ker2x on 7:53 PM 06/25/2019: chapter 2 is almost completed :)
ze3lex on 4:07 PM 06/26/2019: Nice one, I liked it :)
ker2x on 4:34 PM 06/26/2019: thx
ker2x on 3:59 PM 07/01/2019: Thx to everyone who posted a solution. the chapter 2 is still planned of course. Almost done (but i just discovered this game dota underlords...)
ker2x on 6:49 PM 07/04/2019: Chapter 2 is online and include the chapter 1 (because it was missing a challenge, i uploaded the wrong binary version)
csgo on 8:22 PM 07/08/2019: what are the passwords
ker2x on 5:29 PM 07/09/2019: Yay ! 4 solutions
ker2x on 5:29 PM 07/09/2019: Chapter 2 and 3 are online and i already have the main challenge idea for chapter 4 :]
NichtBesondres on 4:36 PM 09/02/2019: Yo! Just wanted to say I had a super fun time with this challenge! I am still a novice so playing with gdb to solve this made for an excellent time! Please keep up the work! This was a lot of fun! :)
Sili on 4:06 PM 09/16/2019: Yeah actually, pretty easy to bypass the verification first place.
SPOILER !!
I did it pretty quickly so i don't know all the algo behind it, but, first, lets just do:
~$ strings ./adventure
We can see some strings, and also some called functions wrote in plain text.
And we can note the use of "strlen" and "strncmp"
Then it check if the argv length is 5 (expecting "hello"). // Here is the use of STRLEN function
Then, we can see, it check if the string is good with "strncmp" function, but i don't know what with, and i will see later. (I'm at work, so, no time to go deep)
We can also see that the "strncmp" func it's call at least 2 times when we run the bin in GDB or something.
I try to rewrite the STRNCMP function and inject it, so:
https://linux.die.net/man/3/strncmp
int strncmp(char *str1, char *str2, size_t size) { return 0; }
Compile with GCC, Inject it with LD_PRELOAD, and Then:
~$ LD_PRELOAD=./i_adventure.so ./adventure 12345
Friendly greetings to you, hacker from another world !
So, why are you here ? : whatever_you_want_it_wont_verify_it
whatever_you_want_it_wont_verify_it ? good, good, welcome to the guild hall!
Senken on 11:06 PM 11/07/2019: Uni student here, this is the first reverse engineering experience of mine ever.
I have a few questions:
Is the goal getting the good, good message?
I understand using 2 arguments the second being hello are the requirements for verification.
So do i just need to change the final jump condition from jnz to jn in IDA ?
Senken on 11:07 PM 11/07/2019: from jnz to jz *
Senken on 11:35 PM 11/07/2019: it worked! but can i change the first ever jump:
jz short loc_84E
to
jz short loc_935
which is the wanted output ?
BitFriends on 4:57 PM 11/11/2019: Thanks for the good adventure! Got confused at the second check cuz im a beginner, but then i solved it
tr3xd1n0 on 5:12 PM 11/18/2019: @Sili thanks for explanation!
gwyn on 11:50 AM 03/26/2020: Hi - nice starter - not 100% sure of the intent of the 2nd test, but if I've got it right, maybe there should have been a call to basename() or equivalent somewhere?
Helixx on 11:11 PM 07/27/2020: I hope you make more of these, it was really fun to solve.
Shadorain on 12:01 AM 04/26/2021: Sili I don't believe you are right, the first check you had a good explanation to, the second though you are wrong that there is no valid input. No crackme would ever need you to make your own special libraries to inject.
Try an `ltrace` it will prove to you that it can work with some input ;)
bond_u on 9:51 AM 02/22/2022: Guys, its very easy!
The password is the first argument of the command line
Ex: ./adventure hello // PASSWORD == ./adventure
if /home/user/adventure // PASSWORD == /home/user/adventure