Modern Binary Exploitation Writeups 0x01
This is the first writeup for the "Tools and Basic Reverse Engineering" lecture by RPISEC, part of the Modern Binary Exploitation course.
Link to the lectures: http://security.cs.rpi.edu/courses/binexp-spring2015/
All the lecture materials and the other files needed for this writeup are available at the above link.
crackme0x00a
Information gathering using the file command
$file crackme0x00a
![](https://miro.medium.com/v2/resize:fit:700/1*FiLssOdlKHS8z8kkTIyMtg.png)
- The file is a 32-bit LSB (least-significant byte first) executable.
- That means the binary is little-endian.
![](https://miro.medium.com/v2/resize:fit:700/1*JplF_zGNGx5NDTyHNoSKXw.png)
Information gathering using the rabin2 tool.
$rabin2 -I crackme0x00a
![](https://miro.medium.com/v2/resize:fit:700/1*zH7HLc-uGRMWqfHRKa7mKw.png)
![](https://miro.medium.com/v2/resize:fit:408/1*IjkAUH4NihjrlzHkkA5XSg.png)
Cracking the file using strings
$strings crackme0x00a
![](https://miro.medium.com/v2/resize:fit:700/1*pWT0Od6oUue-lUvnpHoVxA.png)
![](https://miro.medium.com/v2/resize:fit:564/1*j3W65qyW53lSNli-J7Ui5A.png)
![](https://miro.medium.com/v2/resize:fit:633/1*u8vsxFozuzJ8bP10XgOYPg.png)
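As an added example (not part of the original writeup or of RPISEC's course material), the following Python script reproduces what the file and strings steps above report: it decodes the ELF e_ident, e_type and e_machine fields behind the "32-bit LSB executable, Intel 80386" verdict, and scans for printable runs the way strings -t x does. The bytes it runs on are a constructed stand-in for crackme0x00a, not the real binary; elf_ident and extract_strings are names chosen here.

```python
import struct
from typing import Dict, List, Tuple

ELF_MAGIC = b"\x7fELF"

# Constructed stand-in for crackme0x00a (not the real file): a 52-byte Elf32
# header for a little-endian i386 executable, some filler, then the kind of
# string constants the writeup finds with strings/xxd.
SAMPLE_BINARY = (
    ELF_MAGIC
    + bytes([1, 1, 1, 0]) + b"\x00" * 8   # EI_CLASS=1 (32-bit), EI_DATA=1 (LSB), EI_VERSION, EI_OSABI, pad
    + struct.pack("<HHI", 2, 3, 1)         # e_type=ET_EXEC, e_machine=EM_386, e_version
    + b"\x00" * 28                         # remaining Elf32_Ehdr fields, zeroed for the demo
    + b"\x90" * 16                         # filler (NOP bytes), not printable
    + b"Enter password: \x00"
    + b"g00dJ0B!\x00"                      # the literal later seen in strcmp
    + b"\x01\x02\x03"
    + b"Congrats!\x00"
    + b"Wrong!\x00"
)

ELF_CLASS = {1: 32, 2: 64}
ELF_DATA = {1: "LSB (little-endian)", 2: "MSB (big-endian)"}
ELF_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_ident(data: bytes) -> Dict[str, object]:
    """Decode the header fields behind file's "ELF 32-bit LSB executable, Intel 80386" line.

    e_ident is byte-order independent; e_type and e_machine are read in the
    byte order that EI_DATA announces."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    fmt = "<H" if ei_data == 1 else ">H"
    (e_type,) = struct.unpack_from(fmt, data, 16)     # offset 16 in both Elf32 and Elf64
    (e_machine,) = struct.unpack_from(fmt, data, 18)
    return {
        "bits": ELF_CLASS.get(ei_class, "unknown"),
        "endian": ELF_DATA.get(ei_data, "unknown"),
        "type": ELF_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINE.get(e_machine, f"unknown({e_machine})"),
    }


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for runs of printable ASCII of at least min_len bytes,
    like `strings -t x` (whose default minimum length is also 4)."""
    found: List[Tuple[int, str]] = []
    start = None
    for i, b in enumerate(data):
        printable = 0x20 <= b < 0x7F or b == 0x09
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


if __name__ == "__main__":
    info = elf_ident(SAMPLE_BINARY)
    print(f"ELF {info['bits']}-bit {info['endian']} {info['type']}, {info['machine']}")
    for off, text in extract_strings(SAMPLE_BINARY):
        print(f"{off:06x} {text}")   # same layout as strings -t x
```

Running it prints the header verdict followed by the four string constants with their file offsets, the password literal among them; pointing extract_strings at the bytes of a real ELF gives the same list strings does, which is why a plaintext secret in .rodata is found in seconds.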
Cracking the file using xxd
![](https://miro.medium.com/v2/resize:fit:700/1*YnTsw7ngCTt-jINtonDtVQ.png)
$xxd crackme0x00a
![](https://miro.medium.com/v2/resize:fit:689/1*t280RdHyNyF9j9QPDToauw.png)
![](https://miro.medium.com/v2/resize:fit:633/1*u8vsxFozuzJ8bP10XgOYPg.png)
Cracking the file using rabin2
![](https://miro.medium.com/v2/resize:fit:700/1*jSBJUj5rOCXXJwlU2Nmv1A.png)
![](https://miro.medium.com/v2/resize:fit:690/1*3YOYwh8EPqDQ8A0UCmuzZQ.png)
![](https://miro.medium.com/v2/resize:fit:633/1*u8vsxFozuzJ8bP10XgOYPg.png)
Cracking the file using ltrace
$ltrace ./crackme0x00a
![](https://miro.medium.com/v2/resize:fit:700/1*rnPbMvyGufowJBFB7DBfgg.png)
ltrace intercepts and prints the dynamic library calls the program makes (and, with -S, the system calls as well), so the strcmp against the stored password shows up with both of its arguments.
![](https://miro.medium.com/v2/resize:fit:700/1*_R35MfziY-G4E5AKGlqXaQ.png)
Cracking the file using strace :(
$strace ./crackme0x00a
![](https://miro.medium.com/v2/resize:fit:700/1*wKRwKG7E8qiYBR1SgxWqVA.png)
strace is used for tracing syscalls. It won’t ever trace a string compare like strncmp as that doesn’t require any syscalls.
Cracking the file using radare2
$radare2 crackme0x00a
[0x08048430]> aaa
[0x08048430]> pdf @ main
- aa: analyze all.
- aaa: analyze all with more info.
- pdf: print disassembled function.
![](https://miro.medium.com/v2/resize:fit:668/1*mswF4djT3HzRa9DTOTvFuQ.png)
![](https://miro.medium.com/v2/resize:fit:700/1*LTCQ44Coy-c_B8y2Za_SvA.png)
radare2 gives a view of the disassembled code.
- There is a char pointer s2 pointing to our input (the password) and a pointer s1 pointing to the literal "g00dJ0B!"; in the next step the two are compared using strcmp.
![](https://miro.medium.com/v2/resize:fit:633/1*u8vsxFozuzJ8bP10XgOYPg.png)
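The disassembly shows that the whole check reduces to strcmp against a literal stored in the binary, which is exactly why strings, ltrace and gdb all hand the password over. The following Python is an added example (not the crackme's code and not from the course) that models that check next to a variant where only a salted PBKDF2 digest is stored; build_verifier, check_hashed and secret_visible are hypothetical helper names chosen here.

```python
import hashlib
import hmac
import os

# Illustrative model of the crackme's check (a literal password compared with
# strcmp) beside a variant that ships no plaintext secret.

PASSWORD_LITERAL = "g00dJ0B!"   # the s1 argument that strings/ltrace/gdb reveal
SALT_LEN = 16
ITERATIONS = 100_000            # slows offline guessing; tune for the target platform


def check_plaintext(user_input: str) -> bool:
    """Same logic as the crackme: strcmp(s1, s2) == 0 against an embedded literal."""
    return user_input == PASSWORD_LITERAL


def build_verifier(secret: str, iterations: int = ITERATIONS) -> bytes:
    """Build-time step (hypothetical): derive a salted PBKDF2-HMAC-SHA256 digest.

    Only the returned salt+digest blob would be compiled into the binary; the
    secret itself never becomes a string constant."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return salt + digest


def check_hashed(user_input: str, verifier: bytes, iterations: int = ITERATIONS) -> bool:
    """Run-time check: re-derive from the input and compare in constant time,
    so neither the literal nor an early-exit comparison is exposed."""
    salt, digest = verifier[:SALT_LEN], verifier[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", user_input.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def secret_visible(blob: bytes, secret: str = PASSWORD_LITERAL) -> bool:
    """The question a strings-style scan answers: does the literal sit in the bytes?"""
    return secret.encode() in blob


if __name__ == "__main__":
    # Constructed stand-ins for the two binaries' .rodata contents.
    plaintext_rodata = b"Enter password: \x00" + PASSWORD_LITERAL.encode() + b"\x00Congrats!\x00"
    hashed_rodata = b"Enter password: \x00" + build_verifier(PASSWORD_LITERAL) + b"Congrats!\x00"
    verifier = hashed_rodata[17:17 + SALT_LEN + 32]
    print("plaintext variant leaks literal:", secret_visible(plaintext_rodata))
    print("hashed variant leaks literal:   ", secret_visible(hashed_rodata))
    print("hashed check accepts password:  ", check_hashed(PASSWORD_LITERAL, verifier))
    print("hashed check rejects guess:     ", check_hashed("incognito", verifier))
```

The hashed variant still accepts exactly one password, but a strings pass over its bytes yields only the salt and digest, and ltrace no longer shows a library call that carries the answer in its arguments. It is not a cure-all: a weak password can still be guessed offline against the stored digest, which is what the salt and the iteration count are there to slow down, and a secret that must stay secret should not be embedded in a client-side binary at all.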
Cracking the file using gdb-peda
gdb-peda is an add-on for gdb; you can install it from GitHub.
$gdb crackme0x00a
gdb-peda$ disassemble main
disassemble main prints the disassembly of the binary's main function.
![](https://miro.medium.com/v2/resize:fit:570/1*Djxu4xL9IKLpG-IeQTxgoA.png)
There is a call to strcmp at <+70>, so let's set a breakpoint at that address and run the program.
gdb-peda$ break *0x0804852a
gdb-peda$ run
Enter a password to test the program; in this case, I entered incognito as the password.
![](https://miro.medium.com/v2/resize:fit:1000/1*aaG80jVG2bhkCvB2hyecCg.png)
![](https://miro.medium.com/v2/resize:fit:700/1*hT2N_iAmjBi-7gryAzqjyQ.png)
“incognito” is compared with “g00dJ0B!”; gdb-peda also shows its guessed arguments for the call.
![](https://miro.medium.com/v2/resize:fit:633/1*u8vsxFozuzJ8bP10XgOYPg.png)