this time you have a real program to work with, so you can easily perform this
reversing session from within a debugger.
Before actually launching the program you must also set the launch parameters so that Cryptex knows which archive you’re trying to open. Keep in mind that you must type an incorrect password, so that Cryptex generates its incorrect password message. As for which command to have Cryptex perform, it would probably be best to just have Cryptex list the files in the archive, so that nothing is actually written into the archive (though Cryptex is unlikely to change anything when supplied with a bad password anyway). I personally used Cryptex l test1 6666666665, and placed a breakpoint on printf from the MSVCR71.DLL (using the Executable Modules window in OllyDbg and then listing its exports in the Names window).
Upon starting the program, three calls to printf were caught. The first contained the Cryptex 1.0... message, the second contained the Listing all file... message, and the third contained what you were looking for: the ERROR: Invalid password... string. From here, all you must do is jump back to the caller and hopefully locate the logic that decides whether to accept or reject the password that was passed in. Once you hit that third printf, you can use Ctrl+F9 in Olly to go to the RET instruction that will take you directly into the function that made the call to printf. This function is given in Listing 6.3.
004011C0 PUSH ECX
004011C1 PUSH ESI
004011C2 MOV ESI,SS:[ESP+C]
004011C6 PUSH 0 ; Origin = FILE_BEGIN
004011C8 PUSH 0 ; pOffsetHi = NULL
004011CA PUSH 0 ; OffsetLo = 0
004011CC PUSH ESI ; hFile
004011CD CALL DS:[<&KERNEL32.SetFilePointer>]
004011D3 PUSH 0 ; pOverlapped = NULL
004011D5 LEA EAX,SS:[ESP+8]
004011D9 PUSH EAX ; pBytesRead
004011DA PUSH 28 ; BytesToRead = 28 (40.)
004011DC PUSH cryptex.00406058 ; Buffer = cryptex.00406058
004011E1 PUSH ESI ; hFile
004011E2 CALL DS:[<&KERNEL32.ReadFile>] ; ReadFile
004011E8 TEST EAX,EAX
004011EA JNZ SHORT cryptex.004011EF
004011EC POP ESI
004011ED POP ECX
004011EE RETN
004011EF CMP DWORD PTR DS:[406058],70597243
004011F9 JNZ SHORT cryptex.0040123C
004011FB CMP DWORD PTR DS:[40605C],39586554
Listing 6.3 Cryptex’s header-verification function that reads the Cryptex archive header
and checks the supplied password.
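The header check in Listing 6.3 reimplemented in Python, as an added example that is not code from the book or from Cryptex: the two CMP immediates and the 0x28-byte read size are taken from the listing, and it shows that the little-endian immediates decode to an ASCII file signature. The 40-byte sample header is constructed here; only its first 8 bytes are known from the listing.

```python
import struct

# Constants lifted from the disassembly in Listing 6.3.
MAGIC_DWORD_0 = 0x70597243  # CMP DWORD PTR DS:[406058],70597243
MAGIC_DWORD_1 = 0x39586554  # CMP DWORD PTR DS:[40605C],39586554
HEADER_SIZE = 0x28          # PUSH 28 ; BytesToRead = 28 (40.)


def magic_as_ascii() -> str:
    """Decode the two CMP immediates as the bytes they match in memory.

    x86 is little-endian, so the immediate 0x70597243 sits in memory as
    43 72 59 70, which is the ASCII text 'CrYp'. Reading a DWORD compare
    against a file buffer this way recovers the format's magic string.
    """
    return struct.pack("<II", MAGIC_DWORD_0, MAGIC_DWORD_1).decode("ascii")


def check_header(data: bytes) -> bool:
    """Mirror of the logic at 004011C0-004011FB.

    The listing seeks to FILE_BEGIN, reads 0x28 bytes into a static buffer,
    returns early if ReadFile fails, then compares the first two DWORDs of
    the buffer against the immediates (JNZ to 0040123C on mismatch).
    Assumption added here: the listing only tests ReadFile's return value,
    not the byte count; this version also rejects a short read.
    """
    header = data[:HEADER_SIZE]
    if len(header) < HEADER_SIZE:
        return False  # stands in for the early POP/POP/RETN path
    dword0, dword1 = struct.unpack_from("<II", header, 0)
    return dword0 == MAGIC_DWORD_0 and dword1 == MAGIC_DWORD_1


def build_sample_header(magic: bytes = b"CrYpTeX9") -> bytes:
    """Constructed 40-byte header for demonstration only: the 8-byte magic
    followed by zero padding, since the listing reveals nothing about the
    remaining 32 header bytes."""
    return magic.ljust(HEADER_SIZE, b"\x00")


if __name__ == "__main__":
    print("magic string:", magic_as_ascii())
    print("valid header :", check_header(build_sample_header()))
    print("wrong magic  :", check_header(build_sample_header(b"PK\x03\x04abcd")))
```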
208 Chapter 6