Strings3

The main function is a little more complex than the previous challenges. We can make use of radare2 decompiler plugin r2dec to get pseudo-code (that’s pretty similar to C) using the pdd option:

We can check the official Microsoft documentation for the LoadStringA and FindResourceA functions to understand how it works.

This one is also useful if you are trying to understand what a “resource” is in this context and which type of resource is being fetched by this binary:

After reading the docs we can translate the parameters to their actual meaning.

HRSRC FindResourceA(

HMODULE 0x00, // from this binary

LPCSTR "rc.rc", // from .rsrc section

LPCSTR 272 // string-table entry

); int LoadStringA(

HINSTANCE 0x00, // load from this binary

UINT 0x06, // string identifier

LPSTR &buffer,

int 0x3ff // size of the buffer

);

The interesting part is this, where eax gets set up with the string identifier 0x110 (272):

0x004022da b801000000 mov eax, 1

0x004022df c1e008 shl eax, 8

0x004022e2 33d2 xor edx, edx

0x004022e4 42 inc edx

0x004022e5 c1e204 shl edx, 4

0x004022e8 0bc2 or eax, edx

Looking into the resources entries using the resource hacker tool we can easily find the corresponding resource for the identifier 272