Thursday, 2 August 2012
Hack This Site application challenges (part 2)
let's have a look at some more of the application challenges...
Application challenge 4
when you run this app you are presented with a form showing two buttons, one enabled and one disabled, both labelled Click Me. the aim is to click one of the buttons to reveal the password, which of course you can't: every time you move the mouse over the enabled button it becomes disabled and the other one is enabled, and so on....
open the app with your preferred hex editor (i'm using ht editor) and have a look through. it should become rapidly apparent that it was written in VB6 (the import of MSVBVM60.DLL is the giveaway). if only there was some way we could decompile or disassemble the app... oh wait, there is: download VB Decompiler Lite and open the app with that.
in here we can view things like form properties and, more helpfully in this case, the events associated with the different form controls. the screenshot shows the disassembled code behind the MouseMove event associated with one of the buttons.
the Click event is also there, but you'll quickly notice that the password we're after has not been stored in plaintext (where would be the fun in that?).
i'm assuming at this point that you're comfortable with the basics of addressing etc. within programs...
a very useful piece of information that vb decompiler gives for each of the disassembled instructions is its address.
the address of the first instruction of the event handler for clicking one of the buttons is 00402AD0. the address of the first instruction of the event handler for loading the form when the app starts (Form_Load) is 00402590.
now we have this information we no longer need to worry about trying to click one of the buttons.
you'll now require something like OllyDbg, which is an assembler-level debugger. File > Open, and find the location of the app.
on the left hand side you will see addresses similar to the ones we found a moment ago. find the first instruction of the form load event handler (00402590). double click on the instruction at that address (push ebp) and OllyDbg opens its Assemble dialog, so you can now edit the instruction at that location.
we would like to go straight to the first instruction of the click event handler (00402AD0).
the instruction we can use to do this is JMP 00402AD0, so enter that and click Assemble. you will see the change in red (see screenshot below); now click Cancel to close the dialog box. note that a JMP to an absolute address assembles to a 5-byte relative jump (E9 followed by a 32-bit displacement), so it overwrites push ebp and the bytes of the instructions immediately after it; leave "Fill with NOP's" ticked so no stray partial instruction is left behind. the change only lives in memory: if you want a permanently patched copy, right click in the disassembly, choose Copy to executable > All modifications, and save the resulting file.
now we would like to run the modified version of the app; to do this click the button that looks like a play symbol, just below the Debug menu (or press F9). and there you go: the jump skips the rest of Form_Load and drops straight into the Click handler, so the first thing the app does is give you the password to proceed.
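as an added example (python, not code from the original post or from HackThisSite), here is what the Assemble dialog actually does for "JMP 00402AD0" typed at 00402590: the 5-byte E9 encoding with its displacement measured from the end of the instruction, and how you would apply the same bytes to a copy of the file. the PE layout used by va_to_file_offset (image base, .text RVA and raw pointer) and the "start of Form_Load" bytes in the demo are assumptions for illustration, not values read from the challenge binary.

```python
# Added example, not code from the original post or from HackThisSite.
# Encodes the patch OllyDbg produces for "JMP 00402AD0" at 00402590 and
# applies it to a copy of a file's bytes. The PE layout passed to
# va_to_file_offset is assumed, not read from the challenge binary.
import struct

JMP_REL32 = 0xE9  # opcode of the 5-byte near relative jump
NOP = 0x90


def encode_jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Encode a near relative JMP located at src_va that lands on dst_va.

    The displacement is measured from the end of the 5-byte instruction,
    hence the +5; a backward jump simply gets a negative (two's complement)
    displacement.
    """
    rel = dst_va - (src_va + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def va_to_file_offset(va: int, image_base: int, section_rva: int, section_raw: int) -> int:
    """Map a virtual address shown in the debugger to an offset in the file on disk.

    Assumes va lies inside the section described by section_rva/section_raw
    (assumed layout); real code would walk the PE section table.
    """
    rva = va - image_base
    if rva < section_rva:
        raise ValueError("address is below the assumed section")
    return rva - section_rva + section_raw


def patch_bytes(image: bytes, offset: int, patch: bytes, pad_to: int = 0) -> bytearray:
    """Write patch into a copy of image at offset.

    pad_to is the total length of the instructions the patch overlaps; bytes
    between the end of the patch and that boundary become NOPs so no stray
    partial instruction is left behind (what OllyDbg's "Fill with NOP's" does).
    """
    out = bytearray(image)
    end = offset + max(len(patch), pad_to)
    if end > len(out):
        raise ValueError("patch runs past end of image")
    out[offset:offset + len(patch)] = patch
    for i in range(offset + len(patch), end):
        out[i] = NOP
    return out


if __name__ == "__main__":
    # Constructed stand-in for the start of Form_Load: push ebp / mov ebp,esp /
    # sub esp,0C followed by two nops. Not the challenge's real bytes.
    form_load = bytes.fromhex("558bec83ec0c9090")
    jmp = encode_jmp_rel32(0x00402590, 0x00402AD0)
    print("patch bytes:", jmp.hex())  # e93b050000
    # assumed layout: base 00400000, .text at RVA 1000, raw pointer 400
    print("file offset:", hex(va_to_file_offset(0x00402590, 0x00400000, 0x1000, 0x400)))
    # the 5-byte jump covers push ebp, mov ebp,esp and 2 of the 3 bytes of
    # sub esp,0C, so pad to 6 to NOP out the leftover byte
    print("patched    :", patch_bytes(form_load, 0, jmp, pad_to=6).hex())  # e93b050000909090
```

the displacement works out as 00402AD0 - (00402590 + 5) = 53B, stored little-endian, which is why the red line in OllyDbg is backed by the bytes E9 3B 05 00 00.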
Application challenge 5
this is a console app, so run it from a command prompt. you're asked to enter a password; it then says invalid password and exits.
open the app in ollydbg. we can find the actual program code fairly easily: press alt+e to open the Executable modules window, then double click the app5win entry in the list. you'll see it takes us to where we want to be.
a good place to start looking (and working out how the program works) in this case is at instructions where comparisons are being carried out, as we can say with some certainty that it has to check our password against something. we can insert a breakpoint on an instruction using f2 (see screenshot). for now, just put one at address 00401073.
hit f9 a couple of times to get the app running in ollydbg; you can now enter a password. we'll start with abcd. type it in and hit return. ollydbg will now pause the execution at the breakpoint.
the instruction at this address is CMP ECX,0A. this compares the contents of register ECX (look on the right hand side of ollydbg for the registers) with the hexadecimal value 0A.
the ECX register contains 0x61. if you're as sad as i am and can remember the hexadecimal ascii codes you'll know that 0x61 is lowercase a. coincidence? maybe. (if you have better things to do than memorise the ascii table, any ascii reference table will do.)
hit f9 in ollydbg and let it run again... no, it wasn't a coincidence: it's looking at each character of what we entered. the significance of 0A, newline, now becomes apparent; it's reading the password in a character at a time and looking for the newline at the end. so this part of the code handles reading in the entered password.
remove the breakpoint at 00401073 (f2 again) as we're done with that now. if you like you can right click and put a comment on the instructions as a reminder of what that part does.
put a breakpoint at 004010AE, CMP DWORD PTR SS:[EBP-20],0D. step through the code using f7 to reach the new breakpoint.
the registers part of ollydbg shows EAX and ESP containing 0018FF14, so what happened to the ascii codes? the instructions on the way to the new breakpoint have modified the registers.
if you look in the window below the registers (the dump) you'll see the contents of memory addresses. 0018FF14 is, in fact, a pointer to a memory location on the stack. if you look for 0018FF14 you can see it contains the codes for abcd, displayed as the dword 64636261: x86 is little-endian, so the lowest byte (61, a) sits at the lowest address and ollydbg's dword view reads right to left. the newline has been put into 0018FF18.
now restart the app from the Debug menu (or press ctrl+f2), then press f9 a couple of times to get it running. we can at this point try to determine the maximum password length by entering something very long, like the lowercase alphabet. look again at 0018FF14: the four dwords at 0018FF14, 0018FF18, 0018FF1C and 0018FF20 contain the start of the inputted password and the rest is nowhere to be seen, so it would appear that the maximum length of the password is 16 characters (4 dwords of 4 bytes each).

so then, what is happening at our new breakpoint? it is comparing the contents of the memory location referenced by EBP - 20 with the hexadecimal value 0D (13 decimal, the ascii carriage return). click on the View menu in ollydbg and select Watches. double click in the expression box and add the expression [EBP-20]. you can now see that EBP-20 points at 0018FF28. the result of the comparison at this point is false, so the branch below it is not taken and execution carries on down. you can use f7 to step through the code.
step to address 004010C3, CMP EAX,DWORD PTR SS:[EBP+EDX*4-18]. the instructions just before this one have copied the first four characters of the entered password into EAX so a comparison can be made between them and something else. create a new watch for [EBP+EDX*4-18]: you can see it has the value 65776F70.
in the registers window in ollydbg right click on EAX and choose Modify. put that value in... decoded little-endian like abcd above, it seems to correspond to some lowercase letters. by modifying EAX just before the comparison is made we make sure execution carries on to the next comparison instead of bailing out. keep stepping and you'll end up passing the breakpoint again; keep going until you get to 004010C3 again. now look at the evaluation of [EBP+EDX*4-18] in the watch window: it's changed (EDX has moved on to the next dword) and has given us the next four characters.
i think you can probably work out the rest for yourself ;)
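as an added example (python, not code from the original post or from HackThisSite), here is a model of what the loop around 004010C3 is doing: the 16-byte input buffer at EBP-20 is compared with the stored password one dword (four characters) at a time, indexed by EDX, and it stops at the first mismatch, which is exactly why forcing EAX to the watched value leaks one more dword per pass. the stored password used here is a constructed stand-in (not the challenge's), and the zero padding of the input buffer is an assumption; the real stack holds whatever was there before.

```python
# Added example, not code from the original post or from HackThisSite.
# Models the challenge 5 check: a 16-byte input buffer compared against the
# stored password four bytes at a time. STORED below is a constructed
# stand-in; the zero-filled padding of the buffer is an assumption.
import struct
from typing import List, Tuple

MAX_LEN = 16  # four dwords at 0018FF14, 0018FF18, 0018FF1C, 0018FF20


def dword_to_ascii(value: int) -> str:
    """Decode a DWORD as OllyDbg's dump shows it (64636261) into the bytes in memory ("abcd").

    x86 is little-endian: the lowest byte is stored first, so the dump reads
    right to left.
    """
    return struct.pack("<I", value).decode("ascii")


def read_password(line: str) -> bytes:
    """Mimic the reading loop at 00401073: take characters up to the newline, at most MAX_LEN."""
    text = line.split("\n", 1)[0]
    return text.encode("ascii")[:MAX_LEN]


def input_dwords(line: str) -> List[int]:
    """The four dwords the program sees at EBP-20 .. EBP-14 after reading line."""
    buf = read_password(line).ljust(MAX_LEN, b"\0")  # assumption: unused bytes are zero
    return list(struct.unpack("<4I", buf))


def compare_loop(line: str, stored: List[int]) -> Tuple[bool, int]:
    """Model of CMP EAX,[EBP+EDX*4-18] executed in a loop over EDX.

    Returns (accepted, edx) where edx is the index of the first dword that
    differed, or -1 if all four matched. Because it bails out at the first
    mismatch, each pass with EAX forced to the watched value reveals exactly
    one more dword of the stored password.
    """
    for edx, (eax, want) in enumerate(zip(input_dwords(line), stored)):
        if eax != want:
            return False, edx
    return True, -1


def recover_password(stored: List[int]) -> str:
    """Join the watch values collected on each pass ([EBP+EDX*4-18]) into the password."""
    return "".join(dword_to_ascii(d) for d in stored).rstrip("\0")


if __name__ == "__main__":
    STORED = input_dwords("stand_in_secret!\n")  # constructed stand-in, not the real password
    print([hex(d) for d in input_dwords("abcd\n")])  # ['0x64636261', '0x0', '0x0', '0x0']
    print(compare_loop("abcd\n", STORED))  # (False, 0)
    print(compare_loop("stand_in_XXXXXX!\n", STORED))  # (False, 2)
    print(recover_password(STORED))  # stand_in_secret!
```

dword_to_ascii is the bit you use at the debugger: feed it the value the watch shows and you get the four characters in the order they appear in the password, without having to reverse the bytes in your head.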
Application challenge 6
this one is pretty much the same as 5; i just found it took a bit longer to locate the relevant parts of the code.