Archive for the ‘Chal3. Replace Challenge’ Category


First, run the file, enter a fake key and press the Check button. The program crashes:

Figure 1 (image Krchal31)

Use OllyDbg to load the file and search for all referenced text strings:

Figure 2 (image Krchal32)

Double-click on the “ASCII “Correct!”” entry to go back to the disassembly window.

Figure 3 (image Krchal33)

We see two JMP instructions above that bypass the “Correct!” string. Scroll up a little bit and set a BP at:

0040105A . FF15 9C504000     call   dword ptr [<GetDlgItemInt>] ; \GetDlgItemInt

Press F9 to run, enter the fake key into the text box, then click the Check button; we stop at the BP.

Figure 4 (image Krchal34)

The EAX register contains the fake key, which is then stored at ds:[004084D0] (currently 00000000). We need to trace into 00401065 . E8 05360000 call Replace.0040466F to see what happens to the fake key:

Figure 5 (image Krchal35)

Reviewing the code at 0040466F, we have some calls that can be used to check or calculate something, and at the end of this function we see a JMP that jumps back to address 00401071. At 00401071 is the jump instruction that bypasses the Correct message! Continue to trace with F7:

0040467A         .  C705 16604000>mov     dword ptr [406016], 619060EB            ;  <-- mov opcode 0x619060EB to [406016]

Figure 6 (image Krchal36)

Continue with this code:

00404684         .  E8 00000000   call    Replace.00404689
00404689        /$  FF05 D0844000 inc     dword ptr [<InputKey>]  ;  <- InputKey ++
0040468F        \.  C3            retn

Pseudo code: InputKey = InputKey + 1 + 1. Then we return to this instruction:

00404674          8105 D0844000 C7051660   add     dword ptr [<InputKey>], 601605C7 ; <- InputKey +  0x601605C7

After tracing over this instruction, we have: InputKey = InputKey + 0x601605C7
Next, we reach the same code we saw above:

0040467E          40                       inc     eax
0040467F          00EB                     add     bl, ch
00404681          60                       pushad
00404682          90                       nop
00404683          61                       popad
00404684          E8 00000000              call    Replace.00404689
00404689          FF05 D0844000            inc     dword ptr [<InputKey>]  ; <- InputKey ++
0040468F          C3                       retn

This code again increases InputKey: InputKey = InputKey + 1 + 1. To summarize, we have: InputKey = InputKey + 1 + 1 + 0x601605C7 + 1 + 1 (example: if InputKey is 123456789 (0x75BCD15), after the calculation the result is 0x6771D2E0). After obtaining the result of InputKey, we return to:

Figure 7 (image Krchal37)

Trace over the JMP, we land at this code:

Figure 8 (image Krchal38)

Figure 9 (image Krchal39)

Notice the JMP that jumps back to 00401071. First, this code loads the InputKey calculated above into EAX, then replaces the contents of 40466F with an asm instruction whose opcode is 0xC39000C6:

Figure 10 (image Krchal310)

Below 0040469F C705 6F464000 C60090C3 mov dword ptr [40466F], C39000C6 we see two call instructions to 40466F. Because EAX contains the InputKey value, the code at 40466F moves the byte 0x90 to the memory EAX points to (in other words, to the address given by InputKey). 0x90 is the NOP instruction. Thus two NOP instructions are written to the memory EAX points to. Finally, we jump back to 0x401071 (004046C4 ^\E9 A8C9FFFF   jmp     Replace.00401071), where we see the jmp that bypasses the Correct message:

Figure 11 (image Krchal311)

At address 401071 we need to NOP the jmp instruction so that execution cannot jump out of the code that contains the Correct string. With this idea, and the code analysis above, we need to enter an InputKey such that after the calculation its value is 401071. So the right InputKey is:

InputKey + 1 + 1 + 0x601605C7 + 1 + 1 = 0x401071

  • InputKey = 0x00401071 - 1 - 1 - 0x601605C7 - 1 - 1 = FFFFFFFFA02A0AA6
  • FFFFFFFFA02A0AA6 + 100000000 = A02A0AA6 (2687109798 in decimal)
Figure 12 (image Krchal312)
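To check the arithmetic above, here is an added Python model (not part of the original write-up) of the key calculation and of the two NOP writes. It assumes 32-bit wrap-around, that the second 0x90 write lands at EAX+1, and a constructed 2-byte short jmp at 401071, since the page does not show those bytes.

```python
# Model of the Replace crackme key calculation described above (added example).
# Assumptions: 32-bit wrap-around on InputKey, a two-byte short JMP at 0x401071
# (constructed bytes), and two 0x90 writes at [EAX] and [EAX+1].
MASK32 = 0xFFFFFFFF
ADD_CONST = 0x601605C7      # immediate of the add at 00404674
INC_COUNT = 4               # the four "inc dword ptr [InputKey]" steps
JMP_ADDR = 0x00401071       # address of the jmp that skips "Correct!"


def transform(key: int) -> int:
    """Forward calculation: InputKey + 1 + 1 + 0x601605C7 + 1 + 1, modulo 2^32."""
    return (key + INC_COUNT + ADD_CONST) & MASK32


def solve_key(target: int = JMP_ADDR) -> int:
    """Inverse: the decimal key GetDlgItemInt must return so that transform() == target."""
    return (target - INC_COUNT - ADD_CONST) & MASK32


def apply_patch(memory: bytearray, base: int, key: int) -> bytearray:
    """Simulate the two 'mov byte ptr [eax], 90' writes at the transformed address.
    memory covers [base, base + len(memory)); writes outside it are ignored
    (in the real program those hit unmapped memory and crash, as in Figure 1)."""
    patched = bytearray(memory)
    eax = transform(key)
    for off in range(2):                   # assumption: second write goes to EAX+1
        idx = eax + off - base
        if 0 <= idx < len(patched):
            patched[idx] = 0x90
    return patched


def check_key(key: int) -> bool:
    """True when the NOPs land on the jmp, so execution reaches 'Correct!'."""
    base = 0x00401060
    # Constructed memory image: filler bytes with a 2-byte short jmp (EB xx)
    # at 0x401071; the real original bytes are not given on the page.
    memory = bytearray(b"\x00" * 0x20)
    memory[JMP_ADDR - base:JMP_ADDR - base + 2] = b"\xEB\x10"
    patched = apply_patch(memory, base, key)
    return patched[JMP_ADDR - base:JMP_ADDR - base + 2] == b"\x90\x90"


if __name__ == "__main__":
    print(hex(transform(123456789)))              # 0x6771d2e0, matching the walkthrough
    key = solve_key()
    print(key, hex(key))                          # 2687109798 0xa02a0aa6
    print(check_key(key), check_key(123456789))   # True False
```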

End.