Recently I’ve been reading Programming from the Ground Up by Jonathan Bartlett to begin my journey into reverse engineering and malware analysis. After spending a bit of time on this book I was very interested in seeing my new knowledge at work. So I took to hackthebox and found the perfect task. Under Reversing I found, Find The Easy pass.
After a bit of research I discovered Immunity Debugger which is a fantastic Windows tool that utilizes python 2.7 and made this mission a breeze. Below I will be documenting my experience with the software and the steps I took to solving the mission.
Firstly, I prepared my workstation by installing Immunity Debugger and python 2.7 which it requires. Then came downloading the EasyPass.zip from hackthebox which I then extracted the EasyPass.exe to my desktop for easy access. The password for the extraction was the basic default password “hackthebox”. After this I simply ran the EasyPass.exe and checked to see what the program actually did. I soon discovered that it simply prompts for a password and if you put the wrong password you will get a “Wrong Password!” alert as shown below.
Opening Immunity Debugger I went to file -> open and then selected the EasyPass.exe to run the code through the decompiler for deeper analysis.
All we really have so far is the alert that we get from inputting a wrong password. So let’s do a search for this string and see where it is occurring. To do this we will run the debugger by simply clicking on the run button or “f9” or going to debug -> run.
Now we want to search for strings so we will right click in the black-space and select search for -> all referenced text strings. Here we can see all strings referenced discovered by the debugger. In order to search this query for a specific string we can simply right click and select search for text here type in “Wrong Password” and hit enter. This should highlight the discovered string similar to my example below.
Here we also discover what may possibly occur when the correct password is entered “Good Job. Congratulations”. Let’s look deeper into the newly discovered string.
Right click and select Follow in Disassembler on that string. Here we can see the Assembly behind this string. Analyze the assembly code around it and think of how we can further understand what exactly is going on here.
Looking around we see the two possible outcomes of the input which are two MOV operations. We also see a jump operation JNZ so let’s see what happens if we follow this operation. Right click and hit follow and it will bring you to the “Wrong Password” MOV operation.
We also see the CALL operation on EasyPass.00404628 so let’s put a breakpoint here as we can determine this CALL operation is likely where the program determines if the password is right or wrong. You can set a breakpoint by selecting the line and pressing “f2” or by right clicking an toggling breakpoint.
Now run the debugger until the program appears and watch what happens under “Registers (FPU)” on Immunity when you type in a password. When I entered “password” I got the following result.
From here we can determine that our input is being inserted into the register EAX and is then being compared to the register EDX. Trying the password “fortran!” results in a “Good Job” alert. Therefore we have successfully completed the mission.
For further understanding we can select “Follow” on the CALL operation we set the breakpoint at and view exactly what this function is doing.
We see that our input is in the EAX register and we can now see that it is being compared to the EDX register using the CMP operator. This is exactly what we predicted earlier. We can then follow the different jump operators and check that the logic matches the outcome. For example the JE operator after the CMP will jump if EAX and EDX are equal. Following the JE operator we see it brings us to the end of the function as we would expect.