Another day, another write-up. I'll migrate all my write-ups slowly to this new blog, since I have the feeling the readability here is way better.
re50: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=0333e23e0d2046a0ceb6b920faebaa0b6ee45f15, stripped
So nothing crazy for this one. The binary is stripped and hence we have to do a little more work to figure out the symbol names.
$ ./crackme
Usage : ./crackme password
It seems to be a classic crackme where the password has to be provided upon execution.
The binary itself does not provide much to fiddle around with.
The main function first checks whether we provided a password when starting the crackme. If not, it exits right away; we already observed that during our first execution above.
If we did provide a password, we go directly to the only routine we need to solve.
First, what was meant to be a password length check takes place to see if our input has 0x15 (21) characters. This check is broken in my binary. Maybe I fetched a broken version (check
Next up we land in a loop which does mainly 2 things:
1. The binary loads the address 0x8048550 into eax and adds the current loop counter to it. So depending on the loop iteration we end up with 0x8048552, … , until
We always read the contents at the new address and take the LSB of it.
2. We take a byte of our user-provided input and XOR it against some hard-coded stored values at
Afterwards we compare that result against the value from the first step above. This happens in each round until a length of 21 characters is reached.
The math to do
What it comes down to in the end is:
which_user_input XORed content_byte_at_calculated_round_address = hard_coded_round_byte_value
Luckily we can transform the xor math like this:
? xor b = c equals b xor c = ?
Since we can read out the values for b and c from memory, we can write a simple Python script to calculate the correct input:
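The solver below is an added example, not the script from the original write-up. The real tables (the LSBs read from 0x8048550+i and the hard-coded comparison bytes) are not reproduced here; both tables are constructed so the example runs offline, and the hard-coded table is derived from the known solution so the round trip is visible. `byte_at`, `solve` and `check` are names chosen for this example.

```python
# Added example: inverting the per-round XOR check of the crackme.
# Round i checks  input[i] ^ byte_at(0x8048550 + i) == hard_coded[i],
# so the input byte is simply  byte_at(0x8048550 + i) ^ hard_coded[i].
import sys

PASSWORD_LEN = 0x15          # 21, the length the (broken) check expects
BASE = 0x8048550             # start address added to the loop counter (from the write-up)

# Constructed memory image: pretend these are the bytes living at BASE..BASE+20.
# They are NOT dumped from re50; they only make the example self-contained.
SAMPLE_MEM = bytes(range(0x50, 0x50 + PASSWORD_LEN))

# Constructed hard-coded table, built from the known solution so that the
# solver demonstrably recovers it. In the real binary you read this from memory.
KNOWN_SOLUTION = b"a_Mad_mAn_vv1tH_a_60X"
SAMPLE_HARD_CODED = bytes(k ^ m for k, m in zip(KNOWN_SOLUTION, SAMPLE_MEM))


def byte_at(mem, addr, base=BASE):
    """LSB of the dword at addr. On a little-endian x86 target the LSB of
    the 32-bit load is just the byte at that address, so this is mem[addr-base]."""
    return mem[addr - base]


def solve(mem, hard_coded):
    """Recover the expected input: ? ^ b = c  <=>  ? = b ^ c for every round."""
    if len(hard_coded) != PASSWORD_LEN:
        raise ValueError("hard-coded table must have %d entries" % PASSWORD_LEN)
    return bytes(byte_at(mem, BASE + i) ^ hard_coded[i] for i in range(PASSWORD_LEN))


def check(candidate, mem, hard_coded):
    """Mirror of the binary's loop, including the intended length check,
    so a candidate can be validated without running re50."""
    if len(candidate) != PASSWORD_LEN:
        return False
    return all((candidate[i] ^ byte_at(mem, BASE + i)) & 0xFF == hard_coded[i]
               for i in range(PASSWORD_LEN))


if __name__ == "__main__":
    # With the real tables pasted in, this prints the password to feed to ./re50.
    password = solve(SAMPLE_MEM, SAMPLE_HARD_CODED)
    print(password.decode())
    if len(sys.argv) > 1:
        print("check:", check(sys.argv[1].encode(), SAMPLE_MEM, SAMPLE_HARD_CODED))
```

Swapping `SAMPLE_MEM` and `SAMPLE_HARD_CODED` for the 21 bytes you dump from the binary is all that is needed; the XOR inversion itself does not change.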
And that’s it! Here is the solution to the problem above:
$ python solve.py
a_Mad_mAn_vv1tH_a_60X
Let’s check for correctness:
$ ./re50 a_Mad_mAn_vv1tH_a_60X
Congrats!
That’s it for now folks!