Archive for the ‘Chal3. Replace Challenge’ Category


First, run file and input fake key, press check button. The program is crashed:

Krchal31

Figure 1

Use OllyDBG to load file and search for all referenced text strings:

Krchal32

Figure 2

Double-click on the “ASCII “Correct!”” will back to the disassembly window.

Krchal33

Figure 3

We see to JMP instructions above that will bypass the “Correct!” string. Scroll up a little bit and set BP at: 0040105A . FF15 9C504000     call   dword ptr [<GetDlgItemInt>] ; \GetDlgItemInt

Press F9 to run, input fake key to text box, then click Check button, we will stop at bp

Krchal34

Figure 4

EAX register contains the fake key and then fake key is stored at ds:[004084D0]=00000000. We need to trace into the 00401065   . E8 05360000       call   Replace.0040466F ; to see what happen with the fake key?

Krchal35

Figure 5

Review the code at 0040466F, we have some calls that can used to check or calculate something and at the end of this function, we see the jmp instruction that jump back to the 00401071 address. At 00401071 is the jump instruction that bypass the Correct message!! Continue to trace with F7:

0040467A         .  C705 16604000>mov     dword ptr [406016], 619060EB            ;  <-- mov opcode 0x619060EB to [406016]
Krchal36

Figure 6

Continue with this code:

00404684         .  E8 00000000   call    Replace.00404689
00404689        /$  FF05 D0844000 inc     dword ptr [<InputKey>]  ;  <- InputKey ++
0040468F        \.  C3            retn

Pseudo code: InputKey = InputKey + 1 + 1. Then return to this instruction:

00404674          8105 D0844000 C7051660   add     dword ptr [<InputKey>], 601605C7 ; <- InputKey +  0x601605C7

After trace over this instruction, we have: InputKey = InputKey + 0x601605C7
Next, we go to these codes same as we see above:

0040467E          40                       inc     eax
0040467F          00EB                     add     bl, ch
00404681          60                       pushad
00404682          90                       nop
00404683          61                       popad
00404684          E8 00000000              call    Replace.00404689
00404689          FF05 D0844000            inc     dword ptr [<InputKey>]  ; <- InputKey ++
0040468F          C3                       retn

This code again increases InputKey: InputKey = InputKey + 1 + 1. Summerize, we have: InputKey = InputKey + 1 + 1 + 0x601605C7 + 1 + 1 (Example: If the InputKey is 123456789 (0x75B CD15), after calculate we have result is 0x6771 D2E0). After have the result of InputKey, we will return to:

Krchal37

Figure 7

Trace over the JMP, we land at this code:

Krchal38

Figure 8

Krchal39

Figure 9

Notice the JMP that jump back to 00401071. First, this code loads InputKey that calculated above to EAX, then replace the content of 40466F to asm instruction with opcode is 0xC39000C6:

Krchal310

Figure 10

Bellow 0040469F C705 6F464000 C60090C3 mov dword ptr [40466F], C39000C6 ; , we see two call instruction to 40466F. Cause EAX contains InputKey value, so at 40466F will mov the hex value 0x90 to the content of EAX (in other words, it is the content of InputKey). 0x90 equivalent to NOP instruction. Thus, we can see two NOP instructions is used to assign to the content of EAX. Finally, we jump back to the 0x401071 (004046C4 ^\E9 A8C9FFFF   jmp     Replace.00401071), at this address we see the jmp that bypass the Correct message:

Krchal311

Figure 11

At 401071 address, we need to NOP the jmp instruction so that can not jump out of the code that contains the correct string. With this idea and along with the entire process of code analysis above, we need to enter the InputKey, then after calculation code we’ll have value is 401071. So the right InputKey is:

InputKey + 1 + 1 + 0x601605C7 + 1 + 1 = 0x401071

  • InputKey = 0x00401071 - 1 - 1 - 0x601605C7 - 1 – 1 = FFFFFFFFA02A0AA6
  • FFFFFFFFA02A0AA6 + 100000000 = A02A 0AA6 (2687109798 in decimal format)
Krchal312

Figure 12

End.
Advertisements