Hack.lu 2013 was held on 22-24 October in Luxembourg. Hack.lu is an open security conference which usually hosts a CTF (capture the flag) competition.
This year the competitors had to recover two passwords from a program called RoboAuth.exe, which can be downloaded here:
The flag to pass the test is: password1_password2
OK, let's try to get the first one. For this we are going to use OllyDbg: open the file with it and click the play button to run the program.
A console window appears which asks us for the first password.
One of the first things I usually do in these cases is to look at "All referenced text strings" (right-click in the CPU window, Search for) to find something that draws my attention.
In this case we can see the string "You passed level1!". We can assume that, just before the code that prints it, the program compares our password with the real one.
To jump to this string in the assembly code, right-click on that line and select "Follow in Disassembler".
Now we can see the string mentioned above in the assembly code. Two lines above it is the instruction TEST EAX, EAX. This instruction does not compare the strings itself: it checks the value that the comparison routine called just before returned in EAX, and the conditional jump that follows it decides what happens next. If the password is correct we pass the test; if not, the program closes.
We can set a breakpoint at this point so that the program stops right when it is comparing the passwords and we can look for the real one on the stack. To do that, right-click on the line containing "TEST EAX, EAX", select Breakpoint and choose, for example, "Memory, on access". (A normal software breakpoint, F2 on that line, works as well and is the usual choice; the memory breakpoint is slower but also stops there.)
The next step is to type any password and wait until the program stops at the breakpoint.
Finally, we only need to look at the Stack window, which shows the state of the stack in memory for the thread being debugged. This window is at the bottom right. In the picture below you can see our password "COMPARE..." followed by another string, "r0b0RUlez!". The comparison routine received both strings as arguments, which is why the real one is sitting on the stack next to ours. It looks like the password.
If we go back to the program and type "r0b0RUlez!", it answers "You passed level1!".
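To make clear why the stack trick works, here is an added example written for this post (it is not code from RoboAuth.exe or from the CTF organisers). It implements a level-1 style check twice: once the way the debugging session suggests RoboAuth does it, with a plain string compare against a constant, and once with the plaintext replaced by a djb2 digest, so that a breakpoint on the compare no longer reveals the password. The recovered password "r0b0RUlez!" is used as the secret; the digest constant was computed for this example, and djb2 is only a string hash, not a password hash.

```c
/* Added example (not RoboAuth's code): a level-1 style check done two ways.
 * Secret: "r0b0RUlez!" (the password recovered in the write-up). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Plain check. The real password is a literal in the binary, so it shows
 * up in OllyDbg's "All referenced text strings", and it is passed to the
 * compare routine by pointer, so it is on the stack as an argument when
 * the routine runs. "return strcmp(...) == 0" compiles to roughly
 *     CALL strcmp ; TEST EAX,EAX ; JNZ wrong_password
 * which is the pattern the breakpoint above stops on. */
int check_level1_plain(const char *input)
{
    static const char real_password[] = "r0b0RUlez!";
    return strcmp(input, real_password) == 0;
}

/* djb2 string hash (Bernstein): h = h*33 + c, 32-bit wraparound.
 * NOT a password hash; used here only to show that the operand of the
 * compare does not have to be the plaintext. */
uint32_t djb2(const char *s)
{
    uint32_t h = 5381u;
    for (; *s; ++s)
        h = h * 33u + (unsigned char)*s;
    return h;
}

/* Assumption for this example: djb2("r0b0RUlez!") computed offline. */
#define LEVEL1_DIGEST 0x7F5CAF4Cu

/* Hardened check: only the digest is stored. Breaking on the compare now
 * shows two 32-bit values, not the password. The check is still made
 * client-side, so patching the conditional jump still bypasses it; hashing
 * only stops recovery of the secret, not the bypass. */
int check_level1_hashed(const char *input)
{
    return djb2(input) == LEVEL1_DIGEST;
}

int main(void)
{
    char buf[128];

    printf("Password: ");
    fflush(stdout);
    if (!fgets(buf, sizeof buf, stdin))
        return 1;
    buf[strcspn(buf, "\r\n")] = '\0';   /* strip the newline from fgets */

    if (check_level1_hashed(buf)) {
        puts("You passed level1!");
        return 0;
    }
    puts("Wrong password.");
    return 1;
}
```

Build with `cc -O1 -o level1 level1.c`, run it under a debugger and break on the compare in each variant: with the plain version the secret is an argument on the stack, with the hashed version only `0x7F5CAF4C` and the digest of whatever you typed are visible.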
I've spent some time trying to solve the second password, but it is more complicated than the first one. When I have some spare time, I will try again and write a post with the solution.