- category : reverse
- points : 89
A really simple crackme to get started ;) Your goal is to find the correct
input so that the program returns 1. The correct input will be the flag.
1 file: main.asm
We have an asm file:
The code is so short that it is easy to work on it directly.
Analyzing the code:
Two arrays are defined: some_array and the_second_array.
some_array db 10,2,30,15,3,7,4,2,1,24,5,11,24,4,14,13,5,6,19,20,23,9,10,2,30,15,3,7,4,2,1,24
On entering main, a check on the number of parameters is executed.
If it is different from 2, the program jumps to exit.
In the label ‘l1’ the length of the string passed as parameter is computed.
At the end of this loop the length value is stored in RCX.
The important part of the program is the
follow_the_label uses the parameter string (we would call it StrPar) and
The sum of StrPar[ECX-1] and some_array[ECX-1] is stored in AL and is then XORed with 42.
The result of these operations is compared with the value of the_second_array[ECX-1].
If they are different the program jumps to exit; otherwise ECX is compared with 0.
If it matches, the program jumps to ‘win’; otherwise ECX is decremented and the loop in
follow_the_label is repeated.
mov r10, the_second_array
In the ‘win’ label the program returns 1.
The goal is to find the right string which, passed as parameter to the program, lets
the loop in follow_the_label continue until all the values of some_array are processed,
in order to jump at
This string will be the flag.
Summarising the operations made inside ‘follow_the_label’ (knowing that StrPar would be the flag):
(flag[i] + some_array[i]) ^ 42 == the_second_array[i]
Rearranging the equation (XOR is its own inverse):
flag[i] + some_array[i] = the_second_array[i] ^ 42
so flag[i] = (the_second_array[i] ^ 42) - some_array[i]
So we just have to write a little exploit:
some_array = [10,2,30,15,3,7,4,2,1,24,5,11,24,4,14,13,5,6,19,20,23,9,10,2,30,15,3,7,4,2,1,24]
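The inversion above written out as a working solver, as an added example (not the writeup's own script). The_second_array is not reproduced on this page, so SAMPLE_FLAG is a constructed stand-in used only to derive a matching the_second_array; with the real array from main.asm, solve() alone recovers the flag. It also keeps the 8-bit wrap of AL, which matters whenever the_second_array[i] ^ 42 is smaller than some_array[i].

```python
# Added example, not the writeup's script: invert the check done in follow_the_label.
# Per byte the binary tests (flag[i] + some_array[i]) ^ 42 == the_second_array[i],
# with the sum held in AL, i.e. reduced modulo 256.

SOME_ARRAY = [10, 2, 30, 15, 3, 7, 4, 2, 1, 24, 5, 11, 24, 4, 14, 13,
              5, 6, 19, 20, 23, 9, 10, 2, 30, 15, 3, 7, 4, 2, 1, 24]
XOR_KEY = 42

# Constructed 32-byte sample (same length as some_array). NOT the real flag.
SAMPLE_FLAG = b"flag{constructed_sample_value_1}"


def check(candidate: bytes, some_array: list[int], second_array: list[int]) -> int:
    """Mirror of the binary's loop: return 1 (win) only if every byte passes.

    Indices are walked from len-1 down to 0 like the ECX-driven loop, and the
    addition is truncated to 8 bits because the binary keeps it in AL.
    """
    if len(candidate) != len(some_array):
        return 0
    for i in range(len(candidate) - 1, -1, -1):
        al = (candidate[i] + some_array[i]) & 0xFF
        if (al ^ XOR_KEY) != second_array[i]:
            return 0
    return 1


def solve(some_array: list[int], second_array: list[int]) -> bytes:
    """Recover flag[i] = (the_second_array[i] ^ 42) - some_array[i], mod 256."""
    return bytes(((s ^ XOR_KEY) - a) & 0xFF for a, s in zip(some_array, second_array))


def derive_second_array(flag: bytes, some_array: list[int]) -> list[int]:
    """Forward direction; used here only to build a the_second_array for the sample."""
    return [((c + a) & 0xFF) ^ XOR_KEY for c, a in zip(flag, some_array)]


if __name__ == "__main__":
    second = derive_second_array(SAMPLE_FLAG, SOME_ARRAY)
    recovered = solve(SOME_ARRAY, second)
    print(recovered.decode(), check(recovered, SOME_ARRAY, second))
```

To use it on the real challenge, replace the derived list with the 32 values of the_second_array from main.asm and call solve(SOME_ARRAY, that_list).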
We can check that the flag is correct by submitting it to the program as a parameter:
$ nasm -f elf64 main.asm