Hacking Series Part 21

Challenge: PowerFul_Crackme

97108

3 min read · Dec 10, 2021


Category: reverse engineering

We are given an ELF named “PowerFul_Crackme”. After opening it in IDA, you see that the program enters main and prints “The magic string: ” with printf.

It then initializes a counter at loc_11B3 that runs from 0–9 and is stored in var_4. If the counter is below 9, scanf is called and the counter is incremented. Since this occurs 10 times, we can assume the magic string is 10 characters long. Next, execution jumps to loc_11FC, where another counter from 0–9 is initialized. This counter is stored in var_8.

If the counter is greater than 6, execution jumps to loc_11E1, and if it’s less than 6, execution continues. In these two blocks of assembly there is most likely some processing of the previously entered characters, which can be dealt with later if needed. On either path, however, the counter in var_8 is incremented by 1 and execution eventually moves on to loc_1242.

Here another counter from 0–9 is initialized, this time stored in var_C. If the counter is less than 9, execution jumps to loc_1213, where a cmp instruction is found that compares al and dl.

If the characters in al and dl are the same, the counter is incremented and the same assembly runs again. This means the program is checking the magic string character by character at this cmp instruction. If all 10 characters match, the success message is printed.

After opening the program in gdb, breaking at the cmp instruction, and checking the registers, you notice that the first character it looks for is a “b”.
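To make the loop structure concrete, here is an added Python model (not the challenge binary's code) of the compare loop at loc_1213 and of the byte-at-a-time recovery that breaking on the cmp gives you. The expected string, the skipped processing blocks (treated as an identity transform) and all function names are constructed for this example; only the first expected character, “b”, comes from the writeup.

```python
# Model of the PowerFul_Crackme check loop (added example, not the binary's code).
# EXPECTED is a constructed placeholder; only its first byte 'b' is from the writeup.

MAGIC_LEN = 10  # scanf is called 10 times, so the magic string is 10 chars
EXPECTED = b"b_example_"  # constructed; the real string is unknown

def check_magic(candidate: bytes, expected: bytes = EXPECTED, trace=None) -> bool:
    """Mirror the loc_1213 loop: one `cmp al, dl` per position, leaving the
    loop on the first mismatch, so success needs all 10 positions to match.
    If `trace` is a list, every (al, dl) pair seen at the cmp is appended to
    it; this is exactly what a breakpoint on the cmp lets you read."""
    if len(candidate) != MAGIC_LEN:
        return False
    for i in range(MAGIC_LEN):
        al = candidate[i]   # user byte (the real program transforms it first)
        dl = expected[i]    # byte the program expects at this position
        if trace is not None:
            trace.append((al, dl))
        if al != dl:
            return False    # early exit: later bytes are never compared
    return True

def run_under_debugger(candidate: bytes) -> list:
    """Stand-in for one gdb session: run with `candidate`, break at the cmp,
    and collect every (al, dl) register pair observed."""
    trace = []
    check_magic(candidate, trace=trace)
    return trace

def recover_with_breakpoint(run) -> tuple:
    """Automate the writeup's approach: run with a guess, read dl at the
    deepest cmp reached, fix that byte of the guess, run again.  Because the
    loop stops at the first mismatch, each run reveals exactly one new byte,
    so the whole string costs at most 10 runs rather than a 256**10 search.
    Returns (recovered_bytes, number_of_runs)."""
    guess = bytearray(b"A" * MAGIC_LEN)
    runs = 0
    while True:
        trace = run(bytes(guess))
        runs += 1
        i = len(trace) - 1          # position of the last cmp executed
        al, dl = trace[i]
        if al != dl:
            guess[i] = dl           # dl held the byte the program wanted
        if i == MAGIC_LEN - 1:      # last position reached: string complete
            return bytes(guess), runs

if __name__ == "__main__":
    recovered, runs = recover_with_breakpoint(run_under_debugger)
    print(f"recovered {recovered!r} in {runs} runs, accepted: {check_magic(recovered)}")
```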
