Wednesday, 23 December 2009

bot1.exe part8 - hey command

The first command the message string is compared to, after checking if the first char of the channel message is a '.',

00403985 8B 45 3C          mov     eax, [ebp+4Ch+var_10]
00403988 8D 48 01          lea     ecx, [eax+1]
0040398B 8A 00             mov     al, [eax]
0040398D 3A 05 90 70 45 00 cmp     al, byte ptr ds:a__2            ; "."
00403993 89 0F             mov     [edi], ecx
00403995 0F 85 B3 F9 FF FF jnz     loc_40334E

is 'hey':

0040399B                   loc_40399B:                          
0040399B 8B 3F             mov     edi, [edi]
0040399D 57                push    edi
0040399E 68 EC 4D 44 00    push    offset aHey                     ; "hey"
004039A3 89 7D 3C          mov     [ebp+4Ch+var_10], edi
004039A6 E8 05 E9 01 00    call    strcmp?
004039AB 85 C0             test    eax, eax
004039AD 59                pop     ecx
004039AE 59                pop     ecx
004039AF 0F 84 2C 70 00 00 jz      hey_cmd

If strcmp returns 0, the next token is compared against 'h4ckerr00lz':

0040AA1F FF 75 44          push    [ebp+4Ch+pwd_token_aux]
0040AA22 8B F8             mov     edi, eax
0040AA24 68 B0 70 45 00    push    offset aH4ckerr00lz             ; "h4ckerr00lz"
0040AA29 E8 82 78 01 00    call    strcmp?
0040AA2E 83 C4 20          add     esp, 20h
0040AA31 85 C0             test    eax, eax
0040AA33 74 45             jz      pwd_match

At pwd_match (0040AA7A) there is a call to validate_who_info, which apparently checks whether the user info (unchk@foobar) matches the regex '*@*'. If it does, a jump is taken to 0040AACF.
Here, the password token is compared against "h4ckerr00lz" once again, and if there is a match, then a jz is taken to 40AAFC.
Here, the nick is copied to arg_18, and a success message is sent back to the channel ('-main- Password accepted.').
arg_18 is an input/output argument. It fits the purpose of signaling whether the user issuing the command has previously identified himself.
The first reference to arg_18 (inside the function that parses the irc command, and does all command flow control) is located at 403255:

00403255 8B 75 6C          mov     esi, [ebp+4Ch+arg_18]
00403258 C7 45 28 03 00 00+mov     [ebp+4Ch+var_24], 3
0040325F BF 80 00 00 00    mov     edi, 80h
00403264
00403264                   loc_403264:                             
00403264 8D 85 14 F2 FF FF lea     eax, [ebp+4Ch+var_E38]
0040326A 50                push    eax
0040326B 56                push    esi
0040326C E8 3F F0 01 00    call    strcmp?
00403271 85 C0             test    eax, eax
00403273 59                pop     ecx
00403274 59                pop     ecx
00403275 75 07             jnz     short loc_40327E
00403277 C7 45 38 01 00 00+mov     [ebp+4Ch+authenticated], 1

The variable authenticated is, in turn, used as a check when the message starts with '.' and the command is not 'hey':

004039CA 39 5D 38          cmp     [ebp+4Ch+authenticated], ebx
004039CD 75 17             jnz     short loc_4039E6
004039CF FF 75 AC          push    [ebp+4Ch+var_A0]
004039D2 68 40 4F 44 00    push    offset a332                     ; "332" - RPL_TOPIC?
004039D7 E8 D4 E8 01 00    call    strcmp?
004039DC 85 C0             test    eax, eax
004039DE 59                pop     ecx
004039DF 59                pop     ecx
004039E0 0F 85 2A 18 00 00 jnz     loc_405210       ; will lead to the ret

I haven't tried messing around with the topic message yet, so the jnz (whose path will lead to the matching of all other commands) is always taken, if the user hasn't already identified himself.
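The authentication flow recovered above ('.' prefix, 'hey' command, the 'h4ckerr00lz' password, the '*@*' check on the sender's user info, and the authenticated gate for every other command) can be turned into a detection check over captured IRC traffic. This is an added example, not code from the post or from the bot; the log lines and the `.somecmd` command name are constructed.

```python
import re

# Constants recovered from the disassembly in the post
CMD_PREFIX = "."
AUTH_CMD = "hey"
AUTH_PASSWORD = "h4ckerr00lz"
ACCEPT_MSG = "-main- Password accepted."

# Raw IRC line: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(r"^:(?P<prefix>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# Equivalent of the bot's '*@*' match on the sender's user info
WHO_RE = re.compile(r"^[^@]*@[^@]*$")

# Constructed sample traffic (not a real capture)
SAMPLE_LOG = [
    ":op!unchk@foobar PRIVMSG #c2 :.hey h4ckerr00lz",
    ":bot1!bot@infected.example PRIVMSG #c2 :-main- Password accepted.",
    ":op!unchk@foobar PRIVMSG #c2 :.somecmd arg",        # placeholder command
    ":guest!guest@example PRIVMSG #c2 :.somecmd arg",    # never authenticated
    ":bot1!bot@infected.example PRIVMSG #c2 :hello world",
]


def scan_irc_log(lines):
    """Return (alerts, authenticated_nicks) for the bot's C2 handshake pattern."""
    alerts = []
    authenticated = set()  # mirrors the bot's 'authenticated' flag, per nick
    for line in lines:
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue
        nick, _, userinfo = m.group("prefix").partition("!")
        text = m.group("text")
        if text == ACCEPT_MSG:            # the bot's success reply to the channel
            alerts.append(("bot-reply", nick, text))
            continue
        if not text.startswith(CMD_PREFIX):
            continue
        tokens = text[len(CMD_PREFIX):].split()
        if not tokens:
            continue
        if tokens[0] == AUTH_CMD:
            # same three conditions the bot checks before accepting the operator
            if len(tokens) > 1 and tokens[1] == AUTH_PASSWORD and WHO_RE.match(userinfo):
                authenticated.add(nick)
                alerts.append(("auth-attempt", nick, text))
        elif nick in authenticated:       # any other '.' command from an accepted nick
            alerts.append(("command-after-auth", nick, text))
    return alerts, authenticated
```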
