Help with understanding ror to determine password

Post by Taken17 »

Hi,

I'm working on a class assignment and I'm trying to understand the ror (rotate right) argument. Also, am I correct in thinking that eax is the user input and is being compared against ebx, which means ebx is holding the correct password? I would appreciate any help you can provide.

Thanks again,


.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000 ; Attributes: noreturn
.text:00401000
.text:00401000 public start
.text:00401000 start proc near ; CODE XREF: TlsCallback_0+2D↓j
.text:00401000 push offset Format ; "Hope you enjoy this!\r\n"
.text:00401005 call ds:printf ; Indirect Call Near Procedure
.text:0040100B add esp, 4 ; Add
.text:0040100E push offset aPlzEnterYourPa ; "Plz Enter your password: "
.text:00401013 call ds:printf ; Indirect Call Near Procedure
.text:00401019 add esp, 4 ; Add
.text:0040101C push offset dword_4030BC
.text:00401021 push offset aD ; "%d"
.text:00401026 call ds:scanf ; Indirect Call Near Procedure
.text:0040102C add esp, 8 ; Add
.text:0040102F mov eax, dword_4030BC
.text:00401034 ror eax, 11h ; Rotate Right
.text:00401037 mov ebx, 554F0000h
.text:0040103C cmp eax, ebx ; Compare Two Operands
.text:0040103E jnz short loc_401055 ; Jump if Not Zero (ZF=0)
.text:00401040 push 0 ; uType
.text:00401042 push offset Caption ; "Message:"
.text:00401047 push offset Text ; "Congratulation!!"
.text:0040104C push 0 ; hWnd
.text:0040104E call MessageBoxA ; Call Procedure
.text:00401053 jmp short loc_401068 ; Jump
.text:00401055 ; ---------------------------------------------------------------------------
.text:00401055
.text:00401055 loc_401055: ; CODE XREF: start+3E↑j
.text:00401055 push 0 ; uType
.text:00401057 push offset aError ; "Error!"
.text:0040105C push offset aOopsWrongPassw ; "Oops Wrong Password!!"
.text:00401061 push 0 ; hWnd
.text:00401063 call MessageBoxA ; Call Procedure
.text:00401068
.text:00401068 loc_401068: ; CODE XREF: start+53↑j
.text:00401068 push 0 ; uExitCode
.text:0040106A call ExitProcess ; Call Procedure
.text:0040106A start endp
.text:0040106A
.text:0040106F ; ---------------------------------------------------------------------------


Output:

Assignment 4>Malware-A4Pr5.exe
Hope you enjoy this!
Plz Enter your password: 123456
Oops Wrong Password!!

Post by Mijikai »

Yes, that's correct, you can reveal the password by rol 0x11 on ebx.

PB is really great for doing ASM stuff :D

EnableExplicit

Procedure.i PasswordTest(Password.i);<- rebuild procedure
  ; edx is used in place of ebx: PureBasic inline ASM may only clobber eax, ecx and edx
  !mov eax,[p.v_Password]
  !ror eax,0x11
  !mov edx,0x554F0000
  !cmp eax,edx
  !jnz @f
  ProcedureReturn #True
  !@@:
  ProcedureReturn #False
EndProcedure

Procedure.i PasswordDecode();<- swapped ror with rol which does the opposite
  !mov eax,0x554F0000
  !rol eax,0x11
  ; the result is left in eax, which the bare ProcedureReturn hands back unchanged
  ProcedureReturn
EndProcedure

Debug PasswordTest(PasswordDecode())

End

Post by Taken17 »

Thank you very much. I'll have to look into PB. Just doing this manually, shouldn't the answer be F8000554h? That's if it did the rol correctly.

5540000h = 1010101010011110000000000000000b

F8000554h = 11111000000000000000010101010100
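
The rotation from the listing, worked through in C as an added example (not code from either poster): it rebuilds the `ror eax, 11h` / `cmp eax, ebx` check, inverts it with a rotate left by the same count, and runs the check on the values that appear in the thread. The function names `ror32`, `rol32`, `check` and `recover` are chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit rotates as x86 ROR/ROL perform them: the count is masked to
   5 bits, and bits pushed off one end re-enter at the other end. */
static uint32_t ror32(uint32_t v, unsigned n) {
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

static uint32_t rol32(uint32_t v, unsigned n) {
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

#define ROT_COUNT 0x11u        /* from: ror eax, 11h       */
#define TARGET    0x554F0000u  /* from: mov ebx, 554F0000h */

/* Mirrors the comparison at 00401034..0040103E in the listing. */
static int check(uint32_t input) {
    return ror32(input, ROT_COUNT) == TARGET;
}

/* A rotate is a bijection on 32-bit values, so rotating the constant
   left by the same count gives the single input that passes check(). */
static uint32_t recover(void) {
    return rol32(TARGET, ROT_COUNT);
}

int main(void) {
    uint32_t pw = recover();
    /* scanf("%d") reads decimal, so the decimal form is what gets typed. */
    printf("recovered         : 0x%08X = %u decimal\n", (unsigned)pw, (unsigned)pw);
    printf("check(recovered)  : %d\n", check(pw));
    printf("check(123456)     : %d\n", check(123456u));     /* input from the sample run */
    printf("check(0xF8000554) : %d\n", check(0xF8000554u)); /* value proposed in the thread */
    return 0;
}
```

Because the low 16 bits of the constant are zero, rotating it left by 17 carries only its top 17 bits around into the low half of the result, which is why the recovered value fits in 16 bits.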