I’ll jump to challenge #30, the #29 is an obfuscated one, and I’ll need more time to work on that. The #30 is a simple one and is in the format of finding the password. For the disassembly of this program I’ll use Ida, from the one I’ve tried is honestly the more user-friendly.

Analysis

Let’s analyze the main thread only, here is the code associated with it

; int __cdecl main(int, char **, char **)
main            proc near               ; DATA XREF: start+17↑o
; __unwind {
                push    ebp
                mov     ebp, esp
                and     esp, 0FFFFFFF0h
                sub     esp, 0A0h
                mov     eax, large gs:14h
                mov     [esp+9Ch], eax
                xor     eax, eax
                mov     dword ptr [esp], offset aEnterPassword ; "enter password:" 1st argument, only one argument it's required
                call    _puts

                lea     eax, [esp+1Ch]
                mov     [esp+4], eax
                mov     dword ptr [esp], offset aS ; "%s"
                call    ___isoc99_scanf

                cmp     eax, 1 ;; number of items successfully matched
                jz      short loc_8048539

                mov     dword ptr [esp], offset aNoPasswordSupp ; "no password supplied"
                call    _puts

loc_8048539:                            ; CODE XREF: main+3E↑j
                mov     dword ptr [esp+4], offset aMetallica ; "metallica"
                lea     eax, [esp+1Ch]
                mov     [esp], eax
                call    _strcmp

                test    eax, eax
                jnz     short loc_804855F ;; INCORRECT PASSWORD PRINT IT

                mov     dword ptr [esp], offset aPasswordIsCorr ; "password is correct"
                call    _puts
                jmp     short loc_804856B
; ---------------------------------------------------------------------------

loc_804855F:                            ; CODE XREF: main+62↑j
                mov     dword ptr [esp], offset aPasswordIsNotC ; "password is not correct"
                call    _puts

loc_804856B:                            ; CODE XREF: main+70↑j
                mov     edx, [esp+9Ch]
                xor     edx, large gs:14h
                jz      short locret_8048580
                call    ___stack_chk_fail

locret_8048580:                         ; CODE XREF: main+8C↑j
                leave
                retn
; } // starts at 80484ED
main            endp

In this code we have first a call to puts printing the text enter password:, we know that is this text thanks to Ida. What follows after that it’s a call to scanf, for waiting for the input of the password. Nothing too hard here, so we need to look for the part of the code that validate this password. Right after the call to scanf we have the following code

                lea     eax, [esp+1Ch]
                mov     [esp+4], eax
                mov     dword ptr [esp], offset aS ; "%s"
                call    ___isoc99_scanf

                cmp     eax, 1 ;; number of items successfully matched
                jz      short loc_8048539

After the call to scanf we check if the user supplied something, in positive case we jump to loc_8048539, that is where our validation it’s present. Let’s see how this password it’s validated.

loc_8048539:                            ; CODE XREF: main+3E↑j
                mov     dword ptr [esp+4], offset aMetallica ; "metallica"
                lea     eax, [esp+1Ch]
                mov     [esp], eax
                call    _strcmp

                test    eax, eax
                jnz     short loc_804855F ;; INCORRECT PASSWORD PRINT IT

                mov     dword ptr [esp], offset aPasswordIsCorr ; "password is correct"
                call    _puts
                jmp     short loc_804856B

Easy! We have a comparison with strcmp to the text metallica, seems Denis is a fan of Metallica, and the printing of the text password is correct.

That’s it.

Conclusion

I’m becoming better at this, some progress.