- Analyze the files: understand how the binaries work using whatever tool you like (gdb is suggested).
- Find the password: use the tools to analyze each instruction and find the correct code for each program.
- Patch: for each program, add a patch that makes it accept any password.
- Recreate: for each binary, write a C program that is a copy of the original.
docker
- Start the container:
```
cd src && sudo docker compose up
```
- Enter the linux machine:
```
sudo docker exec -it linux bash
```
Level 1
- Run the binary:
```
bash$ cd /levels/level1
bash$ ./level1
Please enter key: hello
Nope.
```
- The program likely validates the input by comparing it to a stored string. Using gdb, we analyze further:
```
bash$ gdb ./level1
<gdb output>
gdb-peda$
```
- Disassembling the main function reveals a strcmp call with two arguments in the registers ecx and edx:
```
gdb-peda$ disassemble main
<disassembled output>
```
- Setting a breakpoint at strcmp and running the program reveals:
```
ECX: 0xffc1267c ("hello")
EDX: 0xffc1266e ("__stack_check")
```
- The correct code is `__stack_check`:
```
Please enter key: __stack_check
Good job.
```
- Here is the recreated C program:
```c
#include <stdio.h>
#include <string.h>

int main() {
    char user_input[112];            /* same buffer size as in the recreation above */
    printf("Please enter key: ");
    scanf("%s", user_input);         /* no width limit: a key longer than 111 characters
                                        overflows user_input; "%111s" would bound the read */
    if (strcmp(user_input, "__stack_check") == 0) {   /* the strcmp observed in gdb */
        printf("Good job.\n");
    } else {
        printf("Nope.\n");
    }
    return 0;
}
```
- To allow validation with any password:
- Open the binary using radare2, identify the instruction and replace it to bypass the verification:
```
cp level1 level1_patched   // copy
r2 -w level1_patched       // open the copy in write mode
aa                         // analyze instructions
/a cmp eax, 0              // find the nearest instruction matching that pattern
s <address>                // go to the instruction
wx 31c090                  // xor eax, eax ; nop -- overwrite the instruction, clearing the register used for the check
qyy                        // save and quit
```
- Test:
```
Please enter key: anything
Good job.
```
- Generate the patch:
```
bsdiff level1 level1_patched level1.patch
```
- Get the patched binary from the original and the patch file:
```
bspatch level1 level1_patched level1.patch
```
Level 2
- Using gdb-peda, we find that the input passcode must start with "00" and is followed by a sequence of groups of three numbers. The program validates these groups against a string stored in memory, "delabere".
- By analyzing the instructions in gdb and the decompiled code produced by retdec, we confirm that the passcode 00101108097098101114101 satisfies these conditions, as each group corresponds to a character in "delabere".
- Using radare2, locate the validation logic:
```
r2 ./level2
aaa
s main             // go to main
pdf                // show every instruction of main
s <address>        // go to the address of an instruction that is 5 bytes long
wa jmp <address>   // jump to the address where ok() will be called
```
- Test:
```
Please enter key: anything
Good job.
```
- Generate the patch:
```
bsdiff level1 level1_patched level1.patch
```
- Get the patched binary from the original and the patch file:
```
bspatch level1 level1_patched level1.patch
```
Level 3
- Run the binary:
```
bash$ cd /levels/level3
bash$ ./level3
Enter key: key123
Invalid key.
```
- Using gdb and radare2, we determine that the input key must start with "42". The rest of the string is processed in groups of three characters, each interpreted as an integer. These integers are stored in a buffer that is later matched against the string "********".
- By analyzing the instructions and logic using gdb and radare2, we derive the key 42042042042042042042042, where each group corresponds to the required values.
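The level2 and level3 passcodes have the same shape: a two-character prefix followed by groups of three decimal digits, each group read as an integer and compared with one character of a string the binary holds. The C program below is an added example, not part of the write-up or of the level binaries, that decodes such a key group by group so the hypothesis from the gdb and retdec analysis can be checked without re-running the binary. The function names decode_groups and groups_match, the 0x7f upper bound on a group value and the malformed-input handling are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode a key of the form <prefix><ddd><ddd>... where every group of three
 * decimal digits after the prefix is one integer, taken as an ASCII code.
 * Writes the decoded characters to out (NUL-terminated) and returns the number
 * of groups, or -1 if the key is malformed: a non-digit inside a group, an
 * incomplete trailing group, a value above 0x7f, or an out buffer too small.
 */
int decode_groups(const char *key, size_t prefix_len, char *out, size_t outsz)
{
    size_t len = strlen(key);
    if (len < prefix_len || (len - prefix_len) % 3 != 0)
        return -1;
    size_t ngroups = (len - prefix_len) / 3;
    if (ngroups + 1 > outsz)            /* room for the terminating NUL */
        return -1;
    for (size_t g = 0; g < ngroups; g++) {
        const char *p = key + prefix_len + 3 * g;
        int value = 0;
        for (int i = 0; i < 3; i++) {
            if (!isdigit((unsigned char)p[i]))
                return -1;
            value = value * 10 + (p[i] - '0');
        }
        if (value > 0x7f)
            return -1;
        out[g] = (char)value;
    }
    out[ngroups] = '\0';
    return (int)ngroups;
}

/* 1 if the decoded groups equal the reference string, 0 otherwise (also for malformed keys). */
int groups_match(const char *key, size_t prefix_len, const char *expected)
{
    char buf[64];
    int n = decode_groups(key, prefix_len, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The two passcodes from the write-up, both with a two-character prefix. */
    const char *keys[] = {"00101108097098101114101", "42042042042042042042042"};
    for (size_t k = 0; k < 2; k++) {
        char decoded[64];
        int n = decode_groups(keys[k], 2, decoded, sizeof decoded);
        if (n < 0) {
            printf("%s: malformed\n", keys[k]);
            continue;
        }
        printf("%s -> prefix \"%.2s\", %d groups: \"%s\"\n", keys[k], keys[k], n, decoded);
    }
    return 0;
}
```

Run on the two passcodes above, it decodes the level2 groups to e, l, a, b, e, r, e (each a character of "delabere") and the level3 groups to seven '*' characters (ASCII 42). A group containing a non-digit or an incomplete trailing group is reported as malformed instead of being silently truncated, which is the first thing to check when a hand-built key is rejected.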
- Using radare2, locate the validation logic and bypass the verification with a jmp:
```
$> r2 ./level2
$> aaa
$> s main      // go to main
$> pdf         // show every instruction of main
$> s 0x00001369
$> pdi 2
0x00001369 b832000000 mov eax, 0x32
0x0000136e 39c8 cmp eax, ecx
$> wa jmp 0x000014a7
INFO: Written 5 byte(s) (jmp 0x000014a7) = wx e939010000 @ 0x00001369
$> pdi 2
0x00001369 e939010000 jmp 0x14a7
0x0000136e 39c8 cmp eax, ecx
$> qyy
```
- Test:
```
Please enter key: anything
Good job.
```
- Generate the patch:
```
bsdiff level1 level1_patched level1.patch
```
- Get the patched binary from the original and the patch file:
```
bspatch level1 level1_patched level1.patch
```
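bsdiff produces the patch file, but it does not tell you how much of the binary the patch touches. The C program below is an added example, not from the write-up, that compares two byte images and reports each run of differing bytes; an integrity check of this kind is how you confirm that a patched file (from any of the three levels) differs from the original only at the rewritten instruction. The two images are constructed here from the bytes r2 printed for level3 (mov eax, 0x32 at 0x1369 replaced by jmp 0x14a7), padded with nop and ret bytes; the struct byte_run type and the function names are this example's own.

```c
#include <stdio.h>
#include <stddef.h>

/* One contiguous run of bytes that differ between two images. */
struct byte_run {
    size_t offset;   /* offset of the first differing byte */
    size_t length;   /* number of consecutive differing bytes */
};

/*
 * Compare two equally sized byte images and record every run of differing
 * bytes. Returns the number of runs found; at most max_runs are stored, but
 * runs beyond that are still counted. A patch that rewrites a single
 * instruction should yield exactly one short run at that instruction.
 */
size_t find_changed_runs(const unsigned char *orig, const unsigned char *patched,
                         size_t len, struct byte_run *runs, size_t max_runs)
{
    size_t count = 0;
    size_t i = 0;
    while (i < len) {
        if (orig[i] == patched[i]) {
            i++;
            continue;
        }
        size_t start = i;
        while (i < len && orig[i] != patched[i])
            i++;
        if (count < max_runs) {
            runs[count].offset = start;
            runs[count].length = i - start;
        }
        count++;
    }
    return count;
}

/*
 * Constructed sample images (not the real level3 file): nop padding, then the
 * two instructions r2 showed at 0x1369 before and after the patch, then ret.
 *   b8 32 00 00 00   mov eax, 0x32   ->   e9 39 01 00 00   jmp 0x14a7
 *   39 c8            cmp eax, ecx         (unchanged)
 */
static const unsigned char sample_orig[] = {
    0x90, 0x90, 0x90, 0x90,
    0xb8, 0x32, 0x00, 0x00, 0x00,
    0x39, 0xc8,
    0xc3,
};
static const unsigned char sample_patched[] = {
    0x90, 0x90, 0x90, 0x90,
    0xe9, 0x39, 0x01, 0x00, 0x00,
    0x39, 0xc8,
    0xc3,
};

/* Run the comparison on the constructed samples; returns the number of runs. */
size_t diff_samples(struct byte_run *runs, size_t max_runs)
{
    return find_changed_runs(sample_orig, sample_patched, sizeof sample_orig,
                             runs, max_runs);
}

int main(void)
{
    struct byte_run runs[8];
    size_t n = diff_samples(runs, 8);
    printf("%zu changed run(s)\n", n);
    for (size_t r = 0; r < n && r < 8; r++) {
        printf("  offset 0x%zx, %zu byte(s):", runs[r].offset, runs[r].length);
        for (size_t j = 0; j < runs[r].length; j++)
            printf(" %02x->%02x", sample_orig[runs[r].offset + j],
                   sample_patched[runs[r].offset + j]);
        printf("\n");
    }
    return 0;
}
```

On the sample it reports one run of three bytes at offset 4, not five: r2 wrote five bytes, but the encodings b8 32 00 00 00 and e9 39 01 00 00 share their last two bytes, so a byte-level diff undercounts the size of an instruction-level change. To use it on real files, read both binaries into memory (an in-place r2 write leaves the file size unchanged, so the equal-length assumption holds) and pass the two buffers to find_changed_runs.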