All writeups. Or maybe just CrackMe0x02?

This is a walkthrough for the CrackMe0x03 that was part of the Rensselaer Polytechnic Institute’s Binary Exploitation course in Spring 2015. You can follow along by downloading the challenges here. (mirror 1, mirror 2)

As usual let’s start by running the binary.

Huh. Same password as CrackMe0x02. But what’s the difference?

As usual, we’ll proceed with a gdb assembly dump.

Oh no 🙁 Where’s the cmp?

Unfortunately looks like we’ve lost our cmp 🙁 Anything else that looks interesting? What’s that function call on <main+116>? Test? Pretty sure that’s not a standard library function. Let’s check it out.

Oh yay! There’s our cmp at <test+9>. Now to do the same thing as CrackMe0x02 – setting breakpoints and finding the value of our registers.

Password is 338724 again 🙂 Not too different from CrackMe0x02 apart from doing the comparison in a separate function.

All too easy? Trust me, but CrackMe0x04 is quite annoying…