All writeups. Or maybe just CrackMe0x00B?

This is a walkthrough for the CrackMe0x01 that was part of the Rensselaer Polytechnic Institute’s Binary Exploitation course in Spring 2015. You can follow along by downloading the challenges here. (mirror 1, mirror 2)

As usual let’s start by running the binary.

Once again, looks to be the same as usual. There’s a new welcome message though. Additionally, instead of prompting for a new password, this time it immediately exits after one bad password.

Again we’re all lazy programmers – but unfortunately nothing pops up when we use strings or xxd. Back to radare2 we go.

$ r2 ./crackme0x01
[0x08048330]> vpp

Damn, no strings with the password 🙁

However, something interesting is happening on 0x0804842b. It’s not calling strcmp or wcscmp like the earlier CrackMes. Instead it’s using the instruction cmp, which in x86 is used to compare two values. Could the answer be ‘0x149a’?

Unfortunately not. It’s not that easy 🙂 Or is it? Remember that cmp compares two values – but when we are using scanf (0x08048426) and looking for numbers, we don’t usually input hexadecimal values… Instead we use decimal….

So by using an online calculator, gdb, or whatever we want, we find that 0x149a in hex is equivalent to 5274.

Easy 🙂 The password ended up being 5274.

Unfortunately life gets (slightly) harder with CrackMe0x02.