Crack Me Challenge Part 4

First we must take a look at the following piece of code that will be presented in the code segment 5:

004017FC |. B8 40000000 mov eax,40

00401801 |. 33C9 xor ecx,ecx

00401803 |> 8B940C C000000>/mov edx,dword ptr ss:[esp+ecx+C0]

0040180A |. 3B540C 70 |cmp edx,dword ptr ss:[esp+ecx+70]

0040180E 0F85 53010000 jnz main.00401967

00401814 |. 83E8 04 |sub eax,4

00401817 |. 83C1 04 |add ecx,4

0040181A |. 83F8 04 |cmp eax,4

0040181D |.^73 E4 jnb short main.00401803

We can see that it’s comparing the stack memory at addresses from [esp+C0]-[esp+100] to [esp+70]-[esp+B0]. This is why from now on, we’ll refer to these addresses as 0xC0 and 0x70 for clarity; but remember we’re actually talking about the stack addresses being compared in the above piece of code.

The code in the logical segment 1 changes the stack memory at address 0x70, therefore actually changing the stack addresses from [esp+70] to [esp+B0]. The actual code is as follows:

004017AF |. 8D7C24 70 lea edi,dword ptr ss:[esp+70]

004017B3 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]

We’re loading the stack address [esp+70] into the register edi and then using the rep instruction to copy a string from register esi to edi until a null byte is encountered. The esi register contains the following value:

ESETNOD32@ESETNOD32@ESETNOD32@ESETNOD32@ESETNOD32

@ESETNOD32@ESETNOD32@ESETNOD32@

The length of the above string is 80 bytes (0x50), which is how many bytes will be copied from one location to the other. Let’s take a look at the stack before this function changes it:

0012EAB8 77D48808 [esp+70]

0012EABC FFFFFFFF [esp+74]

0012EAC0 77D487FF [esp+78]

0012EAC4 77D4B743 [esp+7C]

0012EAC8 00000000 [esp+80]

0012EACC 0040B13F [esp+84]

0012EAD0 0004018A [esp+88]

0012EAD4 0000000D [esp+8C]

0012EAD8 00000071 [esp+90]

0012EADC 00B98670 [esp+94]

0012EAE0 0082BAE4 [esp+98]

0012EAE4 00000001 [esp+9C]

0012EAE8 00B98670 [esp+A0]

(Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Dejan Lukan. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/0r4eY_MLQ3A/