Mar 10, 2014

Download the file, extract it and check the file details using the 'file' command.
#file four
four: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x899a337216c40966fb57583c9ff45fcac0384cbb, not stripped

It says 'not stripped', so the symbol names are still in the binary. Running 'strings' on it shows those names but won't give out any flag.
Let's try to execute it from the terminal:
#./four
Usage: ./four

#./four abcd
Sorry no flag for you

So our next option is to disassemble it. I used IDA. The assembly of the main function gives us a few clues on how to crack it.
 public main
.text:0804856C main proc near                      ; DATA XREF: _start+17 o
.text:0804856C arg_0= dword ptr  8
.text:0804856C arg_4= dword ptr  0Ch
.text:0804856C push    ebp
.text:0804856D mov     ebp, esp
.text:0804856F and     esp, 0FFFFFFF0h
.text:08048572 sub     esp, 10h
.text:08048575 cmp     [ebp+arg_0], 2
.text:08048579 jz      short loc_8048597
.text:0804857B mov     eax, [ebp+arg_4]
.text:0804857E mov     eax, [eax]
.text:08048580 mov     [esp+4], eax
.text:08048584 mov     dword ptr [esp], offset format ; "Usage: %s \n"
.text:0804858B call    _printf
.text:08048590 mov     eax, 1
.text:08048595 jmp     short locret_80485C8
.text:08048597 ; --------------------------------------------------------
.text:08048597 loc_8048597:                          ; CODE XREF: main+D j
.text:08048597 mov     eax, [ebp+arg_4]
.text:0804859A add     eax, 4
.text:0804859D mov     eax, [eax]
.text:0804859F mov     [esp], eax
.text:080485A2 call    check_key
.text:080485A7 test    eax, eax
.text:080485A9 jnz     short loc_80485B7
.text:080485AB call    display_result
.text:080485B0 mov     eax, 0
.text:080485B5 jmp     short locret_80485C8
.text:080485B7 ; ----------------------------------------------------------
.text:080485B7 loc_80485B7:                          ; CODE XREF: main+3D j
.text:080485B7 mov     dword ptr [esp], offset s ; "Sorry no flag for you"
.text:080485BE call    _puts
.text:080485C3 mov     eax, 2
.text:080485C8 locret_80485C8:                       ; CODE XREF: main+29 j
.text:080485C8                                       ; main+49 j
.text:080485C8 leave
.text:080485C9 retn
.text:080485C9 main endp

We can see calls to two functions, 'check_key' and 'display_result', and 'check_key' is called first. Its argument is argv[1]: main loads [ebp+arg_4] (argv), adds 4 and dereferences it before the call. So we can make an educated guess that the input we enter will be validated by 'check_key', and if it's correct 'display_result' will be executed and will give out the key.
So we have to get execution to the 'display_result' function, but before it there is a 'JNZ' instruction. The 'test eax, eax' just before it sets the Zero flag from the return value of 'check_key': if 'check_key' returned 0 the jump is not taken and 'display_result' runs, and any non-zero return value jumps to the 'Sorry no flag for you' branch. (Note also that main first checks that argc is 2, so the binary must be run with exactly one argument or it only prints the usage message.)
Now while debugging, run the binary with any argument, break on the JNZ and set the Zero flag to 1 so that the jump does not happen and 'display_result' gets executed.
Luckily our guess was right and we got the flag.
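Flipping the Zero flag by hand works for one run, but the same result can be made permanent by patching the conditional jump out of the file, which is what you want if the flag must be recovered repeatedly or on a machine without a debugger. The script below is an added example for this write-up, not code from the original post or from the CTF. It assumes the addresses and encoding shown in the IDA listing above (the 'jnz short loc_80485B7' at 0x080485A9 is 2 bytes, 75 0C, since 0x080485AB + 0x0C = 0x080485B7) and that the target is a 32-bit little-endian ELF. It maps the virtual address to a file offset through the PT_LOAD program headers instead of assuming a fixed base, and refuses to write unless the bytes at that offset are really the expected 'jnz'. The in-memory sample ELF it builds is constructed for testing and is not the real 'four' binary.

```python
"""Patch the 'jnz' after check_key out of the binary so display_result always runs.

Added example for this write-up, not code from the original post. Assumes the
addresses and bytes from the IDA listing (jnz at 0x080485A9 encoded as 75 0C) and
a 32-bit little-endian ELF with PT_LOAD segments. build_sample_elf() is a
constructed stand-in for testing, not the real 'four' binary.
"""
import struct
import sys

PT_LOAD = 1
JNZ_VADDR = 0x080485A9      # "jnz short loc_80485B7" in the listing
JNZ_BYTES = b"\x75\x0c"     # jnz rel8; 0x080485AB + 0x0C == 0x080485B7
NOP_NOP = b"\x90\x90"       # same length as the jnz, so nothing after it shifts


def load_segments(data):
    """Yield (p_offset, p_vaddr, p_filesz) for each PT_LOAD program header."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz = struct.unpack_from(
            "<IIIII", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            yield p_offset, p_vaddr, p_filesz


def vaddr_to_offset(data, vaddr):
    """Map a virtual address from the disassembly to a file offset via the segment table."""
    for p_offset, p_vaddr, p_filesz in load_segments(data):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("0x%08x is not backed by file contents" % vaddr)


def patch_jnz(data, vaddr=JNZ_VADDR):
    """Return a copy of the image with the conditional jump at vaddr replaced by two NOPs.

    Refuses to patch unless the original bytes are the expected 'jnz', so a wrong
    address or a different build is caught instead of silently corrupting code.
    """
    off = vaddr_to_offset(data, vaddr)
    found = data[off:off + len(JNZ_BYTES)]
    if found != JNZ_BYTES:
        raise ValueError("unexpected bytes at 0x%08x: %s" % (vaddr, found.hex()))
    return data[:off] + NOP_NOP + data[off + len(NOP_NOP):]


def build_sample_elf():
    """Constructed stand-in for 'four' (test data only): one PT_LOAD mapping file
    offset 0 to 0x08048000, with 'test eax, eax ; jnz +0x0C' from the listing at 0x080485A7."""
    size = 0x600
    ehdr = struct.pack("<16sHHIIIIIHHHHHH",
                       b"\x7fELF\x01\x01\x01" + b"\x00" * 9,   # ELFCLASS32, ELFDATA2LSB
                       2, 3, 1, 0x08048320,                     # ET_EXEC, EM_386, EV_CURRENT, e_entry
                       52, 0, 0,                                # e_phoff, e_shoff, e_flags
                       52, 32, 1, 40, 0, 0)                     # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x08048000, 0x08048000,
                       size, size, 5, 0x1000)                   # p_flags 5 = PF_R | PF_X
    img = bytearray(size)
    img[:52] = ehdr
    img[52:84] = phdr
    img[0x5A7:0x5AB] = b"\x85\xc0" + JNZ_BYTES                  # test eax, eax ; jnz +0x0C
    return bytes(img)


if __name__ == "__main__":
    # usage: python patch_four.py four four.patched
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        patched = patch_jnz(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print("patched jnz at 0x%08x; chmod +x %s and run it with any argument" % (JNZ_VADDR, dst))
```

The debugger equivalent of the patch, for a single run, is to break on the jump and set the Zero flag before continuing; in gdb that is 'break *0x080485A9', 'run abcd', 'set $eflags |= 0x40' (ZF is bit 6 of EFLAGS) and 'continue'. One caveat applies to both approaches: if 'display_result' derived the flag from the key instead of just printing a stored value, skipping 'check_key' would only get you garbage, so the first thing to look at after this trick is whether the output actually looks like a flag.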
