Impossible Password is an easy reversing challenge on Hack The Box. The description is “Are you able to cheat me and get the flag?”
As in my previous posts, the first thing I like to do is run the file command on the binary to see what we are working with.

We get a nice ELF binary. Now we can go ahead and open it up in Binary Ninja to see the inner workings.

Looking at the main function, it looks pretty simple. I first notice an interesting string passed to strncpy and two string compares. Let’s start with the first one. It is very simple and just compares our input, “var_28”, with the string “SuperSeKretKey”. Let’s go ahead and run the program and put in that first answer.

Looks like it worked! Now to figure out the second string compare. It looks like our input is compared to the result of function “sub_20078d”. Let’s open that function up and check it out.

The first thing I notice is a call to srand and two calls to rand. The function returns “rax_9”, which is built from the rand output, so the value depends on the seed and is not something we can guess at the prompt. Rather than trying to predict it, we can just skip the check.
Going back to the main function, we can see that if the string compare succeeds it calls another function. This might be the print flag function, so let’s NOP out the JNE so execution falls through to that function regardless of what strcmp returns.

And here is the assembly after NOPing the JNE.
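Binary Ninja can write the NOPs for you, but it is worth seeing what the patch actually is: a short JNE is the two bytes 0x75 rel8 and a near JNE is 0x0F 0x85 rel32, and each is replaced with the same number of 0x90 NOP bytes so nothing after it shifts. The script below is an added example, not part of the original write-up or the challenge files; the code bytes and the offset in it are constructed to look like the `test eax, eax` / `jne` sequence after the strcmp, and `patch_file` assumes you pass the file offset of the JNE in the real binary.

```python
"""Replace a JNE in an x86-64 code buffer with NOPs (added example)."""

# Two encodings of JNE on x86: short (0x75 rel8, 2 bytes) and near
# (0x0F 0x85 rel32, 6 bytes). A NOP is one 0x90 byte, so we overwrite the
# whole instruction with as many NOPs as it is long.
JNE_SHORT = b"\x75"
JNE_NEAR = b"\x0f\x85"
NOP = 0x90


def jne_length(code: bytes, offset: int) -> int:
    """Return the encoded length of the JNE at `offset`, or 0 if there is none."""
    if code[offset:offset + 1] == JNE_SHORT:
        return 2
    if code[offset:offset + 2] == JNE_NEAR:
        return 6
    return 0


def nop_jne(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` with the JNE at `offset` replaced by NOPs.

    Refuses to patch if the bytes at `offset` are not a JNE, so a wrong
    offset (for example a virtual address instead of a file offset) does
    not silently corrupt some other instruction.
    """
    n = jne_length(code, offset)
    if n == 0:
        raise ValueError(
            f"no JNE at offset {offset:#x}: {code[offset:offset + 2].hex()}"
        )
    patched = bytearray(code)
    patched[offset:offset + n] = bytes([NOP]) * n
    return bytes(patched)


def patch_file(path: str, offset: int, out_path: str) -> int:
    """Patch the JNE at file offset `offset` in `path` into `out_path`.

    Returns the number of bytes that were overwritten.
    """
    with open(path, "rb") as f:
        data = f.read()
    with open(out_path, "wb") as f:
        f.write(nop_jne(data, offset))
    return jne_length(data, offset)


# Constructed sample (not bytes from the challenge binary), shaped like the
# check after the second strcmp in main:
#   call strcmp        e8 00 00 00 00
#   test eax, eax      85 c0
#   jne  skip          75 05
#   call print_flag    e8 00 00 00 00
SAMPLE = bytes.fromhex("e800000000" "85c0" "7505" "e800000000")
JNE_OFFSET = 7  # assumed position of the jne in SAMPLE


if __name__ == "__main__":
    print("before:", SAMPLE.hex())
    print("after: ", nop_jne(SAMPLE, JNE_OFFSET).hex())
```

When running this against the real file, pass the file offset of the JNE, not the virtual address the disassembler shows; for an ELF the two differ by the distance between the containing segment's `p_vaddr` and `p_offset`, and the opcode check in `nop_jne` will refuse the patch if the offset is wrong.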

Now we can run our patched version of the binary and see what we get back.

We get the flag! Looking back at the print flag function, we can see it simply XORs each byte of that odd strncpy string from earlier with 9.

If we were not able to bypass the strcmp, we could also have written a Python script to decode it ourselves. Here is what mine looks like.
encrypted = b"A]Kr=9k0=0o0;k1?k81t"  # the bytes handed to strncpy in main
# undo the XOR with 9 that the print flag function applies to every byte
flag = ''.join(chr(b ^ 9) for b in encrypted)
print(flag)
And here was the result!

This is definitely one of the easiest challenges as long as you do not overthink it. I have been working on harder challenges recently, so simply NOPing a JNE did not occur to me for a while, and I was trying to figure out how to break the randomness to pass the string compare. Thanks for reading and happy reversing!
