Crackme 10: ELF, ExploitMe

Mar 18, 2018

Link: https://www.root-me.org/en/Challenges/Cracking/ELF-ExploitMe (binary)

# ./Exploit_Me\(if_you_can\) 123
Vérification de votre mot de passe..
(!) L'authentification a échoué.
 Try again !

The program starts by checking argc, then calls malloc with 0x1d as its argument. It stores the address of the auth function in a local variable (function_ptr.2175) and later calls through that pointer, passing the heap buffer and the password argument:

mov        eax, auth
mov        dword [function_ptr.2175], eax ; function_ptr.2175
[...]
mov        edx, dword [function_ptr.2175] ; function_ptr.2175
mov        eax, dword [ebp-8]
mov        dword [esp+0x30+var_2C], eax
mov        dword [esp+0x30+var_30], buffer.2176
call       edx

The auth function compares two strings:

mov        eax, dword [ebp+arg_4]
mov        dword [esp+0x8+var_4], eax ; argument "__s2" for method j_strcmp
mov        eax, dword [ebp+arg_0]
mov        dword [esp+0x8+var_8], eax ; argument "__s1" for method j_strcmp
call       j_strcmp     ; strcmp
test       eax, eax
jne        loc_8048723 ; jumps to a procedure printing the failure message

If we patch that JNE into a JE (inverting the condition, so the failure path is taken only when the strings match) and save the binary:

# ./em.je 123
Vérification de votre mot de passe..
[+] Felicitation password de validation de l'épreuve:: 25260060504_VE_T25_*t*_
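As an added example (not the challenge's or the write-up's own code), here is a small Python helper that applies the JNE-to-JE patch described above to a copy of the binary. The file offset of the jne instruction is not given on this page, so it is a parameter the reader supplies from the disassembler; the demo at the bottom runs on a constructed byte string instead of the real file.

```python
"""Invert an x86 jne/je at a given file offset, writing to a copy of the binary.

Example code written for this write-up; the offset of `jne loc_8048723` is an
assumption the caller must provide (it is not on the page).
"""
import shutil

# x86 encodings: the short form (rel8) is one opcode byte; the near form
# (rel32) is 0x0F followed by a second opcode byte.
SHORT_JNE, SHORT_JE = 0x75, 0x74
NEAR_JNE, NEAR_JE = 0x85, 0x84  # each preceded by 0x0F


def flip_jcc(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` with the jne/je at `offset` inverted.

    Only the opcode byte changes; the displacement is untouched, so the
    patched instruction jumps to the same target under the opposite condition.
    """
    buf = bytearray(code)
    op = buf[offset]
    if op in (SHORT_JNE, SHORT_JE):
        buf[offset] = SHORT_JE if op == SHORT_JNE else SHORT_JNE
    elif op == 0x0F and buf[offset + 1] in (NEAR_JNE, NEAR_JE):
        second = buf[offset + 1]
        buf[offset + 1] = NEAR_JE if second == NEAR_JNE else NEAR_JNE
    else:
        raise ValueError(f"no jne/je at {offset:#x}: {buf[offset:offset + 2].hex()}")
    return bytes(buf)


def patch_file(src: str, dst: str, offset: int) -> None:
    """Write a patched copy of `src` to `dst`, leaving the original intact."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(flip_jcc(data, offset))
    shutil.copymode(src, dst)  # keep the executable bit on the copy


# Constructed sample mirroring the auth epilogue: test eax,eax ; jne +0x12 ; nop
SAMPLE = bytes.fromhex("85c0" "7512" "90")

if __name__ == "__main__":
    print(flip_jcc(SAMPLE, 2).hex())  # 85c0741290
```

To patch the real binary, call patch_file("Exploit_Me(if_you_can)", "em.je", offset) with the offset of the jne taken from the disassembly.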