Let’s say we are again given an executable of a program written in C and compiled with gcc. When we run the executable with a password, it checks whether the password is valid.
What if we couldn’t figure it out with traditional methods like strings and ltrace, because the password is not hardcoded in the executable? That just gives a clue that the password is being validated on the fly. As previously discussed, we can hack the password if it is hardcoded in the program and strcmp (or similar) is used, so the way to overcome that is to use a hash.
For the experiment: the executable crackme is present over here
Things to try when an executable is given:
Run the executable with and without input.
strings -d ./crackme
No luck using strings, ltrace or strace. How about objdump? It is good, but radare2 gives a graphical representation of the code flow along with the disassembly.
We see that there are a couple of calls like printf, puts and what could be checksum (it will be explained later).
In general, any password checker program takes an input and validates it against something. Let’s take the words reverse engineering seriously! How about creating a program equivalent to the program? But one problem at a time.
The skeleton of the program
What could the condition be? Suppose we had some unknown function checksum.
First, what is a checksum?
Checksum (as per Wikipedia): A checksum or hash sum is a small-size datum from a block of digital data for the purpose of detecting errors which may have been introduced during its transmission or storage.
Let’s assume we had a checksum. The skeleton would now look like the following.
Now it’s time to figure out what the checksum value is being compared to.
It’s right there in the assembly: 0xdee where the compare is happening, whose decimal equivalent is 3566.
By understanding/interpreting the assembly, we could create the checksum.
Our C program can be completed as below
We have the program, and we know how to get the password 😉. We can try the program with inputs that bring the checksum value to 3566.
Isn’t it tedious to run the program to get the perfect checksum value?
How about creating the script that generates a random valid password for
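As an added example (not the original post's script or the crackme's own code): a generator written in C, assuming for illustration that checksum is the plain sum of the input's byte values, since the real routine is not shown on this page. Only the constant 0xdee comes from the page; the names TARGET, LO, HI and gen_password are hypothetical. It also shows why a small checksum is a poor password check: a huge number of different inputs reach 3566.

```c
#include <stdio.h>
#include <stdlib.h>

#define TARGET 0xdee  /* 3566, the value the page found in the compare */
#define LO 0x21       /* '!' : lowest printable, non-space byte we emit */
#define HI 0x7e       /* '~' : highest printable byte we emit */

/* ASSUMPTION: additive checksum (sum of bytes); the real one is not shown. */
unsigned checksum(const char *s) {
    unsigned sum = 0;
    while (*s) sum += (unsigned char)*s++;
    return sum;
}

/* Write a random printable string whose checksum is exactly TARGET.
 * Returns its length, or 0 if the buffer is too small. */
size_t gen_password(char *out, size_t cap, unsigned seed) {
    unsigned remaining = TARGET;
    size_t n = 0;
    srand(seed);
    while (remaining > 0) {
        unsigned c;
        if (n + 1 >= cap) return 0;        /* keep room for the NUL */
        if (remaining <= HI) {
            c = remaining;                 /* last byte closes the gap */
        } else {
            /* Cap the choice so at least LO is left for a final byte. */
            unsigned hi = remaining - LO < HI ? remaining - LO : HI;
            c = LO + (unsigned)rand() % (hi - LO + 1);
        }
        out[n++] = (char)c;
        remaining -= c;
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    char pw[128];
    for (unsigned seed = 1; seed <= 3; seed++) {
        if (gen_password(pw, sizeof pw, seed))
            printf("%-70s checksum=%u\n", pw, checksum(pw));
    }
    return 0;
}
```

Every seed yields a different string with the same checksum, which is the reason a verifier should compare against a cryptographic hash rather than a small sum.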
How about an infernum challenge: patch crackme so that any password will work. The change should touch the fewest possible bytes.
We cannot just edit the executable code. If you still want to, the questions would be where you want to edit, and how you can edit without corrupting the file.
One of the answers would be gdb.
I found good documentation here on how to patch the executable using gdb.
Tada! Congrats!!!! The cracked file is available here