Post

Cracking cbm-hackers's 'easy_reverse' Crackme | Simple C/C++ Challenge Walkthrough

Posted
By fr0stb1rd
views 2 min read
Cracking cbm-hackers's 'easy_reverse' Crackme | Simple C/C++ Challenge Walkthrough

Video Tutorial

Introduction

Today, we’ll solve a simple crackme challenge called “rev50_linux64-bit” by cbm-hackers using Ghidra, a powerful reverse engineering tool developed by the NSA. This is a basic reverse engineering challenge that tests our understanding of C/C++ programs and string manipulation.

Prerequisites

Before you begin, ensure you have:

Challenge Information

  • Author: cbm-hackers
  • Language: C/C++
  • Platform: Unix/Linux
  • Difficulty: 1.3/5
  • Quality: 4.7/5
  • Architecture: x86-64
  • Upload Date: January 9, 2018, 6:54 AM
  • Original Name: easy_reverse

Analysis

Step 1: Initial Program Run

First, let’s try running the program to see its behavior:

1
2
3
4

┌──(kali㉿kali)-[~/ctf]
└─$ ./rev50_linux64-bit fr0stb1rd
USAGE: ./rev50_linux64-bit <password>
try again!

Step 2: Ghidra Analysis

Now, let’s analyze the program using Ghidra:

  1. Open Ghidra and create a new project
  2. Import the rev50_linux64-bit binary
  3. Let Ghidra analyze the binary
  4. Find and analyze the main function

Here’s the decompiled main function:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

undefined8 main(int param_1, undefined8 *param_2) {
  size_t sVar1;
  
  if (param_1 == 2) {
    sVar1 = strlen((char *)param_2[1]);
    if (sVar1 == 10) {
      if (*(char *)(param_2[1] + 4) == '@') {
        puts("Nice Job!!");
        printf("flag{%s}\n", param_2[1]);
      }
      else {
        usage(*param_2);
      }
    }
    else {
      usage(*param_2);
    }
  }
  else {
    usage(*param_2);
  }
  return 0;
}

Solution

The program has three main checks:

  1. The program must be run with exactly one argument (param_1 == 2)
  2. The argument must be exactly 10 characters long
  3. The 5th character (index 4) must be ‘@’

To solve this challenge, we need to provide a 10-character string where the 5th character is ‘@’. For example:

1
2
3
4

┌──(kali㉿kali)-[~/ctf]
└─$ ./rev50_linux64-bit "fr0s@tb1rd"
Nice Job!!
flag{fr0s@tb1rd}

Code Analysis

Let’s break down how the program works:

  1. param_1 is the number of command-line arguments (including the program name)
  2. param_2[1] is the first argument (the string we provide)
  3. The program checks if our input is exactly 10 characters long
  4. It then checks if the 5th character (index 4) is ‘@’

Let’s look at the character position check in detail:

1

if (*(char *)(param_2[1] + 4) == '@')

This line is doing several things:

  • param_2[1] is our input string
  • + 4 moves the pointer 4 positions forward (to the 5th character, since indexing starts at 0)
  • (char *) casts the pointer to a character pointer
  • * dereferences the pointer to get the actual character
  • == '@' compares that character with ‘@’

For example, with our input “fr0s@tb1rd”:

  • Index 0: ‘f’
  • Index 1: ‘r’
  • Index 2: ‘0’
  • Index 3: ‘s’
  • Index 4: ‘@’ ← This is what the program checks
  • Index 5: ‘t’
  • Index 6: ‘b’
  • Index 7: ‘1’
  • Index 8: ‘r’
  • Index 9: ‘d’
  1. If all conditions are met, it prints “Nice Job!!” and shows the flag
Reverse Engineering, CTF, Tutorial
reverse-engineering crackme ctf tutorial c++ ghidra
This post is licensed under CC BY 4.0 by the author.