badfile.exe – Part 4 – Dynamic Analysis

Based on what we found in the last post, we have a few different things to look for in OllyDbg.

  1. We know that strcmp is being called at 0x004015BC.
  2. We know that the result of strcmp leads to a conditional jump, with one of the two possible branches containing the “Incorrect” string.

Method 1:

strcmp takes two inputs, which are first pushed onto the stack before the call is made. Let's pause execution immediately before strcmp is called.

If we enter a bogus value (in this case I enter “1111aaaa”), we can see that it is pushed onto the stack, along with another string, “my_password12345”... Could this be the password?

Turns out it is! We’ve revealed the second part of the secret, which is “Cars”.

Method 2:
We could have manipulated the result of strcmp to reveal the second part of the secret.

If we provide an incorrect password, we can manually set the zero flag, and the second part of the password should be revealed.

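Something funky happens after strcmp is called, where the following instructions are observed:

test eax, eax          ; ZF = 1 if strcmp returned 0 (strings match)
setz al                ; al = 1 if ZF is set, otherwise al = 0
test al, al            ; ZF = 1 if al is 0 (strings did not match)
jz short loc_401605    ; taken when ZF = 1, leading to the "Incorrect" block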

Now, at the jz instruction, if the zero flag is set, we actually jump to the “Incorrect” block.  I will look into this to see if there is a reason why the compiler has added these instructions.

So, with our incorrect password entered, we unset the zero flag at the instruction 0x004015FC (jz short loc_401605).

And we reveal the secret!
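Why the zero flag has the opposite meaning at the jz than it had right after strcmp, as an added example (not code from badfile.exe or from the original post): a small C model of the four instructions that tracks only EAX and ZF. The function names and the force_zf parameter are hypothetical, chosen for this illustration.

```c
/* Added illustration: models only EAX and ZF for the four instructions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cpu { uint32_t eax; int zf; };

/* test eax, eax: ZF = 1 when eax is zero (other flags not modelled). */
static void test_eax_eax(struct cpu *c) { c->zf = (c->eax == 0); }
/* setz al: low byte of eax becomes 1 if ZF is set, otherwise 0. */
static void setz_al(struct cpu *c) { c->eax = (c->eax & 0xFFFFFF00u) | (uint32_t)c->zf; }
/* test al, al: ZF = 1 when the low byte is zero. */
static void test_al_al(struct cpu *c) { c->zf = ((c->eax & 0xFFu) == 0); }

/* ZF straight after the first test, i.e. the "natural" strcmp meaning. */
int zf_after_first_test(int strcmp_result)
{
    struct cpu c = { (uint32_t)strcmp_result, 0 };
    test_eax_eax(&c);
    return c.zf;
}

/* Returns 1 if the jz to the "Incorrect" block is taken.
 * force_zf (hypothetical parameter): -1 keeps the computed flag,
 * 0 or 1 models editing ZF in the debugger while paused on the jz. */
int jz_taken(int strcmp_result, int force_zf)
{
    struct cpu c = { (uint32_t)strcmp_result, 0 };
    test_eax_eax(&c);
    setz_al(&c);
    test_al_al(&c);
    if (force_zf >= 0)
        c.zf = force_zf;
    return c.zf;
}

int main(void)
{
    /* Constructed sample strings, not the ones from badfile.exe. */
    int results[2] = { strcmp("guess", "secret"), strcmp("secret", "secret") };
    for (int i = 0; i < 2; i++)
        printf("strcmp=%d  ZF after 1st test=%d  jz taken=%d  with ZF cleared=%d\n",
               results[i], zf_after_first_test(results[i]),
               jz_taken(results[i], -1), jz_taken(results[i], 0));
    return 0;
}
```

The setz/test pair is consistent with a compiler storing the result of `strcmp(...) == 0` as a boolean before branching on it, which is common in unoptimized builds; that reading is an assumption, since the source of badfile.exe is not shown.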

 

Stay tuned for part 5 for some buffer overflow exploitation of badfile.exe…