Recover Passcode (attackdefense.com)
Using static analysis, figure out the passcode needed to run the challenge successfully, i.e. ./challenge CORRECT_PASSCODE.
If you get the right passcode, a flag will be printed.
First things first, let’s fire up gdb and disassemble main…
(gdb) x/s 0x6da0f0
0x6da0f0 <correct_password>: "hardbuteasy"
We think the password is “hardbuteasy”, right? Ok, let’s try.
Damn, no luck here, but wait, it must be this password so what the hell is going on? Let’s go back and look at the disassembly.
The CMP instruction compares two operands and is generally used for conditional execution. It subtracts one operand from the other and sets the CPU flags according to the result, without modifying either the source or the destination operand. A conditional jump instruction that follows it then acts on those flags to make the decision.
Let’s look at the disassembly for any CMP instructions.
We found the culprit: if the supplied password is any longer than 9 bytes, the check fails.
# rax holds the input length: if it is greater than 9 (unsigned compare), jump to the "Wrong!!" path
0x0000000000400daf <+129>: cmp $0x9, %rax
0x0000000000400db3 <+133>: ja 0x400de4 <main+182>
So let’s try our theory and only supply 9 bytes of the ‘correct password’ value.
Nice, it worked! This is a great example of how CTF-style challenges and real-world bugs may expect certain conditions to be true even if you do have the value the program expects, or at least the value it told you it expected. A good example of this is truncated passwords: they won't fail outright, but if the stored password is truncated at, say, 5 bytes and only that part is compared, then users with 6+ byte passwords are no safer than users with 5-byte ones.
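To make the two points above concrete (the length check in the disassembly, and the truncated-comparison lesson), here is an added C example. It is not the challenge's source; check_truncated is a hypothetical reconstruction of the behaviour the disassembly implies (reject inputs longer than 9 bytes, compare only 9 bytes), and check_full is the hardened form a defender would want: require the full length and compare every byte without an early exit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the stored secret; the string gdb showed at
 * 0x6da0f0 in the writeup. */
static const char correct_password[] = "hardbuteasy";

/* Hypothetical reconstruction of the check implied by the disassembly:
 * inputs longer than 9 bytes are rejected (cmp $0x9,%rax / ja), and only
 * the first 9 bytes are then compared. Returns 1 on "accept". */
int check_truncated(const char *input)
{
    if (strlen(input) > 9)
        return 0;                        /* the "Wrong!!" path */
    return strncmp(input, correct_password, 9) == 0;
}

/* Hardened form: lengths must match exactly, and every byte of the
 * equal-length inputs is compared without an early exit, so a truncated
 * prefix is never accepted and the loop does not leak where the first
 * mismatch occurred. */
int check_full(const char *input)
{
    size_t want = strlen(correct_password);
    if (strlen(input) != want)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < want; i++)
        diff |= (unsigned char)(input[i] ^ correct_password[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs: the real secret, its 9-byte prefix, a longer
     * string sharing that prefix, and a shorter prefix. */
    const char *tries[] = { "hardbuteasy", "hardbutea", "hardbuteaXX", "hardbute" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-12s truncated=%d full=%d\n", tries[i],
               check_truncated(tries[i]), check_full(tries[i]));
    return 0;
}
```

Running it shows the inversion the writeup describes: the real secret "hardbuteasy" is rejected by the truncated check (too long) while its 9-byte prefix "hardbutea" is accepted, whereas check_full accepts only the complete secret.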