{"componentChunkName":"component---src-templates-post-template-js","path":"/magical-windbg-vol2-03-en","result":{"data":{"markdownRemark":{"id":"27496364-ca77-550a-8f7a-86c61b7ff26b","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/magical-windbg-vol2-03\">original page</a>.</p>\n</blockquote>\n<p>In this chapter, we gather the information needed to identify the Flag by statically analyzing DoPClient.</p>\n<p>Static analysis is a method of analyzing a program without actually executing it.</p>\n<p>Depending on the definition, the investigation of file metadata and similar information performed in Chapter 2 can also be classified as static analysis, but in this book I use the term static analysis to refer to disassembling the program and analyzing it in detail.</p>\n<p>This book uses Binary Ninja as the tool for disassembly.</p>\n<p>If you are more comfortable with another tool such as IDA or Ghidra, feel free to use that instead.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#disassemble-dopclient-with-binary-ninja\">Disassemble DoPClient with Binary Ninja</a></li>\n<li><a href=\"#rename-functions\">Rename Functions</a></li>\n<li><a href=\"#read-conditional-branches\">Read Conditional Branches</a></li>\n<li><a href=\"#read-loops\">Read Loops</a></li>\n<li><a 
href=\"#validate-the-input-string\">Validate the Input String</a></li>\n<li><a href=\"#load-the-kernel-driver\">Load the Kernel Driver</a></li>\n<li><a href=\"#access-the-driver-object\">Access the Driver Object</a></li>\n<li><a href=\"#summary-of-chapter-3\">Summary of Chapter 3</a></li>\n<li><a href=\"#links-to-each-chapter\">Links to Each Chapter</a></li>\n</ul>\n<h2 id=\"disassemble-dopclient-with-binary-ninja\" style=\"position:relative;\"><a href=\"#disassemble-dopclient-with-binary-ninja\" aria-label=\"disassemble dopclient with binary ninja permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Disassemble DoPClient with Binary Ninja</h2>\n<p>First, use Binary Ninja to disassemble DoPClient.</p>\n<p>Disassembly is a method of reconstructing a program expressed in machine language into human-readable source code (assembly).</p>\n<p>Today, when humans create programs, they almost never type machine language consisting directly of 0s and 1s to create an executable.</p>\n<p>Normally, people save source code written in C, assembly language, or a similar language to a file, and then use a compiler and linker to build a machine-language file that a computer can execute.</p>\n<p>The method of converting a program built in this way back into source code so that humans can read it again is called disassembly.</p>\n<p>When a compiler or linker builds a program, it applies optimizations such as improving the efficiency of the executable code and removing comments.</p>\n<p>For that reason, note that 
the code you can recover by disassembling a built program does not exactly match the original source code.</p>\n<p>This book does not cover the detailed steps for building an executable program from C source code or the basic methods and algorithms of disassembly, but those topics are explained in detail in “実践バイナリ解析 バイナリ計装、解析、逆アセンブリのためのLinuxツールの作り方” <sup id=\"fnref-1\"><a href=\"#fn-1\" class=\"footnote-ref\">1</a></sup>, which is a useful reference.</p>\n<p>Disassembling with Binary Ninja is extremely easy: just launch the installed Binary Ninja and drag and drop the executable you want to analyze.</p>\n<p>When you load DoPClient.exe into Binary Ninja, the following screen appears.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/5a791/client-binaryninja-001.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 66.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/8ac56/client-binaryninja-001.webp 240w,\n/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/d3be9/client-binaryninja-001.webp 480w,\n/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/e46b2/client-binaryninja-001.webp 960w,\n/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/1b8e7/client-binaryninja-001.webp 1248w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/8ff5a/client-binaryninja-001.png 
240w,\n/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/e85cb/client-binaryninja-001.png 480w,\n/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/d9199/client-binaryninja-001.png 960w,\n/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/5a791/client-binaryninja-001.png 1248w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4eb9bf09b9dab6f34bf63e9ba9c78c80/d9199/client-binaryninja-001.png\"\n            alt=\"Screen after loading DoPClient into Binary Ninja\"\n            title=\"Screen after loading DoPClient into Binary Ninja\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>To display the disassembly result for DoPClient, change the display mode in the pull-down menu in the center of the screen from [High Level IL] to [Disassembly].</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 488px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/97aee9ffb31f3185ad42c174b8b4c454/bd48c/client-binaryninja-002.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 39.166666666666664%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABt0lEQVQoz22RO2sUURiG568o7Lhznzk718xlZ3azCZtNdiewC5pKLARFvDRJbW0lSLqIlaggCkIKS7Gw0MLGv/N4ztEsCBYvH+f2fO/3HmOz2dD3PTdvnbDul9x++pzH77/z8PUXTi9/cf/FWw7mc46O1xyueqljDpcr5nLvfzKapmE8HrO7O2M66ZguVkyXa+48e8Wjd9+49/Izd88/8OTNV04//uDs008eXFzSdBPKsqSqqn9k+L5PEAQIIXT1/IBAjMiaCXv9RmuxOaHcPyKdzslnC7JuD89zcR0H1/NwXXcrwzRNzIGJZVk48oKWZePJ2o4b2qamLDKqIsd3LAbXr2HdMLH9kKF8o94PBoOtDEX1ZJdYxGRxSp7mFFmOiARt1+k42rYlSVNs2cS2benKJ0oLwjDCkWtlQnFUNdQFpaTKiHdSglGoG4RhSF3XEtYRxzHWcMhQSk2iFMjzIIoQSYrre9szDXQkvT2YMt7vyOtCAhLpKKOTwc9mM2odeKkb/MnKYzQS1NKAEJF2rmCKpYEq3CIr9KiJgo1iqp2SPMuIpIurj1Our8K3bUuPa/11pjiq/gY54hM+4Y4t7wAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/97aee9ffb31f3185ad42c174b8b4c454/8ac56/client-binaryninja-002.webp 240w,\n/static/97aee9ffb31f3185ad42c174b8b4c454/d3be9/client-binaryninja-002.webp 480w,\n/static/97aee9ffb31f3185ad42c174b8b4c454/607ea/client-binaryninja-002.webp 488w\"\n              sizes=\"(max-width: 488px) 100vw, 488px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/97aee9ffb31f3185ad42c174b8b4c454/8ff5a/client-binaryninja-002.png 240w,\n/static/97aee9ffb31f3185ad42c174b8b4c454/e85cb/client-binaryninja-002.png 480w,\n/static/97aee9ffb31f3185ad42c174b8b4c454/bd48c/client-binaryninja-002.png 488w\"\n            sizes=\"(max-width: 488px) 100vw, 488px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/97aee9ffb31f3185ad42c174b8b4c454/bd48c/client-binaryninja-002.png\"\n            alt=\"Change the display mode to Disassembly\"\n            title=\"Change the display mode to Disassembly\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n        
  />\n        </picture>\n  </a>\n    </span></p>\n<p>Now the analysis result displayed in the view has become disassembled assembly code.</p>\n<p>Next, identify the address of the program’s main function and inspect its disassembly.</p>\n<p>Find the main function in the [Symbols] window on the left side of the screen and double-click it to inspect the disassembly result for main.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/759fea4f6d0632a6704150fdcc7de923/bf433/client-binaryninja-003.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 41.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/759fea4f6d0632a6704150fdcc7de923/8ac56/client-binaryninja-003.webp 240w,\n/static/759fea4f6d0632a6704150fdcc7de923/d3be9/client-binaryninja-003.webp 480w,\n/static/759fea4f6d0632a6704150fdcc7de923/e46b2/client-binaryninja-003.webp 960w,\n/static/759fea4f6d0632a6704150fdcc7de923/3697b/client-binaryninja-003.webp 971w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/759fea4f6d0632a6704150fdcc7de923/8ff5a/client-binaryninja-003.png 240w,\n/static/759fea4f6d0632a6704150fdcc7de923/e85cb/client-binaryninja-003.png 480w,\n/static/759fea4f6d0632a6704150fdcc7de923/d9199/client-binaryninja-003.png 960w,\n/static/759fea4f6d0632a6704150fdcc7de923/bf433/client-binaryninja-003.png 971w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/759fea4f6d0632a6704150fdcc7de923/d9199/client-binaryninja-003.png\"\n            alt=\"Inspect the disassembly result of the main function\"\n            title=\"Inspect the disassembly result of the main function\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Finally, change the display mode from Linear mode to Graph mode so that the program’s branches and other control flow are easier to follow.</p>\n<p>By changing the display mode in the pull-down menu in the center of the screen from [Linear] to [Graph], you can inspect the disassembly result of the main function in Graph view.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/17453b95e130313e3c71992c6b4756f6/6937a/client-binaryninja-004.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 97.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/17453b95e130313e3c71992c6b4756f6/8ac56/client-binaryninja-004.webp 240w,\n/static/17453b95e130313e3c71992c6b4756f6/d3be9/client-binaryninja-004.webp 480w,\n/static/17453b95e130313e3c71992c6b4756f6/e46b2/client-binaryninja-004.webp 960w,\n/static/17453b95e130313e3c71992c6b4756f6/e4bbf/client-binaryninja-004.webp 1094w\"\n              sizes=\"(max-width: 960px) 100vw, 
960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/17453b95e130313e3c71992c6b4756f6/8ff5a/client-binaryninja-004.png 240w,\n/static/17453b95e130313e3c71992c6b4756f6/e85cb/client-binaryninja-004.png 480w,\n/static/17453b95e130313e3c71992c6b4756f6/d9199/client-binaryninja-004.png 960w,\n/static/17453b95e130313e3c71992c6b4756f6/6937a/client-binaryninja-004.png 1094w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/17453b95e130313e3c71992c6b4756f6/d9199/client-binaryninja-004.png\"\n            alt=\"Change the display mode to Graph mode\"\n            title=\"Change the display mode to Graph mode\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"rename-functions\" style=\"position:relative;\"><a href=\"#rename-functions\" aria-label=\"rename functions permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Rename Functions</h2>\n<p>If you start reading the disassembly of the main function from the beginning, you can see that the <code class=\"language-text\">sub_140001008</code> function is called repeatedly near the start.</p>\n<p>Immediately before the call to <code class=\"language-text\">sub_140001008</code>, a string is loaded from the .data 
section into the RCX register.</p>\n<p>The information in the [Cross Reference] window on the left side also shows that <code class=\"language-text\">sub_140001008</code> is being executed with some kind of message text as its argument.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/531dd1c1add44074d797a90cc3222c6d/b880f/client-binaryninja-005.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 58.333333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/531dd1c1add44074d797a90cc3222c6d/8ac56/client-binaryninja-005.webp 240w,\n/static/531dd1c1add44074d797a90cc3222c6d/d3be9/client-binaryninja-005.webp 480w,\n/static/531dd1c1add44074d797a90cc3222c6d/e46b2/client-binaryninja-005.webp 960w,\n/static/531dd1c1add44074d797a90cc3222c6d/f992d/client-binaryninja-005.webp 1440w,\n/static/531dd1c1add44074d797a90cc3222c6d/794a2/client-binaryninja-005.webp 1507w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/531dd1c1add44074d797a90cc3222c6d/8ff5a/client-binaryninja-005.png 240w,\n/static/531dd1c1add44074d797a90cc3222c6d/e85cb/client-binaryninja-005.png 480w,\n/static/531dd1c1add44074d797a90cc3222c6d/d9199/client-binaryninja-005.png 960w,\n/static/531dd1c1add44074d797a90cc3222c6d/07a9c/client-binaryninja-005.png 1440w,\n/static/531dd1c1add44074d797a90cc3222c6d/b880f/client-binaryninja-005.png 1507w\"\n            sizes=\"(max-width: 960px) 
100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/531dd1c1add44074d797a90cc3222c6d/d9199/client-binaryninja-005.png\"\n            alt=\"Code at the beginning of the main function\"\n            title=\"Code at the beginning of the main function\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>From this, we can predict that <code class=\"language-text\">sub_140001008</code> is likely a function similar to printf.</p>\n<p>In fact, if you double-click <code class=\"language-text\">sub_140001008</code> and jump to its address, you can see that <code class=\"language-text\">__stdio_common_vfprintf</code> is called within the function.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 508px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/30ac8f8e4bfec19b5e1016abef95c80d/2fd48/client-binaryninja-006.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 106.66666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/30ac8f8e4bfec19b5e1016abef95c80d/8ac56/client-binaryninja-006.webp 240w,\n/static/30ac8f8e4bfec19b5e1016abef95c80d/d3be9/client-binaryninja-006.webp 480w,\n/static/30ac8f8e4bfec19b5e1016abef95c80d/7b066/client-binaryninja-006.webp 508w\"\n              sizes=\"(max-width: 508px) 100vw, 508px\"\n              type=\"image/webp\"\n            
/>\n          <source\n            srcset=\"/static/30ac8f8e4bfec19b5e1016abef95c80d/8ff5a/client-binaryninja-006.png 240w,\n/static/30ac8f8e4bfec19b5e1016abef95c80d/e85cb/client-binaryninja-006.png 480w,\n/static/30ac8f8e4bfec19b5e1016abef95c80d/2fd48/client-binaryninja-006.png 508w\"\n            sizes=\"(max-width: 508px) 100vw, 508px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/30ac8f8e4bfec19b5e1016abef95c80d/2fd48/client-binaryninja-006.png\"\n            alt=\"Code of the sub_140001008 function\"\n            title=\"Code of the sub_140001008 function\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>There is not much detailed information about <code class=\"language-text\">__stdio_common_vfprintf</code>, but judging from its name, it seems likely to be related to the CRT library and to the vprintf function that corresponds to printf.</p>\n<br>\n<p>vprintf function:</p>\n<p><a href=\"https://learn.microsoft.com/ja-jp/cpp/c-runtime-library/vprintf-functions?view=msvc-170\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/cpp/c-runtime-library/vprintf-functions?view=msvc-170</a></p>\n<br>\n<p>You can also confirm that if you actually build C source code containing the library function printf in Visual Studio, processing similar to the <code class=\"language-text\">sub_140001008</code> function is called.</p>\n<p>This also suggests that <code class=\"language-text\">sub_140001008</code> is the printf function and is very likely responsible for outputting the string stored in RCX.</p>\n<p>So, in Binary Ninja, right-click the <code class=\"language-text\">sub_140001008</code> function, choose [Rename Symbol], and rename it to printf.</p>\n<p>Once you do this, <code 
class=\"language-text\">sub_140001008</code> is replaced with printf in the Binary Ninja UI, making the disassembly result easier to analyze.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 694px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6670abc4cddde93405d23cf7e9fefecb/31198/client-binaryninja-007.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 97.50000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAA7DAAAOwwHHb6hkAAADXElEQVQ4y4WUy1baUBSGeRVtFROEpSCXQAIEUYEkEHIFEq5V2zrooKNOa+0TuNpVn/bv3icBsZMO9jonIfzn//blZFYfN9g83GK9WWO+WODL/Sc8xEv0r69g9HswKdpqHc0GhyLWttYQe62uIAwCLJdLxFGMKIqQ8eMQwWICz/dgj8dYhBP4YYz2yEfPm6FtOqh0DdSuLVQ5rkwotNbSvWGN4Ng2RsMRDMNAZrqJML2NEIQBXM/D3A/w8O0J0eMvLB+fsfj+jPjpDyKK+OdLEj9+07sX8d70pzAHfQyHQ/T7fWS8KIAXB3AcB8PRCKtpBPumD6VWJTQVektDpXSOvCzh6N0Bjimk4yNk3x/i6PAAHV2HPbIxGAwSQUb252GCTNZXsxguYaiahk6ng4uLMsUFcqenkHM55CgkWYYkycgXCri8vCTBBFcIMvLsfo5wOoHjulhGcziWjXKljHKZo4JSqQRZkiALIQlnZ2c4Pz8Xz3wo43qOC8uyCHkWCIeO5wrkNSE7hoUSieXJ1cnJiQj+MwfvK9UqGlTtXE6GTshcEBY0TTNB5hy6JLhFdswh6qqKJmEzrpS62wlWKtDbbfFb76aHwPPhjh1YLCiQ72IEk1AUZkXI3tBGTVGEQxYReSPRJGQUKHf5fF48D+nwmKhC6g7hkKvMyG6KvEyR640GVFUjtAY0clqr1XCaHrAV54MG/cHOoWGkyP4i3DX2FrlByNwSnCOF3Co1BWWB/5pPDoPaJSB3vuslDhl58iGCHwQ7ZJeQ2Vmr1aZoodnUUKSqZrPZN2Ls0jItRNMZJn4o9jtkx31t7PHAFA7ZHbtkUS5AIiS9EWRkzp+7X2Uxy4H/psrc2HpHF/lrU0VZnHO4X3HeGyQ4CcK3yFzlkKrs7jV2Mim6WLkgakMV4oW0ultRy0iQ2eUOWcxyirxOkZuEedW9ovw1xWRw/4nq7uWQHXNRQsqf+7/GbraalL+OQG2RaJWmg6vNPbjvULTNfg53yNOksdfRgi4HGxqJ8OB3u11c0rzqFPzM870VZNcW9d6cTEzpHk1m+R/k5WQmkFtUiHq9jlKxKC6HYrqKm4caeovMB47ocuCx4ytsh8yNPabGZsGvd5/R6/XEx53U2Tb4md9vg7/ja6tHwetf9vzXc6O0eEUAAAAASUVORK5CYII='); 
background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6670abc4cddde93405d23cf7e9fefecb/8ac56/client-binaryninja-007.webp 240w,\n/static/6670abc4cddde93405d23cf7e9fefecb/d3be9/client-binaryninja-007.webp 480w,\n/static/6670abc4cddde93405d23cf7e9fefecb/181fb/client-binaryninja-007.webp 694w\"\n              sizes=\"(max-width: 694px) 100vw, 694px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6670abc4cddde93405d23cf7e9fefecb/8ff5a/client-binaryninja-007.png 240w,\n/static/6670abc4cddde93405d23cf7e9fefecb/e85cb/client-binaryninja-007.png 480w,\n/static/6670abc4cddde93405d23cf7e9fefecb/31198/client-binaryninja-007.png 694w\"\n            sizes=\"(max-width: 694px) 100vw, 694px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6670abc4cddde93405d23cf7e9fefecb/31198/client-binaryninja-007.png\"\n            alt=\"Renaming a function\"\n            title=\"Renaming a function\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When analyzing a file that has no symbols, analysis becomes smoother if you rename functions and variables in the tool as you work.</p>\n<h2 id=\"read-conditional-branches\" style=\"position:relative;\"><a href=\"#read-conditional-branches\" aria-label=\"read conditional branches permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 
1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Read Conditional Branches</h2>\n<p>Now that the code has become easier to read after renaming the printf function, let’s continue reading the code near the beginning.</p>\n<p>The assembly code from the start of the main function up to the first conditional branch at 0x140001945 is shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\"><span class=\"token label function\">main:</span>\nmov     qword <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x8</span> {__saved_rbx}<span class=\"token operator\">]</span>, <span class=\"token register variable\">rbx</span>\npush    <span class=\"token register variable\">rdi</span> {__saved_rdi}\nsub     <span class=\"token register variable\">rsp</span>, <span class=\"token number\">0x80</span>\nmov     <span class=\"token register variable\">rax</span>, qword <span class=\"token operator\">[</span>rel __security_cookie<span class=\"token operator\">]</span>\nxor     <span class=\"token register variable\">rax</span>, <span class=\"token register variable\">rsp</span> {var_88}\nmov     qword <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x70</span> {var_18}<span class=\"token operator\">]</span>, <span class=\"token register variable\">rax</span>\nxor     <span class=\"token register variable\">eax</span>, <span class=\"token register variable\">eax</span>  {<span class=\"token number\">0x0</span>}\nlea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span>rel data_14000342c<span class=\"token operator\">]</span>\nxorps   <span class=\"token register variable\">xmm0</span>, <span 
class=\"token register variable\">xmm0</span>\nmov     qword <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x60</span> {var_28}<span class=\"token operator\">]</span>, <span class=\"token register variable\">rax</span>  {<span class=\"token number\">0x0</span>}\nmovups  xmmword <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {var_48}<span class=\"token operator\">]</span>, <span class=\"token register variable\">xmm0</span>\nmov     dword <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x68</span> {var_20}<span class=\"token operator\">]</span>, <span class=\"token register variable\">eax</span>  {<span class=\"token number\">0x0</span>}\nmovups  xmmword <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x50</span> {var_38}<span class=\"token operator\">]</span>, <span class=\"token register variable\">xmm0</span>\nmov     word <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x6c</span> {var_1c}<span class=\"token operator\">]</span>, <span class=\"token register variable\">ax</span>  {<span class=\"token number\">0x0</span>}\nmov     byte <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x6e</span> {var_1a}<span class=\"token operator\">]</span>, <span class=\"token register variable\">al</span>  {<span class=\"token number\">0x0</span>}\ncall    printf\nlea     <span class=\"token register 
rcx</span>, <span class=\"token operator\">[</span>rel data_140003430">
variable\">rcx</span>, <span class=\"token operator\">[</span>rel data_140003430<span class=\"token operator\">]</span>  {<span class=\"token string\">\"DoP -The dream of a pumpkin-\\n\\n\"</span>}\ncall    printf\n{omitted}\nlea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span>rel data_1400036e0<span class=\"token operator\">]</span>  {<span class=\"token string\">\"Password: \"</span>}\ncall    printf\nxor     <span class=\"token register variable\">ecx</span>, <span class=\"token register variable\">ecx</span>  {<span class=\"token number\">0x0</span>}\ncall    qword <span class=\"token operator\">[</span>rel __acrt_iob_func<span class=\"token operator\">]</span>\nmov     <span class=\"token register variable\">edx</span>, <span class=\"token number\">0x2f</span>\nlea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {var_48}<span class=\"token operator\">]</span>\nmov     <span class=\"token register variable\">r8</span>, <span class=\"token register variable\">rax</span>\ncall    qword <span class=\"token operator\">[</span>rel fgets<span class=\"token operator\">]</span>\nxor     <span class=\"token register variable\">edi</span>, <span class=\"token register variable\">edi</span>  {<span class=\"token number\">0x0</span>}\ntest    <span class=\"token register variable\">rax</span>, <span class=\"token register variable\">rax</span>\nje      <span class=\"token number\">0x140001a8b</span></code></pre></div>\n<p>First, the earlier part is just the function prologue and processing that outputs the program title and ASCII art, so we can ignore it.</p>\n<p>What we want to focus on in the later code is the processing from <code class=\"language-text\">lea     rcx, [rel data_1400036e0]  {\"Password: \"}</code> at 0x140001919 through <code 
class=\"language-text\">je      0x140001a8b</code> at 0x140001945.</p>\n<p>Here, we can see that after outputting the string <code class=\"language-text\">Password:</code>, the program waits for input and uses the fgets function to receive 47 (0x2f) bytes from standard input.</p>\n<p>The string received by fgets is written to the address of the stack area loaded into RCX by <code class=\"language-text\">lea     rcx, [rsp+0x40 {var_48}]</code>.</p>\n<p>After that, the following conditional branch is implemented by using the RAX register, which stores the return value of the fgets function.</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">test    <span class=\"token register variable\">rax</span>, <span class=\"token register variable\">rax</span>\nje      <span class=\"token number\">0x140001a8b</span></code></pre></div>\n<p>This is assembly code that appears frequently when code containing an if-else conditional branch is compiled.</p>\n<p>These two lines compare whether the value of RAX is 0; if RAX is 0, execution jumps to the address pointed to by <code class=\"language-text\">je</code>.<sup id=\"fnref-2\"><a href=\"#fn-2\" class=\"footnote-ref\">2</a></sup></p>\n<p>First, the test instruction performs an AND operation on its two operands and rewrites the flag register based on the result.</p>\n<p>When the instruction <code class=\"language-text\">test    rax, rax</code> is executed, if RAX is 0 then the zero flag (ZF) in the flag register becomes 1; otherwise it becomes 0.</p>\n<p>The following <code class=\"language-text\">je</code> is an instruction that jumps to the specified address when the zero flag (ZF) is 1, so in this case the branch means that if the return value of the fgets function is 0 (= if receiving input with fgets failed), execution moves to the instruction at 0x140001a8b.</p>\n<p>With that in mind, let’s take a look at Binary Ninja’s Graph view.</p>\n<p>If execution jumps 
to the instruction at 0x140001a8b through this conditional branch, the string <code class=\"language-text\">Good Bye</code> is printed and the program then terminates via the exit function.</p>\n<p><img src=\"/static/354e05a461d7f1d66d32d54cc04e94b7/d9199/client-binaryninja-008.png\" alt=\"The first conditional branch in the main function\" title=\"The first conditional branch in the main function\" /></p>\n<p>In other words, we have learned that this conditional branch checks whether receiving input with fgets succeeded, and terminates the program if it failed.</p>\n<p>When analyzing program behavior, one important point is to focus on conditional branches and on the behavior before and after them, and to work out which conditions cause which processing to run.</p>\n<h2 id=\"read-loops\">Read Loops</h2>\n<p>Next, let’s read the processing that runs after fgets successfully receives the input value, in other words the code from 0x14000194b onward.</p>\n<p>Binary Ninja’s Graph view is shown below.</p>\n<p><img src=\"/static/f4adc66ac12339cb85341363d16a25b8/d9199/client-binaryninja-009.png\" alt=\"Validation of the input string\" title=\"Validation of the input string\" /></p>\n<p>First, at 0x14000194b, <code class=\"language-text\">lea     rcx, [rsp+0x40 {var_48}]</code> stores the address <code 
class=\"language-text\">RSP+0x40</code> in the RCX register.</p>\n<p>As we already confirmed, the stack area pointed to by the address <code class=\"language-text\">RSP+0x40</code> stores the input value received by the fgets function.</p>\n<p>For that reason, analysis will probably go more smoothly if you rename the local variable var_48 to something like inputText.</p>\n<p>The following instructions execute the first loop in this function.</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">14000194b  lea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {inputText}<span class=\"token operator\">]</span>\n<span class=\"token number\">140001950</span>  or      <span class=\"token register variable\">rax</span>, <span class=\"token number\">0xffffffffffffffff</span>\n\n<span class=\"token operator\">/</span><span class=\"token operator\">/</span> loop body follows\n<span class=\"token number\">140001954</span>  inc     <span class=\"token register variable\">rax</span>\n<span class=\"token number\">140001957</span>  cmp     byte <span class=\"token operator\">[</span><span class=\"token register variable\">rcx</span><span class=\"token operator\">+</span><span class=\"token register variable\">rax</span><span class=\"token operator\">]</span>, dil {inputText}\n14000195b  jne     <span class=\"token number\">0x140001954</span></code></pre></div>\n<p>This assembly code may look a little tricky, but the following loop processing is taking place here.</p>\n<ol>\n<li>First, the loop counter effectively starts at 0. 
(ORing RAX with <code class=\"language-text\">0xffffffffffffffff</code> sets it to -1, so after the first <code class=\"language-text\">inc</code> the counter is 0 when the comparison runs.)</li>\n<li>Next, the <code class=\"language-text\">cmp</code> instruction compares whether the value at <code class=\"language-text\">RCX+RAX</code>, in other words <code class=\"language-text\">inputText[i]</code>, matches the value in dil (NULL here, since EDI was cleared by <code class=\"language-text\">xor     edi, edi</code> earlier).</li>\n<li>If <code class=\"language-text\">inputText[i]</code> does not match the value in dil, execution jumps back to 0x140001954, which increments the value in the RAX register, and the comparison repeats.</li>\n</ol>\n<p>In this loop, RAX continues to be incremented until <code class=\"language-text\">inputText[i]</code> becomes a NULL character.</p>\n<p>In other words, after this loop finishes, RAX will contain a value equal to “the size of the input received by fgets + 1” (the characters typed plus the trailing newline that fgets keeps).</p>\n<p>Now that we can read the code up to this point, let’s look once again at the assembly code including the processing that follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">14000194b  lea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {inputText}<span class=\"token operator\">]</span>\n<span class=\"token number\">140001950</span>  or      <span class=\"token register variable\">rax</span>, <span class=\"token number\">0xffffffffffffffff</span>\n\n<span class=\"token operator\">/</span><span class=\"token operator\">/</span> start of the loop\n<span class=\"token number\">140001954</span>  inc     <span class=\"token register variable\">rax</span>\n<span class=\"token number\">140001957</span>  cmp     byte <span class=\"token operator\">[</span><span class=\"token register variable\">rcx</span><span class=\"token operator\">+</span><span class=\"token 
register variable\">rax</span><span class=\"token operator\">]</span>, dil {inputText}\n14000195b  jne     <span class=\"token number\">0x140001954</span>\n\n<span class=\"token operator\">/</span><span class=\"token operator\">/</span> <span class=\"token register variable\">RAX</span> now holds “the size of the input received by fgets <span class=\"token operator\">+</span> <span class=\"token number\">1</span>”\n<span class=\"token number\">14000195d</span>  dec     <span class=\"token register variable\">rax</span>\n<span class=\"token number\">140001960</span>  cmp     <span class=\"token register variable\">rax</span>, <span class=\"token number\">0x2f</span>\n<span class=\"token number\">140001964</span>  jae     <span class=\"token number\">0x140001aa0</span>\n\n14000196a  mov     byte <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token register variable\">rax</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {inputText}<span class=\"token operator\">]</span>, dil  {<span class=\"token number\">0x0</span>}</code></pre></div>\n<p>Once you understand that the processing from 0x140001954 to 0x14000195b keeps incrementing RAX until it becomes a value equal to “the size of the input received by fgets + 1,” it should also make sense that this sequence can be expressed as the following simple code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">inputText<span class=\"token punctuation\">[</span><span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>inputText<span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>This code replaces the last byte of the input received by fgets with a 
NULL character.</p>\n<p>In other words, it removes the newline character from the input received by fgets.</p>\n<p>Incidentally, if you change Binary Ninja’s analysis mode to Decompile (Pseudo C), this sequence of code is replaced by the following pseudocode containing a loop.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"> <span class=\"token keyword\">do</span>\n <span class=\"token punctuation\">{</span>\n     i <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint8_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>inputText <span class=\"token operator\">+</span> i<span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>i <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">>=</span> <span class=\"token number\">0x2f</span><span class=\"token punctuation\">)</span>\n <span class=\"token punctuation\">{</span>\n     <span class=\"token function\">_lockexit</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n     <span class=\"token function\">breakpoint</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n <span class=\"token punctuation\">}</span>\n <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint8_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>inputText <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>You can also see that a similar structure appears in the code executed immediately afterward, from 0x14000196a to 0x140001985.</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">14000196a  mov     byte <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token register variable\">rax</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {inputText}<span class=\"token operator\">]</span>, dil  {<span class=\"token number\">0x0</span>}\n14000196f  lea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {inputText}<span class=\"token operator\">]</span>\n<span class=\"token number\">140001974</span>  or      <span class=\"token register variable\">rax</span>, <span class=\"token 
number\">0xffffffffffffffff</span>\n\n<span class=\"token number\">140001978</span>  inc     <span class=\"token register variable\">rax</span>\n14000197b  cmp     byte <span class=\"token operator\">[</span><span class=\"token register variable\">rcx</span><span class=\"token operator\">+</span><span class=\"token register variable\">rax</span><span class=\"token operator\">]</span>, dil {inputText}\n14000197f  jne     <span class=\"token number\">0x140001978</span>\n\n<span class=\"token number\">140001981</span>  cmp     <span class=\"token register variable\">rax</span>, <span class=\"token number\">0x2d</span>\n<span class=\"token number\">140001985</span>  jne     <span class=\"token number\">0x140001a76</span>\n\n14000198b  lea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {inputText}<span class=\"token operator\">]</span>\n<span class=\"token number\">140001990</span>  call    sub_140001360</code></pre></div>\n<p>In the loop from 0x14000196a through 0x14000197f, the length of the string received by fgets (now without its trailing newline) is counted again, just as before.</p>\n<p>Then, in the code starting at 0x140001981, the program checks whether the length of the received string is 45 (0x2d) characters and branches on the result.</p>\n<h2 id=\"validate-the-input-string\">Validate the Input String</h2>\n<p>When the length of the input string is 45 characters, the <code class=\"language-text\">sub_140001360</code> function is called with the input string stored in the RCX register as its argument.</p>\n<p>If you inspect the surrounding code in Binary Ninja’s Graph view, you can see that the value in the RAX register, which stores the return value of <code class=\"language-text\">sub_140001360</code>, is checked with <code class=\"language-text\">test    eax, eax</code>, and that if RAX contains 0, the string <code class=\"language-text\">Password is Correct</code> is printed.</p>\n<p><img src=\"/static/795434840cef93e3e4fe15425970657d/9be90/client-binaryninja-010.png\" alt=\"Password validation\" title=\"Password validation\" /></p>\n<p>In other words, we can predict that <code class=\"language-text\">sub_140001360</code> is a function that validates the input string (password) received by fgets, and returns 0 when the password is correct.</p>\n<p>So, let’s rename <code class=\"language-text\">sub_140001360</code> to the checkPassword function and analyze it in more detail.</p>\n<p>If you double-click the <code class=\"language-text\">sub_140001360</code> function (the checkPassword function) in Binary Ninja’s Graph view, you can inspect the code of the target function.</p>\n<p>When you view the overall structure of the checkPassword function in Graph view, the processing branches in a complex way and at first glance does not seem easy to analyze.</p>\n<p><img src=\"/static/c207ed4c56c759f884b4882228d2e6ce/d9199/client-binaryninja-011.png\" alt=\"Graph view of the checkPassword function\" title=\"Graph view of the checkPassword function\" /></p>\n<p>Of course, if you are already comfortable analyzing disassembly results or decompiled pseudocode, you can easily analyze the detailed behavior of this seemingly complex code using static analysis alone.</p>\n<p>However, to make the analysis smoother, we will postpone the checkPassword function and perform dynamic analysis with a debugger in Chapter 4.</p>\n<p>For that reason, in this chapter we will skip analysis of the checkPassword function for now and continue with the static analysis of the main function.</p>\n<h2 id=\"load-the-kernel-driver\">Load the Kernel Driver</h2>\n<p>If validation of the input string succeeds in the checkPassword function, DoPClient prints the strings <code class=\"language-text\">Password is Correct</code> and <code class=\"language-text\">Clear Stage1</code> in sequence.</p>\n<p>From this, it seems that the first Flag is the correct password that allows you to pass the checkPassword function.</p>\n<p>Analysis of the checkPassword function and identification of the Flag are performed in Chapter 4.</p>\n<p>If you inspect the code after password validation succeeds in the checkPassword function, you can see that at 0x1400019b5 the <code 
class=\"language-text\">sub_140001148</code> function is executed, after which the program checks the value in the RAX register that stores the return value and performs a conditional branch.</p>\n<p><img src=\"/static/976745349ff64224433442499c3f3d66/d9199/client-binaryninja-012.png\" alt=\"Processing after password validation\" title=\"Processing after password validation\" /></p>\n<p>In the branch where the return value of <code class=\"language-text\">sub_140001148</code> is not NULL, the string <code class=\"language-text\">Driver loaded</code> is printed, while in the other branch <code class=\"language-text\">Driver load failed</code> is printed and the program then exits.</p>\n<p>From this, we can infer that <code class=\"language-text\">sub_140001148</code> is a function that loads a kernel driver into the system, and that if loading the driver succeeds it is very likely to return a non-NULL value.</p>\n<p>For that reason, rename <code class=\"language-text\">sub_140001148</code> to something like loadDriver.</p>\n<p>Although it is not especially necessary to understand the detailed implementation of the loadDriver function in order to analyze DoPClient and DoPDriver and obtain the Flags, we will take a quick look at it by referring to Binary Ninja’s decompilation result.</p>\n<p>Below is an excerpt from the decompiled result of the loadDriver function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">SC_HANDLE <span class=\"token function\">loadDriver</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">void</span> var_4a8<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int64_t</span> rax_1 <span class=\"token 
operator\">=</span> <span class=\"token punctuation\">(</span>__security_cookie <span class=\"token operator\">^</span> <span class=\"token operator\">&amp;</span>var_4a8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    SC_HANDLE rax_2 <span class=\"token operator\">=</span> <span class=\"token function\">OpenSCManagerW</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> nullptr<span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token comment\">/* omitted */</span>\n\n    <span class=\"token keyword\">void</span> var_438<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">uint32_t</span> rax_4<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int64_t</span> rdx_2<span class=\"token punctuation\">;</span>\n    rax_4 <span class=\"token operator\">=</span> <span class=\"token function\">GetModuleFileNameA</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>var_438<span class=\"token punctuation\">,</span> <span class=\"token number\">0x104</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token comment\">/* omitted */</span>\n\n    <span class=\"token keyword\">char</span><span class=\"token operator\">*</span> rax_5 <span class=\"token operator\">=</span> <span class=\"token function\">strrchr</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>var_438<span class=\"token punctuation\">,</span> <span class=\"token number\">0x5c</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token comment\">/* omitted */</span>\n\n    <span class=\"token 
keyword\">enum</span> <span class=\"token class-name\">ENUM_SERVICE_TYPE</span> var_488 <span class=\"token operator\">=</span> <span class=\"token number\">0x40003390</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">void</span> lpBinaryPathName<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">sub_14000105c</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>lpBinaryPathName<span class=\"token punctuation\">,</span> <span class=\"token number\">0x208</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"%s\\%s\"</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>var_438<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    SC_HANDLE hSCObject <span class=\"token operator\">=</span> <span class=\"token function\">OpenServiceA</span><span class=\"token punctuation\">(</span>rax_2<span class=\"token punctuation\">,</span> <span class=\"token string\">\"DoPDriver\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf003f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token comment\">/* omitted */</span>\n\n    PSTR var_468<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">__builtin_memset</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>var_468<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token class-name\">uint32_t</span><span class=\"token operator\">*</span> lpdwTagId<span class=\"token punctuation\">;</span>\n    PSTR lpDependencies<span class=\"token punctuation\">;</span>\n    
PSTR lpServiceStartName<span class=\"token punctuation\">;</span>\n    PSTR lpPassword<span class=\"token punctuation\">;</span>\n    SC_HANDLE rax_6 <span class=\"token operator\">=</span> <span class=\"token function\">CreateServiceA</span><span class=\"token punctuation\">(</span>rax_2<span class=\"token punctuation\">,</span> <span class=\"token string\">\"DoPDriver\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"DoPDriver\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x10030</span><span class=\"token punctuation\">,</span> SERVICE_KERNEL_DRIVER<span class=\"token punctuation\">,</span> SERVICE_DEMAND_START<span class=\"token punctuation\">,</span> SERVICE_ERROR_IGNORE<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>lpBinaryPathName<span class=\"token punctuation\">,</span> var_468<span class=\"token punctuation\">,</span> lpdwTagId<span class=\"token punctuation\">,</span> lpDependencies<span class=\"token punctuation\">,</span> lpServiceStartName<span class=\"token punctuation\">,</span> lpPassword<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token comment\">/* omitted */</span>\n    \n    BOOL rax_8<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int64_t</span> rdx_4<span class=\"token punctuation\">;</span>\n    rax_8 <span class=\"token operator\">=</span> <span class=\"token function\">StartServiceW</span><span class=\"token punctuation\">(</span>rax_6<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rax_8 <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token 
punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Service started successfully\\n\"</span><span class=\"token punctuation\">,</span> rdx_4<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">CloseServiceHandle</span><span class=\"token punctuation\">(</span>rax_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">__security_check_cookie</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>rax_1 <span class=\"token operator\">^</span> <span class=\"token operator\">&amp;</span>var_4a8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> rax_6<span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"StartService failed (%d)\\n\"</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token function\">GetLastError</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token comment\">/* omitted */</span>\n\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Some functions still have unclear details, but it appears that <code class=\"language-text\">OpenSCManager</code> <sup id=\"fnref-3\"><a 
href=\"#fn-3\" class=\"footnote-ref\">3</a></sup> obtains a handle (<code class=\"language-text\">SC_HANDLE rax_2</code>) to the service control manager database, and that <code class=\"language-text\">OpenService</code> <sup id=\"fnref-4\"><a href=\"#fn-4\" class=\"footnote-ref\">4</a></sup> and <code class=\"language-text\">CreateService</code> <sup id=\"fnref-5\"><a href=\"#fn-5\" class=\"footnote-ref\">5</a></sup> are used to register a service named DoPDriver.</p>\n<p>When loading a kernel driver into a Windows system, the <code class=\"language-text\">CreateService</code> API is used just as it is for user-mode services <sup id=\"fnref-6\"><a href=\"#fn-6\" class=\"footnote-ref\">6</a></sup>, so this function is probably registering the <code class=\"language-text\">DoPDriver.sys</code> file as a service named DoPDriver.</p>\n<p>For detailed information about kernel driver implementation and loading, books such as “Windows Kernel Programming, Second Edition” <sup id=\"fnref-6\"><a href=\"#fn-6\" class=\"footnote-ref\">6</a></sup> are useful references.</p>\n<p>The handle to the registered service obtained as the return value of the CreateService function (<code class=\"language-text\">SC_HANDLE rax_6</code>) is passed as an argument to the <code class=\"language-text\">StartServiceW</code> function <sup id=\"fnref-7\"><a href=\"#fn-7\" class=\"footnote-ref\">7</a></sup>, and when starting the DoPDriver service succeeds, the service handle is returned as the return value.</p>\n<h2 id=\"access-the-driver-object\" style=\"position:relative;\"><a href=\"#access-the-driver-object\" aria-label=\"access the driver object permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Access the Driver Object</h2>\n<p>The code below is executed after DoPDriver has been loaded successfully.</p>\n<p><a href=\"/static/d0ea3865364972c9f21cb3303fb051e0/91608/client-binaryninja-013.png\" target=\"_blank\" rel=\"noopener\"><img src=\"/static/d0ea3865364972c9f21cb3303fb051e0/d9199/client-binaryninja-013.png\" alt=\"Processing after loading the driver\" title=\"Processing after loading the driver\"></a></p>\n<p>At 0x140001a06, the <code class=\"language-text\">CreateFileW</code> function <sup id=\"fnref-8\"><a href=\"#fn-8\" class=\"footnote-ref\">8</a></sup> is executed with the path <code class=\"language-text\">\\\\.\\DoPDriver</code> and several other values as arguments.</p>\n<p>The <code class=\"language-text\">CreateFileW</code> function takes the following values as arguments and returns a handle to the specified file or device.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">HANDLE <span class=\"token function\">CreateFileW</span><span class=\"token punctuation\">(</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>           LPCWSTR               lpFileName<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>           DWORD                 dwDesiredAccess<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>           DWORD                 dwShareMode<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">,</span> optional<span class=\"token punctuation\">]</span> LPSECURITY_ATTRIBUTES lpSecurityAttributes<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>           DWORD                 dwCreationDisposition<span 
class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>           DWORD                 dwFlagsAndAttributes<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">,</span> optional<span class=\"token punctuation\">]</span> HANDLE                hTemplateFile\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>A user-mode process on Windows cannot access the device object of a kernel driver directly.</p>\n<p>For that reason, when it is necessary to allow an application running in user mode to access a kernel driver, the kernel driver creates a symbolic link in the <code class=\"language-text\">\\GLOBAL\\??</code> directory and links it to the name of the device object in the <code class=\"language-text\">\\Device</code> directory.<sup id=\"fnref-9\"><a href=\"#fn-9\" class=\"footnote-ref\">9</a></sup></p>\n<p>You can confirm that a kernel driver has registered a symbolic link for its driver object in the <code class=\"language-text\">\\GLOBAL\\??</code> directory by using a tool such as WinObj.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 659px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/124060f0de7cea770cf4bc0440d95b7d/6db71/winobj-view-001.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 48.33333333333333%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABJ0lEQVQoz6VSy07DMBDMl/MR/AZfwJUrCCF6AKU9gETIw4nzUhO7sTPsLrhKG1VCqqXR7CMZz24S1UqhqjSKvCCuoCgPccibpsF/T6SbCmmWoCgUyrKEIq7rWuJpcvDzTDzBGAtrLbERds4T3ApR2yXQrRaR/TCgaztxxDkzYxxHEVnCey+Y6cIAziNTb5Amn+SowkCC3AiHRbfbWNyzSN/30LQeMxrpOzfJMxVNo4nZdTTqZ8Rvr8gyha7rZLwgGtyF23kk7nPMh+uOcq5xj/PI9h+oi3fYgz86OxeUGuaT5S8nOfkofqIxvh5QqOb3tb99rAQXuwr985o4nMYM6vsFuWppT+aywwuOVg5ts0Gf7nDYt/KLXC3Y5k+4uXvE7X183NQ1gj/29wthJGyCAwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/124060f0de7cea770cf4bc0440d95b7d/8ac56/winobj-view-001.webp 240w,\n/static/124060f0de7cea770cf4bc0440d95b7d/d3be9/winobj-view-001.webp 480w,\n/static/124060f0de7cea770cf4bc0440d95b7d/d2334/winobj-view-001.webp 659w\"\n              sizes=\"(max-width: 659px) 100vw, 659px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/124060f0de7cea770cf4bc0440d95b7d/8ff5a/winobj-view-001.png 240w,\n/static/124060f0de7cea770cf4bc0440d95b7d/e85cb/winobj-view-001.png 480w,\n/static/124060f0de7cea770cf4bc0440d95b7d/6db71/winobj-view-001.png 659w\"\n            sizes=\"(max-width: 659px) 100vw, 659px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/124060f0de7cea770cf4bc0440d95b7d/6db71/winobj-view-001.png\"\n            alt=\"Symbolic link for the DoPDriver object\"\n            title=\"Symbolic link for the DoPDriver object\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In a user-mode program, access to the kernel driver becomes possible by using this symbolic link with the CreateFileW function to obtain a handle to the driver object.</p>\n<p>When 
specifying a symbolic link to a device object in the CreateFileW function, you need to add the prefix <code class=\"language-text\">\\\\.\\</code> as in <code class=\"language-text\">\\\\.\\DoPDriver</code> so that the I/O manager does not mistake it for a file named DoPDriver in the current folder.<sup id=\"fnref-10\"><a href=\"#fn-10\" class=\"footnote-ref\">10</a></sup></p>\n<p>The code executed after obtaining a handle to DoPDriver with the CreateFileW function is shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">call    qword <span class=\"token operator\">[</span>rel CreateFileW<span class=\"token operator\">]</span>\nmov     <span class=\"token register variable\">rdi</span>, <span class=\"token register variable\">rax</span>\ncmp     <span class=\"token register variable\">rax</span>, <span class=\"token number\">0xffffffffffffffff</span>\nje      <span class=\"token number\">0x140001a28</span>\n\nlea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span>rel data_140003760<span class=\"token operator\">]</span>  {<span class=\"token string\">\"Please input key to close.\\n\"</span>}\ncall    printf\ncall    _getch\n\nmov     <span class=\"token register variable\">rcx</span>, <span class=\"token register variable\">rdi</span>\ncall    qword <span class=\"token operator\">[</span>rel CloseHandle<span class=\"token operator\">]</span>\n\n{omitted}</code></pre></div>\n<p>Immediately after the call, the returned handle in <code class=\"language-text\">rax</code> is compared with <code class=\"language-text\">0xffffffffffffffff</code> (<code class=\"language-text\">INVALID_HANDLE_VALUE</code>, the failure return value of CreateFileW), and if they match, execution jumps to the error path at 0x140001a28.</p>\n<p>Otherwise, after printing the string <code class=\"language-text\">Please input key to close</code>, the program appears to wait for user input.</p>\n<p>Then, when it receives any input with the getch function, it closes the obtained handle, deletes the loaded kernel driver, and ends execution of the program.</p>\n<p>Because the handle obtained through the CreateFileW function is not used for anything other than being closed, it seems that we will need to analyze DoPDriver in order to obtain the second 
Flag.</p>\n<p>Analysis of DoPDriver is covered in Chapters 5 and 6.</p>\n<h2 id=\"summary-of-chapter-3\" style=\"position:relative;\"><a href=\"#summary-of-chapter-3\" aria-label=\"summary of chapter 3 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary of Chapter 3</h2>\n<p>In Chapter 3, we performed static analysis of DoPClient, which is a user-mode program.</p>\n<p>From the result of disassembling the program with Binary Ninja, we confirmed that DoPClient behaves as follows.</p>\n<ol>\n<li>It receives a password string from standard input with the fgets function.</li>\n<li>It verifies that the input string is 45 characters long.</li>\n<li>It validates the input password string with the checkPassword function (<code class=\"language-text\">sub_140001360</code>). 
At this point, the correct password that passes validation by checkPassword appears to be the first Flag.</li>\n<li>If the correct password is entered, it loads <code class=\"language-text\">DoPDriver.sys</code> into the system as a kernel driver.</li>\n<li>It obtains a handle to DoPDriver’s driver object with the CreateFileW function.</li>\n<li>It waits for arbitrary input from the user and then exits.</li>\n</ol>\n<p>In Chapter 4, we will use WinDbg to dynamically analyze the behavior of the checkPassword function and identify the correct password that becomes the first Flag.</p>\n<h2 id=\"links-to-each-chapter\" style=\"position:relative;\"><a href=\"#links-to-each-chapter\" aria-label=\"links to each chapter permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Links to Each Chapter</h2>\n<ul>\n<li><a href=\"/magical-windbg-vol2-00-en\">Preface</a></li>\n<li><a href=\"/magical-windbg-vol2-01-en\">Chapter 1: Environment Setup</a></li>\n<li><a href=\"/magical-windbg-vol2-02-en\">Chapter 2: Surface Analysis of DoPClient and DoPDriver</a></li>\n<li><a href=\"/magical-windbg-vol2-03-en\">Chapter 3: Static Analysis of DoPClient</a></li>\n<li><a href=\"/magical-windbg-vol2-04-en\">Chapter 4: Dynamic Analysis of DoPClient</a></li>\n<li><a href=\"/magical-windbg-vol2-05-en\">Chapter 5: Static Analysis of DoPDriver</a></li>\n<li><a href=\"/magical-windbg-vol2-06-en\">Chapter 6: Dynamic Analysis of DoPDriver</a></li>\n</ul>\n<div class=\"footnotes\">\n<hr>\n<ol>\n<li id=\"fn-1\">\n<p>実践バイナリ解析 
バイナリ計装、解析、逆アセンブリのためのLinuxツールの作り方 (Japanese edition of Practical Binary Analysis; Dennis Andriesse, Japanese translation by 株式会社クイープ and 遠藤美代子 / KADOKAWA / 2022)</p>\n<a href=\"#fnref-1\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-2\">\n<p>詳解セキュリティコンテスト CTF で学ぶ脆弱性攻略の技術, p. 375 (梅内 翼, 清水 祐太郎, 藤原 裕大, 前田 優人, 米内 貴志, 渡部 裕 / Mynavi Publishing / 2021)</p>\n<a href=\"#fnref-2\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-3\">\n<p>OpenSCManagerW function <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/winsvc/nf-winsvc-openscmanagerw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/winsvc/nf-winsvc-openscmanagerw</a></p>\n<a href=\"#fnref-3\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-4\">\n<p>OpenServiceA function <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/winsvc/nf-winsvc-openservicea\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/winsvc/nf-winsvc-openservicea</a></p>\n<a href=\"#fnref-4\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-5\">\n<p>CreateServiceA function <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/winsvc/nf-winsvc-createservicea\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/winsvc/nf-winsvc-createservicea</a></p>\n<a href=\"#fnref-5\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-6\">\n<p>Windows Kernel Programming, Second Edition, p. 27 (Pavel Yosifovich / Independently published / 2023)</p>\n<a href=\"#fnref-6\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-7\">\n<p>StartServiceW function <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/winsvc/nf-winsvc-startservicew\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/winsvc/nf-winsvc-startservicew</a></p>\n<a href=\"#fnref-7\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-8\">\n<p>CreateFileW function <a 
href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fileapi/nf-fileapi-createfilew\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fileapi/nf-fileapi-createfilew</a></p>\n<a href=\"#fnref-8\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-9\">\n<p>インサイド Windows 第 7 版 上, p. 558 (Japanese edition of Windows Internals, Seventh Edition, Part 1; Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, David A. Solomon, Japanese translation by 山内 和朗 / Nikkei BP / 2018)</p>\n<a href=\"#fnref-9\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-10\">\n<p>Windows Kernel Programming, Second Edition, p. 52 (Pavel Yosifovich / Independently published / 2023)</p>\n<a href=\"#fnref-10\" class=\"footnote-backref\">↩</a>\n</li>\n</ol>\n</div>","fields":{"slug":"/magical-windbg-vol2-03-en","tagSlugs":["/tag/magical-win-dbg/","/tag/windows/","/tag/win-dbg/","/tag/english/"]},"frontmatter":{"date":"2024-05-26","description":"This is the web edition of Magical WinDbg 2 - Learn User-Mode & Kernel Debugging Through CTFs -, distributed at Tech Book Fest 16.","tags":["Magical WinDbg","Windows","WinDbg","English"],"title":"Magical WinDbg VOL.2 [Chapter 3: Static Analysis of DoPClient]","socialImage":{"publicURL":"/static/e9bfc3718fd53ab58623a496fc9a302e/magical-windbg-vol2.png"}}}},"pageContext":{"slug":"/magical-windbg-vol2-03-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}