Hacking a DLL – Disassembly for beginners
At the beginning of this month, the Mossad published a hacking challenge. Out of curiosity I took some time to play with it, and while progressing through the challenge I discovered a DLL file which should contain a hint (the admin password for a fake chat room).
The interesting question is: what do I do with it?
The first step was opening the DLL file in a hex editor and looking for interesting stuff. When doing that I noticed that this is a Win32 DLL:
And that it has some interesting things in it that will help me get to the desired password:
My next step was loading the DLL into a disassembler (I used the demo version of IDA) and checking what the exports of this DLL are:
From the disassembly of “Run” I can see that there is an input request to the user, followed by many lines of code:
So now we have an export within the DLL that we can call and see what happens. To do that I wrote a short C++ program that loads the DLL file and calls the “Run” function.
```cpp
#include <windows.h>
#include <iostream>
#include <cstdlib>

// Signature of the exported "Run" function: no arguments, no return value, cdecl.
typedef void(__cdecl *MYPROC)();

int main()
{
    // Load the challenge DLL from the current working directory
    HINSTANCE hinstLib = LoadLibrary(TEXT("PassMasterExtension3_1.dll"));
    if (!hinstLib)
    {
        std::cout << "Could not load the dynamic library" << std::endl;
        return EXIT_FAILURE;
    }

    // Resolve the "Run" export by name; GetProcAddress returns NULL if it is missing
    MYPROC proc = (MYPROC)GetProcAddress(hinstLib, "Run");
    if (!proc)
    {
        std::cout << "Could not find the Run export" << std::endl;
        FreeLibrary(hinstLib);
        return EXIT_FAILURE;
    }

    // Call into the DLL; it prompts for the password itself
    proc();

    FreeLibrary(hinstLib);
    return EXIT_SUCCESS;
}
```
Running the program gave me the following output (I don’t know the password, so I just entered a random string):
Instead of looking for the right password (there is a lot of code here), let’s try to see where the password verification takes place and override it, so that program execution continues along the positive flow, the way it would if we had entered the right password:
Looks like we found it. Now let’s go back to the hex editor and flip the “jnz” (jump if not zero) into a “jz” (jump if zero), so the branch is taken exactly when it otherwise would not be:
After changing the hex value 75 (the opcode of a short jnz) into 74 (a short jz) and saving the file, I went back to my C++ program and re-ran it.
And we got the password.
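The reason a single-byte patch works here is that the DLL carries the secret itself and only a conditional jump decides whether to print it. The following Python example is added to this post (it is not part of the original and has nothing to do with the challenge's real DLL) and contrasts that "compare, then branch" design with one where the hint is encrypted under a key derived from the password: there is then no branch to flip, because a wrong password simply yields garbage. The password, hint and salt are constructed sample values; the SHA-256 counter-mode keystream is an illustrative stand-in for a real AEAD cipher.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values for this example only; not the challenge's real password or hint.
PASSWORD = "correct-horse"
HINT = b"chat room admin password: <placeholder>"
SALT = bytes(range(16))  # constructed and fixed so the example is reproducible


def check_then_reveal(entered: str) -> Optional[bytes]:
    """The pattern the post defeated: the secret lives in the binary and a single
    conditional jump decides whether to print it. Flip that jump (75 -> 74) and
    the comparison result no longer matters. Hashing does not change this."""
    expected = hashlib.sha256(PASSWORD.encode()).digest()
    if hmac.compare_digest(hashlib.sha256(entered.encode()).digest(), expected):
        return HINT
    return None


def _derive_key(password: str, salt: bytes) -> bytes:
    # Slow KDF so offline guessing is expensive; 100k iterations is an example setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as an illustrative stream cipher (use a real AEAD in production).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_hint(password: str, hint: bytes, salt: bytes) -> bytes:
    """Encrypt the hint under a password-derived key and append an HMAC tag.
    Returns salt || ciphertext || tag."""
    key = _derive_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(hint, _keystream(key, len(hint))))
    tag = hmac.new(key, ct, "sha256").digest()
    return salt + ct + tag


def open_hint(password: str, blob: bytes) -> Tuple[bool, bytes]:
    """Decrypt with whatever password was entered. Returns (tag_ok, plaintext).
    A wrong password yields garbage plaintext; ignoring tag_ok (the equivalent
    of patching the branch) does not recover the hint."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = _derive_key(password, salt)
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    tag_ok = hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag)
    return tag_ok, pt


if __name__ == "__main__":
    blob = seal_hint(PASSWORD, HINT, SALT)
    print("branch-guarded, wrong password:", check_then_reveal("guess"))
    print("key-derived, right password:   ", open_hint(PASSWORD, blob))
    print("key-derived, wrong password:   ", open_hint("guess", blob))
```

The tag check in `open_hint` is still a branch, but it only decides whether to trust the output; patching it reveals the garbage plaintext, not the hint. The remaining weakness is offline guessing against the blob, which is why the key derivation is deliberately slow.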
– Alexander
2 thoughts on “Hacking a DLL – Disassembly for beginners”
Wow! Thank you for this post. It really makes me think about the security implications of my code when all someone needs to do is figure out how to bypass the password control systems to proceed with normal control.
Nice and concise