After unzipping the folder using unzip 632cf67b33c5d4425e2cd501.zip and using the password crackmes.one we are given a .tar.7z file. I decompressed the files using:
7z e <filename>
followed by:
tar -xvf <filename>
This contained a folder findthepassword1. After changing the directory into the folder we are met with 2 files:
- readme.asm
  - a text file that contains the assembly instructions for the program
- findthepassword1
  - an ELF 32-bit LSB executable that has been stripped
Running strings
on the file we get:
It looks like the program will print a header and ask for a password, and depending on whether we get it right there are two outcomes. We can also notice a 7 digit number, 8675309, which is the number from the song 867-5309/Jenny by Tommy Tutone. I wonder if that may be the password…
We did it!
Running the program in GDB
I wanted to continue to learn more using GDB, so I’m going to see if we can find the solution in the program itself.
Some useful information with GDB
- Using the command gdb <filename> will load the program into gdb.
- I'm going to use the start command inside of gdb, because it will start the program and set a temporary breakpoint at main. Simply using the run command will not break and you will need to manually set a breakpoint first. (If gdb cannot locate main in a stripped binary, starti stops at the very first instruction instead.)
- Since we are looking at assembly code, I am going to use the command ni to move to the next instruction one at a time. After I have entered ni once, I can simply press Enter to repeat it without having to type ni every time.
At the beginning of the program it loads 4 into register EAX, 1 into register EBX, the address of a string into ECX, and 0x18 (24) into EDX. At this point I guessed that it was going to print 4 lines of 24 characters each, since looking at the string in ECX I noticed that from one \n character to the next is 24 characters.
We then hit the instruction int 0x80. In x86 assembly, int raises a software interrupt; on 32-bit Linux, int 0x80 is the system-call entry point, and the value in EAX selects which system call is made.
Looking up the 32-bit (i386) syscall table (the numbers differ from the x86-64 table used by the syscall instruction, so make sure you read the right one for an ELF 32-bit binary), EAX = 4 is sys_write. Its arguments go in the remaining registers: EBX holds the file descriptor to write to, which was 1 in our case, also known as stdout; ECX holds the address of the string and EDX the number of bytes to write. So my initial guess about the meaning of EAX was wrong, but that is why we are learning!
Going back into the program we notice that it repeats the same sequence of instructions, adding 0x18 to the address in ECX each time to move to the next 24-character line it wants to print. It does this 5 times to print the header, and the last write only needs 10 characters for the string "Password: ".
It then uses syscall 3, sys_read, with EBX = 2. That is the file descriptor normally used for stderr rather than stdin (fd 0). On an interactive terminal this still works, because fds 0, 1 and 2 all refer to the same tty, but it means the program will not see a password piped in on stdin (echo 8675309 | ./findthepassword1); you would have to feed fd 2 instead. The input is written to our buffer at 0x804a0d0 and up to 0x20 (32) bytes are read.
The program then loads the address of our input buffer into EDI and the address of another string into ESI, places 0xa (10) into ECX, and runs the instruction repz cmpsb. cmpsb compares the byte at ESI with the byte at EDI and advances both pointers; the repz prefix repeats it, decrementing ECX on each iteration, for as long as ECX is non-zero and the bytes are equal (ZF set). This is the check to see if our password is correct, and in ESI we can see the password we found using strings. The program then jumps if ECX is 0 (jecxz), which is the case when all 10 bytes matched. Two things are worth noting here: 10 bytes is more than the 7 digits, so the newline from pressing Enter and the bytes that follow it have to match as well, and jecxz only tests ECX, not ZF, so a mismatch on the very last byte of the 10 would also leave ECX at 0 and take the jump.
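To make the syscall sequence and the repz cmpsb / jecxz check above concrete, here is a C re-implementation of the control flow the writeup describes. This is an added example, not the crackme's own code or its disassembly: the banner text is constructed (only the 0x18-byte line stride matches the binary), the assumption that the 10 bytes at ESI are "8675309", a newline and zero padding is mine (the page only shows the digits), and the function names (repz_cmpsb, check_jecxz, check_strict, check_string) are my own. The emulation of repz cmpsb lets you see the jecxz edge case without a debugger: an input that mismatches only on the tenth byte still leaves ECX at 0.

```c
/* Added example, not the crackme's own code: a C re-implementation of the
 * findthepassword1 control flow described above, plus an emulation of the
 * `repz cmpsb` / `jecxz` check so its edge case can be exercised. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LINE_LEN   0x18  /* EDX for each banner write: 24 bytes per line */
#define LINE_COUNT 5     /* the writeup counts five banner writes */
#define READ_LEN   0x20  /* EDX for sys_read: 32-byte input buffer */
#define CMP_LEN    10    /* ECX before repz cmpsb: bytes compared */

/* Constructed banner (the real text is not on the page): five 24-byte lines,
 * newline included, built from adjacent literals so the width is checked by
 * the compiler rather than by eye. */
static const char banner[] =
    "-----" "-----" "-----" "-----" "---" "\n"
    "  " "findthepassword1"   "     "    "\n"
    "  " "crackmes.one demo"  "    "     "\n"
    "  " "constructed banner" "   "      "\n"
    "-----" "-----" "-----" "-----" "---" "\n";
_Static_assert(sizeof banner - 1 == LINE_COUNT * LINE_LEN,
               "every banner line must be exactly 0x18 bytes");

/* ASSUMPTION: the 10 bytes at ESI are the digits, the newline that Enter
 * sends, and zero padding. The page only shows the digits 8675309. */
static const unsigned char expected[CMP_LEN] = "8675309\n"; /* rest is zero */

struct cmps_result { unsigned ecx; int zf; };

/* Emulate `repz cmpsb` with the given ECX: each iteration compares the byte
 * at ESI with the byte at EDI, advances both, decrements ECX and sets ZF from
 * the compare; repz stops when ECX reaches 0 or ZF is cleared (a mismatch). */
static struct cmps_result repz_cmpsb(const unsigned char *edi,
                                     const unsigned char *esi, unsigned ecx)
{
    struct cmps_result r = { ecx, 1 };
    while (r.ecx != 0) {
        r.ecx--;
        r.zf = (*edi++ == *esi++);
        if (!r.zf)
            break;
    }
    return r;
}

/* What the crackme does after the compare: jecxz looks only at ECX. */
static int check_jecxz(const unsigned char *input)
{
    return repz_cmpsb(input, expected, CMP_LEN).ecx == 0;
}

/* What a `jne wrong` placed before the jecxz would add: ZF must also be set,
 * so a mismatch on the final byte is rejected. */
static int check_strict(const unsigned char *input)
{
    struct cmps_result r = repz_cmpsb(input, expected, CMP_LEN);
    return r.ecx == 0 && r.zf;
}

/* Convenience: place a C string in a zeroed READ_LEN buffer, the way a
 * sys_read into a fresh .bss buffer would leave it, then run the check. */
static int check_string(const char *s)
{
    unsigned char buf[READ_LEN] = {0};
    size_t n = strlen(s);
    memcpy(buf, s, n < READ_LEN ? n : READ_LEN);
    return check_jecxz(buf);
}

int main(void)
{
    unsigned char buf[READ_LEN] = {0};
    /* Five sys_write calls, the buffer address advancing by 0x18 each time. */
    for (int i = 0; i < LINE_COUNT; i++)
        write(1, banner + i * LINE_LEN, LINE_LEN);
    write(1, "Password: ", 10);
    /* The binary reads from fd 2 (EBX = 2); mirrored here so the "piped stdin
     * is never read" behaviour is reproducible. fd 0 is the normal choice. */
    ssize_t n = read(2, buf, READ_LEN);
    if (n < 0)
        return 1;
    if (check_jecxz(buf))
        write(1, "Congratulations!\n", 17);
    else
        write(1, "Wrong password.\n", 16);
    return 0;
}
```

Run it interactively and "8675309" followed by Enter is accepted; try echo 8675309 | ./a.out and it will sit waiting on the terminal instead, because only fd 2 is ever read. The check_strict variant is there to show what the extra ZF test buys: the same 10-byte compare, but a last-byte mismatch no longer slips through.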
So again we see that the password must be 8675309!
We can see that using that password we jump to 0x80490b7 and start to print out the string with "Congratulations!" inside.
I hope you enjoyed reading this post and it helped you learn something new today!