easy_reverse - Crackmes Write-Up
A write-up of "easy_reverse" on Crackmes.
Hello 👋 Today we are going to reverse engineer “easy_reverse” from cbm-hackers.
NOTE: Please try to solve this challenge by yourself first before looking at the solution. If you have tried your best and can’t solve it, then please don’t just take the answer and leave immediately, because that is not how you learn reverse engineering.
Prerequisites:
- Ghidra
- easy_reverse executable (unzip with password “crackmes.one”)
What does it do?
The program is very simple: it just asks us to provide a password when running it.
Decompiling with Ghidra
Now we will open it up in Ghidra and analyze it. We’ll only enable the “Decompiler Parameter ID” option and leave the rest on default.
Once analyzed, the main function should automatically pop up in the Decompiled window. If it hasn’t, you can find it manually by searching for it in the symbol tree.
Now we can take a look at the code.
undefined8 main(int param_1,undefined8 *param_2)
{
  size_t sVar1;

  if (param_1 == 2) {
    sVar1 = strlen((char *)param_2[1]);
    if (sVar1 == 10) {
      if (*(char *)(param_2[1] + 4) == '@') {
        puts("Nice Job!!");
        printf("flag{%s}\n",param_2[1]);
      }
      else {
        usage(*param_2);
      }
    }
    else {
      usage(*param_2);
    }
  }
  else {
    usage(*param_2);
  }
  return 0;
}
Analyzing the code
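We see that it checks whether our input meets the correct conditions. Our input is param_2[1], the first command-line argument; param_1 is the argument count, which must be 2. So this should be pretty straightforward 😀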
First it checks if our input is 10 characters long.
  if (sVar1 == 10) {
If our input is 10 characters long, it will check whether the 5th character (index 4) of our input is a ‘@’. If it is, we get the flag.
  if (*(char *)(param_2[1] + 4) == '@') {
    puts("Nice Job!!");
    printf("flag{%s}\n",param_2[1]);
  }
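The two checks above, restated with readable names and paired with a helper that builds a string satisfying them. This is an added example, not code from the crackme or from the original write-up; the names accepts and make_candidate and all sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_LEN 10  /* from the decompilation: sVar1 == 10 */
#define AT_IDX 4   /* from the decompilation: *(char *)(param_2[1] + 4) */

/* Same two conditions main() applies to argv[1]; returns 1 if accepted. */
int accepts(const char *pw)
{
    if (pw == NULL || strlen(pw) != PW_LEN)
        return 0;
    return pw[AT_IDX] == '@';
}

/* Build a candidate: every unconstrained position gets `fill`, index 4
 * gets '@'. buf must hold PW_LEN + 1 bytes; fill must not be '\0',
 * otherwise strlen() would come up short. */
char *make_candidate(char *buf, char fill)
{
    memset(buf, fill, PW_LEN);
    buf[AT_IDX] = '@';
    buf[PW_LEN] = '\0';
    return buf;
}

int main(void)
{
    char buf[PW_LEN + 1];
    /* Constructed samples: one generated, three hand-written edge cases. */
    const char *samples[] = {
        make_candidate(buf, 'A'), /* satisfies both checks        */
        "AAAA@AAAA",              /* '@' at index 4, but length 9 */
        "AAAAA@AAAA",             /* length 10, '@' at index 5    */
        "@@@@@@@@@@",             /* other characters are free    */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               accepts(samples[i]) ? "accepted" : "usage()");
    return 0;
}
```

Only the length and the byte at index 4 are constrained, so the other nine characters can be anything except a NUL byte.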
Running it with the correct password
So now we can construct a password that meets the correct conditions.
It works! I hope you learned something new. Don’t forget to check me out on YouTube, where I have some great videos.