Hacking Series Part 21
Category: reverse engineering
We are given an ELF named “PowerFul_Crackme”. After opening it in IDA, you see that the program enters main and prints “The magic string: ” with printf.

It then goes on to initialize a counter at loc_11B3 from 0–9, which is stored in var_4. If the counter is below 9, scanf is called and the counter is incremented. Since this occurs 10 times, we can assume the magic string is 10 characters long. Next, execution jumps to loc_11FC, where another counter is initialized from 0–9. This counter is stored in var_8.

If the counter is greater than 6, execution jumps to loc_11E1, and if it is less than 6, execution continues. In these two blocks of assembly, there is most likely some processing going on with the previously input characters, which can be worried about later if needed. However, on either path, the counter in var_8 is incremented by 1 and execution eventually moves on to loc_1242.

Here, another counter from 0–9 is initialized, this time storing the counter in var_C. If the counter is less than 9, execution jumps to loc_1213, where a cmp instruction is found that compares al and dl.

If the characters in al and dl are the same, the counter is incremented and the same assembly is run again. This means that the program is checking the magic string character by character at this cmp instruction. If all 10 characters are the same, the success message is printed.

After opening the program in gdb, breaking at the cmp instruction, and checking the registers, you notice that the first char it looks for is a “b”.
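As an added example (not the crackme's own code), here is a C reconstruction of the control flow described above, so the comparison loop can be studied outside the binary: three loops mirroring var_4, var_8 and var_C, with the var_C loop stopping at the first mismatching byte, which is why a breakpoint on the cmp reveals one expected character per position. The expected string (beyond its leading 'b') and the per-character processing step are constructed placeholders, not values taken from the ELF; a constant-time comparison is included for contrast.

```c
#include <stdio.h>

#define MAGIC_LEN 10

/* Constructed placeholder: only the leading 'b' reflects the write-up. */
static const char EXPECTED[] = "bXXXXXXXXX";

/* Placeholder for the unknown processing in the var_8 loop (the split at
 * index 6 between loc_11E1 and the fall-through block). The real transform
 * is not known, so this is the identity. */
static char process(int i, char c)
{
    (void)i;
    return c;
}

/* Mirrors the var_C loop: compare one byte at a time (the cmp al, dl) and
 * stop at the first mismatch. Returns how many leading bytes matched, so
 * MAGIC_LEN means success. The early exit is the information leak: the
 * first wrong position is the one whose expected byte a debugger sees. */
static int check_magic(const char *input)
{
    char buf[MAGIC_LEN];
    for (int i = 0; i < MAGIC_LEN; i++)       /* var_8 loop */
        buf[i] = process(i, input[i]);
    for (int i = 0; i < MAGIC_LEN; i++)       /* var_C loop */
        if (buf[i] != EXPECTED[i])
            return i;
    return MAGIC_LEN;
}

/* Constant-time variant: always examines all MAGIC_LEN bytes, so control
 * flow reveals nothing about where the mismatch is. Returns 1 on success. */
static int check_magic_ct(const char *input)
{
    unsigned char diff = 0;
    for (int i = 0; i < MAGIC_LEN; i++)
        diff |= (unsigned char)(process(i, input[i]) ^ EXPECTED[i]);
    return diff == 0;
}

int main(void)
{
    char in[MAGIC_LEN + 1] = {0};
    printf("The magic string: ");
    for (int i = 0; i < MAGIC_LEN; i++)       /* var_4 loop: 10 scanf calls */
        if (scanf(" %c", &in[i]) != 1)
            return 1;
    int n = check_magic(in);
    if (n == MAGIC_LEN)
        printf("success\n");
    else
        printf("mismatch at index %d\n", n);
    return 0;
}
```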