My Avatar

Shilong ZHAO

Nuit du Hack CTF Matriochka

2016-07-24 00:00:00 +0200

In case you have any questions or suggestions, you can leave comments HERE . Thanks!

Question description: “Can you help me? Recently, I found an executable binary.

As I’m a true newbie, Certainly, to solve it, I will have difficulties. Keep in mind, the first step is quite easy. Maybe the last one will be quite tricky. Emulating it could be a good idea.”

The challenge is available at : http://static.quals.nuitduhack.com/stage1.bin

Step 1

Description

Can you help me?
Recently, I found an executable binary.
As I'm a true newbie,
Certainly, to solve it, I will have difficulties.
Keep in mind, the first step is quite easy.
Maybe the last one will be quite tricky.
Emulating it could be a good idea.

URL: http://static.quals.nuitduhack.com/stage1.bin

Solution:

$ objdump -d stage1.bin
…
000000000040064d <main>:
  40064d:    55                 push   %rbp
  40064e:    48 89 e5           mov %rsp,%rbp
  400651:    48 83 ec 20        sub $0x20,%rsp
  400655:    89 7d ec           mov %edi,-0x14(%rbp)
  400658:    48 89 75 e0        mov %rsi,-0x20(%rbp)
  40065c:    83 7d ec 02        cmpl   $0x2,-0x14(%rbp)
  400660:    74 25              je  400687 <main+0x3a>
  400662:    48 8b 45 e0        mov -0x20(%rbp),%rax
  400666:    48 8b 10           mov (%rax),%rdx
  400669:    48 8b 05 f0 e9 20 00     mov 0x20e9f0(%rip),%rax     # 60f060 <stdout@@GLIBC_2.2.5>
  400670:    be 67 e0 40 00     mov $0x40e067,%esi
  400675:    48 89 c7           mov %rax,%rdi
  400678:    b8 00 00 00 00     mov $0x0,%eax
  40067d:    e8 ae fe ff ff     callq  400530 <fprintf@plt>
  400682:    e9 0f 01 00 00     jmpq   400796 <main+0x149>
  400687:    48 8b 45 e0        mov -0x20(%rbp),%rax
  40068b:    48 83 c0 08        add $0x8,%rax
  40068f:    48 8b 00           mov (%rax),%rax
  400692:    be 79 e0 40 00     mov $0x40e079,%esi
  400697:    48 89 c7           mov %rax,%rdi
  40069a:    e8 81 fe ff ff     callq  400520 <strcmp@plt>
  40069f:    85 c0              test   %eax,%eax
  4006a1:    0f 85 cc 00 00 00     jne 400773 <main+0x126>
  4006a7:    48 8b 05 b2 e9 20 00     mov 0x20e9b2(%rip),%rax     # 60f060 <stdout@@GLIBC_2.2.5>

Program calls strcmp , the two parameters are stored in register rax and and 0x40e079 .

$ objdump -s stage1.bin 
…
 40e070 203c7061 73733e0a 004d7563 685f7365   <pass>..Much_se
 40e080 63757265 5f5f536f 5f736166 655f5f57  cure__So_safe__W
 40e090 6f770047 6f6f6420 676f6f64 210a0054  ow.Good good!..T
 40e0a0 72792061 6761696e 2e2e2e0a 00       ry again..... 
…

The string stored at 0x40e079 is “Much_secure__So_safe__Wow”.

$ ./stage1.bin Much_secure__So_safe__Wow > output.txt  2>stage2.base64

output.txt have “Good good” and stage2.base64 has base64 coded content

$ cat stage2.basee64 | base64 -d > stage2

Step2

$ file stage2
stage2: POSIX tar archive (GNU)

$ tar -xvf stage2
stage2.bin

$ ./stage2.bin
Usage: ./stage2.bin <pass>

The symbols like <main> are stripped in this binary.

__libc_start_main will call our missing main function. and note the 3 registers, rdi, rcx, r8.

rdi contains the address of the main function which is $0x4006f2

$ objdump -d stage2.bin
...
0000000000400560 <.text>:
  400560:    31 ed                   xor    %ebp,%ebp
  400562:    49 89 d1                mov    %rdx,%r9
  400565:    5e                      pop    %rsi
  400566:    48 89 e2                mov    %rsp,%rdx
  400569:    48 83 e4 f0             and    $0xfffffffffffffff0,%rsp
  40056d:    50                      push   %rax
  40056e:    54                      push   %rsp
  40056f:    49 c7 c0 30 0a 40 00     mov   $0x400a30,%r8
  400576:    48 c7 c1 c0 09 40 00     mov   $0x4009c0,%rcx
  40057d:    48 c7 c7 f2 06 40 00     mov   $0x4006f2,%rdi
  400584:    e8 97 ff ff ff          callq  400520 <__libc_start_main@plt>
..

program main entry:

 4006f2:    55                 push   %rbp
  4006f3:    48 89 e5           mov %rsp,%rbp
  4006f6:    53                 push   %rbx
  4006f7:    48 83 ec 28        sub $0x28,%rsp
  4006fb:    89 7d dc           mov %edi,-0x24(%rbp)
  4006fe:    48 89 75 d0        mov %rsi,-0x30(%rbp)
  400702:    83 7d dc 02        cmpl   $0x2,-0x24(%rbp)
  400706:    74 25              je  40072d <fwrite@plt+0x1dd>

Main function has two arguments,  first is argument count argc and second is argument vector argv,  if argc == 2 , go to 0x40072d

  40072d:    c7 45 ec 01 00 00 00     movl   $0x1,-0x14(%rbp)
  400734:    48 8b 45 d0        mov -0x30(%rbp),%rax
  400738:    48 83 c0 08        add $0x8,%rax // rax = argv[1], pass
  40073c:    48 8b 00           mov (%rax),%rax
  40073f:    48 89 c7           mov %rax,%rdi
  400742:    e8 c9 fd ff ff     callq  400510 <strlen@plt>; rax = len
  400747:    48 8d 50 01        lea 0x1(%rax),%rdx ; rdx = len +1
  40074b:    48 89 d0           mov %rdx,%rax ; rax = len + 1;
  40074e:    48 c1 e0 02        shl $0x2,%rax ; rax = 4*(len+1)
  400752:    48 01 d0           add %rdx,%rax ; rax = 5*(len + 1)
  400755:    48 c1 e0 02        shl $0x2,%rax ; rax = 20 * (len+1)
  400759:    48 01 d0           add %rdx,%rax ; rax = 21(len+1)
  40075c:    48 01 c0           add %rax,%rax ; rax = 42(len+1)
  40075f:    48 3d f8 01 00 00     cmp $0x1f8,%rax ; rax = 504? len = 11?
  400765:    0f 85 2f 02 00 00     jne 40099a <fwrite@plt+0x44a>
  40076b:    c7 45 ec 01 00 00 00     movl   $0x1,-0x14(%rbp)
  400772:    48 8b 45 d0        mov -0x30(%rbp),%rax ; argv
  400776:    48 83 c0 08        add $0x8,%rax ; argv[1]
  40077a:    48 8b 00           mov (%rax),%rax
  40077d:    0f b6 00           movzbl (%rax),%eax ; argv[1][0]
  400780:    3c 50              cmp $0x50,%al
  400782:    74 07              je  40078b <fwrite@plt+0x23b>
  400784:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][0] == 0x50? no, set rbp-16/flag to 0; yes, continue; argv[1][0] == P

40078b:    48 8b 45 d0        mov -0x30(%rbp),%rax
  40078f:    48 83 c0 08        add $0x8,%rax
  400793:    48 8b 00           mov (%rax),%rax
  400796:    48 83 c0 03        add $0x3,%rax
  40079a:    0f b6 00           movzbl (%rax),%eax
  40079d:    0f be c0           movsbl %al,%eax
  4007a0:    01 c0              add %eax,%eax
  4007a2:    3d c8 00 00 00     cmp $0xc8,%eax
  4007a7:    74 07              je  4007b0 <fwrite@plt+0x260>
  4007a9:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][3] == 0xc8/2? no, set rbp-16 to 0; yes, continue; d

4007b0:    48 8b 45 d0        mov -0x30(%rbp),%rax
  4007b4:    48 83 c0 08        add $0x8,%rax
  4007b8:    48 8b 00           mov (%rax),%rax
  4007bb:    0f b6 00           movzbl (%rax),%eax
  4007be:    0f be c0           movsbl %al,%eax
  4007c1:    8d 50 10           lea 0x10(%rax),%edx  ; edx = argv[1][0] + 0x10
  4007c4:    48 8b 45 d0        mov -0x30(%rbp),%rax
  4007c8:    48 83 c0 08        add $0x8,%rax
  4007cc:    48 8b 00           mov (%rax),%rax
  4007cf:    48 83 c0 06        add $0x6,%rax ; eax = argv[1][6]
  4007d3:    0f b6 00           movzbl (%rax),%eax 
  4007d6:    0f be c0           movsbl %al,%eax
  4007d9:    83 e8 10           sub $0x10,%eax ; eax = argv[1][6] - 0x10
  4007dc:    39 c2              cmp %eax,%edx;  
  4007de:    74 07              je  4007e7 <fwrite@plt+0x297>
  4007e0:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][6] -0x10 = argv[1][0] + 0x10?  p

  4007e7:    48 8b 45 d0        mov -0x30(%rbp),%rax
  4007eb:    48 83 c0 08        add $0x8,%rax
  4007ef:    48 8b 00           mov (%rax),%rax
  4007f2:    48 83 c0 05        add $0x5,%rax
  4007f6:    0f b6 00           movzbl (%rax),%eax
  4007f9:    48 0f be d8        movsbq %al,%rbx // rbx = argv[1][5]
  4007fd:    48 8b 45 d0        mov -0x30(%rbp),%rax
  400801:    48 83 c0 08        add $0x8,%rax
  400805:    48 8b 00           mov (%rax),%rax
  400808:    48 89 c7           mov %rax,%rdi
  40080b:    e8 00 fd ff ff     callq  400510 <strlen@plt> 
  400810:    48 89 c2           mov %rax,%rdx // rdx = strlen(pass) = 11
  400813:    48 89 d0           mov %rdx,%rax 
  400816:    48 c1 e0 03        shl $0x3,%rax // rax = 11 * 8
  40081a:    48 01 d0           add %rdx,%rax // 11*9
  40081d:    48 83 e8 04        sub $0x4,%rax // 11*9 - 0x4
  400821:    48 39 c3           cmp %rax,%rbx // argv[1][5] == 11*9 -4?
  400824:    74 07              je  40082d <fwrite@plt+0x2dd>
  400826:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][5] == 11*9 -4? _

  40082d:    48 8b 45 d0        mov -0x30(%rbp),%rax
  400831:    48 83 c0 08        add $0x8,%rax
  400835:    48 8b 00           mov (%rax),%rax
  400838:    48 83 c0 01        add $0x1,%rax
  40083c:    0f b6 10           movzbl (%rax),%edx
  40083f:    48 8b 45 d0        mov -0x30(%rbp),%rax
  400843:    48 83 c0 08        add $0x8,%rax
  400847:    48 8b 00           mov (%rax),%rax
  40084a:    48 83 c0 07        add $0x7,%rax
  40084e:    0f b6 00           movzbl (%rax),%eax
  400851:    38 c2              cmp %al,%dl
  400853:    74 07              je  40085c <fwrite@plt+0x30c>
  400855:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][1] == argv[1][7]?

  40085c:    48 8b 45 d0        mov -0x30(%rbp),%rax
  400860:    48 83 c0 08        add $0x8,%rax
  400864:    48 8b 00           mov (%rax),%rax
  400867:    48 83 c0 01        add $0x1,%rax
  40086b:    0f b6 10           movzbl (%rax),%edx
  40086e:    48 8b 45 d0        mov -0x30(%rbp),%rax
  400872:    48 83 c0 08        add $0x8,%rax
  400876:    48 8b 00           mov (%rax),%rax
  400879:    48 83 c0 0a        add $0xa,%rax // argv[1][10]
  40087d:    0f b6 00           movzbl (%rax),%eax
  400880:    38 c2              cmp %al,%dl
  400882:    74 07              je  40088b <fwrite@plt+0x33b>
  400884:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][10] == argv[1] [1]?

  40088b:    48 8b 45 d0        mov -0x30(%rbp),%rax
  40088f:    48 83 c0 08        add $0x8,%rax
  400893:    48 8b 00           mov (%rax),%rax
  400896:    48 83 c0 01        add $0x1,%rax
  40089a:    0f b6 00           movzbl (%rax),%eax
  40089d:    0f be c0           movsbl %al,%eax // eax == argv[1][1]
  4008a0:    8d 50 ef           lea -0x11(%rax),%edx // edx = argv[1][1] - 0x11
  4008a3:    48 8b 45 d0        mov -0x30(%rbp),%rax
  4008a7:    48 83 c0 08        add $0x8,%rax
  4008ab:    48 8b 00           mov (%rax),%rax
  4008ae:    0f b6 00           movzbl (%rax),%eax
  4008b1:    0f be c0           movsbl %al,%eax
  4008b4:    39 c2              cmp %eax,%edx // argv[1][1] - 0x11 == argv[1][0] ?
  4008b6:    74 07              je  4008bf <fwrite@plt+0x36f>
  4008b8:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][1] - 0x11 == argv[1][0] ?

  4008bf:    48 8b 45 d0        mov -0x30(%rbp),%rax
  4008c3:    48 83 c0 08        add $0x8,%rax
  4008c7:    48 8b 00           mov (%rax),%rax
  4008ca:    48 83 c0 03        add $0x3,%rax
  4008ce:    0f b6 10           movzbl (%rax),%edx // edx = argv[1][3] 
  4008d1:    48 8b 45 d0        mov -0x30(%rbp),%rax
  4008d5:    48 83 c0 08        add $0x8,%rax
  4008d9:    48 8b 00           mov (%rax),%rax
  4008dc:    48 83 c0 09        add $0x9,%rax
  4008e0:    0f b6 00           movzbl (%rax),%eax // argv[1][9]
  4008e3:    38 c2              cmp %al,%dl
  4008e5:    74 07              je  4008ee <fwrite@plt+0x39e>
  4008e7:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][3] == argv[1][9] ?

4008ee:    48 8b 45 d0        mov -0x30(%rbp),%rax
  4008f2:    48 83 c0 08        add $0x8,%rax
  4008f6:    48 8b 00           mov (%rax),%rax
  4008f9:    48 83 c0 04        add $0x4,%rax
  4008fd:    0f b6 00           movzbl (%rax),%eax
  400900:    3c 69              cmp $0x69,%al
  400902:    74 07              je  40090b <fwrite@plt+0x3bb>
  400904:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][4] == 0x69? i

  40090b:    48 8b 45 d0        mov -0x30(%rbp),%rax
  40090f:    48 83 c0 08        add $0x8,%rax
  400913:    48 8b 00           mov (%rax),%rax
  400916:    48 83 c0 02        add $0x2,%rax
  40091a:    0f b6 00           movzbl (%rax),%eax
  40091d:    0f be d0           movsbl %al,%edx // edx = argv[1][2]
  400920:    48 8b 45 d0        mov -0x30(%rbp),%rax
  400924:    48 83 c0 08        add $0x8,%rax
  400928:    48 8b 00           mov (%rax),%rax
  40092b:    48 83 c0 01        add $0x1,%rax
  40092f:    0f b6 00           movzbl (%rax),%eax
  400932:    0f be c0           movsbl %al,%eax // eax = argv[1][1]
  400935:    29 c2              sub %eax,%edx
  400937:    89 d0              mov %edx,%eax
  400939:    83 f8 0d           cmp $0xd,%eax // argv[1][2] - argv[1][1] = 0xd?
  40093c:    74 07              je  400945 <fwrite@plt+0x3f5>
  40093e:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][2] - argv[1][1] = 0xd? argv[1][2] = 0x6e; n

  400945:    48 8b 45 d0        mov -0x30(%rbp),%rax
  400949:    48 83 c0 08        add $0x8,%rax
  40094d:    48 8b 00           mov (%rax),%rax
  400950:    48 83 c0 08        add $0x8,%rax
  400954:    0f b6 00           movzbl (%rax),%eax
  400957:    0f be d0           movsbl %al,%edx // edx = argv[1][8]
  40095a:    48 8b 45 d0        mov -0x30(%rbp),%rax
  40095e:    48 83 c0 08        add $0x8,%rax
  400962:    48 8b 00           mov (%rax),%rax
  400965:    48 83 c0 07        add $0x7,%rax 
  400969:    0f b6 00           movzbl (%rax),%eax
  40096c:    0f be c0           movsbl %al,%eax // eax = argv[1][7] 
  40096f:    29 c2              sub %eax,%edx 
  400971:    89 d0              mov %edx,%eax
  400973:    83 f8 0d           cmp $0xd,%eax // argv[1][8] - argv[1][7] == 0xd?
  400976:    74 07              je  40097f <fwrite@plt+0x42f>
  400978:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%rbp)

argv[1][8] == 0x6e? n

Password = Pandi_panda

$ ./stage2.bin Pandi_panda > /dev/null 2>stage3.base64
$  cat stage3.base64 | base64 -d > stage3
$ file stage3
stage3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=2ea586c925bc94d07d2d3087837dac6ef32a180c, stripped

Step 3

main function

  4010f1:    55                 push   %rbp
  4010f2:    48 89 e5           mov %rsp,%rbp
  4010f5:    48 83 ec 20        sub $0x20,%rsp
  4010f9:    89 7d ec           mov %edi,-0x14(%rbp)
  4010fc:    48 89 75 e0        mov %rsi,-0x20(%rbp)
  401100:    83 7d ec 02        cmpl   $0x2,-0x14(%rbp)
  401104:    74 1b              je  401121 <fwrite@plt+0xa21>

argc == 2?

 401121:    48 8b 45 e0        mov -0x20(%rbp),%rax
  401125:    48 83 c0 08        add $0x8,%rax
  401129:    48 8b 00           mov (%rax),%rax // rax = argv[1] 
  40112c:    ba ff 03 00 00     mov $0x3ff,%edx // number of chars to copy 1023?
  401131:    48 89 c6           mov %rax,%rsi
  401134:    bf c0 40 60 00     mov $0x6040c0,%edi // copy argv[1] to $0x6040c0
  401139:    e8 12 f5 ff ff     callq  400650 <strncpy@plt> 
  40113e:    b8 00 00 00 00     mov $0x0,%eax
  401143:    e8 38 f5 ff ff     callq  400680 <getpid@plt>  
  401148:    89 45 fc           mov %eax,-0x4(%rbp) // pid in rpb-4
  40114b:    be fd 07 40 00     mov $0x4007fd,%esi // signal handler for signal 0xb 
  401150:    bf 0b 00 00 00     mov $0xb,%edi 
  401155:    e8 66 f5 ff ff     callq  4006c0 <signal@plt>
  40115a:    be 50 10 40 00     mov $0x401050,%esi //signal handler for signal 0x8
  40115f:    bf 08 00 00 00     mov $0x8,%edi
  401164:    e8 57 f5 ff ff     callq  4006c0 <signal@plt>
  401169:    c7 45 f8 00 00 00 00     movl   $0x0,-0x8(%rbp) // ?
  401170:    eb 13              jmp 401185 <fwrite@plt+0xa85> // ?
  401172:    8b 45 fc           mov -0x4(%rbp),%eax // eax = pid
  401175:    be 0b 00 00 00     mov $0xb,%esi // signum = 0xb
  40117a:    89 c7              mov %eax,%edi 
  40117c:    e8 5f f5 ff ff     callq  4006e0 <kill@plt> 
  401181:    83 45 f8 01        addl   $0x1,-0x8(%rbp)  // rbp-8 += 1
  401185:    81 7d f8 ff 03 00 00         cmpl   $0x3ff,-0x8(%rbp) // 1023 
  40118c:    7e e4              jle 401172 <fwrite@plt+0xa72> // loop 1023
  40118e:    bf 7f 2d 40 00     mov $0x402d7f,%edi
  401193:    e8 c8 f4 ff ff     callq  400660 <puts@plt>
  401198:    b8 01 00 00 00     mov $0x1,%eax
  40119d:    c9                 leaveq
  40119e:    c3                 retq  

In this part of code, we see two signal handlers at address 0x4007fd and 0x401050 are set for signals 0xb and 0x8 respectively. Ant then it loops until 1023 to send signal 0xb to this process, and note that in later we will see, for each loop the signal handler is changed.
The pseudocode for main function

int __fastcall main(int a1, char **a2, char **a3)
{
  int result; // eax@2
  signed int i; // [sp+18h] [bp-8h]@3
  __pid_t pid; // [sp+1Ch] [bp-4h]@3

  if ( a1 == 2 )
  {
    strncpy(&dest, a2[1], 0x3FFuLL);
    pid = getpid();
    signal(11, (__sighandler_t)sub_4007FD);
    signal(8, sub_401050);
    for ( i = 0; i <= 1023; ++i )
      kill(pid, 11);
    puts("Try again!");
    result = 1;
  }
  else
  {
    result = printf("Usage: %s <pass>\n", *a2, a3, a2);
  }
  return result;
}

signal handler for 0xb

  4007fd:    55                 push   %rbp
  4007fe:    48 89 e5           mov %rsp,%rbp
  400801:    48 83 ec 20        sub $0x20,%rsp
  400805:    89 7d ec           mov %edi,-0x14(%rbp)
  400808:    0f b6 05 b1 38 20 00     movzbl 0x2038b1(%rip),%eax     # 6040c0 <stdout+0x20> // 0x6040c0 is the strncpy destination
  40080f:    0f be c0           movsbl %al,%eax // eax = first char U
  400812:    89 45 fc           mov %eax,-0x4(%rbp) 
  400815:    8b 45 fc           mov -0x4(%rbp),%eax
  400818:    69 c8 e8 03 00 00     imul   $0x3e8,%eax,%ecx // ecx = U * 1000
  40081e:    ba 79 78 78 78     mov $0x78787879,%edx
  400823:    89 c8              mov %ecx,%eax // 
  400825:    f7 ea              imul   %edx // 
  400827:    c1 fa 05           sar $0x5,%edx // arithmetic shift right
  40082a:    89 c8              mov %ecx,%eax
  40082c:    c1 f8 1f           sar $0x1f,%eax
  40082f:    29 c2              sub %eax,%edx
  400831:    89 d0              mov %edx,%eax
  400833:    89 45 fc           mov %eax,-0x4(%rbp)
  400836:    81 7d fc e7 03 00 00     cmpl   $0x3e7,-0x4(%rbp) // 999
  40083d:    7e 09              jle 400848 <fwrite@plt+0x148>
  40083f:    81 7d fc e8 03 00 00     cmpl   $0x3e8,-0x4(%rbp) // 1000
  400846:    7e 02              jle 40084a <fwrite@plt+0x14a>
  400848:    eb 10              jmp 40085a <fwrite@plt+0x15a>
  40084a:    be 5c 08 40 00     mov $0x40085c,%esi // call 0x40085c when sig=0xb
  40084f:    bf 0b 00 00 00     mov $0xb,%edi
  400854:    e8 67 fe ff ff     callq  4006c0 <signal@plt>
  400859:    90                 nop
  40085a:    c9                 leaveq
  40085b:    c3                 retq  

It’s difficult to understand the assembly code, seems some calculation and then register another signal handler at 0x40085c, it is actually has some optimization for the divide operation. Just generate pseudocode with IDA Pro 6.8:

void sub_4007FD()
{
  signed int v0; // ecx@1

  v0 = 1000 * dest;
  if ( v0 / 68 > 999 && v0 / 68 <= 1000 )
    signal(11, (__sighandler_t)handler);
}

argv[1][0] = 68

Similarly, and now we have

void handler()
{
  signed int v0; // ecx@1
  v0 = 1000 * byte_6040C1;
  if ( v0 / 105 > 999 && v0 / 105 <= 1000 )
    signal(11, (__sighandler_t)sub_4008C7);
}

argv[1][1] = 105

void sub_4008C7()
{
  signed int v0; // ecx@1
  v0 = 1000 * byte_6040C2;
  if ( v0 / 100 > 999 && v0 / 100 <= 1000 )
    signal(11, (__sighandler_t)sub_400926);
}

argv[1][2] == 100

void sub_400926()
{
  signed int v0; // ecx@1
  v0 = 1000 * byte_6040C3;
  if ( v0 / 95 > 999 && v0 / 95 <= 1000 )
    signal(11, (__sighandler_t)sub_40098A);
}

argv[1][3] == 95

void sub_40098A()
{
  signed int v0; // ecx@1
  v0 = 1000 * byte_6040C4;
  if ( v0 / 121 > 999 && v0 / 121 <= 1000 )
    signal(11, sub_4009E8);
}

argv[1][4] == 121

finally the password is

Did_you_like_signals?

References

objdump http://www.thegeekstuff.com/2012/09/objdump-examples/?utm_source=feedburner