Author: Andrii Yaroshevych
Variant: 51
Task: the program accepts a password from the command line. Make it accept any password other than the one that was correct before modification.

OS: Linux

Requirements:
- Linux operating system
- cutter (https://cutter.re/)
- Download the latest version of cutter for Linux from https://cutter.re/
- Add execution permissions to the downloaded file:

  ```sh
  chmod +x Cutter*.AppImage
  ```

- Run the file:

  ```sh
  ./Cutter*.AppImage
  ```

  Note: if you see the following error:

  ```
  dlopen(): error loading libfuse.so.2
  AppImages require FUSE to run.
  ```

  install the fuse package with the following command and try again:

  ```sh
  sudo apt-get install fuse libfuse2
  ```
- Run cutter and open the binary file prg_51.x from the root folder of the repository.
- Go to the Disassembly tab and find the main function.
  Let's examine the code of the main function. Cutter annotates its arguments according to the System V AMD64 calling convention:

  ```
  ; arg int argc @ rdi
  ; arg char **argv @ rsi
  ```

  So argv arrives in the rsi register, and the password typed on the command line is reached through it. We then see that the content of rsi is moved into the rax register.
  Further examination: the address 0x2022 is loaded into the rsi register, and the content of the rax register, where the entered password is held, is moved into the rdi register. In this calling convention rdi and rsi carry the first and second arguments, so the next call compares the user's string against whatever lives at 0x2022.
  Then the strcmp function is called. It compares two strings and returns 0 in the eax register if they are equal, and a nonzero value otherwise.
  Let's look at what happens afterwards. The eax register is compared with 0. The jne instruction means that if eax is not equal to 0 (strcmp reported a mismatch), the program jumps to the address 0x1258, the "wrong password" path. If eax is equal to 0, the program reports that the password is correct, jumps to the address 0x12b5, and exits.
- From the observations above we can conclude that the expected password is stored at address 0x2022. Let's go to the Hexdump tab and find this address. The hexdump shows that address 0x2022 holds a plain NUL-terminated C string: abc.
  Indeed, if we run the program with the password abc, it reports that the password is correct.
- Let's make the program accept any password other than the one that was correct before modification.
  Go back to the Disassembly tab and find the jump instruction after the strcmp call. The program jumps to the "wrong password" path only if the password is incorrect. Changing the jne instruction to je inverts the condition: the program now jumps to that path only when the password is correct, and falls through to the "correct" path for every other input, which is exactly the required behaviour.
  Knowing that the jne instruction is located at the address 0x1248, go to the Hexdump tab again and find this address. The jne instruction has the opcode 75. Looking up the opcode of je for the replacement (http://www.mathemainzel.info/) we see that it is 74. Replace 75 with 74 in the Hexdump tab.
  Both are the short forms of the instruction (75 rel8 and 74 rel8, two bytes each), so swapping only the opcode byte keeps the displacement and every later address intact. As a sanity check, the byte following 75 should be 0e: 0x1248 + 2 + 0x0e = 0x1258, the jump target shown in the disassembly. Had the compiler emitted the near form instead (0F 85 rel32), the byte to change would be 85 to 84, not the first byte.
  Note: reopen the file in write mode if needed. Cutter opens the binary read-only unless told otherwise, and an edit made in read-only mode is never written to disk.
- Check the results
  Now try to run the program with the password abc. (Oooh, crap, that was scary!) The program now says that the password is incorrect. Running it with a few different passwords shows that every other input is accepted, so the patch works as expected.
Run the unmodified program with the password abc (accepted):

```sh
./prg_51.x abc
```

or try to run it with any other password (rejected).

To make sure my solution works, run the modified program with some random password (accepted):

```sh
./prg_51_modified.x 123
```

or try to run it with the password abc (now rejected).
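The Hexdump edit above can also be done from the command line. The following Python script is an added example for this write-up, not part of the repository: it maps the address Cutter shows (a virtual address, 0x1248 here) to a file offset through the ELF program headers rather than assuming the two coincide, refuses to write unless the byte there really is the jne opcode 75, and swaps it for 74. It assumes the target is a little-endian ELF64 file. `toy_elf()` builds a constructed stand-in for prg_51.x so the script runs without the real binary; the names `vaddr_to_offset`, `invert_short_jcc` and `toy_elf` are the example's own.

```python
#!/usr/bin/env python3
"""Invert a short conditional jump (jne -> je) at a virtual address in an ELF64 binary.

Added example for the write-up, not the repository's code. Usage:
    python3 patch_jne.py prg_51.x prg_51_modified.x 1248
With no arguments it patches a constructed toy image instead.
"""
import struct
import sys

PT_LOAD = 1
JNE_REL8 = 0x75  # jne rel8, two-byte encoding
JE_REL8 = 0x74   # je  rel8, two-byte encoding


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to its file offset using the PT_LOAD program headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#x} is not backed by any PT_LOAD segment")


def invert_short_jcc(elf: bytes, vaddr: int,
                     expect: int = JNE_REL8, replace: int = JE_REL8) -> bytes:
    """Return a copy of `elf` with the opcode byte at `vaddr` changed from `expect` to `replace`.

    The byte is checked first, so a wrong address, an already patched file, or a
    near jump encoded as 0F 85 fails loudly instead of corrupting another instruction.
    """
    off = vaddr_to_offset(elf, vaddr)
    if elf[off] != expect:
        raise ValueError(f"byte at {vaddr:#x} (file offset {off:#x}) is "
                         f"{elf[off]:#04x}, expected {expect:#04x}")
    patched = bytearray(elf)
    patched[off] = replace
    return bytes(patched)


def toy_elf() -> bytes:
    """Constructed stand-in for prg_51.x (not the real binary).

    One PT_LOAD segment whose file offset (0x100) deliberately differs from its
    vaddr (0x1000), holding `cmp eax, 0` followed by `jne +0x0e` so that the jne
    opcode sits at vaddr 0x1248 and targets 0x1258, as in the write-up.
    """
    img = bytearray(0x400)
    img[:16] = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, little-endian
    # e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<HHIQQQIHHHHHH", img, 0x10,
                     3, 62, 1, 0x1248, 0x40, 0, 0, 64, 56, 1, 0, 0, 0)
    # p_type, p_flags (R+X), p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    struct.pack_into("<IIQQQQQQ", img, 0x40,
                     PT_LOAD, 5, 0x100, 0x1000, 0x1000, 0x300, 0x300, 0x1000)
    # vaddr 0x1245: 83 F8 00 (cmp eax, 0); vaddr 0x1248: 75 0E (jne 0x1258)
    img[0x345:0x34a] = bytes([0x83, 0xF8, 0x00, JNE_REL8, 0x0E])
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        src, dst, addr = sys.argv[1], sys.argv[2], int(sys.argv[3], 16)
        with open(src, "rb") as f:
            data = f.read()
    else:
        src, dst, addr, data = "toy image", None, 0x1248, toy_elf()
    out = invert_short_jcc(data, addr)
    if dst:
        with open(dst, "wb") as f:
            f.write(out)
    print(f"{src}: patched jne -> je at {addr:#x} "
          f"(file offset {vaddr_to_offset(data, addr):#x})")
```

The precondition check is the part worth copying: a hex editor will happily write 74 over whatever byte happens to sit at the offset you typed, and if the loader maps the text segment at a file offset different from its virtual address (as the toy image does on purpose) the edit lands in the wrong place.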
The MIT License (MIT)
Copyright © 2022. Andrii Yaroshevych