koppian adventures

Rpisec Mbe Crackmes

Introduction

In Spring 2015 there was a course called Modern Binary Exploitation at Rensselaer Polytechnic Institute. This course was organized by the rpisec team. They published the course material, so anyone can look at them and educate themselves. In this post I am going to look at the crackme challenges which you can find here or on a local mirror.

crackme0x00a

The first crackme is fairly easy. We use the command strings to look for ASCII-strings in the binary

$ strings crackme0x00a 
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
...
UWVS
[^_]
Enter password: 
Congrats!
Wrong!
;*2$"
g00dJ0B!
GCC: (Ubuntu/Linaro 4.6.1-9ubuntu3) 4.6.1
.symtab
.strtab
...

The string g00dJ0B! looks suspicious. So let us try it.

$ ./crackme0x00a 
Enter password: g00dJ0B!
Congrats!

crackme0x00b

This does not work so trivial anymore, but in the slides of the lecture there is the tip to use a different encoding. After a little bit of testing we come to the following result.

$ strings -e L crackme0x00b 
w0wgreat

The switch -e specifies the encoding and L means 32-bit littleendian.

$ ./crackme0x00b 
Enter password: w0wgreat
Congrats!

Nice Challenge.

crackme0x01

On to some oldschool command-line disassembling. The command objdump displays various information about object files, like their disassembly.

	$ objdump -d crackme0x01
	...
	080483e4 <main>:
	80483e4:	55                   	push   %ebp
	80483e5:	89 e5                	mov    %esp,%ebp
	80483e7:	83 ec 18             	sub    $0x18,%esp
	80483ea:	83 e4 f0             	and    $0xfffffff0,%esp
	80483ed:	b8 00 00 00 00       	mov    $0x0,%eax
	80483f2:	83 c0 0f             	add    $0xf,%eax
	80483f5:	83 c0 0f             	add    $0xf,%eax
	80483f8:	c1 e8 04             	shr    $0x4,%eax
	80483fb:	c1 e0 04             	shl    $0x4,%eax
	80483fe:	29 c4                	sub    %eax,%esp
	8048400:	c7 04 24 28 85 04 08 	movl   $0x8048528,(%esp)
	8048407:	e8 10 ff ff ff       	call   804831c <printf@plt>
	804840c:	c7 04 24 41 85 04 08 	movl   $0x8048541,(%esp)
	8048413:	e8 04 ff ff ff       	call   804831c <printf@plt>
	8048418:	8d 45 fc             	lea    -0x4(%ebp),%eax
	804841b:	89 44 24 04          	mov    %eax,0x4(%esp)
	804841f:	c7 04 24 4c 85 04 08 	movl   $0x804854c,(%esp)
	8048426:	e8 e1 fe ff ff       	call   804830c <scanf@plt>
	804842b:	81 7d fc 9a 14 00 00 	cmpl   $0x149a,-0x4(%ebp)
	8048432:	74 0e                	je     8048442 <main+0x5e>
	8048434:	c7 04 24 4f 85 04 08 	movl   $0x804854f,(%esp)
	804843b:	e8 dc fe ff ff       	call   804831c <printf@plt>
	8048440:	eb 0c                	jmp    804844e <main+0x6a>
	8048442:	c7 04 24 62 85 04 08 	movl   $0x8048562,(%esp)
	8048449:	e8 ce fe ff ff       	call   804831c <printf@plt>
	804844e:	b8 00 00 00 00       	mov    $0x0,%eax
	8048453:	c9                   	leave  
	8048454:	c3                   	ret
	...

At the adress 804842b something on the stack is compared with 0x149a. Then there is a jump if the values are equal (je). Let us compute this back to hex and try it as a password.

$ echo $((0x149a))
5274
$ ./crackme0x01 
IOLI Crackme Level 0x01
Password: 5274
Password OK :)

Oh, it is the IOLI-crackme. We know them from a previous post already. Interestingly the following crackmes of RPISEC are the other IOLI-crackmes. So, we are done, since i have already covered them in a previous post.

Published

09 April 2017

Category

Walkthrough

Tags