This time I’m tackling this crackme called Mexican. In order to solve this, we will use radare2’s to analyze the binary and find the flag. Then we’ll have to patch the binary in order for it to output the flag. Let’s jump right in!
If we open the binary using radare2 and go to the main function we see a call to the flag function… but something is odd 🤔
After executing __main it compares the value 0xC1 with itself (lines 0x0040163a and 0x00401642) and it will call the flag function only if 0xc1 is bigger than 0xc1. This will, of course never happen so, in order to get the flag we could one of the following:
- Go to the flag function and gather the flag directly from the code
- Patch the binary to make the condition working
Solution 2: Extracting the flag form the code
In order to do this, we need to use the repetitive pattern used in the binary to our advantage.
We can see each instruction loading a char into the string is
mov byte [eax], XX and the bytecode for each one of those instructions is
c600XX being XX the hex value of the character.
So, if we search for
c600 then extract the following byte we will get our flag char by char, same method as it is built inside the function. Here’s a python script using r2pipe which does just that:
Solution 2: Binary patching
In this case, we can use r2pipe to go to the “problematic” instruction and change just one bit. The comparison is being made between *var_1ch (which we know is 0xc1 from the previous line) and a hardcoded value 0xc1. Wouldn’t it be great if we could change the hardcoded value to 0xc0, effectively inverting the condition?
Of course! Now, how do we do this using r2pipe? I wrote the following script that does the job:
Now if we execute the cracked binary we get the flag instead of the “try harder” message. Here you can see both scripts in action and the difference between the original and the cracked binary: