
This is a walkthrough for the CrackMe0x00B that was part of the Rensselaer Polytechnic Institute’s Binary Exploitation course in Spring 2015. You can follow along by downloading the challenges here. (mirror 1, mirror 2)

As usual let’s start by running the binary.

Once again, it appears to be a simple branch: the program does something different when the correct password is entered.

Let’s try the same things we used on CrackMe0x00A. Unfortunately, strings does not show us anything useful this time, so let’s look at it visually in radare2.

$ r2 ./crackme0x00b
[0x080483e0]> vpp

Easy peasy – password is shown to be “w0wgreat”.

I don’t know about you but this feels kinda unsatisfying – so let’s go through why this is different from CrackMe0x00A.

If you look at address 0x080484ce in the screenshot above, you’ll notice that instead of strcmp, CrackMe0x00B calls wcscmp. A quick Google search shows that this function compares wide strings. gdb shows us the same call and, in the instruction just before it, the address of the string being compared (0x804a040), which we should probably look at.

$ gdb ./crackme0x00b
(gdb) disass main
Dump of assembler code for function main:
   0x08048494 <+0>:	push   ebp
   0x08048495 <+1>:	mov    ebp,esp
   0x08048497 <+3>:	and    esp,0xfffffff0
   0x0804849a <+6>:	add    esp,0xffffff80
   0x0804849d <+9>:	mov    eax,0x80485d0
   0x080484a2 <+14>:	mov    DWORD PTR [esp],eax
   0x080484a5 <+17>:	call   0x8048380 <printf@plt>
   0x080484aa <+22>:	mov    eax,0x80485e1
   0x080484af <+27>:	lea    edx,[esp+0x1c]
   0x080484b3 <+31>:	mov    DWORD PTR [esp+0x4],edx
   0x080484b7 <+35>:	mov    DWORD PTR [esp],eax
   0x080484ba <+38>:	call   0x80483d0 <__isoc99_scanf@plt>
   0x080484bf <+43>:	lea    eax,[esp+0x1c]
   0x080484c3 <+47>:	mov    DWORD PTR [esp+0x4],eax
   0x080484c7 <+51>:	mov    DWORD PTR [esp],0x804a040
   0x080484ce <+58>:	call   0x8048390 <wcscmp@plt>
   0x080484d3 <+63>:	test   eax,eax
   0x080484d5 <+65>:	jne    0x80484eb <main+87>
   0x080484d7 <+67>:	mov    DWORD PTR [esp],0x80485e5
   0x080484de <+74>:	call   0x80483a0 <puts@plt>
   0x080484e3 <+79>:	nop
   0x080484e4 <+80>:	mov    eax,0x0
   0x080484e9 <+85>:	leave  
   0x080484ea <+86>:	ret    
   0x080484eb <+87>:	mov    DWORD PTR [esp],0x80485ef
   0x080484f2 <+94>:	call   0x80483a0 <puts@plt>
   0x080484f7 <+99>:	jmp    0x804849d <main+9>
End of assembler dump.
(gdb) x/s 0x804a040
0x804a040 <pass.1964>:	"w"

We used the same command as last time, but why does printing 0x804a040 as a string give us just “w”? According to a quick Google search, wide strings are stored as two bytes per character (rather than the typical one byte) and each character is followed by two bytes of zeros, so every character occupies four bytes in memory and gdb’s x/s, which reads one-byte characters, stops at the first zero byte. We can observe this by printing a series of bytes. Note that gdb remembers the s format from the previous x/s command, so x/30b below prints thirty one-byte strings rather than thirty hex bytes, which is why the output still shows quoted characters with empty strings for the padding.

(gdb) x/s 0x804a040
0x804a040 <pass.1964>:	"w"
(gdb) x/30b 0x804a040
0x804a040 <pass.1964>:	"w"
0x804a042 <pass.1964+2>:	""
0x804a043 <pass.1964+3>:	""
0x804a044 <pass.1964+4>:	"0"
0x804a046 <pass.1964+6>:	""
0x804a047 <pass.1964+7>:	""
0x804a048 <pass.1964+8>:	"w"
0x804a04a <pass.1964+10>:	""
0x804a04b <pass.1964+11>:	""
0x804a04c <pass.1964+12>:	"g"
0x804a04e <pass.1964+14>:	""
0x804a04f <pass.1964+15>:	""
0x804a050 <pass.1964+16>:	"r"
0x804a052 <pass.1964+18>:	""
0x804a053 <pass.1964+19>:	""
0x804a054 <pass.1964+20>:	"e"
0x804a056 <pass.1964+22>:	""
0x804a057 <pass.1964+23>:	""
0x804a058 <pass.1964+24>:	"a"
0x804a05a <pass.1964+26>:	""
0x804a05b <pass.1964+27>:	""
0x804a05c <pass.1964+28>:	"t"
0x804a05e <pass.1964+30>:	""
0x804a05f <pass.1964+31>:	""
0x804a060 <pass.1964+32>:	""
0x804a061 <pass.1964+33>:	""
0x804a062 <pass.1964+34>:	""
0x804a063 <pass.1964+35>:	""
0x804a064 <completed.6086>:	""
0x804a065:	""

Alternatively, we could’ve just let gdb interpret it as a wide string: the w size letter makes x read four-byte units, which matches the width of each character here.

(gdb) x/ws 0x804a040
0x804a040 <pass.1964>:	U"w0wgreat"
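The storage layout and the wcscmp comparison discussed above, as an added example that is not part of the original writeup or of the course’s challenge code: it rebuilds L"w0wgreat" in a small C program, dumps its raw bytes, renders them the way xxd would, and runs the same wcscmp check that main performs. It assumes a little-endian Linux/glibc build where wchar_t is four bytes; the narrow_matches helper (how a byte string is widened before comparison) is an illustration of that step, not a claim about how the binary’s scanf reads its input.

```c
// Added example (not from the original writeup): how a wide-string password
// sits in memory and how wcscmp compares it, using the page's "w0wgreat".
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Same literal the binary keeps in .data (observed at 0x804a040 in the post). */
static const wchar_t PASS[] = L"w0wgreat";

/* Width of one wide character on this platform: 4 on Linux/glibc, which is
 * why gdb's x/s stops at "w" (it hits the zero padding after the first byte). */
size_t wide_char_width(void) { return sizeof(wchar_t); }

/* Copy the raw bytes of a wide string, terminator included, into out.
 * Returns the number of bytes written (0 if cap is too small). */
size_t dump_wide_bytes(const wchar_t *s, unsigned char *out, size_t cap) {
    size_t n = (wcslen(s) + 1) * sizeof(wchar_t);
    if (n > cap) return 0;
    memcpy(out, s, n);
    return n;
}

/* Render up to 16 bytes in xxd's style ("7700 0000 3000 0000 ...") so the
 * pattern the post describes seeing in `xxd ./crackme0x00b` is recognisable.
 * Returns the length of the formatted line (0 on error). */
size_t format_xxd_line(const unsigned char *b, size_t n, char *out, size_t cap) {
    size_t pos = 0;
    for (size_t i = 0; i < n && i < 16; i++) {
        /* xxd groups bytes in pairs, separated by a single space */
        const char *sep = (i % 2 == 1 && i + 1 < n && i + 1 < 16) ? " " : "";
        int w = snprintf(out + pos, cap - pos, "%02x%s", b[i], sep);
        if (w < 0 || (size_t)w >= cap - pos) return 0;
        pos += (size_t)w;
    }
    return pos;
}

/* The comparison main() performs: wcscmp returns 0 only on an exact match. */
int check_password(const wchar_t *input) { return wcscmp(input, PASS) == 0; }

/* Illustration (assumption, not the binary's actual input path): a narrow
 * byte string must be widened before it can be compared against PASS.
 * ASCII widens cleanly even in the default "C" locale. */
int narrow_matches(const char *narrow) {
    wchar_t wide[64];
    size_t n = mbstowcs(wide, narrow, sizeof wide / sizeof wide[0]);
    if (n == (size_t)-1 || n >= sizeof wide / sizeof wide[0]) return 0;
    return check_password(wide);
}

int main(void) {
    unsigned char raw[64];
    char line[80];
    size_t n = dump_wide_bytes(PASS, raw, sizeof raw);
    printf("sizeof(wchar_t) = %zu; %zu bytes for %zu characters + terminator\n",
           wide_char_width(), n, wcslen(PASS));
    format_xxd_line(raw, n, line, sizeof line);
    printf("first 16 bytes as xxd would show them: %s\n", line);
    /* Reading the same bytes as a narrow string reproduces gdb's x/s result
     * (little-endian: the ASCII byte comes first, then the zero padding). */
    printf("as a narrow string (what gdb x/s sees): \"%s\"\n", (const char *)raw);
    printf("check L\"w0wgreat\" -> %d, check L\"w0wgrea\" -> %d\n",
           check_password(L"w0wgreat"), check_password(L"w0wgrea"));
    return 0;
}
```

Compile with `gcc -std=c99 -Wall wide_pass.c -o wide_pass` and run it; the first xxd-style line comes out as `7700 0000 3000 0000 7700 0000 6700 0000`, which is the 4-bytes-per-character pattern you spot when scrolling through the real hex dump.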

Now is as good a time as any to introduce another tool that may be of use in your binary exploitation adventures: xxd. It produces a hex dump of a file, which can reveal some interesting information. A bit of scrolling through the output and you’ll see ‘w0wgreat’ stored as a wide string, each character byte followed by its zero padding.

$ xxd ./crackme0x00b

Had enough of string comparisons? Head onto CrackMe0x01!