easy_crackme_2 by lord
Challenge description Link to heading
Title | Platform | Language | Difficulty |
---|---|---|---|
easy_crackme_2 by lord | Unix/Linux | Assembler | 1.0 |
Solution Link to heading
The first part consists to get informations about the file:
$ file cm1eng
cm1eng: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
It’s a basic 32 bit linux executable.
We can use Cutter
to obtain the disassembly of the code:
;-- section..text:
entry0();
# syscall
0x08048080 mov eax, 4 ; [00] -r-x section size 118 named .text
0x08048085 mov ebx, 1
0x0804808a mov ecx, str.Password_: ; segment.LOAD1
; 0x80490f8
0x0804808f mov edx, 0xd ; 13 -> size of the str print on the screen
0x08048094 int 0x80
# End of the syscall -> print "\npassword: "
0x08048096 mov edx, 0x100 ; 256
0x0804809b mov ecx, data.0804911b ; 0x804911b set wining sentence in ecx
0x080480a0 mov ebx, 0
0x080480a5 mov eax, 3
0x080480aa int 0x80
0x080480ac mov esi, str.QTBXCTU ; 0x8049126 -> set string QTBXCTU in esi
0x080480b1 mov edi, esi ; set value of esi in edi
0x080480b3 xor ebx, ebx ; set ebx=0
0x080480b5 cld ; clear direction flag
# Loop to create the password ans check the size
0x080480b6 lodsb al, byte [esi] ; put each byte of the password in
0x080480b7 xor al, 0x21 ; 33 -> xor the letter of QTBXCU with 0x21
0x080480b9 stosb byte es:[edi], al
0x080480ba inc ebx
0x080480bb cmp ebx, 7 ; 7 -> check the size of user entry = 7
0x080480c1 je 0x80480c5
0x080480c3 loop 0x80480b6
# End of the loop
# Set data and user entry in edi and esi
0x080480c5 mov esi, data.0804911b ; 0x804911b
0x080480ca mov edi, str.QTBXCTU ; 0x8049126
0x080480cf mov ecx, 7
0x080480d4 cld ; clear direction flag
# Compare str in each register byte by byte
0x080480d5 repe cmpsb byte [esi], byte ptr es:[edi]
0x080480d7 jne 0x80480ef ; if not equal then jump
# win syscall
0x080480d9 mov eax, 4
0x080480de mov ebx, 1
0x080480e3 mov ecx, str.Great_you_did_it__: ; 0x8049105
0x080480e8 mov edx, 0x16 ; 22
0x080480ed int 0x80
# End program
0x080480ef mov eax, 1
0x080480f4 int 0x80
The code is not so long, so we can analyse it.
As we can see we have the flag with the comparison.
We can use the basic string QTBXCTU
and xor each byte with 0x21
. We can use python to find the password:
>>> chr(ord('Q')^0x21) + chr(ord('T')^0x21) + chr(ord('B')^0x21) + chr(ord('X')^0x21) + chr(ord('C')^0x21) + chr(ord('T')^0x21) + chr(ord('U')^0x21)
'pucybut'
So, the flag is pucybut
.
We can check our result by executing the program:
$ ./cm1eng
Password : pucybut
Great you did it !:)
That’s All Falks