Reverse of a vm for finding the password

Score 500
Link http://quals.nuitduhack.com/files/attachments/crackme.zip

The program was an x86_64 ELF, statically linked executable. When launched, the crackme just prints some stuff, then asks for a password on the standard input and finally writes "Bad Password".

Running the `file` command on the crackme first gave the following response:

corrupted section header size

readelf gives the same warning in a more verbose way:

readelf: Warning: possibly corrupt ELF file header - it has a non-zero
section header offset, but no section headers

IDA also emits a warning when opening the file, although it still loads it; gdb, however, doesn't like it at all and refuses to load the file.

Looking at the ELF header, we can see that the section header offset (the e_shoff field) was set to 1337 even though the file has no section headers. Setting that field and the other section header fields to 0 puts everything back in order.
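Added example (not from the original writeup): a small Python script that parses the ELF64 header, flags the inconsistent section header fields the same way the readelf warning above does, and zeroes them. The sample header is constructed here with e_shoff = 1337 to mimic the crackme; it is not the real binary. Field names follow the standard Elf64_Ehdr layout.

```python
import struct

# Elf64_Ehdr, little-endian: e_ident[16], e_type, e_machine, e_version,
# e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum,
# e_shentsize, e_shnum, e_shstrndx  (64 bytes in total)
EHDR_FMT = "<16sHHIQQQIHHHHHH"
EHDR_SIZE = struct.calcsize(EHDR_FMT)
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry",
               "e_phoff", "e_shoff", "e_flags", "e_ehsize", "e_phentsize",
               "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")


def read_ehdr(data: bytes) -> dict:
    """Parse the ELF64 little-endian header found at the start of data."""
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS == ELFCLASS64, EI_DATA == LSB
        raise ValueError("expected a 64-bit little-endian ELF")
    return dict(zip(EHDR_FIELDS, struct.unpack(EHDR_FMT, data[:EHDR_SIZE])))


def section_header_is_bogus(hdr: dict, file_size: int) -> bool:
    """True when e_shoff is non-zero but no usable section table exists
    (no entries, or a table that would run past the end of the file)."""
    if hdr["e_shoff"] == 0:
        return False
    if hdr["e_shnum"] == 0 or hdr["e_shentsize"] == 0:
        return True
    return hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"] > file_size


def zero_section_headers(data: bytes) -> bytes:
    """Return a copy of data with all section header fields cleared."""
    hdr = read_ehdr(data)
    hdr.update(e_shoff=0, e_shentsize=0, e_shnum=0, e_shstrndx=0)
    fixed = struct.pack(EHDR_FMT, *(hdr[name] for name in EHDR_FIELDS))
    return fixed + data[EHDR_SIZE:]


def make_sample() -> bytes:
    """Constructed 64-byte header mimicking the crackme: ET_EXEC, x86-64,
    e_shoff = 1337 with e_shnum = 0. Not taken from the real file."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x400000, 64, 1337,
                       0, EHDR_SIZE, 56, 0, 0, 0, 0)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print("bogus section table:", section_header_is_bogus(read_ehdr(raw), len(raw)))
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".fixed", "wb").write(zero_section_headers(raw))
```

Run with a path argument to write a patched copy next to the original; without arguments it checks the constructed sample header.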

Now that this is fixed we can look into the code. The program starts with some initialisation: it just prints the first string and then sets up the vm.

After some time spent understanding how the vm worked, I was able to find a comparison between two numbers; if the test failed, the program printed "Bad Password" and exited. The first number was 9 and the second was the size of my input including the '\n'. So we now know that the password had 8 letters.

If the test succeeded, we entered a loop which xored the value of each letter with a value at an address, and then compared the result with another value. When the test succeeded the program continued; otherwise it printed "Bad Password" and exited. If all the tests succeeded, it printed "Good Password" and exited.

Dumping the values with which each letter was xored, we obtained:

0x12
0x21
0x02
0x19
0x25
0x34
0x29
0x11

And dumping the values against which the results were compared:

0x53
0x5b
0x4b
0x29
0x52
0x76
0x5a
0x49

In order to obtain the password in clear, we just had to xor them pairwise, which gave us the key:

```text
AzI0wBsX
```