crackmes.de’s crackme_nasm by rezk2ll

The binary can be found on crackmes.one.

We have the binary. It’s an ELF 32-bit and it’s statically linked, so we will not be able to run ltrace(1) on it.

The binary asks for a flag and prints a validation message. As we can see, it loops while the given flag isn't correct.


Let’s see what is going on under the hood.

We face 4 functions:

  • Entrypoint at 0x804880
  • Failure at 0x8048112
  • Success at 0x8048132
  • ClearTerminal at 0x804814f

It might be interesting to find where the functions success and failure are called.

So, if the registers EBX and ECX are not equal we jump to failure, otherwise we jump to success.

If you take a look two lines above, the ECX register is filled with the address 0x80491b3 and EBX is filled with 0x80491a8. Those addresses are in the data segment. One address probably contains the flag typed on stdin and the other should contain the expected flag.

We have to find where the program gets the string from stdin.

Here there are two syscalls. The first one is a sys_write, which should print "Flag" given the length passed in EDX.

The second is more interesting: it's our sys_read. So the string from stdin will be stored at 0x80491a8 (EBX).

Now we have to know what ECX will contain before the comparison instruction, because we found earlier that ECX will be filled with the address 0x80491b3. Let's find the first occurrence of this address and follow it until the comparison instruction.

Ok, let's explain the block above. After the first line, EAX points to 0x80491b3. Each of the next 21 lines moves an ASCII character into the address pointed to by EAX and then increments EAX by one. It does something like strcpy(3).
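Rather than reading the characters off by hand, the mov/inc sequence can be replayed to rebuild the buffer. This is an added example, not code from the write-up; the disassembly it parses is a constructed sample in objdump Intel syntax, and the characters in it are made up (the real flag is only on the page's screenshot).

```python
import re

# Constructed sample in the style of the block described above: EAX is pointed
# at the buffer, then each byte is stored and EAX advanced. Made-up characters.
SAMPLE_DISASM = """\
08048090 <build_expected>:
 8048090:  mov    eax,0x80491b3
 8048095:  mov    BYTE PTR [eax],0x66
 8048098:  inc    eax
 8048099:  mov    BYTE PTR [eax],0x6c
 804809c:  inc    eax
 804809d:  mov    BYTE PTR [eax],0x61
 80480a0:  inc    eax
 80480a1:  mov    BYTE PTR [eax],0x67
 80480a4:  inc    eax
 80480a5:  mov    BYTE PTR [eax],0x0
 80480a6:  mov    ecx,0x80491b3
"""

MOV_EAX_IMM = re.compile(r"mov\s+eax,0x([0-9a-f]+)")
MOV_BYTE = re.compile(r"mov\s+BYTE PTR \[eax\],0x([0-9a-f]+)")
INC_EAX = re.compile(r"inc\s+eax")

def replay_writes(disasm):
    """Replay the mov/inc sequence; return {address: byte} for every store."""
    eax = None
    memory = {}
    for line in disasm.splitlines():
        if m := MOV_EAX_IMM.search(line):
            eax = int(m.group(1), 16)
        elif m := MOV_BYTE.search(line):
            if eax is None:
                raise ValueError("store through EAX before EAX was set")
            memory[eax] = int(m.group(1), 16)
        elif INC_EAX.search(line):
            eax += 1
    return memory

def recover_string(disasm, base):
    """Read consecutive bytes from base until a NUL or a gap in the stores."""
    memory = replay_writes(disasm)
    out = bytearray()
    addr = base
    while addr in memory and memory[addr] != 0:
        out.append(memory[addr])
        addr += 1
    return out.decode("ascii")
```

Feeding it the real disassembly of the block (objdump -M intel output) and the base 0x80491b3 yields the expected flag as a string.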

Now we just have to display those ASCII characters:

Done ✅