perform a dictionary attack against the password submission page, just to get the mission accomplished. Could I possibly PM either of you, or get a nudge in the right direction from someone? I'll return the favor with other missions if I can offer the help.

EDIT: Never mind, I got it finally. Here's a tip for anybody that seems to be stuck as well. Disregard everything I wrote previously. It's not really going to help much. Olly is all you need, but you have to watch the lower panels VERY closely. Don't be afraid to scroll up and down and make sure that you're looking at the application's entire memory range. Then just crawl through the program as slowly as needed. If you're watching closely, you should be able to spot what you need with little trouble.


Re: App 12

Post by Wells on Wed Feb 02, 2011 7:52 am

I just did this using a standard debugger. It's pretty annoying at first because with VB code you have double pointers to everything, but you should be able to figure out the JMP that leads to the "Password is correct" and then you just need to look at the code above that.

EAX is used a lot to store pointers to VB strings that are used in various StrCat functions etc. You need to figure out where the actual string data is from that EAX pointer so you can see what is happening. Think of the pointer as pointing to a struct, and one of the members is a pointer to the actual string. Once you've done that you can figure out the manipulations done on your password and find the string that it is compared to at the end. From there you should be able to guess what the word is, like a crossword puzzle.
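The double-pointer layout described in the post above, as an added example that is not part of the original thread: it assumes the struct EAX points to is a 32-bit COM VARIANT of type VT_BSTR (the post does not name the type) and follows it to the length-prefixed UTF-16 text. The dump contents, addresses, sample text and function names are constructed for illustration.

```python
import struct

VT_BSTR = 8        # VARENUM value marking a VARIANT that holds a BSTR
VALUE_OFFSET = 8   # offset of the value union inside a VARIANT

class Dump:
    """Flat memory dump (constructed here) starting at virtual address `base`."""
    def __init__(self, base, data):
        self.base, self.data = base, data

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"{size} bytes at {addr:#x} lie outside the dump")
        return self.data[off:off + size]

    def u16(self, addr):
        return struct.unpack("<H", self.read(addr, 2))[0]

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

def read_bstr(dump, ptr):
    """A BSTR pointer addresses the UTF-16LE text; its byte length sits 4 bytes before."""
    if ptr == 0:
        return ""  # a NULL BSTR is treated as an empty string
    nbytes = dump.u32(ptr - 4)
    if nbytes % 2:
        raise ValueError("odd byte length: probably not a BSTR pointer")
    return dump.read(ptr, nbytes).decode("utf-16-le")

def read_variant_string(dump, eax):
    """Follow register value -> VARIANT -> BSTR pointer -> text."""
    vt = dump.u16(eax)
    if vt != VT_BSTR:
        raise ValueError(f"VARIANT type {vt} is not VT_BSTR")
    return read_bstr(dump, dump.u32(eax + VALUE_OFFSET))

def build_sample():
    """Constructed dump: VARIANT at 0x0012F000, BSTR text at 0x0012F024."""
    base, text = 0x0012F000, "example".encode("utf-16-le")
    mem = bytearray(0x40)
    struct.pack_into("<H", mem, 0x00, VT_BSTR)      # vt field
    struct.pack_into("<I", mem, 0x08, base + 0x24)  # bstrVal: pointer to the text
    struct.pack_into("<I", mem, 0x20, len(text))    # BSTR length prefix, in bytes
    mem[0x24:0x24 + len(text)] = text               # text; trailing NUL already zero
    return Dump(base, bytes(mem)), base
```

In a debugger the same walk is done by hand: follow the value in EAX in the dump pane, read the dword at offset 8, then follow that address and view it as Unicode text.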


