Finally! I have some spare time to test out the new RE tool (Ghidra) and to write this story now that I have finished my Final Year Project. Today I will demonstrate the basic functions of Ghidra and radare2 by solving a simple reverse-engineering challenge from crackmes.one.
Objective:
Find the password that leads to the strings “Login Successful”.
Topics Covered:
1. Basic Ghidra functions (static analysis)
2. Radare2 (dynamic analysis)
Descriptions:
First, go to Window > Defined Strings to list all the strings contained in the binary file.
We can see that there is a "Login successful" and a "Login failed" in the list. Let's click on "Login successful" and look at the disassembly.
Clicking the string takes us to its address in the data section of the binary (it is a string constant in memory, not a register). From there, check the cross-references (XREFs) to that "Login successful" address to find the code that uses it.
Then follow the cross-references once more to find the function that calls this one.
Tada!! That brings us to the main function of the program. From there, we can see the overall structure of the binary in the Decompile window on the right-hand side of the figure above.
Overview of the code structure:
- Get input
- Stored password (XOR-obfuscated rather than truly encrypted)
- Check input length
- Validate password
- Print "Login successful" or "Login failed"
For ease of understanding:
Inside the password::password constructor, some random-looking strings and the constant 0x42 ('B') were found.
In the password::checkPassword function, the user input is XORed byte by byte with a key, and the XORed result is compared with a string copied from another part of the binary.
However, this still leaves three things unknown: the expected password length, the XOR key actually used, and the string the result is compared against. Therefore, I performed a dynamic analysis with radare2 to read those remaining values out of the registers at runtime.
Length of password:
eax = 0x7 (7 in decimal)
The password string to be compared against:
rdx = .-8.4.p
It also has length 7. (One check worth doing here: radare2 prints non-printable bytes as '.', so confirm with a hex dump of the buffer that these dots really are literal 0x2E bytes before XORing them.)
XOR key:
eax = 0x42 ('B' in ASCII)
A simple Python script will do for the XOR task. Flag get!!
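The script below is an added example, not the author's own script: it undoes the XOR on the compared string using the values recovered above, re-implements the binary's length-then-compare check to confirm the result, and goes one step beyond the write-up by brute-forcing all 256 single-byte keys, which is what you would do had the key not been visible in the constructor. It assumes the compare string ".-8.4.p" is the literal seven bytes radare2 printed (the dots being real 0x2E bytes, not radare2's placeholder for non-printable bytes) and that the key is the single byte 0x42; the constants and function names are mine.

```python
# Added example (not the write-up's own script): recover the password from the
# values observed in radare2. Assumptions: the compare string ".-8.4.p" is the
# literal 7 bytes radare2 printed (the '.' are real 0x2E bytes, not radare2's
# placeholder for non-printable bytes) and the XOR key is the single byte 0x42.
from typing import Dict

COMPARE_STRING = b".-8.4.p"  # rdx at the comparison (constructed from the write-up)
XOR_KEY = 0x42               # eax, the constant seen in password::password
EXPECTED_LENGTH = 7          # eax at the length check in password::checkPassword


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse, so the
    same function both obfuscates the stored password and recovers it."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def check_password(candidate: bytes,
                   key: int = XOR_KEY,
                   stored: bytes = COMPARE_STRING,
                   length: int = EXPECTED_LENGTH) -> bool:
    """Re-implementation of the check as the decompilation describes it:
    length check first, then the XORed input is compared with the stored string."""
    if len(candidate) != length:
        return False
    return xor_bytes(candidate, key) == stored


def recover_password(stored: bytes = COMPARE_STRING, key: int = XOR_KEY) -> bytes:
    """Undo the XOR, then confirm the result passes our copy of the check."""
    password = xor_bytes(stored, key)
    if not check_password(password, key, stored, len(stored)):
        raise RuntimeError("recovered password does not pass the check")
    return password


def candidate_keys(stored: bytes) -> Dict[int, bytes]:
    """Beyond the write-up: a single-byte XOR key is trivially brute-forced.
    Return every key that decodes the stored string to printable ASCII, so the
    real password can be picked out by eye even when the key was never found."""
    results: Dict[int, bytes] = {}
    for key in range(256):
        plain = xor_bytes(stored, key)
        if all(0x20 <= b < 0x7F for b in plain):
            results[key] = plain
    return results


if __name__ == "__main__":
    print("password:", recover_password().decode("ascii"))
    print("printable candidates from brute force:", len(candidate_keys(COMPARE_STRING)))
```

If the recovered string contains odd characters, the dots in rdx were most likely masking non-printable bytes; re-dump the buffer in radare2 as hex and feed the real bytes into COMPARE_STRING.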
Thank you 3000, Ghidra and radare2 :D