Game 11
Challenge: Reverse engineering a Windows executable with string manipulation
Step 1: Identify File
Output:
PE32 executable for MS Windows 4.00 (GUI), Intel i386, 8 sections
From IDA disassembly, key strings:
```
CODE:0045041C Congratulation!
CODE:00450434 Authkey :
CODE:004504B8 2abbe4b6
CODE:004504CC 44536ca0
CODE:004504E0 81aae922
CODE:004504F4 e32fa0de
```
In _TForm1_FormCreate, these strings are assigned to variables at offsets:
```asm
lea eax, [ebx+300h]
mov edx, offset _str_2abbe4b6.Text
call @System@@LStrAsg$qqrpvpxv

lea eax, [ebx+304h]
mov edx, offset _str_44536ca0.Text
call @System@@LStrAsg$qqrpvpxv

lea eax, [ebx+308h]
mov edx, offset _str_81aae922.Text
call @System@@LStrAsg$qqrpvpxv

lea eax, [ebx+30Ch]
mov edx, offset _str_e32fa0de.Text
call @System@@LStrAsg$qqrpvpxv
```
All strings are concatenated in order:
```asm
push dword ptr [ebx+300h]
push dword ptr [ebx+308h]
push dword ptr [ebx+304h]
push dword ptr [ebx+30Ch]
```
Result:
2abbe4b681aae92244536ca0e32fa0de
Alternative: Decompiled Code Analysis
```c
int __fastcall TForm1_Button1Click(int a1)
{
  System::__linkproc__ LStrAsg(a1 + 784, &str_2V[1]);
  System::__linkproc__ LStrAsg(a1 + 788, &str_XS[1]);
  System::__linkproc__ LStrAsg(a1 + 792, &str_B6[1]);
  System::__linkproc__ LStrAsg(a1 + 796, &str_H1[1]);
  System::__linkproc__ LStrAsg(a1 + 800, &str_0F[1]);

  System::__linkproc__ LStrCatN(
    a1 + 816,
    5,
    v2,
    *(_DWORD *)(a1 + 792),
    *(_DWORD *)(a1 + 796),
    *(_DWORD *)(a1 + 788),
    *(_DWORD *)(a1 + 800));
}
```
The concatenation takes the strings in a different order from the one in which they were assigned, so check the assembly for the actual order.
Assembly Order
```asm
push dword ptr [ebx+310h] ; 2V
push dword ptr [ebx+318h] ; B6
push dword ptr [ebx+31Ch] ; H1
push dword ptr [ebx+314h] ; XS
push dword ptr [ebx+320h] ; 0F

; Password: 2VB6H1XS0F
```
2abbe4b681aae92244536ca0e32fa0de