Download the file, extract it, check the file details using the 'file' command
#file four
four: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x899a337216c40966fb57583c9ff45fcac0384cbb, not stripped
It says 'not stripped', so let's try the 'strings' command, but it doesn't give out any flag.
Let's try to execute it from the terminal:
#./four
Usage: ./four
#./four abcd
Sorry no flag for you
So our next option is to disassemble it. I used IDA. The assembly code of the main function gives us a few clues on how to crack it:
public main
.text:0804856C main proc near                        ; DATA XREF: _start+17 o
.text:0804856C
.text:0804856C arg_0= dword ptr 8
.text:0804856C arg_4= dword ptr 0Ch
.text:0804856C
.text:0804856C push    ebp
.text:0804856D mov     ebp, esp
.text:0804856F and     esp, 0FFFFFFF0h
.text:08048572 sub     esp, 10h
.text:08048575 cmp     [ebp+arg_0], 2
.text:08048579 jz      short loc_8048597
.text:0804857B mov     eax, [ebp+arg_4]
.text:0804857E mov     eax, [eax]
.text:08048580 mov     [esp+4], eax
.text:08048584 mov     dword ptr [esp], offset format   ; "Usage: %s\n"
.text:0804858B call    _printf
.text:08048590 mov     eax, 1
.text:08048595 jmp     short locret_80485C8
.text:08048597 ; --------------------------------------------------------
.text:08048597
.text:08048597 loc_8048597:                         ; CODE XREF: main+D j
.text:08048597 mov     eax, [ebp+arg_4]
.text:0804859A add     eax, 4
.text:0804859D mov     eax, [eax]
.text:0804859F mov     [esp], eax
.text:080485A2 call    check_key
.text:080485A7 test    eax, eax
.text:080485A9 jnz     short loc_80485B7
.text:080485AB call    display_result
.text:080485B0 mov     eax, 0
.text:080485B5 jmp     short locret_80485C8
.text:080485B7 ; ----------------------------------------------------------
.text:080485B7
.text:080485B7 loc_80485B7:                         ; CODE XREF: main+3D j
.text:080485B7 mov     dword ptr [esp], offset s        ; "Sorry no flag for you"
.text:080485BE call    _puts
.text:080485C3 mov     eax, 2
.text:080485C8
.text:080485C8 locret_80485C8:                      ; CODE XREF: main+29 j
.text:080485C8                                      ; main+49 j
.text:080485C8 leave
.text:080485C9 retn
.text:080485C9 main endp
.text:080485C9
We can see calls to a couple of functions, 'check_key' and 'display_result', with 'check_key' called first. So we can make an educated guess: the input we enter is validated by 'check_key', and if it is correct 'display_result' is executed and prints out the key.
So we have to get execution to 'display_result', but before it there is a 'JNZ' instruction. This is the line that decides, based on the return value of 'check_key' (checked by the preceding 'test eax, eax'), whether 'display_result' runs or not.
Now, while debugging, when we reach the JNZ instruction set the Zero flag to 1 so that the jump is not taken and 'display_result' gets executed.
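As an added example (not from the original post), the same zero-flag trick written as a gdb command file; the addresses are the ones from the IDA listing above, and the binary is assumed to be ./four in the current directory:

```gdb
# Added example: force the check_key result to "pass" by setting ZF at the JNZ.
# Assumes ./four (32-bit ELF from the listing above) is in the current directory.
file ./four

# Stop on the JNZ itself, not after it: the preceding "test eax, eax" has already
# set ZF from check_key's return value, so changing eax here would have no effect.
break *0x080485A9

# Any argument works; argc must be 2 to get past the "Usage" check at 0x08048575.
run abcd

# ZF=1 iff check_key returned 0. With a wrong key we expect ZF clear here.
info registers eax eflags

# ZF is bit 6 (0x40) of EFLAGS. Setting it makes "jnz" fall through
# to "call display_result" at 0x080485AB instead of jumping to the "Sorry" path.
set $eflags = $eflags | 0x40
info registers eflags

continue
```

Run it with `gdb -q -x four.gdb`; the "Usage: %s" message means argc was not 2, and the "Sorry no flag for you" message means the breakpoint was hit after the jump had already been decided.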
Luckily our guess is right and we got the flag.