{"id":10755,"date":"2021-03-21T11:12:06","date_gmt":"2021-03-21T11:12:06","guid":{"rendered":"http:\/\/www.max-sperling.bplaced.net\/?p=10755"},"modified":"2024-02-16T10:16:29","modified_gmt":"2024-02-16T10:16:29","slug":"crackmes-example-1","status":"publish","type":"post","link":"http:\/\/www.max-sperling.bplaced.net\/?p=10755","title":{"rendered":"crackmes.one (Example 1)"},"content":{"rendered":"<p><strong>Setup<\/strong><\/p>\n<p><u>Data<\/u><\/p>\n<ul>\n<li>URL: <a href=\"https:\/\/crackmes.one\/crackme\/5c11e2f333c5d41e58e0057a\">nutcake&#8217;s WhiteRabbit<\/a><\/li>\n<li>Language: C\/C++<\/li>\n<li>Platform: Unix\/Linux (ELF64)<\/li>\n<li>Description: &#8220;Can you find the rabbit hole cof cof, I mean, the hidden function?&#8221;<\/li>\n<\/ul>\n<p><u>Output<\/u><\/p>\n<pre>\r\n$ .\/hidden\r\nThe only way out is inward\r\n\r\n\r\n\r\n\r\n\r\n...Voce consegue achar a funcao escondida?\r\n<\/pre>\n<hr>\n<p><strong>Analysis<\/strong><\/p>\n<p><u>Tools<\/u><br \/>\nCutter\/Radare2<\/p>\n<p><u>Disassembly<\/u> (Origin)<\/p>\n<pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\r\n144: secret ();\r\n; var int64_t var_fh @ rbp-0xf\r\n; var int64_t var_eh @ rbp-0xe\r\n; var int64_t var_dh @ rbp-0xd\r\n; var int64_t var_ch @ rbp-0xc\r\n; var int64_t var_8h @ rbp-0x8\r\n; var int64_t var_4h @ rbp-0x4\r\n0x00001145      push    rbp\r\n0x00001146      mov     rbp, rsp\r\n0x00001149      sub     rsp, 0x10\r\n0x0000114d      mov     dword [var_4h], 5\r\n0x00001154      mov     dword [var_8h], 3\r\n0x0000115b      mov     dword [var_ch], 4\r\n0x00001162      mov     byte [var_dh], 0x73 ; &#039;s&#039;\r\n0x00001166      mov     byte [var_eh], 0x64 ; &#039;d&#039;\r\n0x0000116a      mov     byte [var_fh], 0x63 ; &#039;c&#039;\r\n0x0000116e      movsx   r9d, byte [var_dh]\r\n0x00001173      mov     eax, dword [var_4h]\r\n0x00001176      sub     eax, dword [var_ch]\r\n0x00001179      mov     r8d, eax\r\n0x0000117c      movsx   edi, byte 
[var_eh]\r\n0x00001180      mov     eax, dword [var_4h]\r\n0x00001183      sub     eax, dword [var_ch]\r\n0x00001186      mov     esi, eax\r\n0x00001188      movsx   r10d, byte [var_eh]\r\n0x0000118d      movsx   ecx, byte [var_fh]\r\n0x00001191      movsx   edx, byte [var_dh]\r\n0x00001195      mov     eax, dword [var_8h]\r\n0x00001198      push    0\r\n0x0000119a      push    0\r\n0x0000119c      push    r9\r\n0x0000119e      push    0\r\n0x000011a0      push    r8\r\n0x000011a2      mov     r8d, dword [var_ch]\r\n0x000011a6      push    r8\r\n0x000011a8      mov     r8d, dword [var_8h]\r\n0x000011ac      push    r8\r\n0x000011ae      push    0\r\n0x000011b0      push    rdi\r\n0x000011b1      push    rsi\r\n0x000011b2      mov     r9d, r10d\r\n0x000011b5      mov     r8d, 0\r\n0x000011bb      mov     esi, eax\r\n0x000011bd      lea     rdi, str.flag__d_c_c_dn_c_d_c_d__dh_M_d_ds_G_d_ct_dS_d ; 0x2008 ; const char *format\r\n0x000011c4      mov     eax, 0\r\n0x000011c9      call    printf     ; sym.imp.printf ; int printf(const char *format)\r\n0x000011ce      add     rsp, 0x50\r\n0x000011d2      nop\r\n0x000011d3      leave\r\n0x000011d4      ret\r\n52: int main (int argc, char **argv, char **envp);\r\n0x000011d5      push    rbp\r\n0x000011d6      mov     rbp, rsp\r\n0x000011d9      lea     rdi, str.The_only_way_out_is_inward ; 0x2038 ; const char *s\r\n0x000011e0      call    puts       ; sym.imp.puts ; int puts(const char *s)\r\n0x000011e5      lea     rdi, [0x00002058] ; const char *format\r\n0x000011ec      mov     eax, 0\r\n0x000011f1      call    printf     ; sym.imp.printf ; int printf(const char *format)\r\n0x000011f6      lea     rdi, str.Voce_consegue_achar_a_funcao_escondida ; 0x2060 ; const char *s\r\n0x000011fd      call    puts       ; sym.imp.puts ; int puts(const char *s)\r\n0x00001202      mov     eax, 0\r\n0x00001207      pop     rbp\r\n0x00001208      ret\r\n<\/pre>\n<p><u>Conclusion<\/u><br \/>\nThe disassembly shows that there is a function 
straight above the main function, which isn&#8217;t getting called. So let&#8217;s modify the main function so that it calls the secret function.<\/p>\n<hr>\n<p><strong>Solution<\/strong><\/p>\n<p><u>Disassembly<\/u> (Patched)<\/p>\n<pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\r\n52: int main (int argc, char **argv, char **envp);\r\n0x000011d5      push    rbp\r\n0x000011d6      mov     rbp, rsp\r\n0x000011d9      lea     rdi, str.The_only_way_out_is_inward ; 0x2038 ; const char *s\r\n0x000011e0      call    puts       ; sym.imp.puts ; int puts(const char *s)\r\n0x000011e5      lea     rdi, [0x00002058] ; const char *format\r\n0x000011ec      mov     eax, 0\r\n0x000011f1      call    secret     ; sym.secret\r\n0x000011f6      nop\r\n0x000011f7      nop\r\n0x000011f8      nop\r\n0x000011f9      nop\r\n0x000011fa      nop\r\n0x000011fb      nop\r\n0x000011fc      nop\r\n0x000011fd      nop\r\n0x000011fe      nop\r\n0x000011ff      nop\r\n0x00001200      nop\r\n0x00001201      nop\r\n0x00001202      nop\r\n0x00001203      nop\r\n0x00001204      nop\r\n0x00001205      nop\r\n0x00001206      nop\r\n0x00001207      pop     rbp\r\n0x00001208      ret\r\n<\/pre>\n<p><u>Output<\/u><\/p>\n<pre>\r\n$ .\/hidden\r\nThe only way out is inward\r\n\r\n\r\n\r\n\r\n\r\nflag{3sc0nd1d0_3h_M41s_G0st0S0}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Setup Data URL: nutcake&#8217;s WhiteRabbit Language: C\/C++ Platform: Unix\/Linux (ELF64) Description: &#8220;Can you find the rabbit hole cof cof, 
I<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false},"categories":[39],"tags":[],"_links":{"self":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10755"}],"collection":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10755"}],"version-history":[{"count":1,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10755\/revisions"}],"predecessor-version":[{"id":16713,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10755\/revisions\/16713"}],"wp:attachment":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10755"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}