Reversing simple program

Hi there, In this blog i am going to explain how we can crack or reverse a simple password checker program. This blog is also for beginners who are new in reverse engineering.

Here we can see that when we exec this binary it ask for a argument called password. Our mission is to find password.

Wrong password, Lets debug this program with GDB and find the valid password.So type gdb then path to the binary (gdb passwd).

We know that every C program have a main function. So lets type disassemble main , this will display all assembler structures from the main function. Before disassemble i used set disassembly-flavor intel to filter all weird strings. Disassemble looks complicated but we can ignore most of it. We can see cmp which is 0x2 , its just 2 as i said we need to ignore most of the parts.

164 <+15>: cmp    DWORD PTR [rbp-0x4],0x2

We can see 0x02 its means 2 tho something is checked if it is not 2 after that it jumps.

168 <+19>: jne    0x11c3 <main+110>184 <+47>: call   0x1040 <printf@plt>

Call is the function to display text which is printf so we know at 184 it is printing something.

19e <+73>: call   0x1050 <strcmp@plt>

Then comes the string compare if you don’t know what string compare is then you can see man page of it. man 3 strcmp

After that we can see test ; returns not equal to 0 if the same.

1a5 <+80>: jne    0x11b5 <main+96>

Here if something not equal then jump to 96

1b5 <+96>: lea    rdi,[rip+0xe83]
1bc <+103>: call   0x1030 <puts@plt>
There are many things which may you should look. Here i am going to create a break point at main to do that type break *main
After creating break point we get Breakpoint 1 at 0x1155 which is similar to the 155 <+0>: push   rbp which is the starting point of the main function.Break point is set now we can run and again we hit the break point. Break point is a stop where program stops running Breakpoint 1, 0x0000555555555155 in main ()Now we can use si to step one instructions. 0x0000555555555156 our address changed. Now we gonna use ni.

If you see we hit many point and they are similar to our assembler dump. A function printf at 0x00005555555551ca and here it jump which is whatever was compare to 2 it is not 2, jmp point at 0x0000555555555168 then program prints puts function which was the last function.Now we know that we didn’t pass the password check now we can run program with random password argument. run sdsdsds

After running do the same ni and again we will hit the break point at 0x0000555555555168 in main ()

will we again jump this time?, no because jmp is equal to 2. So keep typing ni

Cool, another printf function and this printf is a function where password will be checked.


Again we jumped here that means password is wrong which is puts functions. So lets create break point where it is jumping. type break *0x00005555555551a3 and run the program again. Now continue this will run the program and break until we hit the next break point. Here we need to change the eax value to zero (eax just refers to the 32 bit of the 64 bit of registers.) type set $eax=0 then info registers. now type ni again to continue the program.

And boom we bypassed the password verify 🙂

C code: https://pastebin.com/raw/8zahDYNu

Thanks for reading


Facebook


Twitter