Hacking Series Part 17

Challenge: Impossible Password

Category: reverse engineering

We are given a file called “impossible_password.bin”. Using xxd, I looked at the header of the file and found out that it was actually an ELF which meant that it could be executed. When I set executing permissions and ran the file, it prompted me for an input, which I guessed would be a password.

Since there seemed to be no other features to the program, I opened it in IDA to try to discern what the first input should be. The first thing you see after entering main is a string called “SuperSeKretKey” being stored in a variable. Then, an array is being initialized with a few characters.

If you convert the first few hex values of the array into ASCII characters, they don’t seem to look like a flag so I ignored this for now. The next block of assembly is responsible for capturing the an input from the user and comparing it to the password. You can easily tell that the password is the string “SuperSeKretKey”, since that is being compared to the input.

If you get the password right, the next block of assembly scans for a second input and compares it to the value returned by sub_40078D. In this sub process, a string of random values is being generated then returned. The random function is being seeded with the current time, so even though it is possible to predict the value of the random string, it will be very time consuming and there is probably an easier way.

If you get the second password right sub_400978 is called, which is likely responsible for printing the flag. This means that it might be possible to call sub_400978 directly without having to guess the second password, or at least jump execution to somewhere near the sub process.

To do this, I opened the program with gdb and set a breakpoint at the strcmp function for the second input. I ran the program and answered the first input with the secret key string. Then I entered a random value for the second input. I then jumped to an area near the sub process that called the flag, in this case it was located at the address 0x40096a.

Execution continued into the needed sub process and the flag was printed.