Crackme 9: ELF, Crackpass

Link: https://www.root-me.org/en/Challenges/Cracking/ELF-CrackPass (binary)

$ ./Crack 123
Is not the good password !

A quick disassembly shows a call to strcmp before branching to either displaying a success or error message:

08048617         call       j_strcmp                                            ; strcmp
0804861c         test       eax, eax
0804861e         jne        loc_8048632

08048620         mov        dword [esp+0x1098+var_1094], ebx
08048624         mov        dword [esp+0x1098+var_1098], aGoodWorkThePas        ; argument "__format" for method j_printf, "Good work, the password is : \\n\\n%s\\n"
0804862b         call       j_printf                                            ; printf
08048630         jmp        loc_804863e

                loc_8048632:
08048632         mov        dword [esp+0x1098+var_1098], aIsNotTheGoodPa        ; argument "__s" for method j_puts, "Is not the good password !", CODE XREF=sub_80485a5+121
08048639         call       j_puts                                              ; puts

If we set a breakpoint on the strcmp call (just before the jump) in gdb, a surprise awaits:

gdb$ b *0x08048617
Breakpoint 1 at 0x8048617
gdb$ r 123
Starting program: ./Crack 123
Don't use a debuguer !

Program received signal SIGABRT, Aborted.

Let’s first defeat the anti-debugging protection, then try again. Just above, we find a call to ptrace(0,0,1,0), i.e. request 0 (PTRACE_TRACEME), which fails when the process is already being traced; the code calls abort if ptrace returns a negative number, since the JNS (Jump if Not Signed) only skips the abort when the return value is non-negative.

08048666         mov        dword [esp+12], 0x0
0804866e         mov        dword [esp+8], 0x1
08048676         mov        dword [esp+4], 0x0
0804867e         mov        dword [esp+0], 0x0                ; argument "__request" for method j_ptrace
08048685         call       j_ptrace                          ; ptrace
0804868a         test       eax, eax
0804868c         jns        loc_804869f

0804868e         mov        dword [esp+0], aDontUseADebugu    ; argument "__s" for method j_puts, "Don't use a debuguer !"
08048695         call       j_puts                            ; puts
0804869a         call       j_abort                           ; abort
                        ; endp

loc_804869f:

We can turn the JNS into an unconditional JMP, which makes the test irrelevant. The short-form JNS opcode is 0x79 and the short JMP opcode is 0xEB, so this is a one-byte patch. We save the patched program (as Crack.dbg) and try again:

gdb$ b *0x08048610
Breakpoint 1 at 0x8048610
gdb$ r 123
Starting program: ./Crack.dbg 123
--------------------------------------------------------------------------[regs]
    EAX: 0x00000000  EBX: 0xFFFFCCB0  ECX: 0x7FFFFFFD  EDX: 0x080487A4  o d I t S z a p c
    ESI: 0xFFFFCD30  EDI: 0xF7FCC000  EBP: 0xFFFFDD38  ESP: 0xFFFFCCA0  EIP: 0x08048610
    CS: 0023  DS: 002B  ES: 002B  FS: 0000  GS: 0063  SS: 002B
--------------------------------------------------------------------------[code]
=> 0x8048610:	mov    DWORD PTR [esp+0x4],esi
    0x8048614:	mov    DWORD PTR [esp],ebx
    0x8048617:	call   0x804842c <strcmp@plt>
    0x804861c:	test   eax,eax
    0x804861e:	jne    0x8048632
    0x8048620:	mov    DWORD PTR [esp+0x4],ebx
    0x8048624:	mov    DWORD PTR [esp],0x80487e8
    0x804862b:	call   0x804840c <printf@plt>
--------------------------------------------------------------------------------

Breakpoint 1, 0x08048610 in ?? ()
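The one-byte patch described above (JNS 0x79 to JMP 0xEB at 0x804868c), as an added example that is not part of the original write-up, applied in Python to a constructed stand-in image rather than the real Crack binary. It assumes a classic non-PIE i386 ELF loaded at 0x08048000 whose first PT_LOAD maps file offset 0 (so file offset = address - base); the bytes around the jump are reconstructed from the listing, with immediates and call displacements left as placeholders. Every byte is verified before it is flipped, so a mismatched binary or a wrong address is refused rather than silently corrupted.

```python
# Added example (not the write-up's own code): the single-byte JNS -> JMP patch,
# applied to a constructed stand-in for the Crack binary.
# Assumptions: non-PIE i386 ELF loaded at 0x08048000, first PT_LOAD maps file
# offset 0 at that address, so file offset = va - base.

BASE_VA = 0x08048000        # assumed load address (non-PIE i386 ELF)
SEG_FILE_OFFSET = 0         # assumed file offset mapped at BASE_VA
JNS_VA = 0x0804868C         # 'jns loc_804869f' in the listing
JNS_TARGET = 0x0804869F     # loc_804869f

OP_TEST_EAX_EAX = b"\x85\xc0"   # test eax, eax
OP_JNS_REL8 = 0x79              # jns rel8 (short conditional jump)
OP_JMP_REL8 = 0xEB              # jmp rel8 (short unconditional jump)


def va_to_offset(va, base=BASE_VA, seg_offset=SEG_FILE_OFFSET):
    """Map a virtual address to a file offset under the segment assumption above."""
    if va < base:
        raise ValueError("address below the segment base")
    return va - base + seg_offset


def rel8_target(insn_va, rel8):
    """Target of a 2-byte rel8 jump: next instruction address plus the signed displacement."""
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return insn_va + 2 + disp


def describe_branch(image, va):
    """Return (mnemonic, target) for the short jump at va, or None if it is not one."""
    off = va_to_offset(va)
    opcode, rel8 = image[off], image[off + 1]
    names = {OP_JNS_REL8: "jns", OP_JMP_REL8: "jmp"}
    if opcode not in names:
        return None
    return names[opcode], rel8_target(va, rel8)


def patch_jns_to_jmp(image, jns_va=JNS_VA, expected_target=JNS_TARGET):
    """Return a copy of image where the 'test eax,eax ; jns' at jns_va becomes an
    unconditional jmp. Every byte is checked first, so a wrong offset or a
    different build of the binary raises instead of being corrupted."""
    data = bytearray(image)
    off = va_to_offset(jns_va)
    if data[off - 2:off] != OP_TEST_EAX_EAX:
        raise ValueError("no 'test eax, eax' before the jump at 0x%08x" % jns_va)
    if data[off] != OP_JNS_REL8:
        raise ValueError("byte at 0x%08x is not a jns opcode" % jns_va)
    target = rel8_target(jns_va, data[off + 1])
    if target != expected_target:
        raise ValueError("jns target 0x%08x does not match 0x%08x" % (target, expected_target))
    data[off] = OP_JMP_REL8          # only the opcode flips; the displacement stays
    return bytes(data)


def build_constructed_image():
    """Constructed stand-in image: zero-filled, carrying the encodings of the
    listing's instructions at 0804868a..0804869a. Immediates are placeholders."""
    img = bytearray(0x8800)
    off = va_to_offset(0x0804868A)
    img[off:off + 2] = OP_TEST_EAX_EAX                        # 0804868a  test eax, eax
    img[off + 2:off + 4] = bytes([OP_JNS_REL8, 0x11])         # 0804868c  jns +0x11 -> 0804869f
    img[off + 4:off + 11] = b"\xc7\x04\x24" + b"\x00" * 4     # 0804868e  mov dword [esp], imm32
    img[off + 11:off + 16] = b"\xe8" + b"\x00" * 4            # 08048695  call j_puts (rel32 placeholder)
    img[off + 16:off + 21] = b"\xe8" + b"\x00" * 4            # 0804869a  call j_abort (rel32 placeholder)
    return bytes(img)


if __name__ == "__main__":
    original = build_constructed_image()
    patched = patch_jns_to_jmp(original)
    print("before: %s -> 0x%08x" % describe_branch(original, JNS_VA))
    print("after:  %s -> 0x%08x" % describe_branch(patched, JNS_VA))
```

On the real file the same function applies once the image is read with `open("Crack", "rb").read()` and written back under a new name; the displacement byte 0x11 is left alone because the patched JMP must still land on loc_804869f, and the preceding `test eax, eax` executes harmlessly with its result ignored.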

Let’s see what’s being compared: strcmp receives ebx as its first argument and esi as its second.

gdb$ x/s $esi
0xffffcd30:	"123"
gdb$ x/s $ebx
0xffffccb0:	"ff07031d6fb052490149f44b1d5e94f1592b6bac93c06ca9"

Trying that string as the password:

# ./Crack ff07031d6fb052490149f44b1d5e94f1592b6bac93c06ca9
Good work, the password is :

ff07031d6fb052490149f44b1d5e94f1592b6bac93c06ca9