Tags: c, reverse-engineering, ghidra

What does this Ghidra-generated pseudo-C code generate?


I'm playing around doing a few challenges of reverse engineering with Ghidra.

I have analyzed a bin file, which should contain some information about a password. When you run the file, you can give it some input, and it will check if it's the correct password. Here is the pseudo-C code that is responsible for doing this (the comments are mine):

  __isoc99_scanf(&DAT_00400a82,local_28); // input scanned from user
  __s2 = (char *)FUN_0040078d(0x14); // password retrieved from function
  iVar1 = strcmp(local_28,__s2); // comparing strings
  if (iVar1 == 0) { // if they are equal, do this
    FUN_00400978(&local_48);
  }

OK, so I tried looking up the function FUN_0040078d:

void * FUN_0040078d(int param_1)

{
  int iVar1;
  time_t tVar2;
  void *pvVar3;
  int local_c;
  
  tVar2 = time((time_t *)0x0);
  DAT_00601074 = DAT_00601074 + 1;
  srand(DAT_00601074 + (int)tVar2 * param_1);
  pvVar3 = malloc((long)(param_1 + 1));
  if (pvVar3 != (void *)0x0) {
    local_c = 0;
    while (local_c < param_1) {
      iVar1 = rand();
      *(char *)((long)local_c + (long)pvVar3) = (char)(iVar1 % 0x5e) + '!';
      local_c = local_c + 1;
    }
    *(undefined *)((long)pvVar3 + (long)param_1) = 0;
    return pvVar3;
  }
                    /* WARNING: Subroutine does not return */
  exit(1);
}

So there's a lot of information here. But overall, what I think happens is that an array of chars is constructed by doing the operation:

(char)(iVar1 % 0x5e) + '!';

Which I have no idea what it means (what does modulo on chars do? And does + '!' just mean concatenate a "!"?).

Overall I'm having some issues reading this, and I'm wondering if it's possible to predict what this function would output for specific inputs. In this case the function is given 14 as input.

Maybe the use of the rand() means that it cannot be deconstructed?

Can anyone give a guess/tell me what this function would likely output for input 14?


Solution

  • As per your previous comment, here's a simplified version of your function:

    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>

    long GLOBAL_COUNTER = 0;   // stands in for DAT_00601074

    typedef char undefined;    // Ghidra's name for a byte of unknown type

    void * array_constructor(int size);

    int main(void)
    {
        char* random_string = (char*)array_constructor(0x14);
        printf("%s\n", random_string);
        free(random_string);
        return 0;
    }

    void * array_constructor(int size)
    {
        int random_value;
        //time_t cur_time;
        void *array;
        int counter;

        //cur_time = time(NULL);
        GLOBAL_COUNTER = GLOBAL_COUNTER + 1;
        srand(0);//srand(GLOBAL_COUNTER + (int)cur_time * size);  fixed seed here so the output is repeatable
        array = malloc((long)(size + 1));//returns a buffer of size + 1 bytes (room for the terminating \0)
        if (array == NULL)
          exit(1);

        counter = 0;
        while (counter < size) {
            random_value = rand();
            int char_value = (char)(random_value % 0x5e) + '!';//Range of possible values 33-126
            // rand() is never negative, so random_value % 0x5e is in 0 - 0x5d (0-93 in dec),
            // and adding '!' (33) shifts that to 33 ('!') .. 126 ('~'): printable ASCII
            // without space. The + is plain integer addition, not concatenation.

            *(char *)((long)counter + (long)array) = char_value;
            // this statement is the same as
            // array[counter] = char_value
            counter++;
        }
        *(undefined *)((long)array + (long)size) = 0; //it puts the \0 at the end of the string
        return array;
    }


  Now the only problem that you had was with the undefined typedef. This code is a simplification of yours, but it works.
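A reimplementation that keeps the original seeding, added here as an example and not code from the question or the answer, to show why the string is predictable: it is a pure function of the call counter, the current second and the size passed in. It assumes a 32-bit int seed (as the decompiled srand call suggests) and that the binary's rand() is the same libc rand() this is compiled against.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* The decompiled seed: DAT_00601074 (a counter bumped on every call) plus
 * (int)time(NULL) * param_1, in unsigned arithmetic so the 32-bit wraparound
 * the binary ends up with is well defined (assumption: 32-bit int). */
unsigned int make_seed(unsigned int counter, unsigned int now, int size)
{
    return counter + now * (unsigned int)size;
}

/* Same loop as FUN_0040078d: rand() % 0x5e is 0..93, + '!' (33) makes it 33..126,
 * i.e. '!'..'~'; plain integer arithmetic, no concatenation. out holds size+1. */
void fill_password(unsigned int seed, int size, char *out)
{
    srand(seed);
    for (int i = 0; i < size; i++)
        out[i] = (char)((char)(rand() % 0x5e) + '!');
    out[size] = '\0';
}

/* 1 if every character of s lies in '!'..'~'. */
int all_in_range(const char *s)
{
    for (; *s; s++)
        if (*s < '!' || *s > '~')
            return 0;
    return 1;
}

/* 1 if the same seed yields the same string twice, of length size and within
 * '!'..'~': the "password" is a pure function of (counter, time, size). */
int check_password(unsigned int seed, int size)
{
    char a[64], b[64];
    if (size < 0 || size >= 64) return 0;
    fill_password(seed, size, a);
    fill_password(seed, size, b);
    return strcmp(a, b) == 0 && (int)strlen(a) == size && all_in_range(a);
}

int main(void)
{
    char buf[0x14 + 1];
    unsigned int seed = make_seed(1, (unsigned int)time(NULL), 0x14);
    fill_password(seed, 0x14, buf);
    printf("seed %u -> %s\n", seed, buf);
}
```

The exact characters depend on which libc rand() the binary links against, so reproducing a given run means compiling against the same implementation and supplying the same counter and second.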