Aim: Given an executable of a program written in C and compiled with gcc, crack the password.

EQUIPMENT:

ltrace

ldd

radare2

gdb

Procedure:

Run the executable with and without input.

Use ltrace to intercept any dynamic library calls.

Use ldd to check which shared libraries the program uses.

OK, it doesn't use any special encryption-related libraries.

Let's use radare2 to get a better overview of the program's flow.

From the disassembly we can predict the C version of the code.

The following is an approximate C translation of the assembly (each block of assembly mapped to the corresponding C, so it is close but not exact):

    #include <stdio.h>

    /* defined elsewhere in the binary; see the check_password section below */
    int check_password(char *s);

    int main(int argc, char *argv[])
    {
        int a;
        if (argc != 2) {
            fprintf(stdout, "Usage %s password", argv[0]);
            return 0;
        } else {
            a = check_password(argv[1]);
            if (a == 1) {
                puts("Congratulations");   /* password accepted */
                return 0;
            } else {
                puts("ko");                /* password rejected */
                return 1;
            }
        }
        return 0;
    }

Let's look at the check_password function,

whose C equivalent would be

The value of i is 71516737, whose hex representation is 0x4434241; y is 255, whose hex representation is 0xff.

So far we can guess that the password length is 4 (0x4434241 fits in four bytes, and the 0xff mask isolates a single byte at a time).

Now that we have a better picture of the program's flow, we can use gdb to step through each comparison of the input string against the expected password.

So all we need to do is set a breakpoint at the comparison and check the values, which are in ASCII.

So we see that the first character of the password is ASCII 65, which is A.

If we continue through the remaining comparisons we can recover the rest of the password.

So the ASCII codes of the password are 65 66 67 04, whose characters are ABC<ctrl+d>, i.e. ABC<EOF>.
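The decoding above, as an added Python example that is not part of the original write-up: it peels the four bytes off the constant 0x4434241 in little-endian order using the 0xff mask, models the comparison the way the write-up describes it (a hypothetical stand-in for the binary's check_password, whose real body is not reproduced here), and emits the printf escape string needed to pass the non-typeable 0x04 byte on the command line. The names I_CONST, Y_MASK, check_password's packing strategy and printf_escape are assumptions made for illustration.

```python
import struct

# Constants read out of the disassembly in the write-up (i and y).
I_CONST = 71516737   # 0x4434241, the packed expected password
Y_MASK = 255         # 0xff, the per-byte mask


def bytes_from_constant(value: int, mask: int = Y_MASK, width: int = 4) -> bytes:
    """Extract `width` bytes from `value`, least-significant byte first.

    x86 is little-endian, so the byte compared first (the low byte) is the
    first character of the password. `mask` is the 0xff the program ANDs
    with to isolate one byte per comparison.
    """
    if mask != 0xFF:
        raise ValueError("this example assumes a single-byte mask")
    return bytes((value >> (8 * k)) & mask for k in range(width))


def check_password(candidate: bytes, expected: int = I_CONST) -> bool:
    """Hypothetical model of the binary's check: pack the input's four bytes
    as a little-endian 32-bit integer and compare against the constant."""
    if len(candidate) != 4:
        return False
    (packed,) = struct.unpack("<I", candidate)
    return packed == expected


def printable(pw: bytes) -> str:
    """Render the password, showing non-printable bytes as <0xNN>."""
    return "".join(chr(b) if 32 <= b < 127 else f"<0x{b:02x}>" for b in pw)


def printf_escape(pw: bytes) -> str:
    """Escape string for printf so bytes like 0x04 can be placed in argv."""
    return "".join(f"\\x{b:02x}" for b in pw)


if __name__ == "__main__":
    pw = bytes_from_constant(I_CONST)
    print("password bytes:", pw.hex(" "))          # 41 42 43 04
    print("password:", printable(pw))              # ABC<0x04>
    print("self-check:", check_password(pw))       # True
    print('printf "%s"' % printf_escape(pw))       # printf "\x41\x42\x43\x04"
```

Note that 0x04 is a perfectly valid argv byte (only NUL terminates an argument), which is why the shell script below can deliver it even though ctrl+d cannot be typed at the prompt.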

So we need a way to supply the EOF byte as input. I came up with a bash script that prints the password and unlocks the crackme.

    #!/bin/bash
    # Build the 4-byte password; \x04 (EOT, ctrl+d) cannot be typed at a prompt
    # but is a legal argv byte, so printf produces it and we pass it through.
    e=$(printf "\x41\x42\x43\x04")
    echo "$e"
    ./crackme3 "$e"

On executing the script:

Awesome stuff coming up!!