NDH2k13 crackme500 writeup
Written by Bruno Pujos
1 2 3 4
Reverse of a vm for finding the password Score 500 Link http://quals.nuitduhack.com/files/attachments/crackme.zip
The program was an elf x86_64, statically linked executable. When launching the crackme it just prints some stuff, then asks for a password on the standart input and finally writes "Bad Password".
When launching the command file on the crackme we first obtained the following response:
corrupted section header size
The same warning occurs with readelf on a more verbose way:
readelf: Warning: possibly corrupt ELF file header - it has a non-zero section header offset, but no section headers
IDA puts some warning too when opening the file even though it doesn't impact it, however, gdb doesn't like it at all and refuses to load the file.
Looking in the elf header we can see that the offset given for the section header offset was 1337, just put it all at 0 and everything goes back in order.
Now that this is fixed we can look into the code. The program starts with some init: just printing the first string and then initializing the vm.
After some time spent understanding how the vm worked I was able to find a comparaison between two numbers, if the test failed the program was printing "Bad Password" and exited. The first number was 9 and the second the size of my entry including the '\n'. So we know now that the password had 8 letters.
If the test was a success we entered in a loop which xored the value of the letters and a value at an address, and then compared them with an other value. When the test was a success the program continued, else it printed "Bad Password" and then exited. If all the tests were a success it printed "Good Password" and exited.
Dumping the values with which the letter xored we obtained:
1 2 3 4 5 6 7 8
0x12 0x21 0x02 0x19 0x25 0x34 0x29 0x11
And dumping the values which was compared:
1 2 3 4 5 6 7 8
0x53 0x5b 0x4b 0x29 0x52 0x76 0x5a 0x49
In order to obtain the password in clear we just had to xor them and we obtained the key :
blog comments powered by Disqus