ELF ARM basic crackme

Root-me challenge: Constant time. Get the validation password.


  1. Decompile, for example with Ghidra, and find:

```c
/* Ghidra output for the password check; param_1/param_2 are argc/argv.
   The includes and typedefs below are added so the decompiled code
   compiles as ordinary C; the body is the decompiler's, with comments. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char byte;
typedef unsigned int uint;

void FUN_00008470(int param_1, int param_2) {
    size_t __status;
    byte *__s;
    int __status_00;
    int local_14;

    if (param_1 != 2) {
        puts("Please input password");
        /* WARNING: Subroutine does not return */
        exit(1);
    }
    __s = *(byte **)(param_2 + 4);            /* argv[1] (32-bit ARM, 4-byte pointers) */
    printf("Checking %s for password...\n", __s);
    __status = strlen((char *)__s);
    if (__status != 6) {                      /* the password must be exactly 6 bytes */
        puts("Loser...");
        /* WARNING: Subroutine does not return */
        exit(__status);
    }
    __status = strlen((char *)__s);
    local_14 = -__status + 6;                 /* 0 for a 6-byte input */
    if (*__s != __s[5]) {                     /* s[0] == s[5], else local_14 becomes 1 */
        local_14 = -__status + 7;
    }
    if ((uint)*__s + 1 != (uint)__s[1]) {     /* s[0] + 1 == s[1] */
        local_14 = local_14 + 1;
    }
    if ((uint)__s[3] + 1 != (uint)*__s) {     /* s[3] + 1 == s[0] */
        local_14 = local_14 + 1;
    }
    if ((uint)__s[2] + 4 != (uint)__s[5]) {   /* s[2] + 4 == s[5] */
        local_14 = local_14 + 1;
    }
    if ((uint)__s[4] + 2 != (uint)__s[2]) {   /* s[4] + 2 == s[2] */
        local_14 = local_14 + 1;
    }
    /* each failed test adds 1; s[3] must be 0x72 and s[6] is the NUL terminator */
    __status_00 = local_14 + ((uint)__s[3] ^ 0x72) + (uint)__s[6];
    if (__status_00 == 0) {
        puts("Success, you rocks!");
        /* WARNING: Subroutine does not return */
        exit(0);
    }
    puts("Loser...");
    /* WARNING: Subroutine does not return */
    exit(__status_00);
}
```
  2. Analysis

  • The flag must be 6 characters => __s[6] is the terminating NUL, so that term of __status_00 is 0.

  • Every failed comparison adds 1 to local_14 and all three summands of __status_00 are non-negative, so success needs every test to pass => local_14 must also be 0.

  • __s[3] ^ 0x72 = 0x00 => __s[3] = 0x72 ('r').

  • Walk the remaining comparisons outward from __s[3], fixing each item of the array in turn.

  • Convert the byte values to ASCII to get the password.
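
Carrying that walk through in code, as an added example that is not part of the original write-up: `check` re-implements the scoring of the decompiled function above and `solve` derives each byte from the single absolute constraint; both function names are my own.

```python
# Added example: re-implement the decompiled check and derive the password from it.
# The function names (check, solve) are my own, not from the binary.


def check(pw: bytes) -> int:
    """Mirror FUN_00008470's scoring: the return value is the exit status, 0 on success."""
    if len(pw) != 6:
        return len(pw)          # the binary exits with strlen(argv[1]) as its status
    s = pw + b"\x00"            # s[6] is the terminating NUL read by the last test
    local_14 = 6 - len(pw)      # 0 for a 6-byte input
    if s[0] != s[5]:
        local_14 = 7 - len(pw)  # i.e. 1: the first failed test costs one point too
    if s[0] + 1 != s[1]:
        local_14 += 1
    if s[3] + 1 != s[0]:
        local_14 += 1
    if s[2] + 4 != s[5]:
        local_14 += 1
    if s[4] + 2 != s[2]:
        local_14 += 1
    # all three summands are non-negative, so 0 needs every test to pass,
    # s[3] == 0x72 and s[6] == 0
    return local_14 + (s[3] ^ 0x72) + s[6]


def solve() -> bytes:
    """Walk the comparisons outward from s[3], the only byte fixed absolutely."""
    s = [0] * 6
    s[3] = 0x72              # s[3] ^ 0x72 == 0
    s[0] = s[3] + 1          # s[3] + 1 == s[0]
    s[1] = s[0] + 1          # s[0] + 1 == s[1]
    s[5] = s[0]              # s[0] == s[5]
    s[2] = s[5] - 4          # s[2] + 4 == s[5]
    s[4] = s[2] - 2          # s[4] + 2 == s[2]
    return bytes(s)          # convert the byte values to the ASCII password


if __name__ == "__main__":
    pw = solve()
    print(pw.decode(), "->", "Success, you rocks!" if check(pw) == 0 else "Loser...")
```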


Resources

Counter moves

A basic ARM crackme exposes its comparison plainly: even simple obfuscation would have slowed this down. Seen from the other side, this belongs in the blue notes on the application layer, where the binary itself is the target.