ker2x's guild hall adventure Ch.1

Author:
ker2x

Language:
C/C++

Upload:
2019-06-23 15:58

Download

Platform:
Unix/linux etc.

Difficulty:
1.2

Quality:
4.4

Arch:
x86-64

Downloads:
13

Size:
8.34 KB

Writeups:
11

Comments:
19

Description

Friendly greetings ! It *should* be very easy (hopefully). It's a 2 step adventure. I didn't hide anything, didn't try to obfuscate anything. The code might be a little confusing with some branching and a bunch of check and verbosity. But it's good old C that's not trying anything tricky. I'm planning to write a full text adventure that's impossible to solve without disassembling, for fun. =^_^= Please let me know what you think. it's hard to evaluate the difficulty of disassembling when you already know the C source ...

Comments (19)
Writeups (11)

You must be logged in to post a comment

ker2x on 2019-06-25 19:53: chapter 2 is almost completed :)

ze3lex on 2019-06-26 16:07: Nice one, I liked it :)

ker2x on 2019-06-26 16:34: thx

ker2x on 2019-07-01 15:59: Thx to everyone who posted a solution. the chapter 2 is still planned of course. Almost done (but i just discovered this game dota underlords...)

ker2x on 2019-07-04 18:49: Chapter 2 is online and include the chapter 1 (because it was missing a challenge, i uploaded the wrong binary version)

csgo on 2019-07-08 20:22: what are the passwords

ker2x on 2019-07-09 17:29: Yay ! 4 solutions

ker2x on 2019-07-09 17:29: Chapter 2 and 3 are online and i already have the main challenge idea for chapter 4 :]

NichtBesondres on 2019-09-02 16:36: Yo! Just wanted to say I had a super fun time with this challenge! I am still a novice so playing with gdb to solve this made for an excellent time! Please keep up the work! This was a lot of fun! :)

Sili on 2019-09-16 16:06: Yeah actually, pretty easy to bypass the verification first place. SPOILER !! I did it pretty quickly so i don't know all the algo behind it, but, first, lets just do: ~$ strings ./adventure We can see some strings, and also some called functions wrote in plain text. And we can note the use of "strlen" and "strncmp" Then it check if the argv length is 5 (expecting "hello"). // Here is the use of STRLEN function Then, we can see, it check if the string is good with "strncmp" function, but i don't know what with, and i will see later. (I'm at work, so, no time to go deep) We can also see that the "strncmp" func it's call at least 2 times when we run the bin in GDB or something. I try to rewrite the STRNCMP function and inject it, so: https://linux.die.net/man/3/strncmp int strncmp(char *str1, char *str2, size_t size) { return 0; } Compile with GCC, Inject it with LD_PRELOAD, and Then: ~$ LD_PRELOAD=./i_adventure.so ./adventure 12345 Friendly greetings to you, hacker from another world ! So, why are you here ? : whatever_you_want_it_wont_verify_it whatever_you_want_it_wont_verify_it ? good, good, welcome to the guild hall!

Senken on 2019-11-07 23:06: Uni student here, this is the first reverse engineering experience of mine ever. I have a few questions: Is the goal getting the good, good message? I understand using 2 arguments the second being hello are the requirements for verification. So do i just need to change the final jump condition from jnz to jn in IDA ?

Senken on 2019-11-07 23:07: from jnz to jz *

Senken on 2019-11-07 23:35: it worked! but can i change the first ever jump: jz short loc_84E to jz short loc_935 which is the wanted output ?

BitFriends on 2019-11-11 16:57: Thanks for the good adventure! Got confused at the second check cuz im a beginner, but then i solved it

tr3xd1n0 on 2019-11-18 17:12: @Sili thanks for explanation!

gwyn on 2020-03-26 11:50: Hi - nice starter - not 100% sure of the intent of the 2nd test, but if I've got it right, maybe there should have been a call to basename() or equivalent somewhere?

Helixx on 2020-07-27 23:11: I hope you make more of these, it was really fun to solve.

Shadorain on 2021-04-26 00:01: Sili I don't believe you are right, the first check you had a good explanation to, the second though you are wrong that there is no valid input. No crackme would ever need you to make your own special libraries to inject. Try an `ltrace` it will prove to you that it can work with some input ;)

bond_u on 2022-02-22 09:51: Guys, its very easy! The password is the first argument of the command line Ex: ./adventure hello // PASSWORD == ./adventure if /home/user/adventure // PASSWORD == /home/user/adventure

You must be logged in to submit a writeup

Solution by SYS_V on 2019-06-25 15:15:
Great crackme! PS, if you are into reverse engineering, check out https://reverseengineering.stackexchange.com/ . There I go by my real name, Julian.

Download

Solution by kawaii-flesh on 2019-06-25 18:29:
Solution with radare2

Download

Solution by paypain on 2019-06-27 00:13:
A hug from Mr.'Paypain'

Download

Solution by karubabu on 2019-07-05 22:55:
solution with ltrace

Download

Solution by D4RKFL0W on 2019-07-13 20:59:
Found this one a little tricky, nice crackme though

Download

Solution by jatm on 2019-10-12 02:19:
Just a simple solution, with a lot of comments and side-knowledge, to check that you will fully understand what is happening when you doing this. If noob, you will have a lot of additional reading for that but I think it will be worth. Best regards, jatm

Download

Solution by 4rr4y on 2020-02-24 09:13:
Fun crack me :)

Download

Solution by elprofesor on 2020-03-24 02:18:
only a pdf with some text and pictures. Thanks.

Download

Solution by Shadorain on 2021-04-26 01:23:
What a fun crackme! Here is my solution in markdown, if you would rather a rendered version on a pretty site here is a link:https://shadorain.github.io/blog/Security/Reversing/Crackme_gha1. Hope you enjoy!

Download

Solution by Kryptoenix on 2021-09-05 17:55:

Download

Solution by 2ourc3 on 2022-12-05 12:56:
write up by 2ourc3 (bushido-sec.com)

Download

crackmes.one

crackmes.one

ker2x's guild hall adventure Ch.1