x86 Assembly, Array of Pointer

Dear Friends,

I would like to write about array of pointer in assembly so that you can idea during reversing the code.

I have simple application like below, it will retrieve a pointer from array that point to a string of month. I will pick array no 1 where it will return February.

When translated to assembly, it will be like below

main function
get_month function

We can see from the above image that in the get_month function the passed parameter is stored in eax. In order to get the element of the array, the application will use __data_start__[eax*4]. why eax shall be multiplied by 4? Because this is array of pointer where each pointer has been aligned to 4 bytes element. Element of array is accessed via its first element and multiplied with the size of each element.

x86 Assembly: Crack Challenge 1, Dynamic Analyses 2

Dear Brother,

In this post, I will continue to write about the debuging to analyze the application dynamically with IDA

We will continue to analyze the 4 and 5 condition in the appliation. Here is the static analyses from the application

Lets set break point to check the result

Lets input the application using the value below

We can see that below, the value of returned char at indext 0B = 11 is equal to 20h since it is the same for both value (jnz) then it will go down

The nex condition is checking about the element no 8 shall be ‘.’ so by inputing the correct value then it will goes to the next condition

So we can conclude that up to condition no 5 is the key would be like Y1234567.90 2345

x86 Assembly: Crack Challenge 1, Dynamic Analyses

Dear Friends,

I would like write tutorial on how to do simple dynamic analyses with IDA. I will use the same executable like the previous post where we will do debugging on the first 3 condition or check

Lets go, first we have to set break point at the first check and run the application

I only entered 5 char into the input. We can see that the Get_Array_Size return value that is stored in eax is equal to 5

Based on the condition that the application key shall be 16 chars so that with only 5 keys then the application will direct you to Go_To_Wrong_Key section

Lets move to the next condition and put the break point to it

let input this value Y123456789012345 to comply 16 char

If we hover our mouse to byte ptr [eax] then we can see that the input value from the application as the picture shown above. the command cmp byte ptr [eax], 40h means it will compare the first char of the array is more that 64 where Y is 89 in decimal.

additionaly, we can see that byte ptr [eax] is pointing to memory 00BB2FDC, we can go jump there by two ways which are

By using ‘g’ shortcut and put the memory that we want to inspect which is 00BB2FDC and press enter to OK

or the second way

You will be directed to the memory address that will look like below

I would also like to inform you that IDA has capability to define series of memory to become string so that it is easier to read by selecting the memory address then right click or press A to make it as string

and become like

as the default, IDA will give it a variable name with the current value on it aY1234567890123 where you can rename it to a meaningful name for you by pressing n

OK Next is to go to the third condition

Here the check is to ensure that the first char is less than Z or 90

So now we can actually imagine the key would be like this Y***************

OK, I will post another program flow and check in the next post

x86 Assembly: Crack Challenge 1, Make your code readable

Dear All,

Today I am going to write about how to do dynamic analyses of our keygen challenge with IDA Pro. In order to make you easier to do the dynamic analyses, you should change variable/function name and add line comments so that it will be more descriptive.

You can use ‘n’ button on the function or varibale name to rename them like the image below

I would change the call __ZNKSs4sizeEv to Get_Array_Size

in order to give comment to your code, you can use ‘;’ and put your description for the line that you want to comment

If you are using Ghidra to reverse, It has the same capabilities like IDA to rename and make comment using different button ‘l’ to rename function or variable name

It is important step to be done prior your dynamic analyses in order to make it easier to read and remember

here is below for the 3 first check

Check No 1
Check No 2
Check No 3

So what does this mean ? Based on the above condition, Our array lenght must be 16 chars and the first char shall be between 64 to 90 in decimal

x86 Assembly: Crack Challenge 1

Dear Friends,

I would like to write a walkthrough of challege so that we can practice the reverse engineering more detail.

I have downloaded an application from crackme.one but you can download it here https://github.com/rioasmara/wordpress/raw/master/keyme.exe

This application is actually a simple DOS application that is asking you to input series of key and check it with its internal calculation and will give you a congratulation if the answer is correct

First load the application to IDA Pro and see what is the flow and behaviour of this application

Since it is keygen like application then you need to understand hex to ascii convertion table as below or you can access https://www.garykessler.net/library/ascii.html

First we can check what is the the calculation logic happen

The above code will check that the char that we input shall enqual to 16 chars. it use std::string::size() to return the size of array. the code cmp eax, 10h is comparing the size of array that returned from string::size in eax. 10h is equal to 16

Here whenever the user input the key into the application the first check that we need to pass is the condition that check our input less than @ or 64 because it use jle comparation. there you can see the command cmp byte ptr [eax], 40h jle loc_4015FA .Now you must be asking what is the char that it compare to. it will try to extract a char from the array using command __ZNSsixEj std::string::operator[](uint) where it requires two input which are the index and the array.

Based on the above command, it needs to push 0 and the array to the function so that we can conclude that it will get the char that sit on the index 0 and return it.

The second check that it check is the value of char in the first array which is index 0 shall greater than Z because it use the jg comparation

We can see the above two blocks of codes are basically checking the other char in the array. first it will ensure that at array index no. 0Bh = 11 is actually “.” and check another index that is no 8 the where key shall be “space” = 2Eh

OK thats is all the first 2 checks happen in the application. I will continue to check the code in the next posts.

x86 Assembly : Reference Variable

I would like to continue on how to get return result from a function call by using reference variable pass. We can pass variable to the function that accept the memory pointer of a variable that will look like void function (int * pVariable) in this case function will receive passing variable of pointer to int variable.

Let see the C code below, We are passing 2 integers and 1 pointer to integer. we will return the value of a + b in variable c

Here is the assembly code, We can see that passing variable using reference is translated to the assembly code where passing the memory address of the varible using lea (load effective address)

we can see that varible passed to the _calculate function for c variable that it will execute lea eax, [esp+28] where it loads the passedResult variable memory address.

We can see the in the above variable, Variable C is actually pointing to the address of passedResult 0x60FEFC. We can see in the below image after the it executes the highlighted codes then the result in edx is passed to the address that C hold –> mov [eax], edx. You ca see varible in the Locals windows that is now C variable has value 5

So we can differentiate passing reference and passing object to a function where passing reference will use lea to load the effective address and passing object will just use move statement as normal assignment.

x86 Assembly function return variable

Dear Friends,

Today I am going to continue writing about assembly related to function return. So basically whenever you call a function and you can expect return value which maybe returning a value from function internal process.

A function by its nature can only return one variable but if you require to return more than one variable then you should pass reference variable that link to the variable in the function caller

Lets do check return value using 1 variable. the C code will be like below

Let check the assembly code below

Main Function
Calculate Function

Following the standard convention that every return variable will be stored in EAX so that we can see that in the calclate function there is statement add eax, edx which as you know that the result of that statement will be store in the left variable where it is EAX.

We also check after the function call the next operation is to assign return value to the new varibale in main function that directly use EAX where the complete statement is mov [esp+1Ch], eax.

Lets prove it with debuger. We can see the value of EAX is now 5 where it is from 2+3. this is EAX value in calculate function

Lets check the EAX value after it return to the main function. Yes we can see EAX has values 5.

So that is it. By the standard of assembly language the return variable for function will be assigned to EAX.

I will explain the return using passing variable with reference