RE challenges - .:: HVAOnline ::.

1858:0100 B90300 MOV CX,0003 1858:0103 E81C00 CALL 0122 ; gọi đoạn mã tại 0122, đoạn mã này tăng AX lên 1 đơn vị 1858:0106 E2FB LOOP 0103 ; lặp lại, tổng cộng 3 lần (do CX=3), sau khi kết thúc AX=3 1858:0108 50 PUSH AX ; PUSH AX vào stack mà không có POP (như bạn mfeng đã nói ở trên) 1858:0109 41 INC CX ; -> CX=1 1858:010A 41 INC CX : -> CX=2 1858:010B 41 INC CX ; -> CX=3 1858:010C E81700 CALL 0126 ; gọi đoạn mã in chuỗi "Cool Hacker!" ra màn hình 1858:010F E2FB LOOP 010C ; lặp lại, tổng cộng 3 lần (do CX=3) 1858:0111 CD20 INT 20 1858:0113 43 INC BX 1858:0114 6F DB 6F 1858:0115 6F DB 6F 1858:0116 6C DB 6C 1858:0117 204861 AND [BX+SI+61],CL 1858:011A 63 DB 63 1858:011B 6B DB 6B 1858:011C 65 DB 65 1858:011D 7221 JB 0140 1858:011F 0D0A24 OR AX,240A 1858:0122 83C001 ADD AX,+01 1858:0125 C3 RET 1858:0126 B409 MOV AH,09 1858:0128 BA1301 MOV DX,0113 1858:012B CD21 INT 21 1858:012D C3 RET

Load target vô IDA: seg000:0100 start proc near seg000:0100 mov cx, 3 seg000:0103 seg000:0103 loc_10103: ; CODE XREF: start+6j seg000:0103 call sub_10122 ; tăng ax lên 1 seg000:0106 loop loc_10103 seg000:0108 push ax seg000:0109 inc cx seg000:010A inc cx seg000:010B inc cx seg000:010C ; tới đây cx sẽ chứa số lần in ra string, tìm cách để tới đây cx = 5 seg000:010C @@LoopPrint: seg000:010C call sub_10126 seg000:010F loop @@LoopPrint seg000:0111 int 20h seg000:0111 start endp

00401013  |. 68 D0204000    PUSH hehehe.004020D0                     ; /format = "Enter login:"
00401018  |. FF15 98204000  CALL DWORD PTR DS:[<&MSVCR80.printf>]    ; \printf
0040101E  |. 83C4 04        ADD ESP,4
00401021  |. FF15 9C204000  CALL DWORD PTR DS:[<&MSVCR80.__iob_func>>;  MSVCR80.__p__iob
00401027  |. 50             PUSH EAX                                 ; /stream
00401028  |. 68 00010000    PUSH 100                                 ; |n = 100 (256.)
0040102D  |. 8D85 F8FDFFFF  LEA EAX,DWORD PTR SS:[EBP-208]           ; |
00401033  |. 50             PUSH EAX                                 ; |s
00401034  |. FF15 A0204000  CALL DWORD PTR DS:[<&MSVCR80.fgets>]     ; \fgets
0040103A  |. 83C4 0C        ADD ESP,0C
0040103D  |. 68 E0204000    PUSH hehehe.004020E0                     ; /format = "Enter password:"
00401042  |. FF15 98204000  CALL DWORD PTR DS:[<&MSVCR80.printf>]    ; \printf
00401048  |. 83C4 04        ADD ESP,4
0040104B  |. FF15 9C204000  CALL DWORD PTR DS:[<&MSVCR80.__iob_func>>;  MSVCR80.__p__iob
00401051  |. 50             PUSH EAX                                 ; /stream
00401052  |. 68 00010000    PUSH 100                                 ; |n = 100 (256.)
00401057  |. 8D8D F8FEFFFF  LEA ECX,DWORD PTR SS:[EBP-108]           ; |
0040105D  |. 51             PUSH ECX                                 ; |s
0040105E  |. FF15 A0204000  CALL DWORD PTR DS:[<&MSVCR80.fgets>]     ; \fgets
00401064  |. 83C4 0C        ADD ESP,0C
00401067  |. 8D95 F8FDFFFF  LEA EDX,DWORD PTR SS:[EBP-208]
0040106D  |. 52             PUSH EDX                                 ; /s2
0040106E  |. 68 00404000    PUSH hehehe.00404000                     ; |s1 = "reversing
"
00401073  |. E8 B8000000    CALL <JMP.&MSVCR80.strcmp>               ; \strcmp
00401078  |. 83C4 08        ADD ESP,8
0040107B  |. 85C0           TEST EAX,EAX
0040107D  |. 0F85 89000000  JNZ hehehe.0040110C
00401083  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
0040108A  |. EB 09          JMP SHORT hehehe.00401095
0040108C  |> 8B45 FC        /MOV EAX,DWORD PTR SS:[EBP-4]
0040108F  |. 83C0 01        |ADD EAX,1
00401092  |. 8945 FC        |MOV DWORD PTR SS:[EBP-4],EAX
00401095  |> 8D8D F8FEFFFF   LEA ECX,DWORD PTR SS:[EBP-108]
0040109B  |. 51             |PUSH ECX                                ; /s
0040109C  |. E8 89000000    |CALL <JMP.&MSVCR80.strlen>              ; \strlen
004010A1  |. 83C4 04        |ADD ESP,4
004010A4  |. 83E8 01        |SUB EAX,1
004010A7  |. 3945 FC        |CMP DWORD PTR SS:[EBP-4],EAX
004010AA  |. 73 1D          |JNB SHORT hehehe.004010C9
004010AC  |. 8B55 FC        |MOV EDX,DWORD PTR SS:[EBP-4]
004010AF  |. 0FBE8415 F8FEF>|MOVSX EAX,BYTE PTR SS:[EBP+EDX-108]
004010B7  |. 83F0 05        |XOR EAX,5
004010BA  |. 83E8 08        |SUB EAX,8
004010BD  |. 8B4D FC        |MOV ECX,DWORD PTR SS:[EBP-4]
004010C0  |. 88840D F8FEFFF>|MOV BYTE PTR SS:[EBP+ECX-108],AL
004010C7  |.^EB C3          \JMP SHORT hehehe.0040108C
004010C9  |> 8D95 F8FEFFFF  LEA EDX,DWORD PTR SS:[EBP-108]
004010CF  |. 52             PUSH EDX                                 ; /s2
004010D0  |. 68 00504000    PUSH hehehe.00405000                     ; |s1 = "showme
"
004010D5  |. E8 56000000    CALL <JMP.&MSVCR80.strcmp>               ; \strcmp
004010DA  |. 83C4 08        ADD ESP,8
004010DD  |. 85C0           TEST EAX,EAX
004010DF  |. 75 2B          JNZ SHORT hehehe.0040110C
004010E1  |. 68 00504000    PUSH hehehe.00405000                     ; /s2 = "showme
"
004010E6  |. 68 00404000    PUSH hehehe.00404000                     ; |s1 = "reversing
"
004010EB  |. E8 40000000    CALL <JMP.&MSVCR80.strcmp>               ; \strcmp
004010F0  |. 83C4 08        ADD ESP,8
004010F3  |. 85C0           TEST EAX,EAX
004010F5  |. 74 15          JE SHORT hehehe.0040110C
004010F7  |. 68 F0204000    PUSH hehehe.004020F0                     ; /format = "
Yees... You are cOOl HaCker!!!

"
004010FC  |. FF15 98204000  CALL DWORD PTR DS:[<&MSVCR80.printf>]    ; \printf
00401102  |. 83C4 04        ADD ESP,4
00401105  |. B8 01000000    MOV EAX,1
0040110A  |. EB 10          JMP SHORT hehehe.0040111C
0040110C  |> 68 14214000    PUSH hehehe.00402114                     ; /format = "
He he he. You are Lamer!

"
00401111  |. FF15 98204000  CALL DWORD PTR DS:[<&MSVCR80.printf>]    ; \printf
00401117  |. 83C4 04        ADD ESP,4
0040111A  |. 33C0           XOR EAX,EAX
0040111C  |> 8B4D F8        MOV ECX,DWORD PTR SS:[EBP-8]
0040111F  |. 33CD           XOR ECX,EBP
00401121  |. E8 10000000    CALL hehehe.00401136
00401126  |. 8BE5           MOV ESP,EBP
00401128  |. 5D             POP EBP
00401129  \. C3             RETN

Users currently in here

1 Anonymous