The basics of how a simple passworded file can be hacked using 4 different tools

Bilal Khan
12 min read · Feb 28, 2016


Digital security has become very important in the past few years, with so much software being hacked every day. This trend has created the need for better security with additional layers. This article is a beginner's guide to how a simple file written in C and secured with a password can be hacked using a number of different tools. The file we will use for this tutorial can be found here with the name a.out (this program was written in C and compiled with gcc).

So first of all, let's try to enter a random password and see what happens.

$ ./a.out password
Access denied :(
See you next time hacker!

It turns out that if you enter a wrong password, the file deletes itself. That's a neat trick, but the Linux command chattr +i a.out comes to the rescue! It marks the file immutable, so nobody can delete it; even a root user won't have permission to delete it (unless the attribute is cleared again with chattr -i a.out).

$ chattr +i a.out

The first step is to check the file with the file command.

$ file a.out
a.out: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=ae99fe8f21f8d67f97ec804add59ccfc2eb6f406, not stripped

Luckily, this file is not stripped (which makes things easier for us). Our first bet is the strings command, which prints every run of printable characters in the file; if the password is simply stored as a string literal, we can read it straight out.

$ strings ./a.out
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
printf
execve
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-X
UH-X
[]A\A]A^A_
Usage: %s password
See you next time hacker!
/bin/rm
#cisfun! :);
Try again later
#cisfun
YES it is fun isn’t is? :)
But this is not the right password.
.symtab
Access granted \o/
Access denied :(
;*3$"
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04) 4.8.4
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6973
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
main.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
data_start
puts@@GLIBC_2.2.5
_edata
_fini
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
execve@@GLIBC_2.2.5
__data_start
strcmp@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
_end
_start
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
_init

Too lazy to try all of these manually? Let's write a simple bash script that brute-forces the password using the output of the strings command.

$ cat > script.sh
#!/bin/bash
# Try every string found in the binary as the password. A wrong guess makes
# the program delete itself, so each attempt runs against a fresh copy.
# $(strings ./a.out) is left unquoted so each whitespace-separated word is tried.
for passwrd in $(strings ./a.out)
do
    printf "Trying: %s \n" "$passwrd"
    cp a.out temp.out
    ./temp.out "$passwrd"
    printf "\n"
done
$ chmod +x script.sh

But the output of this script is too long to show here, so why not go one step further and let the script spot the success for us? Let's change the script to this and run it:

$ cat > script2.sh
#!/bin/bash
# Same brute force, but stop as soon as an attempt produces output that is not
# the "Access denied" message. When stdout is a pipe, a failed attempt leaves no
# output at all: its messages sit in the stdio buffer, which is thrown away when
# the program execve()s /bin/rm. Only a successful run prints anything.
for passwrd in $(strings ./a.out)
do
    cp a.out temp.out
    bilal=$(./temp.out "$passwrd" | grep -v "Access denied :(")
    echo "Trying: $passwrd"
    if [ "$bilal" != '' ]
    then
        printf "\nThe password is: %s\n" "$passwrd"
        exit 0
    fi
done
$ chmod +x script2.sh
$ ./script2.sh
Trying: /lib64/ld-linux-x86-64.so.2
Trying: libc.so.6
Trying: puts
Trying: printf
Trying: execve
Trying: strcmp
Trying: __libc_start_main
Trying: __gmon_start__
Trying: GLIBC_2.2.5
Trying: UH-X
Trying: UH-X
Trying: []A\A]A^A_
Trying: Usage:
Trying: %s
Trying: password
Trying: See
Trying: you
Trying: next
Trying: time
Trying: hacker!
Trying: /bin/rm
Trying: #cisfun!
Trying: :);
Trying: Try
Trying: again
Trying: later
Trying: #cisfun
Trying: YES
Trying: it
Trying: is
Trying: fun
Trying: isn't
Trying: is?
Trying: :)
Trying: But
Trying: this
Trying: is
Trying: not
Trying: the
Trying: right
Trying: password.
Trying: .symtab
The password is: .symtab

Tada! We have the password. But we are not going to stop here; let's try this with some other tools, starting with ltrace.

ltrace is a program that simply runs the specified command until it exits. It intercepts and records the dynamic library calls which are called by the executed process and the signals which are received by that process. It can also intercept and print the system calls executed by the program.

Let's try out ltrace on the file with a random password (also try it with no password and compare the output):

$ ltrace ./a.out whyyounoopen
__libc_start_main(0x40060d, 2, 0x7ffdd189dd88, 0x400760 <unfinished ...>
strcmp("whyyounoopen", "#cisfun") = 84
strcmp("whyyounoopen", ".symtab") = 73

puts("Access denied :("Access denied :(
) = 17
puts("See you next time hacker!"See you next time hacker!
) = 26
execve(0x400819, 0x7ffdd189dc90, 0x7ffdd189dda0, -1 <no return ...>
--- Called exec() ---
__libc_start_main(0x401bd0, 2, 0x7fff0bd615a8, 0x4096b0 <unfinished ...>
strrchr("-f", '/') = nil
setlocale(LC_ALL, "") = "en_US.UTF-8"
bindtextdomain("coreutils", "/usr/share/locale") = "/usr/share/locale"
textdomain("coreutils") = "coreutils"
__cxa_atexit(0x403510, 0, 0, 0x736c6974756572) = 0
isatty(0) = 1
getopt_long(2, 0x7fff0bd615a8, "dfirvIR", 0x40a1e0, nil) = -1
malloc(128) = 0xe76030
strlen("./a.out") = 7
realloc(0, 4352) = 0xe760c0
malloc(272) = 0xe771d0
memcpy(0xe772d8, "", 0) = 0xe772d8
strlen("./a.out") = 7
OUTPUT TRUNCATED TO NOT BORE YOU!

The program calls strcmp twice, comparing the input password with two predefined strings, "#cisfun" and ".symtab". That is very fishy. Trying them both, it turns out .symtab is the password! (for readers who just jumped to this section out of nowhere)

Let's bring out the heavyweight champion now: gdb. This is going to be fun!

$ gdb a.out
(gdb)

Let's list all the functions used in the file.

(gdb) info functions
All defined functions:
Non-debugging symbols:
0x0000000000400488 _init
0x00000000004004c0 puts@plt
0x00000000004004d0 printf@plt
0x00000000004004e0 __libc_start_main@plt
0x00000000004004f0 execve@plt
0x0000000000400500 strcmp@plt
0x0000000000400510 __gmon_start__@plt
0x0000000000400520 _start
0x0000000000400550 deregister_tm_clones
0x0000000000400580 register_tm_clones
0x00000000004005c0 __do_global_dtors_aux
0x00000000004005e0 frame_dummy
0x000000000040060d main
0x0000000000400760 __libc_csu_init
0x00000000004007d0 __libc_csu_fini
0x00000000004007d4 _fini
(gdb)

strcmp again? That is of concern. Let's dig further: we should disassemble the main function and start from there.

(gdb) disassemble main
Dump of assembler code for function main:
0x000000000040060d <+0>: push %rbp
0x000000000040060e <+1>: mov %rsp,%rbp
0x0000000000400611 <+4>: sub $0x30,%rsp
0x0000000000400615 <+8>: mov %edi,-0x14(%rbp)
0x0000000000400618 <+11>: mov %rsi,-0x20(%rbp)
0x000000000040061c <+15>: mov %rdx,-0x28(%rbp)
0x0000000000400620 <+19>: movq $0x4007e8,-0x10(%rbp)
0x0000000000400628 <+27>: mov -0x20(%rbp),%rax
0x000000000040062c <+31>: mov (%rax),%rax
0x000000000040062f <+34>: mov %rax,-0x8(%rbp)
0x0000000000400633 <+38>: cmpl $0x2,-0x14(%rbp)
0x0000000000400637 <+42>: je 0x400673 <main+102>
0x0000000000400639 <+44>: mov -0x20(%rbp),%rax
0x000000000040063d <+48>: mov (%rax),%rax
0x0000000000400640 <+51>: mov %rax,%rsi
0x0000000000400643 <+54>: mov $0x4007eb,%edi
0x0000000000400648 <+59>: mov $0x0,%eax
0x000000000040064d <+64>: callq 0x4004d0 <printf@plt>
0x0000000000400652 <+69>: mov $0x4007ff,%edi
0x0000000000400657 <+74>: callq 0x4004c0 <puts@plt>
0x000000000040065c <+79>: mov -0x28(%rbp),%rdx
0x0000000000400660 <+83>: lea -0x10(%rbp),%rax
0x0000000000400664 <+87>: mov %rax,%rsi
0x0000000000400667 <+90>: mov $0x400819,%edi
0x000000000040066c <+95>: callq 0x4004f0 <execve@plt>
0x0000000000400671 <+100>: jmp 0x4006b1 <main+164>
0x0000000000400673 <+102>: cmpl $0x62,-0x14(%rbp)
0x0000000000400677 <+106>: jne 0x4006b1 <main+164>
0x0000000000400679 <+108>: mov $0x400821,%edi
0x000000000040067e <+113>: mov $0x0,%eax
0x0000000000400683 <+118>: callq 0x4004d0 <printf@plt>
0x0000000000400688 <+123>: mov $0x40082e,%edi
0x000000000040068d <+128>: callq 0x4004c0 <puts@plt>
0x0000000000400692 <+133>: mov $0x4007ff,%edi
0x0000000000400697 <+138>: callq 0x4004c0 <puts@plt>
0x000000000040069c <+143>: mov -0x28(%rbp),%rdx
0x00000000004006a0 <+147>: lea -0x10(%rbp),%rax
0x00000000004006a4 <+151>: mov %rax,%rsi
0x00000000004006a7 <+154>: mov $0x400819,%edi
0x00000000004006ac <+159>: callq 0x4004f0 <execve@plt>
0x00000000004006b1 <+164>: mov -0x20(%rbp),%rax
0x00000000004006b5 <+168>: add $0x8,%rax
0x00000000004006b9 <+172>: mov (%rax),%rax
0x00000000004006bc <+175>: mov $0x40083e,%esi
0x00000000004006c1 <+180>: mov %rax,%rdi
0x00000000004006c4 <+183>: callq 0x400500 <strcmp@plt>
0x00000000004006c9 <+188>: test %eax,%eax
0x00000000004006cb <+190>: jne 0x400702 <main+245>
0x00000000004006cd <+192>: mov $0x400846,%edi
0x00000000004006d2 <+197>: callq 0x4004c0 <puts@plt>
0x00000000004006d7 <+202>: mov $0x400868,%edi
0x00000000004006dc <+207>: callq 0x4004c0 <puts@plt>
0x00000000004006e1 <+212>: mov $0x4007ff,%edi
0x00000000004006e6 <+217>: callq 0x4004c0 <puts@plt>
0x00000000004006eb <+222>: mov -0x28(%rbp),%rdx
0x00000000004006ef <+226>: lea -0x10(%rbp),%rax
0x00000000004006f3 <+230>: mov %rax,%rsi
0x00000000004006f6 <+233>: mov $0x400819,%edi
0x00000000004006fb <+238>: callq 0x4004f0 <execve@plt>
0x0000000000400700 <+243>: jmp 0x400758 <main+331>
0x0000000000400702 <+245>: mov -0x20(%rbp),%rax
0x0000000000400706 <+249>: add $0x8,%rax
0x000000000040070a <+253>: mov (%rax),%rax
0x000000000040070d <+256>: mov $0x40088c,%esi
0x0000000000400712 <+261>: mov %rax,%rdi
0x0000000000400715 <+264>: callq 0x400500 <strcmp@plt>
0x000000000040071a <+269>: test %eax,%eax
0x000000000040071c <+271>: jne 0x40072f <main+290>
0x000000000040071e <+273>: mov $0x400894,%edi
0x0000000000400723 <+278>: callq 0x4004c0 <puts@plt>
0x0000000000400728 <+283>: mov $0x0,%eax
0x000000000040072d <+288>: jmp 0x40075d <main+336>
0x000000000040072f <+290>: mov $0x4008a7,%edi
0x0000000000400734 <+295>: callq 0x4004c0 <puts@plt>
0x0000000000400739 <+300>: mov $0x4007ff,%edi
0x000000000040073e <+305>: callq 0x4004c0 <puts@plt>
0x0000000000400743 <+310>: mov -0x28(%rbp),%rdx
0x0000000000400747 <+314>: lea -0x10(%rbp),%rax
0x000000000040074b <+318>: mov %rax,%rsi
0x000000000040074e <+321>: mov $0x400819,%edi
0x0000000000400753 <+326>: callq 0x4004f0 <execve@plt>
0x0000000000400758 <+331>: mov $0x1,%eax
0x000000000040075d <+336>: leaveq
0x000000000040075e <+337>: retq
End of assembler dump.
(gdb)

There are two calls to strcmp in main, and we should definitely investigate them further. Let's put a breakpoint on the addresses of both call instructions.

(gdb) b *0x00000000004006c4
Breakpoint 1 at 0x4006c4
(gdb) b *0x0000000000400715
Breakpoint 2 at 0x400715
(gdb)

Let's run the program with a random password and stop at breakpoint 1. For a quick first look, our best bet is to check the values of the registers at each breakpoint.

(gdb) run thisbetterwork
Starting program: /home/user/a.out thisbetterwork
Breakpoint 1, 0x00000000004006c4 in main ()
(gdb) info reg
rax 0x7fffffffe83a 140737488349242
rbx 0x0 0
rcx 0x0 0
rdx 0x7fffffffe5f0 140737488348656
rsi 0x40083e 4196414
rdi 0x7fffffffe83a 140737488349242
rbp 0x7fffffffe4f0 0x7fffffffe4f0
rsp 0x7fffffffe4c0 0x7fffffffe4c0
r8 0x7ffff7dd4e80 140737351863936
r9 0x7ffff7dea560 140737351951712
r10 0x7fffffffe380 140737488348032
r11 0x7ffff7a36dd0 140737348070864
r12 0x400520 4195616
r13 0x7fffffffe5d0 140737488348624
r14 0x0 0
r15 0x0 0
rip 0x4006c4 0x4006c4 <main+183>
eflags 0x212 [ AF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)

I'll cut this short: check the rsi register (which holds the second argument passed to strcmp), continue to the next breakpoint, and check rsi again.

(gdb) print (char *) $rsi
$1 = 0x40083e "#cisfun"
(gdb) continue
Continuing.
Breakpoint 2, 0x0000000000400715 in main ()
(gdb) print (char *) $rsi
$2 = 0x40088c ".symtab"
(gdb)

You can see the password “.symtab” there!

Ok, that was a bit of luck. Let's do this again (starting from the beginning, with no breakpoints) and use some technical knowledge of assembly language. Scroll up and look right before the second strcmp call: it loads the address 0x40088c into the esi register. Here are those specific lines copied out:

0x000000000040070d <+256>: mov $0x40088c,%esi
0x0000000000400712 <+261>: mov %rax,%rdi
0x0000000000400715 <+264>: callq 0x400500 <strcmp@plt>

Let's put a breakpoint at 0x000000000040070d, run the program with a random password, and print the string at address 0x40088c.

(gdb) b *0x000000000040070d
Breakpoint 1 at 0x40070d
(gdb) run hellofromtheotherside
Starting program: /home/user/a.out hellofromtheotherside
Breakpoint 1, 0x000000000040070d in main ()
(gdb) print (char *) 0x40088c
$1 = 0x40088c ".symtab"
(gdb)

And we have that password again! Assembly is fun, right?

As the last tool, we are going to use objdump to find the password. Let's display the contents of the dynamic symbol table first.

$ objdump -T a.out
a.out: file format elf64-x86-64
DYNAMIC SYMBOL TABLE:
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 puts
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 printf
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 __libc_start_main
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 execve
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 strcmp
0000000000000000 w D *UND* 0000000000000000 __gmon_start__

Again, strcmp is what matters to us. Let's first display the full contents of all the sections and manually inspect the output for any viable passwords. Who knows, we might get lucky.

$ objdump -s a.out
a.out: file format elf64-x86-64
Contents of section .interp:
(hex dump of the sections .interp through .fini omitted)
Contents of section .rodata:
4007e0 01000200 00000000 2d660055 73616765 ........-f.Usage
4007f0 3a202573 20706173 73776f72 640a0053 : %s password..S
400800 65652079 6f75206e 65787420 74696d65 ee you next time
400810 20686163 6b657221 002f6269 6e2f726d hacker!./bin/rm
400820 00236369 7366756e 21203a29 3b005472 .#cisfun! :);.Tr
400830 79206167 61696e20 6c617465 72002363 y again later.#c
400840 69736675 6e005945 53206974 20697320 isfun.YES it is
400850 66756e20 69736e27 74206973 3f203a29 fun isn't is? :)
400860 00000000 00000000 42757420 74686973 ........But this
400870 20697320 6e6f7420 74686520 72696768 is not the righ
400880 74207061 7373776f 72642e00 2e73796d t password...sym
400890 74616200 41636365 73732067 72616e74 tab.Access grant
4008a0 6564205c 6f2f0041 63636573 73206465 ed \o/.Access de
4008b0 6e696564 203a2800 nied :(.
(hex dump of the sections .eh_frame_hdr through .comment omitted)

Have a look at the contents of the .rodata section: the password is in plain sight!
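To see what the strings step and the objdump -s step above are actually recovering, here is an added example (my own code, not the article's or its a.out) that parses the ELF64 section headers and lists the printable runs of just the .rodata section. SAMPLE_RODATA and the tiny ELF built around it are constructed to mirror the .rodata dump above; scoping the scan to .rodata drops the section and symbol names that bloated the brute-force list earlier.

```python
import struct

# Constructed sample (not the article's a.out): the literals of its .rodata
# section as shown by objdump -s above, laid out the same way (NUL separated,
# the usage string ending in a newline, the "-f" argument for /bin/rm first).
SAMPLE_RODATA = (
    b"\x01\x00\x02\x00\x00\x00\x00\x00-f\x00Usage: %s password\n\x00"
    b"See you next time hacker!\x00/bin/rm\x00#cisfun! :);\x00Try again later\x00"
    b"#cisfun\x00YES it is fun isn't is? :)\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"But this is not the right password.\x00.symtab\x00"
    b"Access granted \\o/\x00Access denied :(\x00"
)

def printable_runs(data, min_len=4):
    """What `strings` does: every run of at least min_len printable ASCII bytes."""
    out, run = [], bytearray()
    for b in data + b"\x00":                 # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F or b == 0x09:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out

def elf64_sections(data):
    """Yield (name, file offset, size) for each section of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = []
    for i in range(e_shnum):
        # Elf64_Shdr starts: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        name_idx, _type, _flags, _addr, off, size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        hdrs.append((name_idx, off, size))
    _, str_off, str_size = hdrs[e_shstrndx]      # .shstrtab holds the section names
    shstrtab = data[str_off:str_off + str_size]
    for name_idx, off, size in hdrs:
        name = shstrtab[name_idx:shstrtab.index(b"\x00", name_idx)]
        yield name.decode("ascii", "replace"), off, size

def section_strings(data, section=".rodata", min_len=4):
    """Literals of one section only: the strcmp() candidates, without the symbol
    and section names that a whole-file `strings` mixes in."""
    for name, off, size in elf64_sections(data):
        if name == section:
            return printable_runs(data[off:off + size], min_len)
    raise ValueError("no %s section" % section)

def build_elf64(rodata):
    """Constructed fixture: a minimal ELF64 image holding just .rodata and .shstrtab."""
    shstrtab = b"\x00.rodata\x00.shstrtab\x00"
    rodata_off = 64                                # straight after the 64-byte ELF header
    shstrtab_off = rodata_off + len(rodata)
    shoff = shstrtab_off + len(shstrtab)
    shoff += -shoff % 8                            # align the section header table
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8       # ELFCLASS64, LSB, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 3, 2)

    def shdr(name_idx, sh_type, off, size):        # one 64-byte Elf64_Shdr
        return struct.pack("<IIQQQQIIQQ", name_idx, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    img = ehdr + rodata + shstrtab
    img += b"\x00" * (shoff - len(img))
    img += shdr(0, 0, 0, 0)                        # SHT_NULL entry
    img += shdr(1, 1, rodata_off, len(rodata))     # .rodata   (SHT_PROGBITS)
    img += shdr(9, 3, shstrtab_off, len(shstrtab)) # .shstrtab (SHT_STRTAB)
    return img
```

Run `section_strings(build_elf64(SAMPLE_RODATA))` to get the eleven .rodata literals, or pass the bytes of a real ELF64 binary read from disk; `printable_runs` over the whole image reproduces the noisier list that `strings` gives.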

Note: Protecting a file by comparing the input against a hardcoded password with this function is a bad idea. As you can see, the password is easily found by looking for the strings it compares against, and while the comparison is running we can simply dig through the registers to find them. As the tutorial above shows, it didn't take much time to hack it.

This article is for educational purposes only. Follow me on GitHub.
