I have this piece of code from a binary file that asks for a user and password. I managed to find the user "mari" and the password "luig", but it says wrong username. Here is the code:

    undefined8 main(void)
    {
      int iVar1;
      undefined4 local_96;
      undefined2 local_92;
      undefined local_90;
      undefined4 local_8f;
      undefined2 local_8b;
      undefined local_89;
      char local_88 [64];
      char local_48 [64];

      local_8f = 0x6769756c;
      local_8b = 0x3169;
      local_89 = 0;
      local_96 = 0x6972616d;
      local_92 = 0x316f;
      local_90 = 0;
      printf("enter username :");
      __isoc99_scanf(&DAT_00102019,local_48);
      iVar1 = strcmp(local_48,(char *)&local_96);
      if (iVar1 == 0) {
        printf("enter password :");
        __isoc99_scanf(&DAT_00102019,local_88);
        iVar1 = strcmp(local_88,(char *)&local_8f);
        if (iVar1 == 0) {
          printf("welldone use it to submit the flag :D");
        }
        else {
          printf("wrong password");
        }
      }
      else {
        printf("wrong username");
      }
      return 0;
    }

Why doesn't "mari" as user and "luig" as password work?

Steve Friedl
  • `0x6769756c` is not null terminated. `strcmp` will not consider it equal to `luig` – Paul Ogilvie Apr 25 '20 at 13:59
  • If you would use a debugger and inspect the variables, you would see this. – Paul Ogilvie Apr 25 '20 at 14:01
  • @PaulOgilvie I actually did with Ghidra; it shows me that the value is "luig", but if, as you said, it's not null terminated, what will strcmp consider it? – Mazen Al-ali Apr 25 '20 at 14:04
  • It will consider it greater. Step the code and inspect the variables, including the `strcmp` return value. – Paul Ogilvie Apr 25 '20 at 14:04
  • @PaulOgilvie sorry if I sound stupid, but I am new to this world. The code is clear and it's comparing my input with the local variable which has the value "mari", so by inspecting I am not sure what you mean... Again sorry, but I am really new – Mazen Al-ali Apr 25 '20 at 14:12
  • I find the code not very clear. I have never heard of `__isoc99_scanf` and what is variable `DAT_00102019` or type `undefined4`? – Paul Ogilvie Apr 25 '20 at 14:16
  • OK, sorry, I found it in the end: it was "mario1" and "luigi1" :D. Yes, it's a little weird; that's because it's an ELF file written in assembly language. Thanks anyway – Mazen Al-ali Apr 25 '20 at 14:19

1 Answer

The user name and password to compare with are stored in integer variables as hex:

    local_8f = 0x6769756c;  // 4 byte variable: g i u l
    local_8b = 0x3169;      // 2 byte variable: 1 i
    local_89 = 0;           // 1 byte variable: \0

    local_96 = 0x6972616d;  // 4 byte variable: i r a m
    local_92 = 0x316f;      // 2 byte variable: 1 o
    local_90 = 0;           // 1 byte variable: \0

These variables are stored in memory with the bytes reversed.

So variable `local_8f`, when interpreted as a string in memory, actually reads `luigi1\0`, and variable `local_96`, when interpreted as a string in memory, actually reads `mario1\0`. And those are the uid/pwd you must enter.

Paul Ogilvie
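The byte reversal described in the answer, as an added example that is not part of the original post: it rebuilds both strings from the constants in the decompiler listing, assuming a little-endian target. `struct store` and `rebuild_stack_string` are names made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One constant store as the decompiler shows it: the value and its width in
   bytes (undefined4 = 4, undefined2 = 2, undefined = 1). Hypothetical type. */
struct store { uint32_t value; size_t width; };

/* Lay the stores out back to back the way a little-endian target does
   (assumed here): least significant byte first. Extracting bytes by shifting
   keeps the result independent of the host's own byte order. Returns the
   number of bytes written, or 0 if a piece is malformed or does not fit. */
size_t rebuild_stack_string(const struct store *s, size_t n,
                            char *out, size_t outsz)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i].width == 0 || s[i].width > 4 || outsz - pos < s[i].width)
            return 0;
        for (size_t b = 0; b < s[i].width; b++)
            out[pos++] = (char)((s[i].value >> (8 * b)) & 0xff);
    }
    return pos;
}

/* Constants copied from the listing in the question:
   local_96/local_92/local_90 and local_8f/local_8b/local_89. */
static const struct store username[] = { {0x6972616d, 4}, {0x316f, 2}, {0, 1} };
static const struct store password[] = { {0x6769756c, 4}, {0x3169, 2}, {0, 1} };

int main(void)
{
    char user[8], pass[8];
    if (!rebuild_stack_string(username, 3, user, sizeof user) ||
        !rebuild_stack_string(password, 3, pass, sizeof pass))
        return 1;
    /* The terminating NUL comes from the 1-byte store, so strcmp() in the
       binary compares all six characters, not just the first four. */
    printf("username: %s\npassword: %s\n", user, pass);
    return 0;
}
```

The same layout is why the three adjacent locals behave as one buffer when `strcmp` is handed the address of the first.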