Friday, January 10, 2014

Building off of exercise one


I hope tutorial one wasn't overwhelming for you. In this tutorial we are going to explain some of the things you saw in the first tutorial. We are also going to find the correct password, so we can enter successfully every single time.

Recall the breakpoint that we set on the line that I said compares if the password entered is correct or incorrect. Well I was lying about that being the line that compares if the password is correct or not. It is the line above that determines if the password is right or wrong. We can see this by reading what is inside the third column. Let's see two photos before some more explaining.

The password checker


Column names

The assembly code column shows us what the program is doing. This is what we read when we are reversing programs. I do not expect you to be able to understand any of the code that is in the column. Learning to read that code will come with time. Do keep in mind though that reversing programs REQUIRES one to know assembly. If you do not learn assembly eventually, you will not be able to reverse programs like you want to. You can solve many low-level crackmes with very little assembly understanding, but that is the furthest your skill will take you.

Let your first lesson in assembly start today. We'll dissect the password checker. (The line in the red box from the photo above). It reads:

CMP DWORD PTR SS:[EBP-4], 7F97E56C

The first word in the assembly line is always the instruction. In this case the word CMP is our instruction. Everything that follows from the first word up until the comma is argument one. Here argument one is DWORD PTR SS:[EBP-4]. Everything after the comma is argument two. Argument two in this case is 7F97E56C. Thus the structure:

instruction argument1, argument2

The CMP instruction compares argument one and argument two for equality. If they both are equal then it sets that number next to the Z (from the previous tutorial) to a one. If they are not equal, then it sets the number next to the Z to a zero. This explains why when we double clicked the number next to the Z in the previous tutorial, the application told us we got the password correct. I'll give a series of steps of what happened in the last tutorial, and then I will explain argument one and argument two a little bit.

Here is what happened last tutorial. This should explain why we solved the application so easily.

1) We set a break point underneath the password checking line
2) We ran the program and entered some bogus password
3) The program runs every line of code until it reaches the break point. This also means it ran the line that determines if the password is correct or not. The result of the password checking line was setting the Z number to a 0 - it was not equal.
4) We manually changed the program's password checking result by changing the zero into a one.
5) We ran the program as if the password was correct all along, allowing us to see the "Correct, Good job!" response.

The explanation for what argument one and argument two are will be difficult to understand, but that's fine. We will go over the upcoming items a few times in the tutorials to come. Argument one, or DWORD PTR SS:[EBP-4], is a reference to a location on the stack. Recall in tutorial one the image with the titles of the panels. The stack is the lower right panel.

The stack is the lower right panel

We know it is referencing the stack because of the EBP-4. EBP stands for extended base pointer. Like a variable in programming, the EBP holds data for the program to use. In assembly we call these variables registers. The EBP register stores a location in the stack, so when we say EBP-4 we mean: take the location in the stack that EBP is holding and subtract four from it. Let us see what value EBP is holding when the application hit the break point that we set from the previous tutorial.

EBP holds 0028FF38

I used the picture from the last tutorial and added some more mspaint art to it. This is to give you a reference of which point I'm talking about. We can see EBP holds the value 0028FF38. If we look at the stack, we can find that value in the purple boxed area. The same way the EBP register can store data, so too can the stack. At the location 0028FF38 in the stack is the value 0028FF74.

Remember that argument one from the password checking line is [EBP-4]. So we have to subtract four from the EBP to find the location the line is using. So if we subtract 4 from 0028FF38 we get the value 0028FF34.
Note: the values 4 and 0028FF34 are in hexadecimal. You can always load up the Windows calculator to do the subtraction when the subtraction is no longer simple.

EBP-4

So we can see that [EBP-4] is holding the value 3F. We should open the Windows calculator, set the view to programmer, and select hexadecimal on the left side. Enter 3F into the calculator and then select decimal on the left side. The value will be 63. This is the password that I entered. I ask that you also check the value of EBP-4 with the password you entered.

Do you see where this is going? :) If you don't, it is OK. We will learn.

Recall the structure:
instruction argument1, argument2

We have a CMP instruction which means check if argument1 and argument2 are equal. So if argument1 is the value of our password, then argument2 is the password of the application. We can prove this by taking argument2 and entering it into the program.

Recall the value of argument2, 7F97E56C. If we enter that as hexadecimal into the windows calculator and set it to decimal, we get the value
2140661100

So the password of the application must be 2140661100. Let us verify this.

Success!
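The whole walk-through can be replayed as a small model of the one instruction CMP DWORD PTR SS:[EBP-4], 7F97E56C. This is an added example, not code from the crackme or from the original post: the toy stack window (STACK_BASE, STACK_SIZE) and the helper names are constructed for illustration, while the EBP value, the value stored at [EBP] and the constant come from the screenshots described above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BASE 0x0028FF00u  /* constructed: start of our toy stack window */
#define STACK_SIZE 0x100u       /* constructed: size of the window in bytes */

static uint8_t stack_mem[STACK_SIZE];

/* Store a 32-bit value the way x86 does: least significant byte first. */
static void write_dword(uint32_t addr, uint32_t value) {
    uint32_t off = addr - STACK_BASE;
    for (int i = 0; i < 4; i++)
        stack_mem[off + i] = (uint8_t)(value >> (8 * i));
}

/* Read a DWORD (4 bytes, little-endian) back from the toy stack. */
static uint32_t read_dword(uint32_t addr) {
    uint32_t off = addr - STACK_BASE;
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)stack_mem[off + i] << (8 * i);
    return v;
}

/* CMP subtracts argument2 from argument1, throws the result away and
 * sets the flags. The Z flag is 1 exactly when the result is zero. */
static int cmp_zf(uint32_t arg1, uint32_t arg2) {
    return (uint32_t)(arg1 - arg2) == 0;
}

/* Model of: CMP DWORD PTR SS:[EBP-4], 7F97E56C
 * Returns the Z flag for a given entered password. */
int check_password(uint32_t entered) {
    const uint32_t ebp = 0x0028FF38u;   /* EBP value from the screenshot */
    memset(stack_mem, 0, sizeof stack_mem);
    write_dword(ebp, 0x0028FF74u);      /* what the stack holds at [EBP] */
    write_dword(ebp - 4, entered);      /* the password lives at [EBP-4] */
    return cmp_zf(read_dword(ebp - 4), 0x7F97E56Cu);
}

int main(void) {
    printf("[EBP-4] is at %08X\n", 0x0028FF38u - 4);
    printf("entered 63 (0x3F):  Z=%d\n", check_password(63));
    printf("entered 2140661100: Z=%d\n", check_password(2140661100u));
    return 0;
}
```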



