
Does anyone know how to use IDA Pro? I have to decompile a simple program to find the password, but I'm not entirely sure how to proceed.

PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.

https://linustechtips.com/topic/775788-decompiling-a-program-with-ida-pro/

The first bit is it disassembles a program. It's almost impossible to decompile a program unless the debug symbols were kept, which I'm going to assume were not.

 

The second part is to figure out what architecture it was originally written in. Or, at the very least, start poking at various places to see if there's something that looks like a string of characters. Assuming it's not some weird password and the author wasn't trying to be a jerk, you could safely assume that it would be a string of characters that can be typed on a keyboard.

 

If the debug symbols were kept, then the job is a whole lot easier.


9 minutes ago, M.Yurizaki said:

The first bit is it disassembles a program. It's almost impossible to decompile a program unless the debug symbols were kept, which I'm going to assume were not.

 

The second part is to figure out what architecture it was originally written in. Or, at the very least, start poking at various places to see if there's something that looks like a string of characters. Assuming it's not some weird password and the author wasn't trying to be a jerk, you could safely assume that it would be a string of characters that can be typed on a keyboard.

 

If the debug symbols were kept, then the job is a whole lot easier.

It's a simple command line program that asks for you to input the password and then either says it's correct or incorrect. Presumably it's not meant to be a challenging assignment.

 

I was looking at the assembly and there's a call to a function that prompts the user, then a call to process the input, then a jnz instruction, so I originally assumed that whatever the jnz was responding to (the cmp instruction immediately above it comparing eax) would hold the value I was looking for. 

cWdMPPw.png

Valiant.exe


You may also find out that the application doesn't store the password anywhere.

 

For example, the application may take your string (the password), do some mathematical operations using it, and then compare the result with a number or a bunch of numbers stored in the application.

 

For example, let's say you give each letter in the English alphabet a number: A is 65, B is 66, C is 67 and so on. Then your application could add all the characters together but ignore every 3rd character, then divide by the number of characters in the password, then multiply that number with itself, and there's your secret number.

 

Once you figure out that internal number and what operations the application does every time on the password entered, you can make keygens... you can pick any characters and any number of characters, as long as those mathematical operations on the final string will produce that secret number.

 


4 minutes ago, mariushm said:

You may also find out that the application doesn't store the password anywhere.

 

For example, the application may take your string (the password), do some mathematical operations using it, and then compare the result with a number or a bunch of numbers stored in the application.

 

For example, let's say you give each letter in the English alphabet a number: A is 65, B is 66, C is 67 and so on. Then your application could add all the characters together but ignore every 3rd character, then divide by the number of characters in the password, then multiply that number with itself, and there's your secret number.

 

Once you figure out that internal number and what operations the application does every time on the password entered, you can make keygens... you can pick any characters and any number of characters, as long as those mathematical operations on the final string will produce that secret number.

 

I'm almost positive it uses a set password. 


Look at what happens in those calls between Processing and "Nice monkey suit".

Those "subs" have code which may do stuff on your character buffer (the array of characters entered above Processing and read using fgets) and return the result in a variable, which is then compared to that number 0CFD etc.

You can see there's a CMP eax, that number... the subs that were called above may put some data in that eax register, and that data may be generated based on the text you enter from the keyboard.
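To make the two posts above concrete (the "secret number" scheme mariushm describes, and the `call sub ; cmp eax, imm ; jnz` shape he points at in the screenshot), here is an added example. It is not code from the thread and not Valiant.exe; the checksum rule follows the post's description, and the secret number 2401, the 64-byte buffer and the candidate strings are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/*
 * Added example, not code from the thread and not Valiant.exe: a toy
 * password gate built the way mariushm describes. The checksum rule and the
 * secret number are constructed for illustration only.
 */

/* The "sub" the disassembly calls right before the CMP. It walks the buffer
 * that fgets filled and boils it down to one 32-bit value, which the caller
 * sees in EAX. Rule (from the post): add the character codes but skip every
 * 3rd character, divide by the length, square the result. */
uint32_t weak_secret(const char *pw)
{
    size_t len = strlen(pw);
    if (len == 0)
        return 0;
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        if ((i + 1) % 3 == 0)          /* positions 3, 6, 9, ... are ignored */
            continue;
        sum += (unsigned char)pw[i];   /* 'A' == 65, 'B' == 66, ... */
    }
    uint32_t avg = sum / (uint32_t)len; /* integer division drops the remainder */
    return avg * avg;
}

/* The only thing the binary stores: weak_secret("ABCD") == 2401 (constructed).
 * "ABCD" itself appears nowhere in the program, which is why a strings
 * search finds nothing. */
#define SECRET_NUMBER 2401u

/* This is the `call sub ; cmp eax, imm32 ; jnz wrong` shape from the
 * screenshot: one subroutine result checked against one immediate. */
int check_password(const char *pw)
{
    return weak_secret(pw) == SECRET_NUMBER;
}

/* Count how many strings in a candidate list pass the gate. Every one that
 * passes without being the original password is a collision: the check
 * verifies the number, not the password. */
size_t count_accepted(const char *const *candidates, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        accepted += check_password(candidates[i]) ? 1 : 0;
    return accepted;
}

int main(void)
{
    char buf[64];
    printf("Processing...\nEnter the password: ");
    if (!fgets(buf, sizeof buf, stdin))
        return 1;
    buf[strcspn(buf, "\r\n")] = '\0';    /* drop the newline fgets keeps */
    puts(check_password(buf) ? "Correct" : "Incorrect");
    return 0;
}
```

Two things are visible once it is laid out this way. First, the skipped character and the integer division mean "ABZD", "AACD" and "BBCC" all produce 2401, so the gate accepts strings that were never the password; that is the keygen point in the post, and also the reason a checksum like this is not a credential check. Second, the only constant the binary has to carry is the immediate in the `cmp`, which is exactly why the OP cannot find a password string anywhere.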

 


8 minutes ago, mariushm said:

Look at what happens in those calls between Processing and "Nice monkey suit".

Those "subs" have code which may do stuff on your character buffer (the array of characters entered above Processing and read using fgets) and return the result in a variable, which is then compared to that number 0CFD etc.

You can see there's a CMP eax, that number... the subs that were called above may put some data in that eax register, and that data may be generated based on the text you enter from the keyboard.

 

I've been looking over those three sections, but nothing pops out at me. I don't have much experience with x86. 

 


@mariushm @M.Yurizaki I've been staring at this for a couple of hours now and I'm still not sure where to go from here. Normally I would just go to office hours and get help from a TA, but I'm taking classes remotely this semester. So, any ideas that I could/should try? I don't think this is supposed to be that complicated, since it's supposed to be just a short hour~ lab section.


If the password is hard coded, it should be in the program somewhere. Not really in any of the subroutines. It might be a label.

 

Otherwise you'll have to find a subroutine that appears to be comparing two locations using indirect addressing and doing some branching back.
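The first half of this post, "if the password is hard coded, it should be in the program somewhere", is what IDA's Strings window and the `strings` tool rely on. The following added example, which is not from the thread and not from Valiant.exe, implements that scan over a constructed stand-in for a data section: the prompt text, a placeholder plaintext password and the 4-byte compare immediate are all made up here, to show which of them the scan recovers and which it cannot.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not from the thread and not from Valiant.exe: the scan that
 * a Strings window (or the `strings` tool) performs, over a constructed
 * stand-in for a data section. Every byte in FAKE_DATA is made up here.
 */
static const unsigned char FAKE_DATA[] =
    "\x55\x8b\xec"                 /* a few opcode-looking bytes */
    "Enter the password: "         /* prompt text, NUL-terminated below */
    "\0"
    "example-hardcoded-pw"         /* placeholder plaintext: this WILL show up */
    "\0"
    "\x1c\xa6\xd0\xcf"             /* a 4-byte compare immediate: this will not */
    "Correct\0Incorrect\0";

typedef struct {
    size_t offset;                 /* where the run starts in the buffer */
    size_t len;                    /* number of printable bytes */
} run_t;

/* Find every run of at least min_len printable ASCII bytes (0x20..0x7e).
 * Returns the total number of runs; up to max_out of them are written to out
 * (pass out == NULL, max_out == 0 to only count). */
size_t find_strings(const unsigned char *buf, size_t n, size_t min_len,
                    run_t *out, size_t max_out)
{
    size_t found = 0, start = 0;
    for (size_t i = 0; i <= n; i++) {
        int printable = i < n && buf[i] >= 0x20 && buf[i] < 0x7f;
        if (printable)
            continue;              /* still inside a run */
        if (i - start >= min_len) {
            if (found < max_out) {
                out[found].offset = start;
                out[found].len = i - start;
            }
            found++;
        }
        start = i + 1;             /* the next run can begin after this byte */
    }
    return found;
}

/* True if `needle` occurs as a complete printable run in the buffer. A
 * hard-coded plaintext password is one of these runs; a hashed or
 * checksummed value is a few arbitrary bytes and never is. */
int contains_string(const unsigned char *buf, size_t n, const char *needle)
{
    run_t runs[64];
    size_t cnt = find_strings(buf, n, 4, runs, 64);
    if (cnt > 64)
        cnt = 64;
    size_t want = strlen(needle);
    for (size_t k = 0; k < cnt; k++)
        if (runs[k].len == want && memcmp(buf + runs[k].offset, needle, want) == 0)
            return 1;
    return 0;
}

int main(void)
{
    run_t runs[64];
    size_t cnt = find_strings(FAKE_DATA, sizeof FAKE_DATA, 4, runs, 64);
    for (size_t k = 0; k < cnt && k < 64; k++)
        printf("%06zx  %.*s\n", runs[k].offset, (int)runs[k].len,
               (const char *)FAKE_DATA + runs[k].offset);
    return 0;
}
```

Run stand-alone it lists the prompt, the placeholder password and the two result messages, and nothing for the compare immediate. That asymmetry is the whole of the OP's situation: when the only secret-related bytes in a binary are an immediate in a `cmp`, the strings listing gives you the prompts and messages around the check but not the value being checked, and the second half of the post (look for the compare loop, or the subroutine feeding the compare) is the only route left.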


2 minutes ago, M.Yurizaki said:

If the password is hard coded, it should be in the program somewhere. Not really in any of the subroutines. It might be a label.

 

Otherwise you'll have to find a subroutine that appears to be comparing two locations using indirect addressing and doing some branching back.

There are multiple calls to other subroutines (that I posted in the screenshots above), so it might not be hardcoded directly, but I think it takes the input, manipulates it and then compares it to a hard coded value (0CFD0A61Ch), but I can't figure out the manipulation part of it or how to reverse it. 


@M.Yurizaki @mariushm

 

I know this may be a lot, but would either of you be willing to decompile the program and take a look at it? I've been looking at it over the last couple of days and I must be missing something painfully obvious.


14 minutes ago, Dat Guy said:

If you've never worked with IDA Pro before, you might or might not be interested in starting with a free alternative first:

http://x64dbg.com/

 

Awesome IMO.

IDA Pro has a free trial, but if you have experience in decompiling would you be willing to take a look at the executable? I've been struggling with it for the past few days, and like I said in an earlier post, I'm pretty sure this is supposed to be a pretty straightforward assignment that's not supposed to take more than a couple hours. 


bump


1 hour ago, M.Yurizaki said:

How hard would it be to dump the disassembly into pastebin or similar?

HTML work? I can copy it into a pastebin if that's better for you. 

valiantdump.html


Just now, M.Yurizaki said:

I'd prefer pastebin.

https://pastebin.com/hfaujhp4


Cannot confirm if I decompiled it correctly or not though, as I only deal with high level languages that don't require obfuscation via compilers.

It's not the course code either - just a decompiled interpretation of what the source code might look like in C or python.

Also, a lot of functions seem to be unreachable from only having Valiant.exe too, so not everything will be there.

 

C - https://pastebin.com/SKBfuTUa

Python - https://pastebin.com/arMFTi3y

 

From what I can see, the password is NOT hardcoded into the application in plain text or even using simplistic obfuscation.

There's probably a lot of calculations going on and a comparison against a known value when checking the plaintext password.

Desktop: KiRaShi-Intel-2022 (i5-12600K, 5060 Ti) Mobile: Moto Razr 50 Ultra (Razr+ 2024) | 30GB CAN+US+MEX $30/month
Laptop: Lenovo Yoga 7i (16") 82UF0015US (i7-12700H, 16GB/2TB RAM/SSD, A370M GPU) Tablet: Lenovo Tab Plus (256GB)
Camera: Canon M6 Mark II | Canon Rebel T1i (500D) | Canon SX280 Music: Spotify Premium (CIRCA '08)


5 minutes ago, kirashi said:

Cannot confirm if I decompiled it correctly or not though, as I only deal with high level languages that don't require obfuscation via compilers.

It's not the course code either - just a decompiled interpretation of what the source code might look like in C or python.

Also, a lot of functions seem to be unreachable from only having Valiant.exe too, so not everything will be there.

 

C - https://pastebin.com/SKBfuTUa

Python - https://pastebin.com/arMFTi3y

 

From what I can see, the password is NOT hardcoded into the application in plain text or even using simplistic obfuscation.

There's probably a lot of calculations going on and a comparison against a known value when checking the plaintext password.

I tried running the program in IDA Pro's debugger and looking at the registers to try and figure it out, but I just don't know what I should be looking for, and nothing stood out to me as being useful in any way.


3 minutes ago, djdwosk97 said:

I tried running the program in IDA Pro's debugger and looking at the registers to try and figure it out, but I just don't know what I should be looking for, and nothing stood out to me as being useful in any way.

Appears to be A LOT of bit-shifting going on. In other news, has anyone seen Who Framed Roger Rabbit? :D 


7 minutes ago, kirashi said:

Appears to be A LOT of bit-shifting going on. In other news, has anyone seen Who Framed Roger Rabbit? :D 

About a decade ago.


@M.Yurizaki @kirashi

 

Yeah... so I was waaaaaay overthinking it. The password is "Walt sent me." I assumed I was supposed to find the password somewhere in the code... or in a register... or have to reverse the calculations... but no.


Just now, djdwosk97 said:

@M.Yurizaki @kirashi

 

Yeah... so I was waaaaaay overthinking it. The password is "Walt sent me." I assumed I was supposed to find the password somewhere in the code... or in a register... or have to reverse the calculations... but no.

This is why programmers should NEVER use any real-world references in their strings. :D Now you get to figure out how the program does the comparison.

