Modern Binary
Exploitation Writeups-0x03

This is the 3rd writeup of Tools and Basic Reverse Engineering by RPISEC, a subpart of Modern Binary Exploitation Course.

Link of lectures:- http://security.cs.rpi.edu/courses/binexp-spring2015/

All the lecture materials and other necessary files are available on the above link to check it out.

⬅️ Previous writeup__________________________________ Next WriteUp ➡️


crackme0x01

$./crackme0x01
crackme0x01

Cracking using radare2

radare2 crackme0x01 
[0x08048330]> aaa
[0x08048330]> pdf @ main
  • aa:- analyze all.
  • aaa:- analyze all with more info.
  • pdf:- print disassemble function.
radare2
main in radare2

At the location 0x0804842b there is cmp(compare) of local_4h with 0x149a. local_4h is a variable in which we store the input(password).

Conversion

Input the 0x149a(comapred value) as a int(5274).

Binary file

Cracking using gdb

$gdb crackme0x01
gdb-peda$ disassemble main
gdb-peda$ break *0x0804842b
Breakpoint 1 at 0x804842b
gdb-peda$ run

0x804842b cmp DWORD PTR [ebp-0x4],0x149a. PTR [ebp-0x4] is the variable which take the input(password) and compare with the 0x149a.

DWORD:- it refers to the double word, doubleword is 32 bit or 4 bytes(8 bit =1 byte).

PTR:- Abbreviation of Pointer.

[ebp-0x4]:- subtract 4 bytes from the ebp(base pointer) register, so now it is pointing to the first local variable of the subroutine.

Conversion
$p/d 0x149a
  • p:- print command (abbreviated p )
  • d:- Print as an integer in signed decimal.
$p/u 0x149a
  • p:- print command (abbreviated p )
  • u:- Print as an integer in unsigned decimal.

Converting ‘0x149a’ using python

$ python -c "print 0x149a"

Special thanks to Aleksey Covacevice for helping me.

Thanks for reading! If you enjoyed this story, please click the 👏 button and share to help others! Feel free to leave a comment 💬 below. Have feedback? Let’s connect on Twitter.

❤️ by inc0gnito