Writeup: Redpwn 2019 - Generic Crackme

(Updated: )
writeups
, , , ,

Information

  • category: reverse
  • points: 50

Description

Note: Enclose the flag with flag{}.

1 file : generic_crackme.bin

Writeup

Execute the program:

1
2
3
4
$ ./generic_crackme.bin
plz enter password plz:
hii
lolno

Mh… Using ltrace :

1
2
3
4
5
6
7
8
9
$ ltrace ./generic_crackme.bin                                                                                                                                             

puts("plz enter password plz:"plz enter password plz:
)                                                                                                                    = 24
fgets(hii
"hii\n", 100, 0x7f0f2442b860)                                                                                                                = 0x7ffffaa83bd0
puts("lolno"lolno
)                                                                                                                                      = 6
+++ exited (status 0) +++

Ok it doesn’t give the informations we need.

Let’s analyze the binary using radare2 :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# r2 -d generic_crackme.bin
[0x7fc214358100]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x7fc214358100]> afl
0x561d89546060    1 46           entry0
0x561d89548fe0    1 4124         reloc.__libc_start_main
0x561d89546030    1 6            sym.imp.puts
0x561d89546040    1 6            sym.imp.__stack_chk_fail
0x561d89545000    3 404  -> 397  loc.imp._ITM_deregisterTMCloneTable
0x561d895451aa    5 32   -> 55   fcn.561d895451aa
0x561d89546050    1 6            sym.imp.fgets
0x561d8954621f    6 128          main
0x561d89546150    5 153  -> 60   entry.init0
0x561d89546100    5 65   -> 55   entry.fini0
0x561d89548ff8    1 4100         reloc.__cxa_finalize
0x561d89546090    4 41   -> 34   fcn.561d89546090
[0x7fc214358100]> s main
[0x561d8954621f]> pdf
/ (fcn) main 128
|   int main (int argc, char **argv, char **envp);
|           ; var int32_t var_70h @ rbp-0x70
|           ; var int32_t var_8h @ rbp-0x8
|           ; DATA XREF from entry0 @ 0x561d89546081
|           0x561d8954621f      55             push rbp
|           0x561d89546220      4889e5         mov rbp, rsp
|           0x561d89546223      4883ec70       sub rsp, 0x70           ; 'p'
|           0x561d89546227      64488b042528.  mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
|           0x561d89546230      488945f8       mov qword [var_8h], rax
|           0x561d89546234      31c0           xor eax, eax
|           0x561d89546236      488d3dc70d00.  lea rdi, str.plz_enter_password_plz: ; 0x561d89547004 ; "plz enter password plz:"
|           0x561d8954623d      e8eefdffff     call sym.imp.puts       ; int puts(const char *s)
|           0x561d89546242      488b15f72d00.  mov rdx, qword [reloc.stdin_64] ; [0x561d89549040:8]=0
|           0x561d89546249      488d4590       lea rax, [var_70h]
|           0x561d8954624d      be64000000     mov esi, 0x64           ; 'd' ; 100
|           0x561d89546252      4889c7         mov rdi, rax
|           0x561d89546255      e8f6fdffff     call sym.imp.fgets      ; char *fgets(char *s, int size, FILE *stream)
|           0x561d8954625a      488d4590       lea rax, [var_70h]
|           0x561d8954625e      4889c7         mov rdi, rax
|           0x561d89546261      e802ffffff     call 0x561d89546168
|           0x561d89546266      84c0           test al, al
|       ,=< 0x561d89546268      740e           je 0x561d89546278
|       |   0x561d8954626a      488d3dab0d00.  lea rdi, str.good_job_kthxbye ; 0x561d8954701c ; "good job kthxbye"
|       |   0x561d89546271      e8bafdffff     call sym.imp.puts       ; int puts(const char *s)
|      ,==< 0x561d89546276      eb0c           jmp 0x561d89546284
|      |`-> 0x561d89546278      488d3dae0d00.  lea rdi, str.lolno      ; 0x561d8954702d ; "lolno"
|      |    0x561d8954627f      e8acfdffff     call sym.imp.puts       ; int puts(const char *s)
|      |    ; CODE XREF from main @ 0x561d89546276
|      `--> 0x561d89546284      b800000000     mov eax, 0
|           0x561d89546289      488b4df8       mov rcx, qword [var_8h]
|           0x561d8954628d      6448330c2528.  xor rcx, qword fs:[0x28]
|       ,=< 0x561d89546296      7405           je 0x561d8954629d
|       |   0x561d89546298      e8a3fdffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|       `-> 0x561d8954629d      c9             leave
\           0x561d8954629e      c3             ret

Or visually :

We can see that before the puts("good job kthxbye"), the program calls a function 0x561d89546168 (I’m going to call this function flag) and if it returns 1 the program will print the good string. Let’s see what this function does :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
[0x561d89546168]> pdf
p: Cannot find function at 0x561d89546168
[0x561d89546168]> pd
            ; CALL XREF from main @ 0x561d89546261
            0x561d89546168      55             push rbp
            0x561d89546169      4889e5         mov rbp, rsp
            0x561d8954616c      4883ec08       sub rsp, 8
            0x561d89546170      48897df8       mov qword [rbp - 8], rdi
            0x561d89546174      488b45f8       mov rax, qword [rbp - 8]
            0x561d89546178      0fb600         movzx eax, byte [rax]
            0x561d8954617b      0fbec0         movsx eax, al
            0x561d8954617e      89c7           mov edi, eax
            0x561d89546180      e8d4ffffff     call 0x561d89546159
            0x561d89546185      83f865         cmp eax, 0x65           ; 'e' ; 101
        ,=< 0x561d89546188      740a           je 0x561d89546194
        |   0x561d8954618a      b800000000     mov eax, 0
       ,==< 0x561d8954618f      e989000000     jmp 0x561d8954621d
       |`-> 0x561d89546194      488b45f8       mov rax, qword [rbp - 8]
       |    0x561d89546198      4883c001       add rax, 1
       |    0x561d8954619c      0fb600         movzx eax, byte [rax]
       |    0x561d8954619f      0fbec0         movsx eax, al
       |    0x561d895461a2      89c7           mov edi, eax
       |    0x561d895461a4      e8b0ffffff     call 0x561d89546159
       |    0x561d895461a9      83f870         cmp eax, 0x70           ; 'p' ; 112
       |,=< 0x561d895461ac      7407           je 0x561d895461b5
       ||   0x561d895461ae      b800000000     mov eax, 0
      ,===< 0x561d895461b3      eb68           jmp 0x561d8954621d
      ||`-> 0x561d895461b5      488b45f8       mov rax, qword [rbp - 8]
      ||    0x561d895461b9      4883c002       add rax, 2
      ||    0x561d895461bd      0fb600         movzx eax, byte [rax]
      ||    0x561d895461c0      0fbec0         movsx eax, al
      ||    0x561d895461c3      89c7           mov edi, eax
      ||    0x561d895461c5      e88fffffff     call 0x561d89546159
      ||    0x561d895461ca      83f868         cmp eax, 0x68           ; 'h' ; 104
      ||,=< 0x561d895461cd      7407           je 0x561d895461d6
      |||   0x561d895461cf      b800000000     mov eax, 0
     ,====< 0x561d895461d4      eb47           jmp 0x561d8954621d
     |||`-> 0x561d895461d6      488b45f8       mov rax, qword [rbp - 8]
     |||    0x561d895461da      4883c003       add rax, 3
     |||    0x561d895461de      0fb600         movzx eax, byte [rax]
     |||    0x561d895461e1      0fbec0         movsx eax, al
     |||    0x561d895461e4      89c7           mov edi, eax
     |||    0x561d895461e6      e86effffff     call 0x561d89546159
     |||    0x561d895461eb      83f868         cmp eax, 0x68           ; 'h' ; 104
     |||,=< 0x561d895461ee      7407           je 0x561d895461f7
     ||||   0x561d895461f0      b800000000     mov eax, 0
    ,=====< 0x561d895461f5      eb26           jmp 0x561d8954621d
    ||||`-> 0x561d895461f7      488b45f8       mov rax, qword [rbp - 8]
    ||||    0x561d895461fb      4883c004       add rax, 4
    ||||    0x561d895461ff      0fb600         movzx eax, byte [rax]
    ||||    0x561d89546202      0fbec0         movsx eax, al
    ||||    0x561d89546205      89c7           mov edi, eax
    ||||    0x561d89546207      e84dffffff     call 0x561d89546159
    ||||    0x561d8954620c      83f87a         cmp eax, 0x7a           ; 'z' ; 122
    ||||,=< 0x561d8954620f      7407           je 0x561d89546218
    |||||   0x561d89546211      b800000000     mov eax, 0
   ,======< 0x561d89546216      eb05           jmp 0x561d8954621d
   |||||`-> 0x561d89546218      b801000000     mov eax, 1
   `````--> 0x561d8954621d      c9             leave
            0x561d8954621e      c3             ret

We have multiple if on our input.
If we try to write a pseudocode of this function we get:

1
2
3
4
5
6
7
8
9
10
11
12
int flag(char *string) == 0x561d89546168
{
    // somefunc() = 0x561d89546159
    if (somefunc(string[0]) == 'e')
        if(somefunc(string[1]) == 'p')
            if(somefunc(string[2]) == 'h')
                if(somefunc(string[3]) == 'h')
                    if(somefunc(string[4]) == 'z')
                        return 1;

    return 0;
}

Now what the function located at 0x561d89546159 (in our pseudocode somefunc) does :

1
2
3
4
5
6
7
8
9
[0x561d895461c5]> s 0x561d89546159
[0x561d89546159]> pd
            0x561d89546159      55             push rbp
            0x561d8954615a      4889e5         mov rbp, rsp
            0x561d8954615d      897dfc         mov dword [rbp - 4], edi
            0x561d89546160      8b45fc         mov eax, dword [rbp - 4]
            0x561d89546163      83c001         add eax, 1
            0x561d89546166      5d             pop rbp
            0x561d89546167      c3             ret

Psuedocode :

1
2
3
4
char somefunc(char c)
{
    return c + 1;
}

So what we have to do to print good job kthxbye ?

We need to take the string ephhz and substract to every character 1, in this way when the flag function will compare the result of somefunc char per char we will make all the if statements true:

“exploit.py” : 

1
2
3
4
5
6
s = 'ephhz'
payload = ''
for i in range(0, len(s)):
    payload += chr(ord(s[i])-1)

print(payload)

Output : doggy

1
2
3
4
$ ./generic_crackme.bin
plz enter password plz:
doggy
good job kthxbye

Flag

flag{doggy}