{"componentChunkName":"component---src-templates-post-template-js","path":"/magical-windbg-vol2-04-en","result":{"data":{"markdownRemark":{"id":"44e3410d-415a-5963-8929-86001cfd356c","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/magical-windbg-vol2-04\">original page</a>.</p>\n</blockquote>\n<p>In this chapter, we dynamically analyze DoPClient’s <code class=\"language-text\">checkPassword</code> function with WinDbg to identify the first Flag.</p>\n<p>Dynamic analysis is a technique that analyzes a program based on its behavior when it actually runs, along with information such as memory and registers.</p>\n<p>This includes not only suspending program execution with a debugger such as WinDbg and analyzing it while inspecting (or modifying) memory and registers, but also collecting process monitor logs or network traces while the program is running.</p>\n<p>In this book, we primarily use WinDbg for analysis.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#run-the-program-in-windbg-and-set-breakpoints\">Run the Program in WinDbg and Set Breakpoints</a></li>\n<li><a href=\"#read-register-stack-and-memory-information\">Read Register, Stack, and Memory Information</a></li>\n<li><a href=\"#resume-program-execution-in-the-debugger\">Resume Program Execution in the Debugger</a></li>\n<li><a href=\"#statically-analyze-the-checkpassword-function\">Statically Analyze the checkPassword Function</a></li>\n<li><a href=\"#dynamically-analyze-the-checkpassword-function\">Dynamically Analyze the checkPassword Function</a></li>\n<li><a href=\"#analyze-the-behavior-when-entering-the-correct-string\">Analyze the Behavior When Entering the Correct String</a></li>\n<li><a href=\"#use-javascript-based-debugger-scripts\">Use JavaScript-based Debugger Scripts</a></li>\n<li><a href=\"#automate-debugger-operations-with-a-script\">Automate Debugger Operations with a Script</a></li>\n<li><a href=\"#identify-the-correct-flag-by-brute-force\">Identify the Correct Flag by Brute Force</a></li>\n<li><a href=\"#speed-up-the-brute-force-script\">Speed Up the Brute-force Script</a></li>\n<li><a href=\"#chapter-4-summary\">Chapter 4 Summary</a></li>\n<li><a href=\"#links-to-each-chapter\">Links to Each Chapter</a></li>\n</ul>\n<h2 id=\"run-the-program-in-windbg-and-set-breakpoints\" style=\"position:relative;\"><a href=\"#run-the-program-in-windbg-and-set-breakpoints\" aria-label=\"run the program in windbg and set breakpoints permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Run the Program in WinDbg and Set Breakpoints</h2>\n<p>Generally, when debugging a user-mode program with a debugger such as WinDbg, you either run the program under the debugger or attach the debugger to a process that is already running.</p>\n<p>This time, we will analyze it by running the program under the debugger.</p>\n<p>After launching WinDbg in the virtual machine where you placed <code class=\"language-text\">DoPClient.exe</code>, click [File] > [Start Debugging], then click [Launch executable(advanced)].</p>\n<p>In the [Executable] field, specify the path to <code class=\"language-text\">DoPClient.exe</code> placed in the virtual machine.</p>\n<p>Also, specify the program’s working folder in [Start Directory].</p>\n<p>For identifying the first Flag this time, setting [Start Directory] is not necessary, but depending on how the target program is implemented, you may need to set [Start Directory] properly to the program’s working folder.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/44a4531762bd9ccb381af93771fd11de/6bfd0/client-windbg-001.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 66.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACDklEQVQ4y31Ty24TQRDchIAQSBAkTnwBEhInDvyi4we2QziB/SlBcCCHRCEWjo2f+5rZ9b7Xa5+L7rEnsdbAodQ7Mz011V29xvtOF++6Xbz9/AVDx8V6uUSxWmFFWK/XCvxdFIXCanu2h+258fLsI16ctvG8fYqr8Rj2bIbReILBYEgYYDKdIk1T5HmukGUZMlqruMXuufHq0xlek7o3nQ76to3A87BYLFRiFEUqOY5juKTe9zf7S6qiDM4JggCGcXKCZ80WjlstXJoCfpBASglBSNXlAmEYwXEceihARiqK4r4Fug1JkmwID6s1HLfbePKhjm8jgYt+hPMrk2Dh/HKO7z0fN5NYqWV1TJCTIl2iBj/MMA6qVTxtNnFUq+Gn5WI+l7j+9Ru92wlGMwcyyOF6ESzTVAqjOFVtYFXlslUPD4nocaOBA1I6FDOkgQfLMiGFiySOsFrmFGM4QsJxXRV5rQlY9a5SwyCFRqWCw1odt/YYCRG6Qqh+6EtcbpJslGXZvaO8v/B96m8I284hhCYkYx7UGujNJogXTCiVMWyET46zg+XR4chGMMIwpBirvDuFDxtN/OjdQNoWJI0OEzL4wi6hJivHvZKZ8KJPhI5JI+PBo1J0sp7Hu8H+C6nGtuQKHtUb+DqeYi58eFLAJQN0H8uE5ZHZV0g9PCJTrucWQvobXHJYksp/Kfwf4R/415H4abHONgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/44a4531762bd9ccb381af93771fd11de/8ac56/client-windbg-001.webp 240w,\n/static/44a4531762bd9ccb381af93771fd11de/d3be9/client-windbg-001.webp 480w,\n/static/44a4531762bd9ccb381af93771fd11de/e46b2/client-windbg-001.webp 960w,\n/static/44a4531762bd9ccb381af93771fd11de/7ed23/client-windbg-001.webp 1011w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/44a4531762bd9ccb381af93771fd11de/8ff5a/client-windbg-001.png 240w,\n/static/44a4531762bd9ccb381af93771fd11de/e85cb/client-windbg-001.png 480w,\n/static/44a4531762bd9ccb381af93771fd11de/d9199/client-windbg-001.png 960w,\n/static/44a4531762bd9ccb381af93771fd11de/6bfd0/client-windbg-001.png 1011w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/44a4531762bd9ccb381af93771fd11de/d9199/client-windbg-001.png\"\n            alt=\"Launch DoPClient in WinDbg\"\n            title=\"Launch DoPClient in WinDbg\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After making the above settings, leave [Record with Time Travel Debugging] unchecked and click the [Debug] button. The program starts, and the debugger attaches to it.</p>\n<p>Time Travel Debugging (TTD) <sup id=\"fnref-1\"><a href=\"#fn-1\" class=\"footnote-ref\">1</a></sup> is a powerful feature that captures a trace of process execution so that you can freely inspect register and memory state during execution, but we do not use it in this book.</p>\n<p>When a user-mode application is started by the debugger, execution is paused while processing is still inside the image loader (Ldr) in <code class=\"language-text\">ntdll.dll</code>, which is a user-mode system DLL, and the debugger attaches at that point.<sup id=\"fnref-2\"><a href=\"#fn-2\" class=\"footnote-ref\">2</a></sup></p>\n<p>At this point, the code implemented inside the program’s <code class=\"language-text\">main</code> function has not yet run.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f370e5d59bc045603502660420830c0d/35252/client-windbg-002.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 51.25000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAB/ElEQVQoz42Sy4oaQRSGW4Mrb+hzuHMWI/gaE8gmmRnEleYdfIuErPIkMwtRAsIIaktrexm1qy/V3d7acbyMf6qOY8gmkIKfv+pAfXUupfzSBvj51ERtOIbr+TAcDtufwxZ7Z76AyT044my5HvzVmmLjGcOzwWDYHIy7YI4r9g5mlgOFOx72r1vYlgXuOJhMpmCMwRJn27Zp7/s+giCAXI1GA9mrK2SzWVznrpHL5ZDP55HJZFCpVKDMpgzc5XTZMk2YQp7nwRUvy9hms8Hx+CZ0JGC1WsWHcBjhd4VCIUQiESiKgmKxKDN04QrgfLEg0Gq1wuFwIJ1OJ1zWBViv1xGPx0mJRIKUSqUIWC6XoViibsYMKklmI7UQ8OVyCc45PbAO1hSX6+HhEbFYDNFolFwqmUwSsFQqQWGGCV3X0e/r6Ha7GAwGGA2H1LvxeEzORfnb7ZaAtVqNYP8EmqYtLo4wGo2gqiq0Xg96vy96aaHX00R8KLwPwzD+DzgTX6CnaQRqNp/QbrcFuIPpdIpWq0WPdDoqTf0CvPROgqSn0+n3Hn49ZyjLlGVrAix9MnmmLySzlpkZ4s95nvtnyvLy35LTll4oFKA4Ysq2nLS/xCp4wXqzRfCyw27/ht3hrP3hhNf9ecodVcPnL3dn3d4Lv8ftXQE3Hz/h2/cf+A3Lw1YBZFfE7wAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f370e5d59bc045603502660420830c0d/8ac56/client-windbg-002.webp 240w,\n/static/f370e5d59bc045603502660420830c0d/d3be9/client-windbg-002.webp 480w,\n/static/f370e5d59bc045603502660420830c0d/e46b2/client-windbg-002.webp 960w,\n/static/f370e5d59bc045603502660420830c0d/01875/client-windbg-002.webp 1204w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f370e5d59bc045603502660420830c0d/8ff5a/client-windbg-002.png 240w,\n/static/f370e5d59bc045603502660420830c0d/e85cb/client-windbg-002.png 480w,\n/static/f370e5d59bc045603502660420830c0d/d9199/client-windbg-002.png 960w,\n/static/f370e5d59bc045603502660420830c0d/35252/client-windbg-002.png 1204w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f370e5d59bc045603502660420830c0d/d9199/client-windbg-002.png\"\n            alt=\"Screen immediately after WinDbg starts debugging\"\n            title=\"Screen immediately after WinDbg starts debugging\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Before resuming program execution, set a breakpoint at the call site of the <code class=\"language-text\">checkPassword</code> function used for password validation that we examined in Chapter 3.</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">14000198b  lea     <span class=\"token register variable\">rcx</span>, <span class=\"token operator\">[</span><span class=\"token register variable\">rsp</span><span class=\"token operator\">+</span><span class=\"token number\">0x40</span> {inputText}<span class=\"token operator\">]</span>\n<span class=\"token number\">140001990</span>  call    checkPassword</code></pre></div>\n<p>When using WinDbg, breakpoints can be set in various ways <sup id=\"fnref-3\"><a href=\"#fn-3\" class=\"footnote-ref\">3</a></sup>, but this time we will simply use the <code class=\"language-text\">bp</code> command to set a breakpoint at the specified address.</p>\n<p>Most Windows programs are relocated at runtime, so the virtual address (VA) that can be specified when setting a breakpoint with the <code class=\"language-text\">bp</code> command changes each time.</p>\n<p>Therefore, when setting a breakpoint, it is more convenient not to specify the virtual address directly, but instead to specify the executable’s image base address plus the relative virtual address (RVA).</p>\n<p>For example, if you want to set a breakpoint at the address shown as <code class=\"language-text\">0x140001990</code> in Binary Ninja with default settings, specify the program’s image base address, accessible as <code class=\"language-text\">DoPClient</code> (or <code class=\"language-text\">!DoPClient</code>), plus the relative virtual address <code class=\"language-text\">0x1990</code>, as shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">bp DoPClient+0x1990</code></pre></div>\n<p>After setting the breakpoint with the command above and resuming execution with <code class=\"language-text\">g</code>, DoPClient displays the screen asking the user to enter a password.</p>\n<p>Then, as confirmed in Chapter 3, if you enter a 45-character string such as <code class=\"language-text\">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</code> and press Enter, execution stops again at the address <code class=\"language-text\">DoPClient+0x1990</code>, and you can confirm that debugger control is possible.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/09a0c0d27bae89e029da9941b2362179/60b8f/client-windbg-003.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAB/UlEQVQoz02QT0tiYRjFLxIEEaPbgiBXCYHTooVlrvoIwQS1aoppL7gZpS8wnyAHdfwMbodhmGmSqCYcLJ1S8981r3r/6L1qiMNvXm8OzAuH8zzP4rznHCn1M8OHL185z91TeqxSKNco1VQq9Rbluky1ofDUVqk3W7T1HlrXQuv1McwBhjWF+QJFNZAubjJ8Tv/g2/kZl1dXZH7dcHHZ4y4nC2TpqBqqrtHRNN5HIrzZ3eXw6Ih3x8e8FXw4xd7+PvFEAumxWOIhX+J3vk7hoUStWqXR0FGUNnK9jqqqtFstms0ma2uvkSSJmZkZHA6HPf+PYDCIdH//wO1tToi00DSdbreLYehCqCN2jdZUbHLf3t7G7XbjWVlhedmN1+tlcXERp8tpfxIOh5FkuUE+n6NSKSPLMuVyWYg/USwWxT2PrhuMRiPG4zEHBwesr6+ztbXF5uYmgUDA3l0ul+0wIiqxBa+vr8hms+RyedLpNBPXhUJBOL/DtCz+vZ2dHVZXV9nY8OHz+QRv4PF4cDpf2RWcnJy8CFZFbxN3iqLQ6XREZMOOOBwO6QvBSezx+A9+v5/Z2VmWlpbsqAsLC8zNzTE/P287DIVCSA25aXdlWX0G/QHPz882m6ZFr2cKNu15MBiSSqU4PY0Sj8eJxWICcRKJTySTSaLRj5x9P+MvOzrW2x6MYSwAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/09a0c0d27bae89e029da9941b2362179/8ac56/client-windbg-003.webp 240w,\n/static/09a0c0d27bae89e029da9941b2362179/d3be9/client-windbg-003.webp 480w,\n/static/09a0c0d27bae89e029da9941b2362179/e46b2/client-windbg-003.webp 960w,\n/static/09a0c0d27bae89e029da9941b2362179/ffb96/client-windbg-003.webp 1217w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/09a0c0d27bae89e029da9941b2362179/8ff5a/client-windbg-003.png 240w,\n/static/09a0c0d27bae89e029da9941b2362179/e85cb/client-windbg-003.png 480w,\n/static/09a0c0d27bae89e029da9941b2362179/d9199/client-windbg-003.png 960w,\n/static/09a0c0d27bae89e029da9941b2362179/60b8f/client-windbg-003.png 1217w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/09a0c0d27bae89e029da9941b2362179/d9199/client-windbg-003.png\"\n            alt=\"Set a breakpoint at the checkPassword call site\"\n            title=\"Set a breakpoint at the checkPassword call site\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>By the way, you can check the currently applied breakpoint settings with the <code class=\"language-text\">bl</code> command or in the Breakpoints window.</p>\n<p>Also, if you open WinDbg’s Disassembly window, the instruction currently being executed is marked in yellow, and the instruction set as a breakpoint is marked in red, so you can confirm the breakpoint there as well.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 593px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/831cbe19a2e8eb1e14f84a4a65e4dfc5/0b5b1/client-windbg-004.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 103.75000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAVCAYAAABG1c6oAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAERklEQVQ4y2VUaY/bVBTN7wJaxAckfgISPw61dDaoUJsZikZAP1A6DFKTOIkTx2s273biLYmdbQ7Hb9oZJBw9Oc/vvrucc+5tfNds4tvLJr6+OMdnL17g6dnZ/To/xxO+vzg9xZPTM7GePuxP8aU4P8XnJydifcX9Ny9fouF7HsIwhGPbcB0HRV6gXG+wKgpsywrHwwG7bYn9thJ7jza+6yL0AyzjBYosR7Up8elpyHIf3W4Phq6j1+9BN0xMJmMEAS8sE2FUvzflGnEUwTItTKcz2K4NL/JR7ktUuwp3d3f3Di3LhEEn89mMznTM5szUdSC+m6YwTNMCVVUhyzK4nos4jVHuSoSrCEEeYlkscTweUbtsDIcDDAZDRjYhD2RY4wnUkQJZHjDLUER17A2K1ZEOl3TowfFs+GmAA+H471MHb/S6XbTbHWjqCB2pA1XTYZoG5vM5HMcVl6IowXq9ZukLZm4hJBx5mcNObMyTObzEExmKkk1mpuvGfcnEscZnxv8py9vtdjQ5IlmW2GzumGHCIA4DRDjs9jzff0wNjxiqzExVNUGEoijMzoKuqRgOFRHojr9imWNbHbFYxBhPCImuQtZlBHHEcMeH7ETJEststdvEbYRWq0U8FfTJtqppJGIrDD1/CyoGabJEGIfwMg9u5mKxXpKUAKtq9ehQ50VFGWFaR1ZVwfJ0OkEUxw+R82WBXXVghhHtpvC9AA7t6vd6tUZZlo8OTcMQspnNptDofDqbw7bnlEr2wF4SUeR0mKaJwC8rMhQUfrXd/p/lriSh05HIsipK7vVlyCy51+tjPB7jSKPYXaJa7xD4HkbEd+JMEbg+ncfY7rfY7x8Jog6HxKx/r0NZFp1SS0ho0xoLoyioyyLbyUKwrFs6JE2CTT16iYs0z1B+bL9GrauaWZu6qyU0tx3BeH3x8BHDJGU/M4HNesXLKeJ1jKRMsNpxX6ai/R5KrsurMzR0Dd1elxkaxFIVLfbpCb2czvbsHJcwWGKYiCHh+RwmPNusHx32+wN2CEvVLEhdmXIZ06FJvdkssRD9mUcZ9iw5CBYYUrMKS3acAAvq897RIzENy5Cgq//Ankow1FuMrRZm1gcog/fQRrdsFOpsYWG7cpAuddgzkmXy3HjPDjJ5HuLuEDysxqDbxEB6Bmv0I3qtZxjJZzCUC9jjJvLFH4x5C3dyjSR8S7avoMoXMJWfMLcukYU8P9wA23dcf4lF2fTRbvUxGupofZAwkDUM+goU7qWOjEWcIfVzrNMdPDckHGxR4j3QRzDtGfJViSMJO+zuV0O7uUXr59eQLt9AuvoVPb7br5pov77Czck53n//HP3Lt+i/vsbo+jdob/9E5/oXfPj9Cn9fvsS7H55Dab6B/OoKA66GyoEw4iCYUD7DWoccXwZFrvH7mHJakcUlBVxw+kS+D5MTSTNG6A2J/VjjnMxw5FTas2sOXP8C4Wz4FgZLhc8AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/831cbe19a2e8eb1e14f84a4a65e4dfc5/8ac56/client-windbg-004.webp 240w,\n/static/831cbe19a2e8eb1e14f84a4a65e4dfc5/d3be9/client-windbg-004.webp 480w,\n/static/831cbe19a2e8eb1e14f84a4a65e4dfc5/ee627/client-windbg-004.webp 593w\"\n              sizes=\"(max-width: 593px) 100vw, 593px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/831cbe19a2e8eb1e14f84a4a65e4dfc5/8ff5a/client-windbg-004.png 240w,\n/static/831cbe19a2e8eb1e14f84a4a65e4dfc5/e85cb/client-windbg-004.png 480w,\n/static/831cbe19a2e8eb1e14f84a4a65e4dfc5/0b5b1/client-windbg-004.png 593w\"\n            sizes=\"(max-width: 593px) 100vw, 593px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/831cbe19a2e8eb1e14f84a4a65e4dfc5/0b5b1/client-windbg-004.png\"\n            alt=\"Inspect code around the breakpoint in the Disassembly window\"\n            title=\"Inspect code around the breakpoint in the Disassembly window\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As you can see from the actual analysis results, the disassembly shown in WinDbg’s Disassembly window and by commands such as <code class=\"language-text\">u</code> and <code class=\"language-text\">ub</code> is less readable than output from analysis tools such as Binary Ninja.</p>\n<p>For that reason, when debugging a program without symbols in WinDbg, I recommend using another analysis tool like the one used in Chapter 3 together with it.</p>\n<h2 id=\"read-register-stack-and-memory-information\" style=\"position:relative;\"><a href=\"#read-register-stack-and-memory-information\" aria-label=\"read register stack and memory information permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Read Register, Stack, and Memory Information</h2>\n<p>Now that we have set a breakpoint at the <code class=\"language-text\">checkPassword</code> call site in WinDbg, let’s briefly introduce how to inspect registers, the stack, and memory.</p>\n<p>First, register state can be inspected with the <code class=\"language-text\">r</code> command <sup id=\"fnref-4\"><a href=\"#fn-4\" class=\"footnote-ref\">4</a></sup>.</p>\n<p>When you run the <code class=\"language-text\">r</code> command, the register state associated with the current thread context is displayed.</p>\n<p>You can also inspect only a specific register or flag with commands such as <code class=\"language-text\">r rax</code> or <code class=\"language-text\">r zf</code>, or arbitrarily replace the value of a specific register with <code class=\"language-text\">r eax = 10</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> r\nrax=000000000000002d rbx=0000028219807970 rcx=00000087212ffa70\nrdx=00007fff7cc0f490 rsi=0000000000000000 rdi=0000000000000000\nrip=00007ff6dd091990 rsp=00000087212ffa30 <span class=\"token function\">rbp</span>=0000000000000000\n r8=000000000000002e  r9=0000028219812fd0 r10=0000000000000058\nr11=0000000000000246 r12=0000000000000000 r13=0000000000000000\nr14=0000000000000000 r15=0000000000000000\niopl=0         <span class=\"token function\">nv</span> up ei pl zr na po nc\ncs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246\nDoPClient+0x1990:\n00007ff6`dd091990 e8cbf9ffff      call    DoPClient+0x1360 <span class=\"token punctuation\">(</span>00007ff6`dd091360<span class=\"token punctuation\">)</span>\n\n0:000> r rax\nrax=000000000000002d</code></pre></div>\n<p>By the way, if you want to inspect register state associated with another thread context while debugging a user-mode program, you can run <code class=\"language-text\">~2 r</code> using the thread number, or use <code class=\"language-text\">~* r</code> to inspect the register state of all threads.</p>\n<p>Next, let’s inspect memory information at a specified address with the Display Memory (<code class=\"language-text\">d</code>, <code class=\"language-text\">da</code>, <code class=\"language-text\">db</code>, <code class=\"language-text\">dc</code>, <code class=\"language-text\">dd</code>, <code class=\"language-text\">dD</code>, <code class=\"language-text\">df</code>, <code class=\"language-text\">dp</code>, <code class=\"language-text\">dq</code>, <code class=\"language-text\">du</code>, <code class=\"language-text\">dw</code>) commands <sup id=\"fnref-5\"><a href=\"#fn-5\" class=\"footnote-ref\">5</a></sup>.</p>\n<p>As confirmed in Chapter 3, the input string received by <code class=\"language-text\">fgets</code> is stored in the stack area, and its starting address is <code class=\"language-text\">RSP+0x40</code>.</p>\n<p>Below is the output when the address <code class=\"language-text\">RSP+0x40</code> is inspected with various commands.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 657px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/13e85eb3b20b46a553316d0b808df55a/a1253/client-windbg-005.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 115.83333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAXCAYAAAALHW+jAAAACXBIWXMAAA7DAAAOwwHHb6hkAAADdElEQVQ4y3VVB3LiQBDU/7/k40w2YIIiQhJRiGRjGwdwKMNc98BS+K6OqqkRi7a3Z7pnseq1mtzc3IjvB9JqtaTf74vneWLbtniup98Hg4HmJOnLcrmU5+dn2Ww253h8fDyHZdsdcV1XhsMRQD2ZzWaSZVOZTo+xweanpydsBAjyy8uLAl6CfHx8yOfnp4blg43v+wCay3g8Vgb9JJE5gMko0xzrb2E3kDSd6rPjOKjABfOBHA4HMR+Li4wsm4HlUBbzuebRaKSb0mmmzBMc0ul0tJLVaqXBcsmOgCaUIXvGUnnyLMuk2+1KFEXSvL2VBL1rtZq61um0FdiU+fX1pfGToedqyePJROI4lglyEAQAHynIcHTMFKXX6ynz9/d32W63GrvdTr6/v2W/32u2bhsNqdfruqkNlakoQRncnKapPpO9ZqyNT3k6TbUSEmDwUKvRqEu1WpUwDMVFz7hIcLIhc+YAYvCZ6wGy5/na3yjqSafdBqGGNJtNkBmKVavdSLVSwcuh2Gg6FQ7DnpbPU30ExaC12GtVF5nfeUAcJ2qvxWIh9/f3AISpybB7YhiBkW07Z3M7jquArVb7+AxGbQTXyDaDiHNYbg53rJarC1HQI57IF3gagy+ZoAuY7+7u5OHhQYMGp5kpDINinQEnk1QtQX+xXPaO31nGer2WNTKfd9hERff7w1nZy7BYAksjAEsxTI0gVJGZvUpwUBh2ta+s4PX1VVlyHE1YXSjYQ/9Yar+fnEtivnw2TJeogLPNz+WEnCeFl4MDETh69BYnhSw5o7QQfcg8hD/pUbIf4XcD+PfHorK0wBQzyw1LlGKMTSD2M4piLd14lPn/DDGf9B8BeSmkAArRM3qRtugByDvdSFwjAYp1QvyXIfsXcmYBFqmysd4oHDuuUX1z+7AVzHTCdruTt7c3DYpjwuKPvLLMlURxzAFU12SWybLZljWEWuHe5PsUjbePyValUpZSsah/ARSnC0vkr68xCbbk83npwFLFQkFntVQqIbf0SjuOXawgVN2EznIFsxzgBfaKLVBAABUARI8WiwUFKpePgGTJfpq78QdgGacW8gUFo8mZf11d6cbcr5w0caX9zuWkhisun7/WmyUGECtiK0yp5z8pMxXj8eSoMnzngBV75jrH/wzaKkJ5/CtgmTP0nGKx35dTwvgDSU2BicS0IhsAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/13e85eb3b20b46a553316d0b808df55a/8ac56/client-windbg-005.webp 240w,\n/static/13e85eb3b20b46a553316d0b808df55a/d3be9/client-windbg-005.webp 480w,\n/static/13e85eb3b20b46a553316d0b808df55a/b9f96/client-windbg-005.webp 657w\"\n              sizes=\"(max-width: 657px) 100vw, 657px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/13e85eb3b20b46a553316d0b808df55a/8ff5a/client-windbg-005.png 240w,\n/static/13e85eb3b20b46a553316d0b808df55a/e85cb/client-windbg-005.png 480w,\n/static/13e85eb3b20b46a553316d0b808df55a/a1253/client-windbg-005.png 657w\"\n            sizes=\"(max-width: 657px) 100vw, 657px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/13e85eb3b20b46a553316d0b808df55a/a1253/client-windbg-005.png\"\n            alt=\"Inspect the memory address at RSP+0x40\"\n            title=\"Inspect the memory address at RSP+0x40\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In particular, if you run the command <code class=\"language-text\">da RSP+0x40</code>, which displays ASCII text at the specified address, you can confirm that the entered 45-character string has been obtained.</p>\n<p>If you run <code class=\"language-text\">du RSP+0x40</code>, the data at the specified address is interpreted as a Unicode string. (It becomes the character <code class=\"language-text\">0x4141</code> in UTF-16 encoding.)</p>\n<p>If memory contains Unicode text rather than ASCII text, use <code class=\"language-text\">du</code> instead of <code class=\"language-text\">da</code>.</p>\n<p>Note that this input string is written directly into the stack area.</p>\n<p>Values in the stack area can also be inspected with the Display Memory commands above, but for values stored on the stack, analysis is easier if they are read in units of the pointer size of the running architecture.</p>\n<p>Also, the stack area often contains pointer addresses to executable code.</p>\n<p>For that reason, when inspecting the stack area, the <code class=\"language-text\">dps</code> command <sup id=\"fnref-6\"><a href=\"#fn-6\" class=\"footnote-ref\">6</a></sup>, which displays values in memory in pointer-size units and shows symbol information when it can resolve them, is often useful.</p>\n<p>If you actually run the <code class=\"language-text\">dps rsp</code> command, you can confirm that the character <code class=\"language-text\">A(0x41)</code> is stored in the region starting at <code class=\"language-text\">RSP+0x40</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> dps rsp\n000000f9`7ecff6d0  00007ff6`0000000a\n000000f9`7ecff6d8  000002be`0c567970\n000000f9`7ecff6e0  00007fff`7cc0f490 ucrtbase!iob\n000000f9`7ecff6e8  00000000`00000000\n000000f9`7ecff6f0  00000000`00000002\n000000f9`7ecff6f8  00007fff`7cb41d56 ucrtbase!_set_new_mode+0x16\n000000f9`7ecff700  00000000`00000000\n000000f9`7ecff708  00000000`00000000\n000000f9`7ecff710  41414141`41414141\n000000f9`7ecff718  41414141`41414141\n000000f9`7ecff720  41414141`41414141\n000000f9`7ecff728  41414141`41414141\n000000f9`7ecff730  41414141`41414141\n000000f9`7ecff738  00000041`41414141\n000000f9`7ecff740  00008243`49734515\n000000f9`7ecff748  00000000`00000000</code></pre></div>\n<h2 id=\"resume-program-execution-in-the-debugger\" style=\"position:relative;\"><a href=\"#resume-program-execution-in-the-debugger\" aria-label=\"resume program execution in the debugger permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Resume Program Execution in the Debugger</h2>\n<p>Execution of the program paused at the configured breakpoint can be resumed with the <code class=\"language-text\">g</code> command <sup id=\"fnref-7\"><a href=\"#fn-7\" class=\"footnote-ref\">7</a></sup>.</p>\n<p>Also, step execution and trace execution correspond to the <code class=\"language-text\">p</code> command (or the F10 key) <sup id=\"fnref-8\"><a href=\"#fn-8\" class=\"footnote-ref\">8</a></sup> and the <code class=\"language-text\">t</code> command (or the F11 key) <sup id=\"fnref-9\"><a href=\"#fn-9\" class=\"footnote-ref\">9</a></sup>, respectively.</p>\n<p>The <code class=\"language-text\">p</code> command corresponds to the [Step Over] operation in the WinDbg GUI.</p>\n<p>So, for example, if you execute the <code class=\"language-text\">p</code> command on a line containing a <code class=\"language-text\">Call</code> instruction, execution advances to the instruction following that <code class=\"language-text\">Call</code>.</p>\n<p>On the other hand, the <code class=\"language-text\">t</code> command corresponds to [Step Into].</p>\n<p>If you execute it on a <code class=\"language-text\">Call</code> instruction line, unlike the <code class=\"language-text\">p</code> command, processing stops at the first address of the called function.</p>\n<p>In addition, it is useful to know how to use step and trace commands depending on the situation, such as <code class=\"language-text\">pa</code> and <code class=\"language-text\">ta</code>, which continue stepping or tracing until a specified address; <code class=\"language-text\">ph</code>, <code class=\"language-text\">th</code>, <code class=\"language-text\">pt</code>, and <code class=\"language-text\">tt</code>, which continue execution until the next branch or return instruction; and <code class=\"language-text\">pc</code> and <code class=\"language-text\">tc</code>, which continue execution until the next <code class=\"language-text\">Call</code> instruction.</p>\n<h2 id=\"statically-analyze-the-checkpassword-function\" style=\"position:relative;\"><a href=\"#statically-analyze-the-checkpassword-function\" aria-label=\"statically analyze the checkpassword function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Statically Analyze the checkPassword Function</h2>\n<p>Now that we have introduced the minimum debugger commands we need, it is finally time to analyze the <code class=\"language-text\">checkPassword</code> function and identify the Flag.</p>\n<p>First, following the same procedure as in Chapter 3, use Binary Ninja to navigate to the address of the <code class=\"language-text\">checkPassword</code> function and perform a static analysis.</p>\n<p>Then, instead of the Graph view, switch the display to the Linear view and inspect the decompiled pseudo code under [Pseudo C].</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 615px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3803bf8c1288f8d196e9cb900d35576f/f6b72/checkpassword-binaryninja-001.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 64.16666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABxklEQVQ4y5VS2XLbMAzU19SiTt4UqcNOlMSe6UxtzzTp/3/JFmDs1H2I0z6sSELEEotFcTwecT6f8fr6E7z/9faG8+mEw+GA/X7/3yhCCEgpYYwJcVowr88YdyvS8oBxmjDNE5btFt4Hgv8UzMNrUdc1tDMYlgQTHNquhzIWxjk4Oiut0DQtxTs0jLbLd5qWYoyupf8NmIdRlJsSfh7weHxBmAJEWcJaizAExDEixAFSa/TWQTpPq4UaInqlYIyGpjOTCyEyCv4opxF3I1WqUVUVNBEoSuDqrLOQSqKieyU9Jq64nMvLnvMYBQf8HLGe9kSaKLGCs+pDQkUQfPmy3ibf4hovRCmgvcX4tMAll4M1wVJftSUYA0+95JVl8iOfkV4IqWfJY/d9JWMGkiCQosfT44whRaSZ3Y/oqE+d7LMB/0zIprBka6mH1HBJBEyivCGS6qN31R3p75IDSV5nuOhIbp2TrergvEMvZY7V117eIXs3ZXNjyjbmYNs25LKksTB5hNj1r6T+VaEiA+LDCEuVsmRJVUmp8uAqo6gygc23zZdy/4zNRIP94xlxiflyHDyWeSR3PRkzYFomeBr0ru/ABdyr8DdezJtHnE+ZpwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3803bf8c1288f8d196e9cb900d35576f/8ac56/checkpassword-binaryninja-001.webp 240w,\n/static/3803bf8c1288f8d196e9cb900d35576f/d3be9/checkpassword-binaryninja-001.webp 480w,\n/static/3803bf8c1288f8d196e9cb900d35576f/26ec8/checkpassword-binaryninja-001.webp 615w\"\n              sizes=\"(max-width: 615px) 100vw, 615px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3803bf8c1288f8d196e9cb900d35576f/8ff5a/checkpassword-binaryninja-001.png 240w,\n/static/3803bf8c1288f8d196e9cb900d35576f/e85cb/checkpassword-binaryninja-001.png 480w,\n/static/3803bf8c1288f8d196e9cb900d35576f/f6b72/checkpassword-binaryninja-001.png 615w\"\n            sizes=\"(max-width: 615px) 100vw, 615px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3803bf8c1288f8d196e9cb900d35576f/f6b72/checkpassword-binaryninja-001.png\"\n            alt=\"Inspect the decompiled output of the checkPassword function in Binary Ninja\"\n            title=\"Inspect the decompiled output of the checkPassword function in Binary Ninja\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The code below extracts only the structural portions from that decompiled output.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token class-name\">int64_t</span> <span class=\"token function\">checkPassword</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span> arg1<span class=\"token punctuation\">)</span>\n\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">void</span> var_f8<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int64_t</span> rax_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>__security_cookie <span class=\"token operator\">^</span> <span class=\"token operator\">&amp;</span>var_f8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span><span class=\"token operator\">*</span> r10 <span class=\"token operator\">=</span> arg1<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int64_t</span> rax_2 <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">do</span>\n    <span class=\"token punctuation\">{</span>\n        rax_2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>rax_2 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>arg1<span class=\"token punctuation\">[</span>rax_2<span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int32_t</span> rcx <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rax_2 <span class=\"token operator\">!=</span> <span class=\"token number\">0x2d</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token comment\">/* no return */</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token class-name\">int32_t</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int128_t</span> var_d8<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> r11 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>var_d8<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">do</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token class-name\">uint64_t</span> rdx_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span><span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint8_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>r10<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">></span> <span class=\"token number\">0x16</span><span class=\"token punctuation\">)</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">></span> <span class=\"token number\">0x22</span><span class=\"token punctuation\">)</span>\n            <span class=\"token punctuation\">{</span>\n                <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">==</span> <span class=\"token number\">0x29</span><span class=\"token punctuation\">)</span>\n                <span class=\"token punctuation\">{</span>\n                    rcx <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>rdx_1 <span class=\"token operator\">+</span> <span class=\"token number\">0x5f6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                <span class=\"token punctuation\">}</span>\n                <span class=\"token keyword\">else</span> <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">==</span> <span class=\"token number\">0x2a</span><span class=\"token punctuation\">)</span>\n                <span class=\"token punctuation\">{</span>\n                    rcx <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>rdx_1 <span class=\"token operator\">*</span> <span class=\"token number\">0x21</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">0x23</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                <span class=\"token punctuation\">}</span>\n                <span class=\"token comment\">/* omitted */</span>\n                <span class=\"token keyword\">switch</span> <span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span>\n                <span class=\"token punctuation\">{</span>\n                    <span class=\"token keyword\">case</span> <span class=\"token number\">0x23</span><span class=\"token operator\">:</span>\n                    <span class=\"token punctuation\">{</span>\n                        rcx <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>rdx_1 <span class=\"token operator\">*</span> <span class=\"token number\">0x35</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">0xdab8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                        <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n                    <span class=\"token punctuation\">}</span>\n                    <span class=\"token comment\">/* omitted */</span>\n                <span class=\"token punctuation\">}</span>\n            <span class=\"token punctuation\">}</span>\n            <span class=\"token comment\">/* omitted */</span>\n        <span class=\"token punctuation\">}</span>\n\n        <span class=\"token comment\">/* omitted */</span>\n\n        <span class=\"token function\">__builtin_memcpy</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>var_d8<span class=\"token punctuation\">,</span> <span class=\"token string\">\"&lt;hardcoded byte sequence>\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rcx <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>r11<span class=\"token punctuation\">)</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Password is Wrong\\n\"</span><span class=\"token punctuation\">,</span> rdx_1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n\n        i <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        r10 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>r10<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n        r11 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>r11<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x2d</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">__security_check_cookie</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>rax_1 <span class=\"token operator\">^</span> <span class=\"token operator\">&amp;</span>var_f8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>You can see that the following code executed from <code class=\"language-text\">0x14000138a</code> to <code class=\"language-text\">0x140001392</code> is almost the same as the string-length verification code examined in Chapter 3.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">char</span><span class=\"token operator\">*</span> r10 <span class=\"token operator\">=</span> arg1<span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">int64_t</span> rax_2 <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">do</span>\n<span class=\"token punctuation\">{</span>\n    rax_2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>rax_2 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>arg1<span class=\"token punctuation\">[</span>rax_2<span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token class-name\">int32_t</span> rcx <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rax_2 <span class=\"token operator\">!=</span> <span class=\"token number\">0x2d</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The <code class=\"language-text\">checkPassword</code> function receives, as its first argument (<code class=\"language-text\">arg1</code>), a pointer to the input string stored on the stack.</p>\n<p>After obtaining the length of this string in a loop, it checks again that the string length is 45 (<code class=\"language-text\">0x2d</code>) characters.</p>\n<p>Once the string-length check is passed, you can see that a loop containing complex conditional branches is implemented between <code class=\"language-text\">0x14000139b</code> and <code class=\"language-text\">0x1400017dd</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token class-name\">int32_t</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">int128_t</span> var_d8<span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> r11 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>var_d8<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">do</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">uint64_t</span> rdx_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span><span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint8_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>r10<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">></span> <span class=\"token number\">0x16</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">></span> <span class=\"token number\">0x22</span><span class=\"token punctuation\">)</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">==</span> <span class=\"token number\">0x29</span><span class=\"token punctuation\">)</span>\n            <span class=\"token punctuation\">{</span>\n                rcx <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>rdx_1 <span class=\"token operator\">+</span> <span class=\"token number\">0x5f6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token punctuation\">}</span>\n            <span class=\"token comment\">/* omitted */</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token comment\">/* omitted */</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token comment\">/* omitted */</span>\n\n    <span class=\"token function\">__builtin_memcpy</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>var_d8<span class=\"token punctuation\">,</span> <span class=\"token string\">\"&lt;hardcoded byte sequence>\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rcx <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>r11<span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Password is Wrong\\n\"</span><span class=\"token punctuation\">,</span> rdx_1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    i <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    r10 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>r10<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    r11 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>r11<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x2d</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>If you look closely at this loop implementation, you can see that in each of the 45 (<code class=\"language-text\">0x2d</code>) iterations, something is validated by the code <code class=\"language-text\">if (rcx != *(uint32_t*)r11)</code>, and if it does not match, the string <code class=\"language-text\">Password is Wrong</code> is printed.</p>\n<p>Also, the <code class=\"language-text\">RCX</code> register being compared here seems to hold a transformed value of <code class=\"language-text\">rdx_1</code>, based on lines such as <code class=\"language-text\">rcx = ((int32_t)(rdx_1 + 0x5f6));</code>.</p>\n<p>On the line <code class=\"language-text\">uint64_t rdx_1 = ((uint64_t)((int32_t)*(uint8_t*)r10))</code>, <code class=\"language-text\">rdx_1</code> receives one character from the input string per loop iteration.</p>\n<p>Also, <code class=\"language-text\">r11</code> holds <code class=\"language-text\">int32</code> integer values taken in order from the hardcoded byte sequence <code class=\"language-text\">var_d8</code>.</p>\n<p>In other words, it seems reasonable to infer that <code class=\"language-text\">checkPassword</code> takes the input string from the beginning inside the loop, performs some calculation after passing through complex branching, checks whether the result matches the hardcoded byte sequence, and returns 0 only when validation succeeds for all characters.</p>\n<h2 id=\"dynamically-analyze-the-checkpassword-function\" style=\"position:relative;\"><a href=\"#dynamically-analyze-the-checkpassword-function\" aria-label=\"dynamically analyze the checkpassword function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Dynamically Analyze the checkPassword Function</h2>\n<p>Now, let’s use the debugger to verify whether the above hypothesis is actually correct.</p>\n<p>First, run the following commands in the Command window in order.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\"><span class=\"token punctuation\">.</span>restart\nbp <span class=\"token operator\">!</span>DoPClient+0x13a2 <span class=\"token punctuation\">;</span> bp <span class=\"token operator\">!</span>DoPClient+0x17ca <span class=\"token punctuation\">;</span> g</code></pre></div>\n<p>Running the <code class=\"language-text\">.restart</code> command restarts the target program being debugged and also resets settings such as breakpoints.</p>\n<p>Then, <code class=\"language-text\">bp !DoPClient+0x13a2 ; bp !DoPClient+0x17ca ; g</code> sets two breakpoints in a one-liner and resumes program execution.</p>\n<p>In this way, WinDbg lets you execute multiple commands together by chaining them with semicolons (<code class=\"language-text\">;</code>).</p>\n<p>In the command above, breakpoints are set at two locations: the code that extracts one character from the input inside the loop, and the code that compares the result of some calculation on the input character with a hardcoded integer value.</p>\n<p>When you run the program and enter 45 <code class=\"language-text\">A(0x41)</code> characters, execution first pauses immediately before the code <code class=\"language-text\">movsx  edx,byte ptr [r10]</code>, which extracts one character from the input string.</p>\n<p>At this point, the <code class=\"language-text\">EDX</code> register contains the value <code class=\"language-text\">0x7cc0f490</code>, not the input character.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> g\nBreakpoint 0 hit\nDoPClient+0x13a2:\n00007ff6`dd0913a2 410fbe12  movsx   edx<span class=\"token punctuation\">,</span>byte ptr <span class=\"token namespace\">[r10]</span> ds:000000bd`b9cffc80=41\n\n0:000> r edx\nedx=7cc0f490</code></pre></div>\n<p>If you step the program with the <code class=\"language-text\">p</code> command here, you can confirm that the first character <code class=\"language-text\">A(0x41)</code> is loaded into <code class=\"language-text\">EDX</code> from the address stored in <code class=\"language-text\">r10</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> p\nDoPClient+0x13a6:\n00007ff6`dd0913a6 4183f816        cmp     r8d<span class=\"token punctuation\">,</span>16h\n\n0:000> r edx\nedx=41</code></pre></div>\n<p>Next, if you resume program execution once more with the <code class=\"language-text\">g</code> command, execution pauses at the second breakpoint, <code class=\"language-text\">DoPClient+0x17ca</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> g\nBreakpoint 1 hit\nDoPClient+0x17ca:\n00007ff6`dd0917ca 413b0b          cmp     ecx<span class=\"token punctuation\">,</span>dword ptr <span class=\"token namespace\">[r11]</span> ds:00000055`a5effc90=000021a7</code></pre></div>\n<p>At this point, the <code class=\"language-text\">ECX</code> register contains the integer value 2076, but the pointer address referenced by the <code class=\"language-text\">R11</code> register, which is the comparison target, contains the integer value 8615.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> r ecx\necx=2076\n\n0:000> dd r11 L1 <span class=\"token punctuation\">;</span> ? <span class=\"token variable\">$p</span>\n00000055`a5effc90  000021a7\nEvaluate expression: 8615 = 00000000`000021a7</code></pre></div>\n<p>Therefore, when the first input character is <code class=\"language-text\">A(0x41)</code>, validation by the code <code class=\"language-text\">if (rcx != *(uint32_t*)r11)</code> fails, and the program exits after outputting <code class=\"language-text\">Password is Wrong</code>.</p>\n<p>By the way, the command <code class=\"language-text\">dd r11 L1 ; ? $p</code> used here relies on WinDbg pseudo-registers <sup id=\"fnref-10\"><a href=\"#fn-10\" class=\"footnote-ref\">10</a></sup>.</p>\n<p>A pseudo-register is a value used to hold specific data inside the debugger.</p>\n<p>And the pseudo-register <code class=\"language-text\">$p</code> stores the value output by the most recent Display Memory command.</p>\n<p>Therefore, by evaluating <code class=\"language-text\">? $p</code> after running <code class=\"language-text\">dd r11 L1</code>, the DWORD-sized value pointed to by the <code class=\"language-text\">R11</code> register can be output as the decimal integer 8615 instead of <code class=\"language-text\">0x21a7</code>.</p>\n<p>This kind of syntax using pseudo-registers is useful to remember, because it can be applied when writing one-liner commands or scripts.</p>\n<h2 id=\"analyze-the-behavior-when-entering-the-correct-string\" style=\"position:relative;\"><a href=\"#analyze-the-behavior-when-entering-the-correct-string\" aria-label=\"analyze the behavior when entering the correct string permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analyze the Behavior When Entering the Correct String</h2>\n<p>Although a breakpoint was set at the location that appears to validate password characters, when <code class=\"language-text\">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</code> was used as the input string, the validation could not be passed.</p>\n<p>So next, let’s run the program again using the 45-character string <code class=\"language-text\">FLAG{ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm}</code>, which satisfies the correct Flag format, as the input value.</p>\n<p>Then, at the code for the first breakpoint (<code class=\"language-text\">movsx  edx,byte ptr [r10]</code>), the value stored in the <code class=\"language-text\">EDX</code> register changes from <code class=\"language-text\">A(0x41)</code> to <code class=\"language-text\">F(0x46)</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> g\nBreakpoint 0 hit\nDoPClient+0x13a2:\n00007ff6`dd0913a2 410fbe12        movsx   edx<span class=\"token punctuation\">,</span>byte ptr <span class=\"token namespace\">[r10]</span> ds:0000001a`ed4ffaf0=46\n\n0:000> p\nDoPClient+0x13a6:\n00007ff6`dd0913a6 4183f816        cmp     r8d<span class=\"token punctuation\">,</span>16h\n\n0:000> r edx\nedx=46</code></pre></div>\n<p>And at the line configured as the second breakpoint, the value of the <code class=\"language-text\">ECX</code> register matches the integer value pointed to by the <code class=\"language-text\">R11</code> register, which tells us that when the first character is <code class=\"language-text\">F(0x46)</code>, the first validation can pass.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> g\nBreakpoint 1 hit\nDoPClient+0x17ca:\n00007ff6`dd0917ca 413b0b          cmp     ecx<span class=\"token punctuation\">,</span>dword ptr <span class=\"token namespace\">[r11]</span> ds:0000001a`ed4ff9d0=000021a7\n\n0:000> r ecx\necx=21a7\n\n0:000> dd r11 L1 <span class=\"token punctuation\">;</span> ? <span class=\"token variable\">$p</span>\n0000001a`ed4ff9d0  000021a7\nEvaluate expression: 8615 = 00000000`000021a7</code></pre></div>\n<p>This also supports the hypothesis that, inside the 45 (<code class=\"language-text\">0x2d</code>) iterations of the <code class=\"language-text\">checkPassword</code> function, the input string is taken one character at a time, some calculation is applied to it, and the result is checked against a hardcoded integer value.</p>\n<p>If you continue execution after that, the program passes the validation performed by <code class=\"language-text\">if (rcx != *(uint32_t*)r11)</code> five times, then fails on the sixth validation and exits.</p>\n<p>It seems very likely that the first five characters of the input string, <code class=\"language-text\">FLAG{</code>, matched the correct password, which is why the first five validations succeeded and the sixth failed.</p>\n<h2 id=\"use-javascript-based-debugger-scripts\" style=\"position:relative;\"><a href=\"#use-javascript-based-debugger-scripts\" aria-label=\"use javascript based debugger scripts permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Use JavaScript-based Debugger Scripts</h2>\n<p>To obtain the correct Flag, let’s investigate in a bit more detail how DoPClient behaves when it validates the password.</p>\n<p>Specifically, I want to determine whether Flag validation is performed one character at a time from the beginning of the input string.</p>\n<p>To do that, the following operations need to be performed with the debugger.</p>\n<ol>\n<li>Set a breakpoint at <code class=\"language-text\">DoPClient+0x13a6</code>, immediately after one character is extracted from the input string, and confirm whether characters are being taken from the beginning of the string throughout the 45 iterations of the loop.</li>\n<li>Set a breakpoint at <code class=\"language-text\">DoPClient+0x17cd</code>, immediately after the result of some calculation on the input character is compared, and confirm whether the validation passes.</li>\n<li>If validation fails for an input character, tamper with the zero flag so that the loop continues without letting the program terminate.</li>\n</ol>\n<p>To perform the operations above, this time we will automate WinDbg command handling.</p>\n<p>WinDbg provides several ways to automate debugging operations, but first we will use the JavaScript-based debugger scripts available in the current WinDbg <sup id=\"fnref-11\"><a href=\"#fn-11\" class=\"footnote-ref\">11</a></sup>.</p>\n<p>Recent WinDbg versions can use JavaScript-based debugger scripts by default, but to be safe, let’s confirm that the script provider is loaded in the debugger.</p>\n<p>In the currently running WinDbg, execute the <code class=\"language-text\">.scriptproviders</code> command. If <code class=\"language-text\">JavaScript (extension '.js')</code> appears in the list, you can conclude that the script provider is loaded in the debugger.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> <span class=\"token punctuation\">.</span>scriptproviders\nAvailable Script Providers:\n    NatVis <span class=\"token punctuation\">(</span>extension <span class=\"token string\">'.NatVis'</span><span class=\"token punctuation\">)</span>\n    JavaScript <span class=\"token punctuation\">(</span>extension <span class=\"token string\">'.js'</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>When using JavaScript-based debugger scripts, you need to load a JavaScript file created in advance with the <code class=\"language-text\">.scriptload</code> or <code class=\"language-text\">.scriptrun</code> command.</p>\n<p>Before creating a script that actually analyzes the challenge binary, let’s try running the following sample script.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token string\">\"use strict\"</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">initializeScript</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    host<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"RunCommands>; initializeScript was called \\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">invokeScript</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    host<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"RunCommands>; invokeScript was called \\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">uninitializeScript</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    host<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"RunCommands>; uninitialize was called\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">RunCommands</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">cmd</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">var</span> ctl <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>Utility<span class=\"token punctuation\">.</span>Control<span class=\"token punctuation\">;</span>   \n<span class=\"token keyword\">var</span> output <span class=\"token operator\">=</span> ctl<span class=\"token punctuation\">.</span><span class=\"token function\">ExecuteCommand</span><span class=\"token punctuation\">(</span>cmd<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nhost<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"RunCommands> Displaying command output \\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">var</span> line <span class=\"token keyword\">of</span> output<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\nhost<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"  \"</span><span class=\"token punctuation\">,</span> line<span class=\"token punctuation\">,</span> <span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\nhost<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"RunCommands> Exiting RunCommands Function \\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This sample script can also be downloaded from the following GitHub repository.</p>\n<br>\n<p>RunCommands.js:</p>\n<p><a href=\"https://github.com/kash1064/ctf-and-windows-debug/blob/main/RunCommands.js\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://github.com/kash1064/ctf-and-windows-debug/</a></p>\n<br>\n<p>After saving this sample script to the virtual machine as <code class=\"language-text\">C:\\CTF\\RunCommands.js</code>, try running the <code class=\"language-text\">.scriptrun</code> command in WinDbg.</p>\n<p>The <code class=\"language-text\">.scriptrun</code> command loads the script and then executes the root code, followed by the <code class=\"language-text\">initializeScript</code> and <code class=\"language-text\">invokeScript</code> functions in order.</p>\n<p>Therefore, when you execute <code class=\"language-text\">.scriptrun C:\\CTF\\RunCommands.js</code>, the <code class=\"language-text\">debugLog</code> calls defined in the <code class=\"language-text\">initializeScript</code> and <code class=\"language-text\">invokeScript</code> functions run as shown below, and you can also confirm with the <code class=\"language-text\">.scriptlist</code> command that the script has been loaded into the debugger.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> <span class=\"token punctuation\">.</span>scriptrun C:\\CTF\\RunCommands<span class=\"token punctuation\">.</span>js\nRunCommands><span class=\"token punctuation\">;</span> initializeScript was called \nJavaScript script successfully loaded <span class=\"token keyword\">from</span> <span class=\"token string\">'C:\\CTF\\RunCommands.js'</span>\nRunCommands><span class=\"token punctuation\">;</span> invokeScript was called\n\n0:000> <span class=\"token punctuation\">.</span>scriptlist\nCommand Loaded Scripts:\n    <span class=\"token punctuation\">{</span>omitted<span class=\"token punctuation\">}</span>\n    JavaScript script <span class=\"token keyword\">from</span> <span class=\"token string\">'C:\\CTF\\RunCommands.js'</span>\nOther Clients' Scripts:\n    &lt;None Loaded></code></pre></div>\n<p>Next, after unloading the script with the <code class=\"language-text\">.scriptunload C:\\CTF\\RunCommands.js</code> command, let’s try loading it this time with <code class=\"language-text\">.scriptload C:\\CTF\\RunCommands.js</code>.</p>\n<p>When the <code class=\"language-text\">.scriptunload C:\\CTF\\RunCommands.js</code> command is executed, the <code class=\"language-text\">uninitializeScript</code> function runs as the unload routine.</p>\n<p>And when the <code class=\"language-text\">.scriptload</code> command is executed, only the <code class=\"language-text\">initializeScript</code> function runs.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> <span class=\"token punctuation\">.</span>scriptunload C:\\CTF\\RunCommands<span class=\"token punctuation\">.</span>js\nRunCommands><span class=\"token punctuation\">;</span> uninitialize was called\nJavaScript script unloaded <span class=\"token keyword\">from</span> <span class=\"token string\">'C:\\CTF\\RunCommands.js'</span>\n\n0:000> <span class=\"token punctuation\">.</span>scriptload C:\\CTF\\RunCommands<span class=\"token punctuation\">.</span>js\nRunCommands><span class=\"token punctuation\">;</span> initializeScript was called \nJavaScript script successfully loaded <span class=\"token keyword\">from</span> <span class=\"token string\">'C:\\CTF\\RunCommands.js'</span></code></pre></div>\n<p>Since the script file loaded successfully, let’s execute the custom <code class=\"language-text\">RunCommands</code> function from the debugger.</p>\n<p>This function runs the debugger command passed as an argument in WinDbg and displays the output on the console.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">function</span> <span class=\"token function\">RunCommands</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">cmd</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">var</span> ctl <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>Utility<span class=\"token punctuation\">.</span>Control<span class=\"token punctuation\">;</span>   \n<span class=\"token keyword\">var</span> output <span class=\"token operator\">=</span> ctl<span class=\"token punctuation\">.</span><span class=\"token function\">ExecuteCommand</span><span class=\"token punctuation\">(</span>cmd<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nhost<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"RunCommands> Displaying command output \\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">var</span> line <span class=\"token keyword\">of</span> output<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\nhost<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"  \"</span><span class=\"token punctuation\">,</span> line<span class=\"token punctuation\">,</span> <span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\nhost<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"RunCommands> Exiting RunCommands Function \\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Use the <code class=\"language-text\">dx</code> command to access functions loaded into the debugger.</p>\n<p>To execute the <code class=\"language-text\">RunCommands</code> function, run <code class=\"language-text\">dx Debugger.State.Scripts.RunCommands.Contents.RunCommands(\"&lt;command>\")</code>.</p>\n<p>Below are the results of executing <code class=\"language-text\">RunCommands(\"lm\")</code> and <code class=\"language-text\">RunCommands(\"~k\")</code>.</p>\n<p>You can see that the same results are obtained as when you run the <code class=\"language-text\">lm</code> and <code class=\"language-text\">~k</code> commands directly from the WinDbg Command window.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> dx Debugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>Scripts<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">.</span>Contents<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">(</span><span class=\"token string\">\"lm\"</span><span class=\"token punctuation\">)</span>\nRunCommands> Displaying command output \n  <span class=\"token function\">start</span>             <span class=\"token keyword\">end</span>                 module name\n  00007ff6`dd090000 00007ff6`dd099000   DoPClient C <span class=\"token punctuation\">(</span>no symbols<span class=\"token punctuation\">)</span>           \n  00007fff`675f0000 00007fff`6760d000   VCRUNTIME140   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7cb20000 00007fff`7cc20000   ucrtbase   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7cc20000 00007fff`7cf16000   KERNELBASE   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7d080000 00007fff`7d0a7000   bcrypt     <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7dc90000 00007fff`7ddb3000   RPCRT4     <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7deb0000 00007fff`7df4e000   msvcrt     <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7e610000 00007fff`7e6b0000   sechost    <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7e970000 00007fff`7ea2d000   KERNEL32   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7eb90000 00007fff`7ec40000   ADVAPI32   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7f130000 00007fff`7f328000   ntdll      <span class=\"token punctuation\">(</span>pdb symbols<span class=\"token punctuation\">)</span>          C:\\ProgramData\\Dbg\\sym\\ntdll<span class=\"token punctuation\">.</span>pdb\\1669C503FDE3540E0A2FBE91C81204361\\ntdll<span class=\"token punctuation\">.</span>pdb\nRunCommands> Exiting RunCommands <span class=\"token keyword\">Function</span> \nDebugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>Scripts<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">.</span>Contents<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">(</span><span class=\"token string\">\"lm\"</span><span class=\"token punctuation\">)</span>\n\n0:000> dx Debugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>Scripts<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">.</span>Contents<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">(</span><span class=\"token string\">\"~k\"</span><span class=\"token punctuation\">)</span>\nRunCommands> Displaying command output \n   <span class=\"token comment\"># Child-SP          RetAddr               Call Site</span>\n  00 00000024`05cff758 00007fff`7f1fca0e     ntdll!DbgBreakPoint\n  01 00000024`05cff760 00007fff`7e987344     ntdll!DbgUiRemoteBreakin+0x4e\n  02 00000024`05cff790 00007fff`7f1826b1     KERNEL32!BaseThreadInitThunk+0x14\n  03 00000024`05cff7c0 00000000`00000000     ntdll!RtlUserThreadStart+0x21\nRunCommands> Exiting RunCommands <span class=\"token keyword\">Function</span> \nDebugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>Scripts<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">.</span>Contents<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">(</span><span class=\"token string\">\"~k\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Incidentally, it is inconvenient to execute <code class=\"language-text\">Debugger.State.Scripts.RunCommands.Contents.RunCommands(\"&lt;command>\")</code> every time you want to run a custom function.</p>\n<p>For that reason, it is convenient to register the loaded script information (<code class=\"language-text\">Debugger.State.Scripts.RunCommands.Contents</code>) as a custom variable using the <code class=\"language-text\">dx</code> command.</p>\n<p>To register <code class=\"language-text\">RunCommands.js</code> as a variable, execute the command <code class=\"language-text\">dx @$runCommand = Debugger.State.Scripts.RunCommands.Contents</code>.</p>\n<p>This makes it possible to run the custom <code class=\"language-text\">RunCommands</code> function by executing <code class=\"language-text\">dx @$runCommand.RunCommands(\"lm\")</code> or <code class=\"language-text\">dx @$runCommand.RunCommands(\"~k\")</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> dx @<span class=\"token variable\">$runCommand</span> = Debugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>Scripts<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">.</span>Contents\n@<span class=\"token variable\">$runCommand</span> = Debugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>Scripts<span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">.</span>Contents                 : <span class=\"token namespace\">[object Object]</span>\n    host             : <span class=\"token namespace\">[object Object]</span>\n\n0:000> dx @<span class=\"token variable\">$runCommand</span><span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">(</span><span class=\"token string\">\"lm\"</span><span class=\"token punctuation\">)</span>\nRunCommands> Displaying command output \n  <span class=\"token function\">start</span>             <span class=\"token keyword\">end</span>                 module name\n  00007ff6`dd090000 00007ff6`dd099000   DoPClient C <span class=\"token punctuation\">(</span>no symbols<span class=\"token punctuation\">)</span>           \n  00007fff`675f0000 00007fff`6760d000   VCRUNTIME140   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7cb20000 00007fff`7cc20000   ucrtbase   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7cc20000 00007fff`7cf16000   KERNELBASE   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7d080000 00007fff`7d0a7000   bcrypt     <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7dc90000 00007fff`7ddb3000   RPCRT4     <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7deb0000 00007fff`7df4e000   msvcrt     <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7e610000 00007fff`7e6b0000   sechost    <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7e970000 00007fff`7ea2d000   KERNEL32   <span class=\"token punctuation\">(</span>pdb symbols<span class=\"token punctuation\">)</span>          C:\\ProgramData\\Dbg\\sym\\kernel32<span class=\"token punctuation\">.</span>pdb\\B07C97792B439ABC0DF83499536C7AE51\\kernel32<span class=\"token punctuation\">.</span>pdb\n  00007fff`7eb90000 00007fff`7ec40000   ADVAPI32   <span class=\"token punctuation\">(</span>deferred<span class=\"token punctuation\">)</span>             \n  00007fff`7f130000 00007fff`7f328000   ntdll      <span class=\"token punctuation\">(</span>pdb symbols<span class=\"token punctuation\">)</span>          C:\\ProgramData\\Dbg\\sym\\ntdll<span class=\"token punctuation\">.</span>pdb\\1669C503FDE3540E0A2FBE91C81204361\\ntdll<span class=\"token punctuation\">.</span>pdb\nRunCommands> Exiting RunCommands <span class=\"token keyword\">Function</span> \n@<span class=\"token variable\">$runCommand</span><span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">(</span><span class=\"token string\">\"lm\"</span><span class=\"token punctuation\">)</span>\n\n0:000> dx @<span class=\"token variable\">$runCommand</span><span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">(</span><span class=\"token string\">\"~k\"</span><span class=\"token punctuation\">)</span>\nRunCommands> Displaying command output \n   <span class=\"token comment\"># Child-SP          RetAddr               Call Site</span>\n  00 00000024`05cffb08 00007fff`7f1fca0e     ntdll!DbgBreakPoint\n  01 00000024`05cffb10 00007fff`7e987344     ntdll!DbgUiRemoteBreakin+0x4e\n  02 00000024`05cffb40 00007fff`7f1826b1     KERNEL32!BaseThreadInitThunk+0x14\n  03 00000024`05cffb70 00000000`00000000     ntdll!RtlUserThreadStart+0x21\nRunCommands> Exiting RunCommands <span class=\"token keyword\">Function</span> \n@<span class=\"token variable\">$runCommand</span><span class=\"token punctuation\">.</span>RunCommands<span class=\"token punctuation\">(</span><span class=\"token string\">\"~k\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"automate-debugger-operations-with-a-script\" style=\"position:relative;\"><a href=\"#automate-debugger-operations-with-a-script\" aria-label=\"automate debugger operations with a script permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Automate Debugger Operations with a Script</h2>\n<p>Now that JavaScript-based debugger scripts are available, let’s create a script that automates the following operations mentioned earlier.</p>\n<ol>\n<li>Set a breakpoint at <code class=\"language-text\">DoPClient+0x13a6</code>, immediately after one character is extracted from the input string, and confirm whether the string is being read from the beginning throughout the 45 iterations of the loop.</li>\n<li>Set a breakpoint at <code class=\"language-text\">DoPClient+0x17cd</code>, immediately after the result of some calculation on the input character is compared, and confirm whether the validation passes.</li>\n<li>If validation fails for an input character, tamper with the zero flag so that the loop continues without letting the program terminate.</li>\n</ol>\n<p>To automate the operations above, I created the following JavaScript.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token comment\">// .scriptrun C:\\CTF\\Autorun.js</span>\n<span class=\"token comment\">// FLAG{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}</span>\n<span class=\"token string\">\"use strict\"</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">let</span> word <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> a1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">RunCommands</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">cmd</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">let</span> ctl <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>Utility<span class=\"token punctuation\">.</span>Control<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> output <span class=\"token operator\">=</span> ctl<span class=\"token punctuation\">.</span><span class=\"token function\">ExecuteCommand</span><span class=\"token punctuation\">(</span>cmd<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">let</span> line <span class=\"token keyword\">of</span> output<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\nhost<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"  \"</span><span class=\"token punctuation\">,</span> line<span class=\"token punctuation\">,</span> <span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">return</span> output<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">SetBreakPoints</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">let</span> ctl <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>Utility<span class=\"token punctuation\">.</span>Control<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> breakpoint<span class=\"token punctuation\">;</span>\n\nbreakpoint <span class=\"token operator\">=</span> ctl<span class=\"token punctuation\">.</span><span class=\"token function\">SetBreakpointAtOffset</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"DoPClient\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x13a6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nbreakpoint<span class=\"token punctuation\">.</span>Command <span class=\"token operator\">=</span> <span class=\"token string\">\"dx -r1 @$autoRun.CheckPoint1() ; g\"</span><span class=\"token punctuation\">;</span>\n\nbreakpoint <span class=\"token operator\">=</span> ctl<span class=\"token punctuation\">.</span><span class=\"token function\">SetBreakpointAtOffset</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"DoPClient\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x17cd</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nbreakpoint<span class=\"token punctuation\">.</span>Command <span class=\"token operator\">=</span> <span class=\"token string\">\"dx -r1 @$autoRun.CheckPoint2() ; r zf = 1 ; g\"</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">Result</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">let</span> line <span class=\"token keyword\">of</span> a1<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\nhost<span class=\"token punctuation\">.</span>diagnostics<span class=\"token punctuation\">.</span><span class=\"token function\">debugLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">,</span> line<span class=\"token punctuation\">,</span> <span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">CheckPoint1</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">let</span> context <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>DebuggerVariables<span class=\"token punctuation\">.</span>curthread<span class=\"token punctuation\">.</span>Registers<span class=\"token punctuation\">.</span>User<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> edxValue <span class=\"token operator\">=</span> context<span class=\"token punctuation\">.</span>edx<span class=\"token punctuation\">;</span>\nword <span class=\"token operator\">=</span> String<span class=\"token punctuation\">.</span><span class=\"token function\">fromCodePoint</span><span class=\"token punctuation\">(</span>edxValue<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">CheckPoint2</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">let</span> context <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>DebuggerVariables<span class=\"token punctuation\">.</span>curthread<span class=\"token punctuation\">.</span>Registers<span class=\"token punctuation\">.</span>User<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">var</span> memory <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> edxValue <span class=\"token operator\">=</span> context<span class=\"token punctuation\">.</span>ecx<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> r11Value <span class=\"token operator\">=</span> context<span class=\"token punctuation\">.</span>r11<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> int32Value <span class=\"token operator\">=</span> memory<span class=\"token punctuation\">.</span><span class=\"token function\">readMemoryValues</span><span class=\"token punctuation\">(</span>r11Value<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\na1<span class=\"token punctuation\">.</span><span class=\"token function\">push</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Result: Word is \"</span> <span class=\"token operator\">+</span> word <span class=\"token operator\">+</span> <span class=\"token string\">\" EDX = \"</span> <span class=\"token operator\">+</span> edxValue<span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">\" R11 = \"</span> <span class=\"token operator\">+</span> int32Value<span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">\" IsValid = \"</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token function\">parseInt</span><span class=\"token punctuation\">(</span>edxValue<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token function\">parseInt</span><span class=\"token punctuation\">(</span>int32Value<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">initializeScript</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">return</span> <span class=\"token punctuation\">[</span>\n<span class=\"token keyword\">new</span> <span class=\"token class-name\">host<span class=\"token punctuation\">.</span>apiVersionSupport</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">7</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">invokeScript</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token function\">RunCommands</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"dx @$autoRun = Debugger.State.Scripts.Autorun.Contents\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">RunCommands</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"dx @$autoRun.SetBreakPoints()\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">RunCommands</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"g\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This code can be downloaded as <code class=\"language-text\">Autorun.js</code> from the following GitHub repository.</p>\n<br>\n<p>Autorun.js:</p>\n<p><a href=\"https://github.com/kash1064/ctf-and-windows-debug/blob/main/Autorun.js\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://github.com/kash1064/ctf-and-windows-debug/blob/main/Autorun.js</a></p>\n<br>\n<p>When you load this code with the <code class=\"language-text\">.scriptrun C:\\CTF\\Autorun.js</code> command, the <code class=\"language-text\">initializeScript</code> function and the <code class=\"language-text\">invokeScript</code> function are executed first.</p>\n<p>In <code class=\"language-text\">initializeScript</code>, the API version to use is declared with <code class=\"language-text\">new host.apiVersionSupport(1, 7)</code>.</p>\n<p>Then, in <code class=\"language-text\">invokeScript</code>, the <code class=\"language-text\">@$autoRun</code> object is defined and the <code class=\"language-text\">SetBreakPoints</code> function is executed.</p>\n<p>In <code class=\"language-text\">SetBreakPoints</code>, <code class=\"language-text\">Debugger.Utility.Control</code>’s <code class=\"language-text\">SetBreakpointAtOffset</code> is used to set breakpoints at <code class=\"language-text\">DoPClient+0x13a6</code> and <code class=\"language-text\">DoPClient+0x17cd</code>.</p>\n<p>Also, by specifying the <code class=\"language-text\">Command</code> property, you can specify the command to be executed when the breakpoint is hit.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">function</span> <span class=\"token function\">SetBreakPoints</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">let</span> ctl <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>Utility<span class=\"token punctuation\">.</span>Control<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> breakpoint<span class=\"token punctuation\">;</span>\n\nbreakpoint <span class=\"token operator\">=</span> ctl<span class=\"token punctuation\">.</span><span class=\"token function\">SetBreakpointAtOffset</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"DoPClient\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x13a6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nbreakpoint<span class=\"token punctuation\">.</span>Command <span class=\"token operator\">=</span> <span class=\"token string\">\"dx -r1 @$autoRun.CheckPoint1() ; g\"</span><span class=\"token punctuation\">;</span>\n\nbreakpoint <span class=\"token operator\">=</span> ctl<span class=\"token punctuation\">.</span><span class=\"token function\">SetBreakpointAtOffset</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"DoPClient\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x17cd</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nbreakpoint<span class=\"token punctuation\">.</span>Command <span class=\"token operator\">=</span> <span class=\"token string\">\"dx -r1 @$autoRun.CheckPoint2() ; r zf = 1 ; g\"</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>If you run the <code class=\"language-text\">bl</code> command after this script is executed, you can confirm that breakpoints with commands have been defined.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/06d7818537330fb97c6fa4483f1699ae/b12f7/client-windbg-006.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 6.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAARElEQVQI1y3GMQqAMAxAUe9/ww62CYQGTIpkcvwWcXjwjoiL1u7tQYYzRkdViQj62Zlz4u6ICCr6XfflZ2ZkJmstqooXk4BJf7fXftgAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/06d7818537330fb97c6fa4483f1699ae/8ac56/client-windbg-006.webp 240w,\n/static/06d7818537330fb97c6fa4483f1699ae/d3be9/client-windbg-006.webp 480w,\n/static/06d7818537330fb97c6fa4483f1699ae/e46b2/client-windbg-006.webp 960w,\n/static/06d7818537330fb97c6fa4483f1699ae/52c2b/client-windbg-006.webp 1020w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/06d7818537330fb97c6fa4483f1699ae/8ff5a/client-windbg-006.png 240w,\n/static/06d7818537330fb97c6fa4483f1699ae/e85cb/client-windbg-006.png 480w,\n/static/06d7818537330fb97c6fa4483f1699ae/d9199/client-windbg-006.png 960w,\n/static/06d7818537330fb97c6fa4483f1699ae/b12f7/client-windbg-006.png 1020w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/06d7818537330fb97c6fa4483f1699ae/d9199/client-windbg-006.png\"\n            alt=\"Breakpoints set by the script\"\n            title=\"Breakpoints set by the script\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>At present, there is not much documentation for convenient commands such as <code class=\"language-text\">Debugger.Utility.Control.SetBreakpointAtOffset</code>.</p>\n<p>However, by using the <code class=\"language-text\">dx</code> command in WinDbg to inspect object information, for example with <code class=\"language-text\">dx -r1 Debugger.Utility.Control</code>, you can view detailed descriptions of each command.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">0:000> dx <span class=\"token operator\">-</span>r1 Debugger<span class=\"token punctuation\">.</span>Utility<span class=\"token punctuation\">.</span>Control\n               \nExecuteCommand   <span class=\"token namespace\">[ExecuteCommand(command) - Method which executes a debugger command and returns a collection of strings representing the lines of output of the command execution]</span>\n\nSetBreakpointAtSourceLocation <span class=\"token namespace\">[SetBreakpointAtSourceLocation(source_file, source_line, (opt) module_name) - Method which sets a breakpoint at a source line location and returns it as an object in order to be able to control its options]</span>\n\nSetBreakpointAtOffset <span class=\"token namespace\">[SetBreakpointAtOffset(function_name, function_offset, (opt) module_name) - Method which sets a breakpoint at an offset and returns it as an object in order to be able to control its options]</span>\n\nSetBreakpointForReadWrite <span class=\"token namespace\">[SetBreakpointForReadWrite(address, (opt) type, (opt) size) - Method which sets a breakpoint on read/write (default) at a certain address and returns it as an object in order to be able to control its options]</span>\n\nChangeRegisterContext <span class=\"token namespace\">[ChangeRegisterContext(inheritUnspecifiedValues, pc, sp, [fp], [regCtx]) | ChangeRegisterContext(inheritUnspecifiedValues, regCtx) - Changes the active register context with a given abstract pc, sp, and optional fp or an optional object which contains named registers and values.  This is largely equivalent to having done .cxr in the debugger.  It does *NOT* change the register values of the thread/processor, only the debugger's current view of them]</span>\n\nWalkStackForRegisterContext <span class=\"token namespace\">[WalkStackForRegisterContext(inheritUnspecifiedValues, pc, sp, [fp], [regCtx]) | WalkStackForRegisterContext(inheritUnspecifiedValues, regCtx) - Performs a stack walk given the incoming abstract pc, sp, and optional fp or an optional object which contains named registers and values.  The returned stack walk is of the same form as &lt;ThreadObject>.Stack]</span></code></pre></div>\n<p>After loading this debugger script, run the program and enter a 45-character dummy Flag such as <code class=\"language-text\">FLAG{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}</code>. Then execution reaches the first breakpoint <code class=\"language-text\">DoPClient+0x13a6</code>, and <code class=\"language-text\">dx -r1 @$autoRun.CheckPoint1() ; g</code> is executed.</p>\n<p>In the <code class=\"language-text\">CheckPoint1</code> function that runs here, the value of the <code class=\"language-text\">EDX</code> register at the moment execution paused is stored as an ASCII character in the global variable <code class=\"language-text\">word</code>.</p>\n<p>If the analysis in this chapter so far is correct, this <code class=\"language-text\">word</code> should receive the user’s input password string one character at a time.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">function</span> <span class=\"token function\">CheckPoint1</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">let</span> context <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>DebuggerVariables<span class=\"token punctuation\">.</span>curthread<span class=\"token punctuation\">.</span>Registers<span class=\"token punctuation\">.</span>User<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> edxValue <span class=\"token operator\">=</span> context<span class=\"token punctuation\">.</span>edx<span class=\"token punctuation\">;</span>\nword <span class=\"token operator\">=</span> String<span class=\"token punctuation\">.</span><span class=\"token function\">fromCodePoint</span><span class=\"token punctuation\">(</span>edxValue<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Because the command configured for the first breakpoint is <code class=\"language-text\">dx -r1 @$autoRun.CheckPoint1() ; g</code>, the program resumes execution with the <code class=\"language-text\">g</code> command after the <code class=\"language-text\">CheckPoint1</code> function runs, so the program does not stay paused.</p>\n<p>As a result, it immediately reaches the second breakpoint, <code class=\"language-text\">DoPClient+0x17cd</code>, and executes <code class=\"language-text\">dx -r1 @$autoRun.CheckPoint2() ; r zf = 1 ; g</code>.</p>\n<p>Then, in the <code class=\"language-text\">CheckPoint2</code> function that runs next, the value of the <code class=\"language-text\">ECX</code> register at <code class=\"language-text\">DoPClient+0x17cd</code> and the 32-bit integer at the address pointed to by the <code class=\"language-text\">R11</code> register are obtained as shown below, and the result is added to the <code class=\"language-text\">a1</code> array.</p>\n<p>Also, in JavaScript-based debugger scripts, a value at a specific memory address can be obtained with <code class=\"language-text\">host.memory.readMemoryValues(location, numElements, [elementSize], [isSigned], [contextInheritor])</code> <sup id=\"fnref-12\"><a href=\"#fn-12\" class=\"footnote-ref\">12</a></sup>.</p>\n<p>In other words, <code class=\"language-text\">memory.readMemoryValues(r11Value, 1, 4)</code> reads one 4-byte value from the pointer address stored in the <code class=\"language-text\">R11</code> register.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">function</span> <span class=\"token function\">CheckPoint2</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">let</span> context <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>namespace<span class=\"token punctuation\">.</span>Debugger<span class=\"token punctuation\">.</span>State<span class=\"token punctuation\">.</span>DebuggerVariables<span class=\"token punctuation\">.</span>curthread<span class=\"token punctuation\">.</span>Registers<span class=\"token punctuation\">.</span>User<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">var</span> memory <span class=\"token operator\">=</span> host<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> edxValue <span class=\"token operator\">=</span> context<span class=\"token punctuation\">.</span>ecx<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> r11Value <span class=\"token operator\">=</span> context<span class=\"token punctuation\">.</span>r11<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">let</span> int32Value <span class=\"token operator\">=</span> memory<span class=\"token punctuation\">.</span><span class=\"token function\">readMemoryValues</span><span class=\"token punctuation\">(</span>r11Value<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\na1<span class=\"token punctuation\">.</span><span class=\"token function\">push</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Result: Word is \"</span> <span class=\"token operator\">+</span> word <span class=\"token operator\">+</span> <span class=\"token string\">\" EDX = \"</span> <span class=\"token operator\">+</span> edxValue<span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">\" R11 = \"</span> <span class=\"token operator\">+</span> int32Value<span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">\" IsValid = \"</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token function\">parseInt</span><span class=\"token punctuation\">(</span>edxValue<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token function\">parseInt</span><span class=\"token punctuation\">(</span>int32Value<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>As confirmed earlier, at the second breakpoint, the command <code class=\"language-text\">r zf = 1</code> is executed after the <code class=\"language-text\">CheckPoint2</code> function runs.</p>\n<p>This causes 1 to be set in the zero flag regardless of the comparison result at the immediately preceding <code class=\"language-text\">cmp   ecx, dword [r11]</code>, so the loop continues to the end whether the input character is correct or not.</p>\n<p>In fact, if you run <code class=\"language-text\">dx -r1 @$autoRun.Result()</code> after the program finishes executing, the information collected by the <code class=\"language-text\">CheckPoint2</code> function is output as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 531px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e41782217e14cfad814313a6ce6feb44/d4713/client-windbg-007.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 142.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAYAAACqhkzFAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAEWUlEQVRIx22W2ZqqSgyFff/n6kFAQAaZFLUHex7sfoGc9afA3hfngg+EVCpZQ8rFep1bUZQ2jqN1bWd5ntsqWVldVVbpWq/X9vDwaK+vr/b4+Ginpyf9frC3tzd7fn7W+zf7+fmx8/lsX19ftmibje2UrO86a9vWTqeTNU1rh/3eNptaCQvdNzb0g213O6vr2uIksWEYrCxLOxyPvgHrvr+/bRFHSyur2vIsszRNbTts7fZ26ckSLVze3nrS3XZrURR7xctlZKOSZ1pzOj3Zx8eHX1S5GIbeRlVDwFaLaGujKg6Hg/V97zCM4z5Aot/EkPR4vLOd1lAhLQMB1yJJYlXTGFgSSBCVdW1j6WplNze3VhaFuqiUbLCV3vmlmFzxtTrZ1BtfR+sLqhnUJvg1TWN32jHPcgVsnZg8X3ulR70virWuwuMGVQq2D+ro5eVF+J3th5bZnVZaVUTgXu0XwgwIKm1Ggl6EhISFx4E1cTyzFuy+xbCznGepNcKpLAtvjUBvuWsddJ5hHQz5DVlRHDuWdV35piSC4Uk2jT6KEMmA1u7u7qwqKzuKlEYtlXoed6O/z1RZLxLBeq/vbMJmJLskTOIokJL/kYI8GukziiKL42QiZGvX19ciIveq0zTzd7QPGRdhdyJj65IJFd7f37tDDgcJW9UjZKoCQzCGKAgkGXdIQWqfn59B2LTR6ENVla582khXaq3vvOIkSV0e+/3BpbXSt0p4Y9FeMEEUKrkkLBTUdb2LOVR2cC8jeGQSqeVCCRA/m9JugKdweICD++dEzAKsIIWK8DOtkXi/H11nmRbjW97P0kLM3OmG6iDsUiFerqX0PM9cFmCDl2EYR1xf31iiu8tJcol1EXd1deUJk1XikGE/J2Xog5d3k5dhDCKOk5crDY5O1VMF3ytnPEwdcD0eD4Ks8+HgFa60A2yC1ywbMIR9JMFkAXiXiCpFSiRdLpeCoHNYWPf+PiXcSO1gNOMDVrS0m6ohGOvRMu+JAR4YBnOqZcqQ7By8vP5fL1MpCcERJlECA2HGFocQj9TQIeq4k4YXabpSy60V0/gC6FhOwZK07EO1CBvkk5syTaNC92YSPmYAw/f39z+n0OIwebmuAimtCz4441Fk+bOStF3AjljgIuHv7+9ECgMWUv4dsPE0YFMG7PJyiEEOVeLvMMpaX0NiKrwcUjDYO46tfyx8jI0+nrAaBxTzkWoqH7q5bwyerHl5edbv0ZMuOJyg32ebgn3uaZJgPVzCYhYFSyaOG6TAMs+snV3iFdJqKwbnhLAcqprP6MQXkZDzBxL8HBKR4A5hkPHPuRwGLBWhKydlOvXwOdoDjsPkJshgY9rneXYL+g1e1oCtN8HLMzazlxn1VEMChgdkrHVo4ZZRGLN2VMKzEl2sx9kBoH8D9k82VFD7qRikAWb4dp40rKEynHJpOcumAVuGAUurPmC7bpJI7NMI1qNo6Zsg+DB09179k/7jzKT8B4oKAQPT9BrhAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e41782217e14cfad814313a6ce6feb44/8ac56/client-windbg-007.webp 240w,\n/static/e41782217e14cfad814313a6ce6feb44/d3be9/client-windbg-007.webp 480w,\n/static/e41782217e14cfad814313a6ce6feb44/a33a1/client-windbg-007.webp 531w\"\n              sizes=\"(max-width: 531px) 100vw, 531px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e41782217e14cfad814313a6ce6feb44/8ff5a/client-windbg-007.png 240w,\n/static/e41782217e14cfad814313a6ce6feb44/e85cb/client-windbg-007.png 480w,\n/static/e41782217e14cfad814313a6ce6feb44/d4713/client-windbg-007.png 531w\"\n            sizes=\"(max-width: 531px) 100vw, 531px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e41782217e14cfad814313a6ce6feb44/d4713/client-windbg-007.png\"\n            alt=\"Script execution result\"\n            title=\"Script execution result\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>From this result, you can confirm that the user-entered string <code class=\"language-text\">FLAG{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}</code> is validated one character at a time from the beginning, and that only the initial <code class=\"language-text\">FLAG{</code> and the final <code class=\"language-text\">}</code> succeed in password validation.</p>\n<p>In other words, it seems that the correct Flag can be identified by brute-forcing the input characters one at a time from the beginning and using the debugger to identify the character that succeeds in the validation performed by <code class=\"language-text\">cmp     ecx, dword [r11]</code>.</p>\n<h2 id=\"identify-the-correct-flag-by-brute-force\" style=\"position:relative;\"><a href=\"#identify-the-correct-flag-by-brute-force\" aria-label=\"identify the correct flag by brute force permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Identify the Correct Flag by Brute Force</h2>\n<p>From the analysis results so far, we know that the correct password string is 45 characters long.</p>\n<p>Also, because the Flag format is <code class=\"language-text\">^FLAG\\{[\\x20-\\x7E]+\\}$</code>, if we identify the Flag by brute-forcing from the beginning, the number of trials required is expected to be at most about 3666, which is 39 characters multiplied by the number of printable ASCII characters (<code class=\"language-text\">0x7E-0x20</code>).</p>\n<p>Naturally, it is not realistic to perform debugger operations manually that many times, so we want to automate the brute-force attack through debugger operations.</p>\n<p>However, operations like the one in this case, where rerunning the program is required in order to brute-force the password, are not a good fit for scripts that are loaded into WinDbg, such as the JavaScript-based debugger script in the previous section.</p>\n<p>There are several ways to do this, but this time I decided to automate both program execution and debugger control from the outside with a Python script.</p>\n<p>In this book, to automate program execution and debugger operations, I take a somewhat brute-force approach and use the command-line debugger <code class=\"language-text\">cdb.exe</code> from a Python script rather than a dedicated interface.</p>\n<p><code class=\"language-text\">cdb.exe</code> is a CLI-based debugger included in the Windows SDK, and it can execute the same debugger commands as WinDbg.</p>\n<p>To obtain the Flag from DoPClient by brute force, I created the following Python script.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> subprocess\n\ncdb_path <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\Program Files (x86)\\\\Windows Kits\\\\10\\\\Debuggers\\\\x64\\\\cdb.exe\"</span>\nexe_path <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\CTF\\\\DoPClient.exe\"</span>\nflag_path <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\CTF\\\\input.txt\"</span>\nscript_path <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\CTF\\\\script.txt\"</span>\n\ndbg_cmd <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"$$&lt; </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>script_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>script_path<span class=\"token punctuation\">,</span><span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    cmd <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n    cmd <span class=\"token operator\">+=</span> <span class=\"token string\">\"g ;\"</span>\n    cmd <span class=\"token operator\">+=</span> <span class=\"token string\">\"p ;\"</span>\n    cmd <span class=\"token operator\">+=</span> <span class=\"token string\">\".if (@zf == 1) { .printf \\\"Solver: R8 is %d\\\\n\\\", @r8 ; \"</span> <span class=\"token operator\">+</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"$$&lt; </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>script_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span> <span class=\"token operator\">+</span> <span class=\"token string\">\" } .else { .echo \\\"Fail.\\\" ; .kill }\"</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>cmd<span class=\"token punctuation\">)</span>\n\ncommand <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"\\\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>cdb_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\\" -G -o -kqm -c \\\"bp !DoPClient+0x17ca ; </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>dbg_cmd<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\\" \\\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>exe_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\\" &lt; \\\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>flag_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\\"\"</span></span>\n\ni <span class=\"token operator\">=</span> <span class=\"token number\">4</span>\nflag <span class=\"token operator\">=</span> <span class=\"token string\">r\"FLAG{\"</span>\n<span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span>i <span class=\"token operator\">&lt;</span> <span class=\"token number\">44</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> j <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x20</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x7e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>flag_path<span class=\"token punctuation\">,</span><span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n            word <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n            word <span class=\"token operator\">+=</span> flag\n            word <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>j<span class=\"token punctuation\">)</span>\n            word <span class=\"token operator\">+=</span> <span class=\"token string\">\"A\"</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token number\">45</span> <span class=\"token operator\">-</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span><span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n            word <span class=\"token operator\">+=</span> <span class=\"token string\">\"\\n\"</span>\n            f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>word<span class=\"token punctuation\">)</span>\n\n        process <span class=\"token operator\">=</span> subprocess<span class=\"token punctuation\">.</span>Popen<span class=\"token punctuation\">(</span>command<span class=\"token punctuation\">,</span> shell<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">,</span> stdout<span class=\"token operator\">=</span>subprocess<span class=\"token punctuation\">.</span>PIPE<span class=\"token punctuation\">,</span> stderr<span class=\"token operator\">=</span>subprocess<span class=\"token punctuation\">.</span>PIPE<span class=\"token punctuation\">)</span>\n        stdout<span class=\"token punctuation\">,</span> stderr <span class=\"token operator\">=</span> process<span class=\"token punctuation\">.</span>communicate<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"============================================================\"</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">for</span> line <span class=\"token keyword\">in</span> stdout<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token string\">\"utf-8\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> line<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"Solver:\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>line<span class=\"token punctuation\">)</span>\n            \n            <span class=\"token keyword\">if</span> line<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"Solver: R8 is\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                t <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>line<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"============================================================\"</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">if</span> t <span class=\"token operator\">></span> i<span class=\"token punctuation\">:</span>\n            i <span class=\"token operator\">=</span> t\n            flag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>j<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Flag: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>flag<span class=\"token punctuation\">}</span></span><span class=\"token string\">, i: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>i<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">break</span>\n        \n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span></code></pre></div>\n<p>This script can be downloaded as <code class=\"language-text\">Stage1_Solver_1.py</code> from the following repository.</p>\n<br>\n<p><code class=\"language-text\">Stage1_Solver_1.py</code>:</p>\n<p><a href=\"https://github.com/kash1064/ctf-and-windows-debug/blob/main/Stage1_Solver_1.py\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://github.com/kash1064/ctf-and-windows-debug/</a></p>\n<br>\n<p>When this script is executed, it first runs the following command by using <code class=\"language-text\">subprocess.Popen</code>, a standard library function in Python.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token string\">\"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe\"</span> <span class=\"token operator\">-</span>G <span class=\"token operator\">-</span>o <span class=\"token operator\">-</span>kqm <span class=\"token operator\">-</span>c <span class=\"token string\">\"bp !DoPClient+0x17ca ; $$&lt; C:\\CTF\\script.txt\"</span> <span class=\"token string\">\"C:\\CTF\\DoPClient.exe\"</span> <span class=\"token operator\">&lt;</span> <span class=\"token string\">\"C:\\CTF\\input.txt\"</span></code></pre></div>\n<p>This command starts <code class=\"language-text\">cdb.exe</code> with the option arguments <code class=\"language-text\">-G -o -kqm</code> <sup id=\"fnref-13\"><a href=\"#fn-13\" class=\"footnote-ref\">13</a></sup> and begins debugging <code class=\"language-text\">C:\\CTF\\DoPClient.exe</code>. (The password to brute-force is redirected into the program from <code class=\"language-text\">\"C:\\CTF\\input.txt\"</code>.)</p>\n<p>It also uses <code class=\"language-text\">-c \"bp !DoPClient+0x17ca ; $$&lt; C:\\CTF\\script.txt\"</code> to set a breakpoint at <code class=\"language-text\">!DoPClient+0x17ca</code> at startup and execute the debugger script <code class=\"language-text\">C:\\CTF\\script.txt</code>.</p>\n<p>The debugger script used here differs from the JavaScript-based debugger script in the previous section. Instead, it is simply a script file that contains debugger commands you could execute manually.</p>\n<p>WinDbg and CDB provide a feature that lets you load and execute a debugger script file containing multiple debug commands.<sup id=\"fnref-14\"><a href=\"#fn-14\" class=\"footnote-ref\">14</a></sup></p>\n<p>In the Python script above, the following debug commands are saved to <code class=\"language-text\">C:\\CTF\\script.txt</code>, then automatically executed with the <code class=\"language-text\">$$&lt; C:\\CTF\\script.txt</code> command.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">g <span class=\"token punctuation\">;</span>p <span class=\"token punctuation\">;</span><span class=\"token punctuation\">.</span><span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>@zf == 1<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token punctuation\">.</span>printf <span class=\"token string\">\"Solver: R8 is %d\\n\"</span><span class=\"token punctuation\">,</span> @r8 <span class=\"token punctuation\">;</span> $$&lt; C:\\CTF\\script<span class=\"token punctuation\">.</span>txt <span class=\"token punctuation\">}</span> <span class=\"token punctuation\">.</span><span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> <span class=\"token punctuation\">.</span><span class=\"token function\">echo</span> <span class=\"token string\">\"Fail.\"</span> <span class=\"token punctuation\">;</span> <span class=\"token punctuation\">.</span><span class=\"token function\">kill</span> <span class=\"token punctuation\">}</span></code></pre></div>\n<p>In this command, <code class=\"language-text\">g</code> first resumes program execution until the breakpoint at <code class=\"language-text\">DoPClient+0x17ca</code> is reached.</p>\n<p>At <code class=\"language-text\">DoPClient+0x17ca</code>, the value in the <code class=\"language-text\">ECX</code> register, which holds the result of applying some calculation to the input character, is compared with the hardcoded 32-bit integer at the address pointed to by the <code class=\"language-text\">R11</code> register.</p>\n<p>Here, if the input character is correct, the validation succeeds and the zero flag becomes 1.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">1400017ca  cmp     ecx<span class=\"token punctuation\">,</span> dword <span class=\"token namespace\">[r11]</span>\n1400017cd  jne     0x1400017fa\n\n1400017cf  inc     r8d\n1400017d2  inc     r10\n1400017d5  add     r11<span class=\"token punctuation\">,</span> 0x4\n1400017d9  cmp     r8d<span class=\"token punctuation\">,</span> 0x2d\n1400017dd  jl      0x1400013a2</code></pre></div>\n<p>Then, the <code class=\"language-text\">.if (@zf == 1) { omitted } .else { omitted }</code> syntax executed afterwards checks whether the zero flag is 1 immediately after that validation.</p>\n<p>If the correct character has been entered, the zero flag becomes 1 after <code class=\"language-text\">cmp   ecx, dword [r11]</code> executes, so the debugger command <code class=\"language-text\">.printf \"Solver: R8 is %d\\n\", @r8 ; $$&lt; C:\\CTF\\script.txt</code> runs.</p>\n<p>In this command, the value of the <code class=\"language-text\">R8</code> register is substituted into <code class=\"language-text\">%d</code>, the string <code class=\"language-text\">Solver: R8 is %d\\n</code> is displayed, and then the commands defined in the debugger script <code class=\"language-text\">C:\\CTF\\script.txt</code> are executed once again.</p>\n<p>In other words, the operation of resuming program execution and checking the validation result of the next character is repeated until either validation succeeds for all 45 characters or an incorrect character is entered.</p>\n<p>As described above, in this Python script, the input string is brute-forced from the beginning by repeatedly debugging with <code class=\"language-text\">cdb.exe</code> while specifying debugger commands.</p>\n<p>If validation of a correct password character succeeds, a string beginning with <code class=\"language-text\">Solver: R8 is</code> is written to standard output, so the correct input character can be identified from whether that output appears.</p>\n<p>If you actually run this script, it takes a very long time to finish, but in the end it lets you determine that <code class=\"language-text\">FLAG{You_can_use_debug_script_in_WinDbg_Next}</code> is the correct first Flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 480px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c69c358a133a373a0b3aa02d3565c150/e85cb/client-solver-001.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 79.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABLUlEQVQ4y62USZODIBCFvbpcJu6OC6JxJyb+///2phtni1VzmODhVdNQ9dGPBqxpmlCWJapKQMoaQgiEYQjHceB53r9lLctCIAlR12jbBpKiEVAp9QvYom0axHEM27ZfA7JltlmJ3XJN4DiOXgeyZYYIUaOh6hgeBIHBGc7zucCZgAzZgZLghl0+As+7NmdZVoemMNzo2jx3WWqoEXB+6rLUL8Xs2lCFDNvfstRiIFfouu63HNf5GdNmf8lii0VR0AdR6YbwR5EkCS5vFwKHGu77wWf0tXjMa1EU7Qr3yPPWuq7orld0fQe2z+95mmbc1IJxHLFtm47DMECpG9jR/f6g+Qf6ftDPNYpi5FQUn72VpSlSEie8C8eE8iLP9fhLvJZl79pNlmU6P9rn/ANF94mJwYnRSgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c69c358a133a373a0b3aa02d3565c150/8ac56/client-solver-001.webp 240w,\n/static/c69c358a133a373a0b3aa02d3565c150/d3be9/client-solver-001.webp 480w\"\n              sizes=\"(max-width: 480px) 100vw, 480px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c69c358a133a373a0b3aa02d3565c150/8ff5a/client-solver-001.png 240w,\n/static/c69c358a133a373a0b3aa02d3565c150/e85cb/client-solver-001.png 480w\"\n            sizes=\"(max-width: 480px) 100vw, 480px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c69c358a133a373a0b3aa02d3565c150/e85cb/client-solver-001.png\"\n            alt=\"Run the solver and identify the Flag\"\n            title=\"Run the solver and identify the Flag\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>If you enter the Flag (the correct password) identified by this script into DoPClient from the Command Prompt, you can reach the code that displays the string <code class=\"language-text\">Clear Stage1</code>.</p>\n<p>For that reason, we can conclude that the first Flag identified here is indeed correct.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 448px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/71c48cea47498ea143c91576cd5de0c4/33b38/client-solver-002.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 91.25000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACeElEQVQ4y5VU23baQAz0WwMJ2A4Xc7OBAuZyGmzAdxPI///UVCNiCmmatg86u7J2xzOSVka/18NwOMB4PFbzPA+DwQCj0QjNZhOPj49qT09P1/UrMxqNxvWSWr1+5zN+C/Y3UGM6naDTaWPkunDFZvM5yNpxevg+m8H3fXQ7nX9ip4C3DtlQZuODb5rm3aWvwI3bYF3kPjx805Xfm00TrednjdVqNYk93IF9BmxUAV6wbUsKNEKr1dKgbduwhB1Z9iQNLBbZ8uyfQI0LkI3lcoXtyxan0xn7XSgAjh62LBszyWWSZkiTBGG4g+eOVMVnoEar3UGapjiWRxyPR2RZhiIvUBQlokOEw36PspR9FMm5BFEc4+18FgL+HdMrIA9kPCgXMgGOxc/zDIfDAXlR6BpFB/1RGIbCNBUFOyVBZbdMFfAkf0sTAc1zBeRaClAs8sg4kTWJIxxfX7ETwFdJyS4MZD3BX8y1UHeAmcgjYBwnIjVXpmVZYC9Sryko8is4geJoj/PbGyZj7zfZxg8pRJ6lCIJAZVAWcxUEofqRsGMxyJg/SyQWSwoIbr4/zTtA07Swk5xkWa7JJyNK54VcGOfFJQVaOGFJ6UdRMPa8z4uiTSwb1/WwWq2URbDdKgBZs0iXImTy4xD+cqn9WjV5/cPbN6rHzwAbms3rdLvo9/vazH3xB7LnFKJvWaY+STY4zZJKV3s+AGO7fcF6vcZisYAjF5arNTbiT6ZTBacNh0PMZWhwdQV4PL6MuIkMlvnCx0JibH4OGeNFAPmBoJvNRpk5joN2u32VQfaVtGpfGfNYq/2KGwTxhR0BmbP+uzyOMjLq/Mfoov0EEnPb7lfyGB8AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/71c48cea47498ea143c91576cd5de0c4/8ac56/client-solver-002.webp 240w,\n/static/71c48cea47498ea143c91576cd5de0c4/76be4/client-solver-002.webp 448w\"\n              sizes=\"(max-width: 448px) 100vw, 448px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/71c48cea47498ea143c91576cd5de0c4/8ff5a/client-solver-002.png 240w,\n/static/71c48cea47498ea143c91576cd5de0c4/33b38/client-solver-002.png 448w\"\n            sizes=\"(max-width: 448px) 100vw, 448px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/71c48cea47498ea143c91576cd5de0c4/33b38/client-solver-002.png\"\n            alt=\"Enter the correct password into DoPClient\"\n            title=\"Enter the correct password into DoPClient\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Note that although the string <code class=\"language-text\">Clear Stage1</code> is displayed in the screen above, registration of the driver using the <code class=\"language-text\">OpenSCManager</code> function still seems to fail. (See Chapter 3 for DoPClient behavior.)</p>\n<p>If you enable test-signing mode in the virtual machine by following the procedure described in Chapter 1, place <code class=\"language-text\">DoPClient.exe</code> and <code class=\"language-text\">DoPDriver.sys</code> in the same folder, and then run DoPClient from an administrator Command Prompt, DoPDriver can be loaded into the system when the correct password is entered, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 474px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ad71f16a69db4433005c74e1eeb6f88f/5595f/client-solver-004.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 99.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAC6klEQVQ4y61UXVPaUBDN+KKG7y8DBIEQKAJiSEhICNDfoNSX+qTOyA/tTPs36lPVotWZjq893V2Nldbal2Zm2bt79549u+y9yoePn/D5/BxXy2tcXF7i+uYGy+sbspf4dnuH27s7fLm4xNXXJb7f34O/H/j7p7w/OsLJ8TEWiwUWZ2c4Izk9PcXJyTHezeeYHxxgf38fByRzsg8PD18VRVlbox/l/4nRMKFtbaFarYrUajWUy2URs9lCo2Egm8shmUwilUr9U5RMNodEIoF0Oi2SzWblsKwJKPdox+PxJ4nFYiv2c1Fi8YQEsKiqio2NDdEsETDvbW5uQo2p/wRVEskUYnSYDzBAoVAQzawzmczTWtM0Aee4COwlUEUlZyqdQbvdhuM4eDubwtrbQ57K5QAG6nR7mJF/OByi2+lIr7iCCDT2HLBAB1zXQxiGmEynGHkuwgnpkYeh6xKII3u8HnkexuOA9kbENvWM4S+miu0MKWhMoK5oz2U7JM3AIQYDC0EwFmCPkjm2LXFGvSbl/1HydDajAwF8P5DAIPAxJkYj35cyHccm5jP4xNgnn0/seG9Mcczs9z4qDjOjTdt25MDQcQScmUwmE2HKjH1/JH4uO6DE/d3eUx9XAN/s7BCTGQHaVOKEgAbClJlx76RvrIkZ+5nhlHpdLpdeLlmlH9NsygHOHDCT4KHxDBiSjxkyWxZuD9+el9hx+QK4vr4uM9ega8hj0SbWPDo8Sr1el2RXbMMwkKaR4Xj1cXYjiRIoJbqzRRqdfD4vV227UkGpVJL5KxaLonW9gkpFl6HXtKLcfY322KfrD1Kg8wyqWAMbA2uPhreLWr2OVquFHWLIjwPf6xwl2SIAtjkpr0VLQk38TIBjpeROryelmKaJfr8vrJgpsxBGZPOVi+54VF5UKvtXSu5bFlrNJup1Axatm7RmBgzMmUuPTOOvvDArf0qDAKrVbejUOwbT+S0kIAYt6w99i8YjepVeA/0JBfBKmwbflQ4AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ad71f16a69db4433005c74e1eeb6f88f/8ac56/client-solver-004.webp 240w,\n/static/ad71f16a69db4433005c74e1eeb6f88f/01944/client-solver-004.webp 474w\"\n              sizes=\"(max-width: 474px) 100vw, 474px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ad71f16a69db4433005c74e1eeb6f88f/8ff5a/client-solver-004.png 240w,\n/static/ad71f16a69db4433005c74e1eeb6f88f/5595f/client-solver-004.png 474w\"\n            sizes=\"(max-width: 474px) 100vw, 474px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ad71f16a69db4433005c74e1eeb6f88f/5595f/client-solver-004.png\"\n            alt=\"Confirm that DoPClient loads the driver\"\n            title=\"Confirm that DoPClient loads the driver\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"speed-up-the-brute-force-script\" style=\"position:relative;\"><a href=\"#speed-up-the-brute-force-script\" aria-label=\"speed up the brute force script permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Speed Up the Brute-force Script</h2>\n<p>Using <code class=\"language-text\">Stage1_Solver_1.py</code> from the previous section allowed us to obtain the correct Flag, but it takes a very long time for this script to determine the full Flag.</p>\n<p>The actual time required for brute force depends on the environment, but when I ran it in my environment, it took roughly 40 minutes.</p>\n<p>If the script can ultimately identify the correct Flag, you might think the execution time does not matter, but in a CTF there are various disadvantages to having a long-running flag-retrieval script, such as rivals solving it first or it taking longer to notice bugs in the script.</p>\n<p>For that reason, when solving challenges that require brute-forcing a Flag like this, it is also important to think about better algorithms for shortening script runtime.</p>\n<p>For example, <code class=\"language-text\">Stage1_Solver_1.py</code> used in the previous section identifies the correct password by brute-forcing one character at a time from the beginning.</p>\n<p>Since the Flag format is <code class=\"language-text\">^FLAG\\{[\\x20-\\x7E]+\\}$</code> and the correct password length is known to be 45 characters, the worst-case number of validation attempts required for brute force is 3705.<sup id=\"fnref-15\"><a href=\"#fn-15\" class=\"footnote-ref\">15</a></sup></p>\n<p>In the script this time, DoPClient has to be restarted for each brute-force attempt, so the overhead per character validation is fairly large.</p>\n<p>For that reason, if we can reduce the number of validation attempts even a little, it should lead to a significant reduction in execution time.</p>\n<p>So, to speed up brute-force execution, I rewrote the script as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> subprocess\n\ncdb_path <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\Program Files (x86)\\\\Windows Kits\\\\10\\\\Debuggers\\\\x64\\\\cdb.exe\"</span>\nexe_path <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\CTF\\\\DoPClient.exe\"</span>\nflag_path <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\CTF\\\\input.txt\"</span>\nscript_path <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\CTF\\\\script.txt\"</span>\n\ndbg_cmd <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"$$&lt; </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>script_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>script_path<span class=\"token punctuation\">,</span><span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    cmd <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n    cmd <span class=\"token operator\">+=</span> <span class=\"token string\">\"g ;\"</span>\n    cmd <span class=\"token operator\">+=</span> <span class=\"token string\">\"p ;\"</span>\n    cmd <span class=\"token operator\">+=</span> <span class=\"token string\">\".if (@zf == 1) { .printf \\\"Solver: Correct word in %d\\\\n\\\", @r8 ; \"</span> <span class=\"token operator\">+</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"$$&lt; </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>script_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span> <span class=\"token operator\">+</span> <span class=\"token string\">\" } .else { r zf=1 ; \"</span> <span class=\"token operator\">+</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"$$&lt; </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>script_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span> <span class=\"token operator\">+</span> <span class=\"token string\">\"}\"</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>cmd<span class=\"token punctuation\">)</span>\n\ncommand <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"\\\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>cdb_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\\" -G -o -kqm -c \\\"bp !DoPClient+0x17ca ; </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>dbg_cmd<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\\" \\\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>exe_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\\" &lt; \\\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>flag_path<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\\"\"</span></span>\n\n\nflag <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"\"</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">45</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"============================================================\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x20</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x7e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>flag_path<span class=\"token punctuation\">,</span><span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n        word <span class=\"token operator\">=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token number\">45</span>\n        word <span class=\"token operator\">+=</span> <span class=\"token string\">\"\\n\"</span>\n        f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>word<span class=\"token punctuation\">)</span>\n\n    process <span class=\"token operator\">=</span> subprocess<span class=\"token punctuation\">.</span>Popen<span class=\"token punctuation\">(</span>command<span class=\"token punctuation\">,</span> shell<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">,</span> stdout<span class=\"token operator\">=</span>subprocess<span class=\"token punctuation\">.</span>PIPE<span class=\"token punctuation\">,</span> stderr<span class=\"token operator\">=</span>subprocess<span class=\"token punctuation\">.</span>PIPE<span class=\"token punctuation\">)</span>\n    stdout<span class=\"token punctuation\">,</span> stderr <span class=\"token operator\">=</span> process<span class=\"token punctuation\">.</span>communicate<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">for</span> line <span class=\"token keyword\">in</span> stdout<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token string\">\"utf-8\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>          \n        <span class=\"token keyword\">if</span> line<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"Solver: Correct word\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            t <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>line<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n            flag<span class=\"token punctuation\">[</span>t<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"flag[</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>t<span class=\"token punctuation\">}</span></span><span class=\"token string\">] is </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"============================================================\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This script can be downloaded as <code class=\"language-text\">Stage1_Solver_2.py</code> from the following repository.</p>\n<br>\n<p><code class=\"language-text\">Stage1_Solver_2.py</code>:</p>\n<p><a href=\"https://github.com/kash1064/ctf-and-windows-debug/blob/main/Stage1_Solver_2.py\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://github.com/kash1064/ctf-and-windows-debug/</a></p>\n<br>\n<p>In the new script, processing is made more efficient by taking advantage of the fact that password validation can be bypassed by forcing the zero flag to 1 in the debugger, making it possible to obtain the correct Flag in at most 95 executions (the number of printable ASCII characters).</p>\n<p>In this script, the debugger command script used during execution changes its commands to the following.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">g <span class=\"token punctuation\">;</span>p <span class=\"token punctuation\">;</span><span class=\"token punctuation\">.</span><span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>@zf == 1<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token punctuation\">.</span>printf <span class=\"token string\">\"Solver: Correct word in %d\\n\"</span><span class=\"token punctuation\">,</span> @r8 <span class=\"token punctuation\">;</span> $$&lt; C:\\CTF\\script<span class=\"token punctuation\">.</span>txt <span class=\"token punctuation\">}</span> <span class=\"token punctuation\">.</span><span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> r zf=1 <span class=\"token punctuation\">;</span> $$&lt; C:\\CTF\\script<span class=\"token punctuation\">.</span>txt<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The handling when the zero flag is 1 after <code class=\"language-text\">cmp   ecx, dword [r11]</code> executes (that is, when the input character is correct) is almost the same as before, but the command executed when the zero flag is 0 (that is, when the input character is incorrect) has been changed significantly.</p>\n<p>In the previous section, when the input character was incorrect, the program’s debugging session was terminated with the <code class=\"language-text\">.kill</code> command and a new brute-force test was started.</p>\n<p>By contrast, in the current script, the <code class=\"language-text\">r zf=1</code> command forces the zero flag to 1, so program execution continues to the end regardless of the result of the input-character validation.</p>\n<p>In other words, in a single program execution, all 45 character positions can be tested at once to see whether a given character matches the correct password.</p>\n<p>As a result, whereas the script used in the previous section required as many as 3705 program executions in the worst case for brute force, the script this time can identify the correct Flag in at most 95 executions.</p>\n<p>If you actually run this script, it can identify the correct Flag in about one minute, achieving a speedup of several tens of times compared with the script used in the previous section.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 494px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ab7c5cf658d45fc27c3dfc58537bde3c/d72d4/client-solver-003.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 71.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABJUlEQVQ4y62TWW+DMBCEeQyE+woJDgaHOxFHE/7/T5t6TVP1rVLdh5EtrTT7eWdttP2AeZ4hqhKMMcRxBMuyYNv2n2Qs6we2bUPbNqiqClGkadgPI6ZpAi8KRRiGoZ7hLAlfrxduQijC+D8I13VFyQvkOYPneTgej3qEz+cTQlQ7YRxrEo53LMsizfaUg8DXI5zmFZucYdPUKMtSn3CQhDRDSjlnNENXl3BRhpQyl4RBEMDSMRzuDxUKGV6vV7XY2oS0hyoUaeg4Dg6HA0zT/FU0658iEKNuWozjqALhnONyuSDLMpzPZ5xOJ3Wnk/SuZdleS5LkW2mawvd9GEI+Vcj9K2QoZEjhCHGTf7vdm3w1onrf9+i6DnVdg+U5PNdTJm+5rotPPU5U/Yw77J4AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ab7c5cf658d45fc27c3dfc58537bde3c/8ac56/client-solver-003.webp 240w,\n/static/ab7c5cf658d45fc27c3dfc58537bde3c/d3be9/client-solver-003.webp 480w,\n/static/ab7c5cf658d45fc27c3dfc58537bde3c/32f69/client-solver-003.webp 494w\"\n              sizes=\"(max-width: 494px) 100vw, 494px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ab7c5cf658d45fc27c3dfc58537bde3c/8ff5a/client-solver-003.png 240w,\n/static/ab7c5cf658d45fc27c3dfc58537bde3c/e85cb/client-solver-003.png 480w,\n/static/ab7c5cf658d45fc27c3dfc58537bde3c/d72d4/client-solver-003.png 494w\"\n            sizes=\"(max-width: 494px) 100vw, 494px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ab7c5cf658d45fc27c3dfc58537bde3c/d72d4/client-solver-003.png\"\n            alt=\"Run the optimized solver and identify the Flag\"\n            title=\"Run the optimized solver and identify the Flag\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In this way, by using debugger commands to alter program behavior arbitrarily, you can sometimes make brute-force and similar attacks much more efficient with simple changes.</p>\n<h2 id=\"chapter-4-summary\" style=\"position:relative;\"><a href=\"#chapter-4-summary\" aria-label=\"chapter 4 summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Chapter 4 Summary</h2>\n<p>In this chapter, by using JavaScript-based debugger scripts and debugger-command execution from external scripts via <code class=\"language-text\">cdb.exe</code>, we identified an unknown password with a brute-force attack.</p>\n<p>Up to this point, we have analyzed DoPClient, which is a user-mode application, but from Chapter 5 onward we will step further into analysis of DoPDriver, which is a kernel driver module.</p>\n<h2 id=\"links-to-each-chapter\" style=\"position:relative;\"><a href=\"#links-to-each-chapter\" aria-label=\"links to each chapter permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Links to Each Chapter</h2>\n<ul>\n<li><a href=\"/magical-windbg-vol2-00-en\">Preface</a></li>\n<li><a href=\"/magical-windbg-vol2-01-en\">Chapter 1: Environment Setup</a></li>\n<li><a href=\"/magical-windbg-vol2-02-en\">Chapter 2: Surface Analysis of DoPClient and DoPDriver</a></li>\n<li><a href=\"/magical-windbg-vol2-03-en\">Chapter 3: Static Analysis of DoPClient</a></li>\n<li><a href=\"/magical-windbg-vol2-04-en\">Chapter 4: Dynamic Analysis of DoPClient</a></li>\n<li><a href=\"/magical-windbg-vol2-05-en\">Chapter 5: Static Analysis of DoPDriver</a></li>\n<li><a href=\"/magical-windbg-vol2-06-en\">Chapter 6: Dynamic Analysis of DoPDriver</a></li>\n</ul>\n<div class=\"footnotes\">\n<hr>\n<ol>\n<li id=\"fn-1\">\n<p>Time Travel Debugging <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/time-travel-debugging-overview\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/time-travel-debugging-overview</a></p>\n<a href=\"#fnref-1\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-2\">\n<p>Inside Windows, 7th Edition, Vol. 1, p.171 (by Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, and David A. Solomon / translated by Kazuaki Yamauchi / Nikkei BP / 2018)</p>\n<a href=\"#fnref-2\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-3\">\n<p>Methods of Controlling Breakpoints <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/methods-of-controlling-breakpoints\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/methods-of-controlling-breakpoints</a></p>\n<a href=\"#fnref-3\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-4\">\n<p>r (Registers) <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/r--registers-\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/r—registers-</a></p>\n<a href=\"#fnref-4\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-5\">\n<p>d, da, db, dc, dd, dD, df, dp, dq, du, dw (Display Memory) <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/d--da--db--dc--dd--dd--df--dp--dq--du--dw--dw--dyb--dyd--display-memor\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/d—da—db—dc—dd—dd—df—dp—dq—du—dw—dw—dyb—dyd—display-memor</a></p>\n<a href=\"#fnref-5\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-6\">\n<p>dds, dps, dqs (Display Words and Symbols) <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/dds--dps--dqs--display-words-and-symbols-\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/dds—dps—dqs—display-words-and-symbols-</a></p>\n<a href=\"#fnref-6\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-7\">\n<p>g (Go) <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/g--go-\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/g—go-</a></p>\n<a href=\"#fnref-7\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-8\">\n<p>p (Step) <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/p--step-\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/p—step-</a></p>\n<a href=\"#fnref-8\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-9\">\n<p>t (Trace) <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/t--trace-\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/t—trace-</a></p>\n<a href=\"#fnref-9\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-10\">\n<p>Pseudo-Register Syntax <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/pseudo-register-syntax\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/pseudo-register-syntax</a></p>\n<a href=\"#fnref-10\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-11\">\n<p>JavaScript Debugger Scripting <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/javascript-debugger-scripting\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/javascript-debugger-scripting</a></p>\n<a href=\"#fnref-11\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-12\">\n<p>Native Debugger Objects in JavaScript Extensions <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/native-objects-in-javascript-extensions-debugger-objects\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/native-objects-in-javascript-extensions-debugger-objects</a></p>\n<a href=\"#fnref-12\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-13\">\n<p>CDB Command-Line Options <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/cdb-command-line-options\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/cdb-command-line-options</a></p>\n<a href=\"#fnref-13\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-14\">\n<p><span class=\"katex\"><span class=\"katex-mathml\"><math xmlns=\"http://www.w3.org/1998/Math/MathML\"><semantics><mrow><mo>&lt;</mo><mo separator=\"true\">,</mo></mrow><annotation encoding=\"application/x-tex\">&lt;,</annotation></semantics></math></span><span class=\"katex-html\" aria-hidden=\"true\"><span class=\"base\"><span class=\"strut\" style=\"height:0.5782em;vertical-align:-0.0391em;\"></span><span class=\"mrel\">&lt;</span></span><span class=\"base\"><span class=\"strut\" style=\"height:0.3em;vertical-align:-0.1944em;\"></span><span class=\"mpunct\">,</span></span></span></span>>&#x3C;, <span class=\"katex\"><span class=\"katex-mathml\"><math xmlns=\"http://www.w3.org/1998/Math/MathML\"><semantics><mrow><mo>&lt;</mo><mo separator=\"true\">,</mo></mrow><annotation encoding=\"application/x-tex\">&lt;,</annotation></semantics></math></span><span class=\"katex-html\" aria-hidden=\"true\"><span class=\"base\"><span class=\"strut\" style=\"height:0.5782em;vertical-align:-0.0391em;\"></span><span class=\"mrel\">&lt;</span></span><span class=\"base\"><span class=\"strut\" style=\"height:0.3em;vertical-align:-0.1944em;\"></span><span class=\"mpunct\">,</span></span></span></span>>&#x3C;, $$ >a&#x3C; (Run Script File) <a href=\"https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/-----------------------a---run-script-file-\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debuggercmds/-----------------------a---run-script-file-</a></p>\n<a href=\"#fnref-14\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-15\">\n<p>95 (number of printable ASCII characters) x 39 (45 characters minus the 6 characters in <code class=\"language-text\">FLAG{}</code>) = 3705</p>\n<a href=\"#fnref-15\" class=\"footnote-backref\">↩</a>\n</li>\n</ol>\n</div>","fields":{"slug":"/magical-windbg-vol2-04-en","tagSlugs":["/tag/magical-win-dbg/","/tag/windows/","/tag/win-dbg/","/tag/english/"]},"frontmatter":{"date":"2024-05-26","description":"This is the web edition of Magical WinDbg 2 - Learn User-Mode & Kernel Debugging Through CTFs -, distributed at Tech Book Fest 16.","tags":["Magical WinDbg","Windows","WinDbg","English"],"title":"Magical WinDbg VOL.2 [Chapter 4: Dynamic Analysis of DoPClient]","socialImage":{"publicURL":"/static/e9bfc3718fd53ab58623a496fc9a302e/magical-windbg-vol2.png"}}}},"pageContext":{"slug":"/magical-windbg-vol2-04-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}