.text:00401B54 call scanf
.text:00401B59 lea eax, [ebp+var_143]
.text:00401B5F mov [esp+164h+var_160], eax
.text:00401B63 lea eax, [ebp+var_157]
.text:00401B69 mov [esp+164h+var_164], eax
.text:00401B6C call strcmp
.text:00401B71 test eax, eax
.text:00401B73 jnz short loc_401B8D
.text:00401B75 mov [esp+164h+var_164], offset aYouPassedLevel ; "You passed level1!"
Later in the program, it calls an int 3. The int 3 forces the program to jump to the exception handler that had been set up. Inside the exception handler, the program takes another set of user input for the second string. The exception handler calls a decrypt routine.
.text:004015B2 call scanf
.text:004015B7 mov eax, ds:dword_40AD98
.text:004015BC mov [esp+38h+var_34], eax
.text:004015C0 lea eax, [ebp+var_20]
.text:004015C3 mov [esp+38h+var_38], eax
.text:004015C6 call decryptCompare
.text:004015CB test eax, eax
Inside the decrypt routine, each byte of a stored string is XORed with 0x02 and then compared against the corresponding byte of the user input. Setting a breakpoint at the "cmp dl, al" after the xor allows each decrypted byte to be read out of al as the loop runs.
.text:00401558 xor eax, 2
.text:0040155B cmp dl, al
The key, in the format string1_string2, was r0b0RUlez!_w3lld0ne
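As an added illustration (not the challenge binary's code), the Python below re-implements the decryptCompare logic described above: a stored string XORed byte-wise with 0x02 and compared one byte at a time. The stored ciphertext is constructed here from the known level-2 answer "w3lld0ne"; the binary's real stored bytes are not on this page. It also models what the breakpoint on "cmp dl, al" exposes, which is why a single-byte XOR plus an early-exit compare offers no real protection.

```python
KEY_BYTE = 0x02  # the constant the binary XORs with (xor eax, 2)

# Constructed ciphertext: the known answer encoded with the same XOR.
STORED = bytes(b ^ KEY_BYTE for b in b"w3lld0ne")


def decrypt(stored: bytes, key: int = KEY_BYTE) -> bytes:
    """XOR with a constant is its own inverse: applying it again recovers the plaintext."""
    return bytes(b ^ key for b in stored)


def decrypt_compare(user_input: bytes, stored: bytes = STORED) -> tuple:
    """Emulates the routine: decrypt each stored byte, compare to the input byte.

    Returns (matched, index): index is the position of the first mismatch,
    or len(stored) when every byte matched.
    """
    for i, c in enumerate(stored):
        al = c ^ KEY_BYTE                      # value in al at 'cmp dl, al'
        dl = user_input[i] if i < len(user_input) else None
        if dl != al:
            return False, i                    # early exit leaks how far we got
    return len(user_input) == len(stored), len(stored)


def compare_trace(stored: bytes = STORED) -> bytes:
    """What a breakpoint on 'cmp dl, al' reveals: al holds one plaintext byte
    per iteration, independent of what the user typed."""
    return bytes(c ^ KEY_BYTE for c in stored)


if __name__ == "__main__":
    print(decrypt(STORED))                    # b'w3lld0ne'
    print(decrypt_compare(b"w3lld0ne"))       # (True, 8)
    print(decrypt_compare(b"w3llxxxx"))       # (False, 4)
    print(compare_trace())                    # b'w3lld0ne'
```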
--Imp3rial