j333
Challenge description Link to heading
| Title | Platform | Language | Difficulty |
|---|---|---|---|
| j333 | Unix/Linux | Assembler | 1.0 |
Solution Link to heading
The first part is to get informations about the file:
$ file j333
j333: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
The second part is to use Ghidra to get assembly of the program:
; print all prog info
08048074 b9 f7 90 MOV ECX,s_Crackme_333_Josep_080490f7 = "Crackme 333 Josep\n"
08048079 ba 13 00 MOV EDX,0x13
0804807e e8 67 00 CALL FUN_sys_write undefined FUN_sys_write()
; ask the password
08048083 b9 0a 91 MOV ECX,s_Password:_0804910a = "Password: "
08048088 ba 0b 00 MOV EDX,0xb
0804808d e8 58 00 CALL FUN_sys_write undefined FUN_sys_write()
;sysread function -> read user entry
08048092 b8 03 00 MOV EAX,0x3
08048097 bb 01 00 MOV EBX,0x1
0804809c b9 46 91 MOV ECX,s_velvet_08049146 = "velvet"
080480a1 ba 06 00 MOV EDX,0x6
080480a6 cd 80 INT 0x80
;endsysread
; get password and get user entry then compare
080480a8 56 PUSH ESI
080480a9 57 PUSH EDI
080480aa b9 06 00 MOV ECX,0x6
080480af be 3f 91 MOV ESI,s_246581_0804913f = "246581"
080480b4 bf 46 91 MOV EDI,s_velvet_08049146 = "velvet"
080480b9 f3 a6 CMPSB.REPE ES:EDI=>s_velvet_08049146,ESI=>s_246581_0804913f => cmp "velvet" = "246581"
080480bb 74 13 JZ LAB_080480d0
; bad comparison
080480bd 5f POP EDI
080480be 5e POP ESI
080480bf b9 21 91 MOV ECX,s_Bad_password._Try_again!_08049121 = "Bad password. Try again!\n"
080480c4 ba 1a 00 MOV EDX,0x1a
080480c9 e8 1c 00 CALL FUN_sys_write undefined FUN_sys_write()
080480ce eb 11 JMP FUN_sys_exit undefined FUN_sys_exit()
; good comparison
-- Flow Override: CALL_RETURN (CALL_TERMINATOR)
LAB_080480d0 XREF[1]: 080480bb(j)
080480d0 5f POP EDI
080480d1 5e POP ESI
080480d2 b9 15 91 MOV ECX,s_Well_done!_08049115 = "Well done!\n"
080480d7 ba 0c 00 MOV EDX,0xc
080480dc e8 09 00 CALL FUN_sys_write undefined FUN_sys_write()
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_sys_exit()
undefined AL:1 <RETURN>
FUN_sys_exit XREF[1]: entry:080480ce(c)
080480e1 b8 01 00 MOV EAX,0x1
00 00
080480e6 31 db XOR EBX,EBX
080480e8 cd 80 INT 0x80
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_sys_write()
undefined AL:1 <RETURN>
FUN_sys_write XREF[4]: entry:0804807e(c),
entry:0804808d(c),
entry:080480c9(c),
entry:080480dc(c)
080480ea b8 04 00 MOV EAX,0x4
00 00
080480ef bb 01 00 MOV EBX,0x1
00 00
080480f4 cd 80 INT 0x80
080480f6 c3 RET
Just above there is the code of the deompiled program.
As we can see Ghidra propose a very good disassembly for this chall.
We can see the program check if the password is 246581.
We can check if our analyze is good:
$ ./j333
Crackme 333 Josep
Password: 246581
Well done!
That’s All Falks!