Write a question
on reversing.kr Log on to the website http://reversing.kr and click on the challenge option to select a question to complete.
When PEPassword
first got this question, we found that there were two exe files. At first, we didn't understand the meaning of the two exe files, so we ran the two exe files separately, and the results of the operation are as follows:
Run Original.exe results :
Run Packed.exe results:
It can be seen that we are required to enter a string of data, then we first analyze Packed.exe to see what processing will be done after we enter the data. Drag packed.exe into ida for analysis and found that there are four functions, and we observe that the starting positions of these four functions are 0x409009, 0x4091d8, 0x4091da, 0x409200
Then drag packed.exe into the OD, and breakpoints on these four functions.
When we enter a piece of data, we will find that the program is broken at 0x4091d8, and then a series of processing will be performed on the data we entered
Finally, the processed result will be returned. When we continue to run, we will find that there will be a comparison statement after the return. The processed data will be compared with 0xe98f842a.
Continue to run down, and then enter the system airspace, and then press ctrl+f9 to execute to return, we will find that we have returned to another comparison statement, and then the program will jump to 0x409085 and continue to execute
We found that GetMessageA, TranslateMessage and DispatchMessageA functions will be executed in a loop. After consulting, we found that the GetMessage function will take out a message from the message queue and then send the message to the corresponding window for processing through DispatchMessage, so if we are stuck in a loop, we will If you keep inputting, you cannot continue to run the program, so we have to jump out of the loop first, that is, the data at ss:[ebp+0x402A3E] must not be equal to 0, so we find it in IDA by cross-reference Code to operate ss:[ebp+0x402A3E]:
I found a code that would add one to this memory. Find the corresponding code in the OD, and found that the jump above is the jump after we return after processing the input data.
In order to enable us to perform the operation of adding one, we set a breakpoint at 0x4091a6, and change the flag bit every time the execution reaches this point to perform the operation of adding one without jumping.
After that, the program will no longer fall into the loop of operating on the message, so it can continue to execute downward.
Next, the program continues to run down and will be broken in another function
In this function, we will find that it uses two data obtained by the 0x4091DA function to store them in eax and ebx respectively, and process the data of 0x401000. The main performance is to use eax to calculate the data from 0x401000 and later. The four bytes are XORed, and then ebx and eax are changed accordingly. So cycle.
We guessed from the name of Original.exe that the machine code in Original.exe should be the original machine code, and the data after processing 0x401000 in Packed.exe should be equal to the machine code at 0x401000 in Original.exe , So we can find out that the data of eax is the data 0xb6e62e17 of 0x401000 in Packed.exe and the data 0x014cec81 of 0x401000 in Orginal.exe. The eax is 0xb7aac296. Since we don’t know how to solve ebx, we Use brute force to get ebx.
code show as below:
#include <stdio.h>
int globalebx;
int GetEax(int eax1,int ebx1)
{
int resulteax;
_asm
{
mov eax,eax1
mov ebx,ebx1
mov cl,al
rol ebx,cl
xor eax,ebx
mov cl,bh
ror eax,cl
add ebx,eax
mov resulteax,eax
mov globalebx,ebx
}
return resulteax;
}
int result1=0x5a5a7e05;
int result2=0x99c51d27;
int eax=0xb7aac296;
int main()
{
/*int eax=0x99c5159e;
int eax1=0x000008b9;
printf("%x",eax^eax1);
//int eax=b7aac296
*/
int ebx1=0;
int flag=1;
while(flag)
{
for(ebx1=0;ebx1<=0xffffffff;ebx1++)
{
if(GetEax(eax,ebx1)==result1)
{
if(GetEax(result1,globalebx)==result2)
{
printf("ebx is :%x\n",ebx1);
break;
}
}
}
}
return 0;
}
Get ebx=0xc263a2cb:
Then change the values of eax and ebx to 0xb7aac296 and 0xc263a2cb respectively, and you can get the result as shown in the figure below.
From_GHL2_!!