Crackme challenge 30 pts

Binary

$ file re3022
re3022: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=e4f10202a245d933c0146596eab6d2ff114c8b4e, stripped

Binary download
Binary BinaryNinja file download


$ ./re30
Usage: ./crackme password

$ ./re30 AAAA
KO

Disassembly

main

Pretty much every noteworthy event is documented in this screenshot or the Binary Ninja file.
The binary takes the password as its command-line argument. There is a single input length check, which requires a password length of 8.

Afterwards the password is calculated from a simple formula:

  • Take round key (0,10,20,…,80)
  • xor that one with current user input byte
  • compare that result to a hardcoded value
  • repeat 8 times

Since the user input is the unknown here, we have to rearrange the formula a bit:

#!/usr/bin/env python

import operator as op
import sys

# Hardcoded comparison values from the disassembly, one per password byte
static_bytes = [0x67, 0x39, 0x66, 0x2e, 0x46, 0x03, 0x51, 0x76]


def main():
    round_key = 0
    password = ''
    for e in static_bytes:
        # The binary computes input_byte xor round_key and compares it to e,
        # so the input byte is e xor round_key.
        res = op.xor(e, round_key)
        password += chr(res)  # chr() instead of unichr() so this runs on Python 3 too
        round_key += 0xa      # the round key advances by 10 for every byte
    print(password)


if __name__ == '__main__':
    main()
    sys.exit(0)

This works because xor is its own inverse: if a xor b = c, then b xor c = a.
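As an added example (my own reconstruction, not the crackme's code or the script above), the forward model of the check lets you confirm the recovered password offline before touching the binary; the table and the 0x0a key step are taken from the disassembly, everything else is assumed:

```python
# Constructed re-implementation of the re3022 check: an 8-byte password, each
# byte xored with a round key that starts at 0 and grows by 0x0a, compared
# against the hardcoded table. Labels and structure are my assumptions.

STATIC_BYTES = [0x67, 0x39, 0x66, 0x2e, 0x46, 0x03, 0x51, 0x76]
ROUND_KEY_STEP = 0x0A


def round_keys(n):
    """Round keys 0, 0x0a, 0x14, ... as the binary derives them."""
    return [i * ROUND_KEY_STEP for i in range(n)]


def check(password):
    """Forward model of the binary: True exactly when it would print OK."""
    data = password.encode("latin-1", errors="replace")
    if len(data) != len(STATIC_BYTES):  # the single length check
        return False
    return all(b ^ k == s
               for b, k, s in zip(data, round_keys(len(data)), STATIC_BYTES))


def recover(table=STATIC_BYTES):
    """Invert the check byte by byte: a ^ k = s  <=>  a = s ^ k."""
    return "".join(chr(s ^ k) for s, k in zip(table, round_keys(len(table))))


if __name__ == "__main__":
    pw = recover()
    print(pw, "OK" if check(pw) else "KO")
```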

$ python solve.py
g3r0n1m0

And that’s it:

$ ./re g3r0n1m0
OK
