Hi there. In this blog I am going to explain how we can crack, or reverse engineer, a simple password checker program. This blog is also for beginners who are new to reverse engineering.
Here we can see that when we execute this binary it asks for an argument, the password. Our mission is to find that password.
Wrong password. Let's debug this program with GDB and find the valid password. So type gdb followed by the path to the binary (gdb passwd).
We know that every C program has a main function, so let's type disassemble main; this displays all the assembly instructions of the main function. Before disassembling I used set disassembly-flavor intel to get rid of the harder-to-read AT&T syntax. The disassembly looks complicated, but we can ignore most of it. We can see a cmp against 0x2, which is just 2; as I said, we need to ignore most of the other parts.
164 <+15>: cmp DWORD PTR [rbp-0x4],0x2
We can see 0x2, which means 2: something is being checked, and if it is not 2, the code jumps.
168 <+19>: jne 0x11c3 <main+110>
184 <+47>: call 0x1040 <printf@plt>
The call is to the function that displays text, printf, so we know that at 184 it is printing something.
19e <+73>: call 0x1050 <strcmp@plt>
Then comes the string compare. If you don't know what string compare is, you can read its man page:
man 3 strcmp
After that we can see test, which checks the value strcmp returned; strcmp returns 0 when the two strings are the same.
1a5 <+80>: jne 0x11b5 <main+96>
Here, if the value is not equal to zero, it jumps to main+96.
1b5 <+96>: lea rdi,[rip+0xe83]
1bc <+103>: call 0x1030 <puts@plt>
There are many more things you could look at here. Now I am going to create a breakpoint at main; to do that, type break main.
After creating the breakpoint we get
Breakpoint 1 at 0x1155, which corresponds to
155 <+0>: push rbp, the first instruction of the main function. The breakpoint is set, so now we can
run, and we hit the breakpoint. A breakpoint is a spot where the program stops running.
Breakpoint 1, 0x0000555555555155 in main ()
Now we can use
si to step one instruction.
0x0000555555555156: our address changed. Now we are going to use ni to step over each instruction (it steps over calls instead of into them).
As you can see, we pass through many instructions, and they match our disassembly. There is a printf at 0x00005555555551ca, and here we jumped: whatever was compared with 2 was not 2, so the jne at 0x0000555555555168 was taken, and then the program runs the puts function, which was the last function. Now we know that we didn't pass the password check, so we can run the program again with a random password as the argument.
After running, do the same:
ni, and again we arrive at
0x0000555555555168 in main ()
Will we jump again this time? No, because the value being compared is now equal to 2. So keep typing ni.
Cool, another printf function; the password check comes right after this printf.
Again we jumped here, which means the password is wrong, since this is the puts function. So let's create a breakpoint where that jump is decided. Type
break *0x00005555555551a3 and run the program again. Now
continue; this runs the program until we hit the next breakpoint. Here we need to change the eax value to zero (eax just refers to the lower 32 bits of the 64-bit rax register).
Type set $eax=0, then
info registers to confirm the change. Now type ni again to continue the program.
And boom, we bypassed the password verification 🙂
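To tie the disassembly and the GDB trace back to source, here is a C reconstruction of the checker written for this post; it is an added example, not the code behind the pastebin link, and the password string, the usage text and the "Access granted" message are constructed placeholders. The comments map each statement to the instructions shown above. It also makes the weakness visible: the whole decision hinges on the single value strcmp leaves in eax, which is exactly why set $eax=0 at the test instruction was enough.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder; the real program's password is not on the page. */
static const char SECRET[] = "placeholder_password";

/* The checker laid out in the same order as the disassembly in the post.
 * Returns the process exit status: 0 granted, 1 wrong password, 2 bad usage. */
int check_password(int argc, char **argv)
{
    /* main+15: cmp DWORD PTR [rbp-0x4],0x2 ; main+19: jne main+110
     * In unoptimised code [rbp-0x4] holds argc, so this demands exactly one argument. */
    if (argc != 2) {
        printf("usage: %s <password>\n", argv[0]);  /* usage text is constructed */
        return 2;
    }

    printf("Checking password...\n");               /* main+47: call printf@plt */

    /* main+73: call strcmp@plt  -> return value lands in eax (0 only on a match)
     * main+78: test eax,eax     -> sets ZF iff eax == 0
     * main+80: jne main+96      -> taken when the strings differ
     * Nothing else feeds the branch, so overwriting eax with 0 here flips it. */
    int result = strcmp(argv[1], SECRET);
    if (result != 0) {
        puts("Wrong password");                     /* main+96: lea rdi,[...] ; main+103: call puts@plt */
        return 1;
    }

    puts("Access granted");                         /* constructed success message */
    return 0;
}

int main(int argc, char **argv)
{
    return check_password(argc, argv);
}
```

Compile with gcc -O0 -o passwd passwd.c to get a layout close to the one in the post (optimisation would inline and reorder the compare); run it under gdb the same way and break *main+78 to land on the test instruction.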
C code: https://pastebin.com/raw/8zahDYNu
Thanks for reading