Hacking a DLL – Disassembly for beginners

At the beginning of this month, the Mossad published a hacking challenge. Out of curiosity I took some time to play with it, and while progressing through the challenge I discovered a DLL file which should contain a hint (the admin password for a fake chat room).

The interesting question is: what do I do with it?

The first step was opening the DLL file in a hex editor and looking for interesting stuff. When doing that I noticed that this is a Win32 DLL:

[Screenshot: Capture.PNG]

And that it has some interesting things in it that will help me get the desired password:

[Screenshot: Capture2.PNG]

My next step was loading the DLL into a disassembly tool (I used the demo version of IDA) and checking what the exports of this DLL are:

[Screenshot: Capture7.PNG]
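The export listing IDA shows here comes from the PE headers and the export directory, which can be read without a disassembler. The following Python script is an added example (not code from the original post): it builds a tiny constructed PE32 DLL in memory, then walks the DOS header, COFF header, optional header, section table and export directory to report whether the file is a DLL, which machine it targets, and which names it exports. The constructed image, its export names ("Run", "Init") and the helper names are all assumptions made for the example; the field layouts are those of the PE/COFF format.

```python
import struct

IMAGE_FILE_DLL = 0x2000           # Characteristics flag: image is a DLL
IMAGE_FILE_MACHINE_I386 = 0x14C   # 32-bit x86

# Field layouts from the PE/COFF format (little-endian).
COFF_FMT = "<HHIIIHH"           # Machine, NumberOfSections, TimeDateStamp, PtrToSymtab, NumSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
EXPORT_DIR_FMT = "<IIHHIIIIIII" # ..., Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals


def build_sample_dll(export_names, dll_name=b"sample.dll"):
    """Construct a minimal PE32 DLL image in memory (a constructed sample, not the challenge DLL).
    One .rdata section holds the export directory; the exported function RVAs just point at the
    section start, which is enough to exercise the header and export parsing below."""
    sect_rva, sect_raw = 0x1000, 0x200
    n = len(export_names)
    off_funcs = struct.calcsize(EXPORT_DIR_FMT)      # the three tables follow the 40-byte directory
    off_names = off_funcs + 4 * n
    off_ords = off_names + 4 * n
    off_strings = off_ords + 2 * n
    strings, name_rvas = b"", []
    for nm in export_names:
        name_rvas.append(sect_rva + off_strings + len(strings))
        strings += nm + b"\0"
    dllname_rva = sect_rva + off_strings + len(strings)
    strings += dll_name + b"\0"
    section = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, dllname_rva, 1, n, n,
                          sect_rva + off_funcs, sect_rva + off_names, sect_rva + off_ords)
    section += b"".join(struct.pack("<I", sect_rva) for _ in range(n))   # AddressOfFunctions
    section += b"".join(struct.pack("<I", r) for r in name_rvas)         # AddressOfNames
    section += b"".join(struct.pack("<H", i) for i in range(n))          # AddressOfNameOrdinals
    section += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0,
                                   0x2102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sect_rva, len(section))   # DataDirectory[0] = export table
    sect_hdr = struct.pack(SECTION_FMT, b".rdata", len(section), sect_rva, len(section),
                           sect_raw, 0, 0, 0, 0, 0x40000040)   # INITIALIZED_DATA | READ
    headers = dos + coff + bytes(opt) + sect_hdr
    return headers + b"\0" * (sect_raw - len(headers)) + section


def _rva_to_offset(sections, rva):
    """Translate a relative virtual address to a file offset using the section table."""
    for vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_pe_exports(data):
    """Return (is_dll, machine, export_names) for the PE file image in `data`.
    Raises ValueError for anything that is not a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional-header offset 96
        dd = opt + 96
    elif magic == 0x20B:    # PE32+: offset 112
        dd = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    export_rva = struct.unpack_from("<I", data, dd)[0]
    sections = []
    for i in range(nsect):
        _, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append((vsize, vaddr, rawsize, rawptr))
    names = []
    if export_rva:
        fields = struct.unpack_from(EXPORT_DIR_FMT, data, _rva_to_offset(sections, export_rva))
        nnames, names_rva = fields[7], fields[9]
        names_off = _rva_to_offset(sections, names_rva)
        for i in range(nnames):
            name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            names.append(_cstring(data, _rva_to_offset(sections, name_rva)))
    return bool(chars & IMAGE_FILE_DLL), machine, names


if __name__ == "__main__":
    is_dll, machine, exports = parse_pe_exports(build_sample_dll([b"Run", b"Init"]))
    print(f"DLL: {is_dll}, machine: {machine:#x}, exports: {exports}")
```

Pointing `parse_pe_exports` at the bytes of a real file instead of the constructed image gives the same listing IDA's Exports view shows; a DLL with no export directory simply returns an empty list.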

From the disassembly of “Run” I can see that there is an input request to the user followed by many lines of code:

[Screenshot: Capture4.PNG]

So now we have an export within the DLL that we can call and see what happens. In order to do that I wrote a short C++ program that loads the DLL file and calls the “Run” function.

#include <windows.h>
#include <iostream>
#include <cstdlib>

// "Run" takes no arguments and returns nothing; __cdecl is the assumed
// calling convention of the export.
typedef void(__cdecl *MYPROC)();

int main()
{
    HINSTANCE hinstLib = LoadLibrary(TEXT("PassMasterExtension3_1.dll"));

    if (!hinstLib) {
        std::cout << "Could not load the dynamic library" << std::endl;
        return EXIT_FAILURE;
    }

    // Resolve the exported "Run" function by name.
    MYPROC proc = (MYPROC)GetProcAddress(hinstLib, "Run");
    if (!proc) {
        std::cout << "Could not find the Run export" << std::endl;
        FreeLibrary(hinstLib);
        return EXIT_FAILURE;
    }

    proc();

    FreeLibrary(hinstLib);
    return EXIT_SUCCESS;
}

Running the program gave me the following output (I don’t know the password, so I just entered a random string):

[Screenshot: Capture5.PNG]

Instead of looking for the right password (there is a lot of code here), let’s try to see where the password verification takes place and override it, so that program execution continues along the positive flow, the way it would if we had entered the right password:

[Screenshot: Capture8.PNG]

Looks like we found it. Now let’s go back to the hex editor and change the “jnz” into a “jz”:

[Screenshot: Capture9.PNG]

After changing the hex value 75 into 74 and saving the file, I went back to my C++ program and re-ran it.

[Screenshot: Capture10.PNG]

And we got the password 🙂
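The single-byte change above (0x75, a short jnz, to 0x74, a short jz) is exactly the kind of edit an integrity check on a shipped DLL should catch. The script below is an added example, not code from the original post: it hashes an original and a modified image, lists every byte that differs, and decodes any short (rel8) jump at a changed offset to show that the jump's condition was flipped while its target stayed the same. The byte string `ORIGINAL` is a constructed stand-in for a password check (not bytes from the challenge DLL), and the opcode table and function names are assumptions made for the example.

```python
import hashlib

# Short (rel8) jump opcodes recognised by the decoder below (constructed table for the example).
SHORT_JUMPS = {0x74: "jz/je", 0x75: "jnz/jne", 0x76: "jbe", 0x77: "ja",
               0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg", 0xEB: "jmp"}

# Constructed sample of a password check as it might appear in a 32-bit DLL:
#   85 C0           test eax, eax      ; eax holds the comparison result
#   75 05           jnz  +5            ; wrong password -> skip the success path
#   B8 01 00 00 00  mov  eax, 1        ; success path
#   31 C0           xor  eax, eax      ; failure path
#   C3              ret
ORIGINAL = bytes.fromhex("85c0" "7505" "b801000000" "31c0" "c3")
PATCHED = bytearray(ORIGINAL)
PATCHED[2] = 0x74            # the post's 75 -> 74 edit, reproduced on the constructed sample
PATCHED = bytes(PATCHED)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def find_modified_bytes(original, patched):
    """Return [(offset, old_byte, new_byte)] for every byte that differs between two images."""
    if len(original) != len(patched):
        raise ValueError("images differ in length; not a simple in-place patch")
    return [(i, original[i], patched[i]) for i in range(len(original)) if original[i] != patched[i]]


def decode_short_jump(data, offset):
    """Decode a 2-byte short jump at `offset`: returns (mnemonic, target_offset), or None when
    the opcode is not a short jump. rel8 is sign-extended and relative to the next instruction."""
    if offset + 1 >= len(data) or data[offset] not in SHORT_JUMPS:
        return None
    rel = data[offset + 1]
    if rel >= 0x80:
        rel -= 256
    return SHORT_JUMPS[data[offset]], offset + 2 + rel


def describe_patch(original, patched):
    """Human-readable report of every modified byte; when a short jump sits at a modified offset,
    the report says whether only its condition changed (same target) or its target moved."""
    if sha256_hex(original) == sha256_hex(patched):
        return ["hashes match: no modification"]
    report = []
    for off, old, new in find_modified_bytes(original, patched):
        line = f"offset {off:#06x}: {old:02x} -> {new:02x}"
        before, after = decode_short_jump(original, off), decode_short_jump(patched, off)
        if before and after:
            line += f" ({before[0]} -> {after[0]}, target {before[1]:#x}"
            line += ", same target)" if before[1] == after[1] else f" -> {after[1]:#x})"
        report.append(line)
    return report


if __name__ == "__main__":
    print("original sha256:", sha256_hex(ORIGINAL))
    print("patched  sha256:", sha256_hex(PATCHED))
    for line in describe_patch(ORIGINAL, PATCHED):
        print(line)
```

For the constructed sample the report reads `offset 0x0002: 75 -> 74 (jnz/jne -> jz/je, target 0x9, same target)`: the hash mismatch flags the tampering, and the decoder explains it. Against a real file, keep the original's hash from a trusted build and compare the bytes of the deployed copy with `find_modified_bytes`.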

– Alexander
