Find The Easy Pass [by Thiseas]

Find The Easy Pass is one of the Hack The Box Reversing challenge,

Tools used:

  • Wine
  • OLLYDBG

So let's start this by Downloading the file,

Unzip the file, you can see

Now lets unzip the file so we can see whats in it using OLLYDGB. It prompts for password,

if you were wondering for the password here you can see that in the main site it had all the information!!

So, Since we required wine to use OLLYDGB, lets copy the extracted file to the like folder like shown in the figure

Done copying so lets open the file in OLLYDGB

now we got this lets search for some texts

steps to get All referenced text strings:

  • right click
  • go to search for
  • click on All referenced text strings

now,

looking at the strings, i found two great strings

Good job, Congratulations  
Wrong Password

lets double click on wrong password to see whats going on there

if you may be wondering how the text font changed then,
1)Right click on the blank space
2)Click on Appearance ( the last option )
3)then goto Font and choose the font you like

now in the image above, we can see stuffs going on

you can see a JNZ assembly above the ASCII "Good Job. Congratulations"

As you know JNZ is a conditional jump, lets single left click on the JNZ and press enter,

It goes to 00454144

Now, we see that the condition is that if the password is wrong then its gonna jump to the Wrong password stuff.

Lets set a Breakpoint at the CALL part.

so to set a Breakpoint you need to

double left click in the 2nd is and you will get the binary highlighted as in the image

now lets run the exe

It prompts for the password,

type  anything you want

now click check password

looks like something poped up in the Registers

so what happened here is

you can see the line
CMP EAX,EDX

It compares the EAX which was GOGLIDES in this case and EDX had fortran! which is the password for the EasyPass.exe

What actually happened there?

You can see that the EAX has been moved to ESI and followed by EDX moving to EDI.

then there is a comparison between EAX and EDX

If the comparison is successful or you have entered the right password in this context which is supposed to be fortran!, it jumps to 004046C6

Here the values are POPed which means that the value are restored and following the functions, the function RETN or returns.

then as we have already talked before, with the correct password, the JNZ or the conditional jump is skipped and you get the message

"Good Job. Congratulations"