At start-up, the password.exe application writes two files to a temporary directory: SinglePWD.exe and USB20.dll. We used W32Dasm, a disassembly and debugging program, to study the software. As expected, the executable is responsible for displaying the user interface, while USB20.dll takes care of the communication with the stick. The structure of the DLL file was more surprising. Instead of low-level commands such as SendToStick(), we could see routines such as GetWriteProtectState(), RefreshFileBrowser(), and the most significant one, VerifyPassWord().
Obviously, this routine caught most of our attention. We used the debugger to study it, and found that its result was passed to the main program in the EAX register. The debugger allowed us to place a breakpoint immediately after the call to VerifyPassWord(), upon which we entered a fictional password and changed the return value 0 in the register to 1. We continued to trace the program, hoping for an error that would provide us with a little more insight into the process. Unfortunately, this was not the case. But wait, unfortunately? Actually, we got much more than we bargained for.
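The following C model is an added example, not code from the article or from the product. It shows why a verdict returned to the host program, like the result of VerifyPassWord(), is a fragile place to put the access decision, and contrasts it with a design in which the device itself checks the password. It goes beyond the case in the text: the device-side check and its retry budget are assumptions, and every name in it is hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a password-protected stick; every name is hypothetical. */
typedef struct {
    char secret[16];  /* password held by the device, zero padded */
    int  unlocked;    /* state owned by the device */
    int  tries_left;  /* device-side retry budget (assumed feature) */
} stick_t;

stick_t stick_new(const char *secret) {
    stick_t s = { {0}, 0, 3 };
    strncpy(s.secret, secret, sizeof s.secret - 1);
    return s;
}

/* Weak design: the host decides, the device obeys an unconditional unlock. */
int host_verify(const stick_t *s, const char *pw) { return strcmp(s->secret, pw) == 0; }
void stick_unlock_cmd(stick_t *s) { s->unlocked = 1; }
/* Hardened design: the device compares in constant time, counts failures,
   and is the only party that changes its own state. */
int stick_unlock_with_pw(stick_t *s, const char *pw) {
    char buf[sizeof s->secret] = {0};
    unsigned char diff = (unsigned char)(strlen(pw) >= sizeof buf);
    if (s->tries_left <= 0) return 0;
    strncpy(buf, pw, sizeof buf - 1);
    for (size_t i = 0; i < sizeof buf; i++) diff |= (unsigned char)(buf[i] ^ s->secret[i]);
    if (diff) { s->tries_left--; return 0; }
    s->unlocked = 1; return 1;
}

/* forced models a host-side verdict that cannot be trusted (-1 = untouched). */
int weak_flow(stick_t *s, const char *pw, int forced) {
    int ok = host_verify(s, pw);
    if (forced >= 0) ok = forced;
    if (ok) stick_unlock_cmd(s);
    return s->unlocked;
}

int hardened_flow(stick_t *s, const char *pw, int forced) {
    (void)forced;  /* a forced verdict changes only what the host believes */
    stick_unlock_with_pw(s, pw);
    return s->unlocked;
}

int main(void) {
    stick_t a = stick_new("correct-horse"), b = stick_new("correct-horse");
    printf("weak=%d hardened=%d\n", weak_flow(&a, "guess", 1), hardened_flow(&b, "guess", 1));
    return 0;
}
```

In the weak flow the device state follows whatever the host reports; in the hardened flow the same altered verdict leaves the device locked and costs one attempt from the retry budget.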