
I need to trace the password using the assembly code. Any guesses? The parts of the code I think should be helpful are given below.

            0x080484e9      89542404       mov dword [esp + 4], edx                                                                                                                                                
        0x080484ed      890424         mov dword [esp], eax                                                                                                                                                    
        0x080484f0      e8fbfeffff     call sym.imp.__isoc99_scanf ;[2]                                                                                                                                        
        0x080484f5      c74424200000.  mov dword [esp + 0x20], 0                                                                                                                                               
    ,=< 0x080484fd      eb3f           jmp 0x804853e               ;[3]                                                                                                                                        
   .--> 0x080484ff      8b442420       mov eax, dword [esp + 0x20] ; [0x20:4]=0x115c ; "\." 0x00000020  ; "\." @ 0x20                                                                                          
   ||   0x08048503      0520a00408     add eax, str.5tr0vZBrX:xTyR_P_                                                                                                                                          
   ||   0x08048508      0fb610         movzx edx, byte [eax]                                                                                                                                                   
   ||   0x0804850b      8b442420       mov eax, dword [esp + 0x20] ; [0x20:4]=0x115c ; "\." 0x00000020  ; "\." @ 0x20                                                                                          
   ||   0x0804850f      31d0           xor eax, edx                                                                                                                                                            
   ||   0x08048511      88442427       mov byte [esp + 0x27], al                                                                                                                                               
   ||   0x08048515      8d442428       lea eax, [esp + 0x28]       ; 0x28 ; '(' ; "4" @ 0x28                                                                                                                   
   ||   0x08048519      03442420       add eax, dword [esp + 0x20]                                                                                                                                             
   ||   0x0804851d      0fb600         movzx eax, byte [eax]                                                                                                                                                   
   ||   0x08048520      3a442427       cmp al, byte [esp + 0x27]   ; [0x27:1]=0 ; '''                                                                                                                          
  ,===< 0x08048524      7413           je 0x8048539                ;[4]                                                                                                                                        
  |||   0x08048526      c70424848604.  mov dword [esp], str.Wrong_ ; [0x8048684:4]=0x6e6f7257 LEA str.Wrong_ ; "Wrong!" @ 0x8048684                                                                            
  |||   0x0804852d      e88efeffff     call sym.imp.puts           ;[5]                                                                                                                                        
  |||   0x08048532      b801000000     mov eax, 1                                                                                                                                                              
 ,====< 0x08048537      eb41           jmp 0x804857a               ;[6]                                                                                                                                        
 |`---> 0x08048539      8344242001     add dword [esp + 0x20], 1                                                                                                                                               
 | |`-> 0x0804853e      8b5c2420       mov ebx, dword [esp + 0x20] ; [0x20:4]=0x115c ; "\." 0x00000020  ; "\." @ 0x20                                                                                          
 | |    0x08048542      b820a00408     mov eax, str.5tr0vZBrX:xTyR_P_ ; "5tr0vZBrX:xTyR-P!" @ 0x804a020                                                                                                        
 | |    0x08048547      c744241cffff.  mov dword [esp + 0x1c], 0xffffffff ; [0xffffffff:4]=-1 ; -1 ; -1                                                                                                        
 | |    0x0804854f      89c2           mov edx, eax                                                                                                                                                            
 | |    0x08048551      b800000000     mov eax, 0                                                                                                                                                              
 | |    0x08048556      8b4c241c       mov ecx, dword [esp + 0x1c] ; [0x1c:4]=52 ; "4" @ 0x1c                                                                                                                  
 | |    0x0804855a      89d7           mov edi, edx                                                                                                                                                            
 | |    0x0804855c      f2ae           repne scasb al, byte es:[edi]                                                                                                                                           
 | |    0x0804855e      89c8           mov eax, ecx                                                                                                                                                            
 | |    0x08048560      f7d0           not eax                                                                                                                                                                 
 | |    0x08048562      83e801         sub eax, 1                                                                                                                                                              
 | |    0x08048565      39c3           cmp ebx, eax                                                                                                                                                            
 | `==< 0x08048567      7296           jb 0x80484ff                ;[7]                                                                                                                                        
 |      0x08048569      c704248b8604.  mov dword [esp], str._nSuccess___Too_easy. ; [0x804868b:4]=0x6375530a LEA str._nSuccess___Too_easy. ; str._nSuccess___Too_easy.                                         
 |      0x08048570      e84bfeffff     call sym.imp.puts           ;[5]                                                                                                                                        
 |      0x08048575      b800000000     mov eax, 0                                                                                                                                                              
 `----> 0x0804857a      8b54243c       mov edx, dword [esp + 0x3c] ; [0x3c:4]=0x8048034 section_end.ehdr ; '<' ; "4...4... ." @ 0x3c                                                                           
        0x0804857e      653315140000.  xor edx, dword gs:[0x14]       

Any ideas as to what the password might be? I can't find any `cmp` statement in the main section that would do the checking of the password, although other sections do have `cmp` statements which might be helpful.

  • Did you see the `jmp` on the 5th line? What do you mean by `main section`... – Jester Jun 12 '16 at 22:45
  • its a binary file, so i'm using radare2, which says its the main function, the jmp on 5th line corresponds to 0x0804853e 8b5c2420 mov ebx, dword [esp + 0x20] [0x20:4]=0x115c ; "\." 0x00000020 ; "\." @ 0x20 – TheAmateur Jun 12 '16 at 22:57
  • I know what it corresponds to, my point was, do you see it jumps away and indeed will hit a `cmp` or two? – Jester Jun 12 '16 at 23:00



If you have IDA (or just radare2's graph view), do a static analysis so you can figure out how the program flows before guessing at the password.

Start from this address: 0x08048569 — as you can see, it loads the string `str._nSuccess___Too_easy.` before calling `puts`, so that is the success path.

The same applies here: 0x08048526, which loads `str.Wrong_` — the failure path. The `je` at 0x08048524 chooses between them, so the `cmp al, byte [esp + 0x27]` right before it *is* the password check; it is just done one byte per loop iteration instead of as one comparison of the whole string.

Reading the listing you posted, the loop does the following:

- 0x080484f5: `i = 0` (the dword at `[esp + 0x20]`), then jump to the loop condition.
- 0x08048542–0x08048562: `strlen` of the constant `"5tr0vZBrX:xTyR-P!"` via `repne scasb` (`ecx = -1`, `al = 0`; after the scan, `not ecx; sub eax, 1` yields the length).
- 0x08048567: `jb` — keep looping while `i < strlen(key)` (unsigned compare).
- 0x080484ff–0x08048511: `edx = key[i]`, `eax = i ^ key[i]`, and the low byte is stored at `[esp + 0x27]`.
- 0x08048515–0x08048524: compare it with the byte at `[esp + 0x28 + i]` — presumably the buffer that was handed to `scanf` — and on any mismatch print `"Wrong!"` and leave with `eax = 1`.

So the expected input satisfies `input[i] == key[i] ^ i` for every index `i`. Applying that to the 17-byte string shown in the radare2 comment gives `5up3r_DuP3r_u_#_1` (for example `'Z'` is 0x5a, and `0x5a ^ 5 = 0x5f = '_'`). Treat that as something to verify rather than a certainty: the key string comes from radare2's comment, so if it was truncated or the string end was mis-detected, recompute from the actual bytes at 0x804a020 (a short script, or a breakpoint on the `cmp`, confirms it). Two further points are visible in the listing: only `strlen(key)` bytes of the input are compared, so anything typed after the 17th character is ignored; and the `scanf` format string is not in the excerpt, so whether that read is bounded cannot be told from here. The `xor edx, dword gs:[0x14]` at the end is the stack-protector canary check, not part of the password logic.

It is not always a simple `cmp` of the whole string that checks whether the password is correct; here it is one `cmp` per character after a transform.
