backdoorCTF 2013 - binary 100 Writeup (RE)
Small introduction to IDAPython
binary100 is a quite small ELF64 written in C++, from the backdoorCTF 2013.
You are prompted to enter not one but three passwords, then the program hashes it and tells you if this is the right password or not.
This is solvable by using
strings, but for the sake of training, let’s try to
do it without.
We open it in IDA, and get quickly the main function. It gets the 3 passwords,
generates a random number with
rand % (argc - 1) + 1 to choose which password
from the three to hash, put it in a dynamically allocated buffer, pass it in a
md5_custom function, and compare the result to a constant.
The hashing function is pretty complicated:
Okay… let’s check the check method then:
So yeah, there is no hashing and the string is directly compared to a buffer in memory.
Let’s launch IDAPython and get the pass now: