Linux - Simple reverse & crack

PreviousBinary Exploitation NextMemory Analysis

Last updated 3 years ago

Was this helpful?

Linux - Simple reverse & crack

Simple program exploitation

Imagine the following C program called license_1. A simple strcmp (string compare) that checks if input is a certain string.

Open software with GDB and start reversing

gdb license_1 #open up software in gdb
disassemble main #dis main
break *main #break at main entry

A lot of information like that can be overwhelming but we can simply focus on the code flow for now. Let's imagine we don't have the source code and try to understand what this program does.

I usually take a snippet of the function and paste it into mspaint then start following calls. Below is a screenshot of my manual analysis of the program execution.

This is nice but let's get through this, step-by-step.

First, it seems like the program checks for something that is equal to 2

At address 4005cc we can notice a CMP (compare) instruction, it compares it with a hard-coded value of 0x2, or in human readable format: 2 Then it slides to a JNE (Jump Not Equal) instruction, which basically checks if the value from previous compare instruction is 0 or not. If the instruction is 0, it means it is equal but if the result is anything but 0 it means the result is not equal. Basically, this checks if something is 2 and if it is not 2, it jumps because it is not equal.

Let's verify this. Let's run the program and look at the registers.

run
info registers
si #step instruction
info registers

By using SI we are single stepping into instructions, we want to use ni instead so we don't step into instructions such as puts, strcmp, print, etc.

We notice that we jumped directly to the end of the program when we followed the code flow. We also noticed that the program indicated us its "usage", meaning that we probably are missing an argument while running the program.

break *main+69 #lets skip the useless stuff and break at the compare
run turbo-key #this will run the program with turbo-key as arg

Now there are two ways I know of doing things, either try to recover the password/key/secret-info from the memory and register or bypass the mechanism itself.

The key is right here but let's just ni until we hit the end for now.

The program tells us that the key is wrong. We can rerun the program in gdb with bad as an argument, breakpoint at *main+69 and ni once to pass the "check license puts"

CMP subtracts the operands and sets the flags. Namely, it sets the zero flag if the difference is zero (operands are equal).

TEST sets the zero flag, ZF, when the result of the AND operation is zero. If two operands are equal, their bitwise AND is zero when both are zero. TEST also sets the sign flag, SF, when the most significant bit is set in the result, and the parity flag, PF, when the number of set bits is even.

https://stackoverflow.com/questions/13064809/the-point-of-test-eax-eax

in this particular case, TEST instruction performs a bitwise logical AND, discards the actual result and sets/unsets the ZF according to the result of the logical and: if the result is zero it sets ZF = 1, otherwise it sets ZF = 0. Conditional jump instructions like JE are designed to look at the ZF for jumping/notjumping so using TEST and JE together is equivalent to perform a conditional jump based on the value of a specific register:

So we could set the value of $eax to 0 and it would technically bypass the check.

set $eax=0
ni
ni
ni
ni

A few instructions later we notice that we hit another address in memory that executes the "Access Granted" prompt. We also notice that the path is 0x400610 which is what our manual analysis determined would be the good address to land on !