First, create a dump in OllyDbg.
00401000 /$ 55 PUSH EBP
00401001 |. 8BEC MOV EBP,ESP
00401003 |. 83EC 34 SUB ESP,34
00401006 |. C745 E8 670A00>MOV DWORD PTR SS:[EBP-18],0A67
0040100D |. C745 EC 707069>MOV DWORD PTR SS:[EBP-14],6E697070
00401014 |. C745 F0 727472>MOV DWORD PTR SS:[EBP-10],69727472
0040101B |. C745 F4 706F77>MOV DWORD PTR SS:[EBP-C],65776F70
00401022 |. 68 30704000 PUSH app5win.00407030 ; ASCII "Please enter the password:"
00401027 |. E8 7C010000 CALL app5win.004011A8
0040102C |. 83C4 04 ADD ESP,4
0040102F |. 6A 10 PUSH 10
00401031 |. 6A 00 PUSH 0
00401033 |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00401036 |. 50 PUSH EAX
00401037 |. E8 14010000 CALL app5win.00401150
0040103C |. 83C4 0C ADD ESP,0C
0040103F |. C745 E4 000000>MOV DWORD PTR SS:[EBP-1C],0
00401046 |. C745 E0 000000>MOV DWORD PTR SS:[EBP-20],0
0040104D |. C745 DC 000000>MOV DWORD PTR SS:[EBP-24],0
00401054 |> E8 E7000000 /CALL app5win.00401140
00401059 |. 8845 FC |MOV BYTE PTR SS:[EBP-4],AL
0040105C |. 8B4D E4 |MOV ECX,DWORD PTR SS:[EBP-1C]
0040105F |. 8A55 FC |MOV DL,BYTE PTR SS:[EBP-4]
00401062 |. 88540D CC |MOV BYTE PTR SS:[EBP+ECX-34],DL
00401066 |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]
00401069 |. 83C0 01 |ADD EAX,1
0040106C |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
0040106F |. 0FBE4D FC |MOVSX ECX,BYTE PTR SS:[EBP-4]
00401073 |. 83F9 0A |CMP ECX,0A
00401076 |. 74 0E |JE SHORT app5win.00401086
00401078 |. 0FBE55 FC |MOVSX EDX,BYTE PTR SS:[EBP-4]
0040107C |. 85D2 |TEST EDX,EDX
0040107E |. 74 06 |JE SHORT app5win.00401086
00401080 |. 837D E4 10 |CMP DWORD PTR SS:[EBP-1C],10
00401084 |.^72 CE \JB SHORT app5win.00401054
00401086 |> 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00401089 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040108C |. C745 E0 000000>MOV DWORD PTR SS:[EBP-20],0
00401093 |. C745 DC 030000>MOV DWORD PTR SS:[EBP-24],3
0040109A |. EB 12 JMP SHORT app5win.004010AE
0040109C |> 8B4D E0 /MOV ECX,DWORD PTR SS:[EBP-20]
0040109F |. 83C1 04 |ADD ECX,4
004010A2 |. 894D E0 |MOV DWORD PTR SS:[EBP-20],ECX
004010A5 |. 8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24]
004010A8 |. 83EA 01 |SUB EDX,1
004010AB |. 8955 DC |MOV DWORD PTR SS:[EBP-24],EDX
004010AE |> 837D E0 0D CMP DWORD PTR SS:[EBP-20],0D
004010B2 |. 73 28 |JNB SHORT app5win.004010DC
004010B4 |. 8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
004010B7 |. C1E8 02 |SHR EAX,2
004010BA |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8]
004010BD |. 8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24]
004010C0 |. 8B0481 |MOV EAX,DWORD PTR DS:[ECX+EAX*4]
004010C3 |. 3B4495 E8 |CMP EAX,DWORD PTR SS:[EBP+EDX*4-18]
004010C7 | 74 11 JE SHORT app5win.004010DA
004010C9 | 68 4C704000 PUSH app5win.0040704C ; ASCII "Invalid Password"
004010CE | E8 20000000 CALL app5win.004010F3
004010D3 |. 83C4 04 |ADD ESP,4
004010D6 | 33C0 XOR EAX,EAX
004010D8 |. EB 15 |JMP SHORT app5win.004010EF
004010DA | ^EB C0 JMP SHORT app5win.0040109C
004010DC |> 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004010DF |. 51 PUSH ECX
004010E0 |. 68 60704000 PUSH app5win.00407060 ; ASCII "The password is %s
"
004010E5 |. E8 09000000 CALL app5win.004010F3
004010EA |. 83C4 08 ADD ESP,8
004010ED |. 33C0 XOR EAX,EAX
004010EF |> 8BE5 MOV ESP,EBP
004010F1 |. 5D POP EBP
004010F2 \. C3 RETN
At 004010C3 |. 3B4495 E8 |CMP EAX,DWORD PTR SS:[EBP+EDX*4-18] the input is compared with the password.
The password appears to be at the address EBP+EDX*4-18.
Set a breakpoint at 004010C3 and run.
Please enter the password:
Enter any characters at the prompt; the breakpoint hits, so check the register values.
EDX:00000003
EBP:0012FF48
0012FF48+00000003*4-18=12FF3C
The area around address 12FF3C looks suspicious.
0012FF2C 02 00 00 00 67 0A 00 00 70 70 69 6E 72 74 72 69 ...g...ppinrtri
0012FF3C 70 6F 77 65 14 FF 12 00 0A 20 40 00 88 FF 12 00 powe.. @.・.
powertripping
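As an added example (not part of the original writeup), the following Python script re-implements the input loop at 00401054-00401084 and the compare loop at 0040109C-004010DA from the listing above, using the four DWORD immediates the program stores at EBP-18..EBP-C. It makes the comparison order explicit: [EBP-20] walks the input forward in 4-byte steps while [EBP-24] counts down from 3, so the first input DWORD is checked against the last stored word. Function names, the buffer emulation and the sample inputs are my own; the immediates and addresses come from the listing.

```python
import struct

# DWORD immediates copied from the listing (MOV DWORD PTR SS:[EBP-18..EBP-C]).
# Index 0 is [EBP-18], index 3 is [EBP-C]; x86 stores them little-endian,
# which is why the dump at 0012FF30 reads "g\n\0\0ppinrtripowe".
PASSWORD_DWORDS = [0x00000A67, 0x6E697070, 0x69727472, 0x65776F70]


def read_line(raw: bytes, limit: int = 0x10) -> bytes:
    """Emulates 00401054-00401084: one byte at a time into the 16-byte buffer
    at EBP-34, stopping after a newline (0x0A), after a NUL, or once 0x10 bytes
    are stored. The buffer is zero-filled first (the call at 00401037 with 0, 10h).
    `raw` stands in for the bytes the user types (constructed input)."""
    buf = bytearray(limit)
    i = 0
    for b in raw:
        buf[i] = b          # MOV BYTE PTR SS:[EBP+ECX-34],DL
        i += 1              # ADD EAX,1
        if b in (0x0A, 0x00):   # CMP ECX,0A / TEST EDX,EDX -> JE 00401086
            break
        if i >= limit:          # CMP [EBP-1C],10 / JB 00401054
            break
    return bytes(buf)


def check_password(buf: bytes) -> bool:
    """Emulates 0040109C-004010DA. off is [EBP-20] (0,4,8,12), idx is [EBP-24]
    (3,2,1,0); the loop ends when off reaches 0x0D (CMP [EBP-20],0D / JNB)."""
    off, idx = 0, 3
    while off < 0x0D:
        # MOV EAX,[EBP-20]; SHR EAX,2; MOV EAX,[ECX+EAX*4]
        input_dword = struct.unpack_from("<I", buf, (off >> 2) * 4)[0]
        # CMP EAX,DWORD PTR SS:[EBP+EDX*4-18]
        if input_dword != PASSWORD_DWORDS[idx]:
            return False    # "Invalid Password"
        off += 4            # ADD ECX,4
        idx -= 1            # SUB EDX,1
    return True             # "The password is %s"


def compare_address(ebp: int, edx: int) -> int:
    """The operand address EBP+EDX*4-18 that the writeup computes by hand."""
    return ebp + edx * 4 - 0x18


def recover_password() -> bytes:
    """The compare order fixes the expected buffer layout: the immediates from
    [EBP-C] down to [EBP-18], each as a little-endian DWORD. The trailing 0x0A
    is part of the last word, so the password only matches when followed by Enter."""
    return b"".join(struct.pack("<I", d) for d in reversed(PASSWORD_DWORDS))


if __name__ == "__main__":
    print(recover_password())                              # b'powertripping\n\x00\x00'
    print(hex(compare_address(0x0012FF48, 3)))             # 0x12ff3c
    print(check_password(read_line(b"powertripping\n")))   # True
    print(check_password(read_line(b"powertripping")))     # False: no newline in last word
```

The script also shows why the binary is trivially recoverable: the credential is embedded as plaintext immediates and compared word by word, so anyone holding the executable gets it from the disassembly alone, without ever running it. A comparison against a salted hash of the input would not leak the value this way.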
This challenge can be analyzed with the same method as Application Challenge 5.
004011A3 ? E8 837DE808 CALL 09288F2B
004011A8 . 73 2E JNB SHORT app6win.004011D8
004011AA . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
004011AD . C1E9 02 SHR ECX,2
004011B0 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004011B3 . 2B55 E8 SUB EDX,DWORD PTR SS:[EBP-18]
004011B6 . C1EA 02 SHR EDX,2
004011B9 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004011BC . 8B0C88 MOV ECX,DWORD PTR DS:[EAX+ECX*4]
004011BF . 3B4C95 EC CMP ECX,DWORD PTR SS:[EBP+EDX*4-14]
004011C3 . 74 11 JE SHORT app6win.004011D6
004011C5 . 68 5C704000 PUSH app6win.0040705C ; ASCII "Invalid Password"
004011CA . E8 3F020000 CALL app6win.0040140E
004011CF . 83C4 04 ADD ESP,4
004011D2 . 33C0 XOR EAX,EAX
004011D4 . EB 15 JMP SHORT app6win.004011EB
004011D6 >^EB C3 JMP SHORT app6win.0040119B
004011D8 > 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004011DB . 52 PUSH EDX
004011DC . 68 70704000 PUSH app6win.00407070 ; ASCII "The password is %s"
004011E1 . E8 28020000 CALL app6win.0040140E
004011E6 . 83C4 08 ADD ESP,8
004011E9 . 33C0 XOR EAX,EAX
004011EB > 8BE5 MOV ESP,EBP
004011ED . 5D POP EBP
004011EE . C3 RETN
Set a breakpoint at 004011BF . 3B4C95 EC CMP ECX,DWORD PTR SS:[EBP+EDX*4-14].
EBP 0012FF14
EDX 00000000
0012FF14-14=12FF00
The contents at address 0012FF00 are:
0012FF00 02 00 00 00 63 61 6C 0A 6D 61 67 69 EC FE 12 00 ...cal.magi・.
magical