CTF Series — Post #2
Throughout this series, I will share with you my solutions to CTF challenges that I dealt with.
To solve this CTF I used two different tools:
- PeStudio — a tool that offers static analysis capabilities for examining executables. It can detect anomalies, gather information on imports and exports, extract strings, retrieve scores from VirusTotal, and much more.
- IDA — IDA (Interactive Disassembler) is a disassembler, which converts machine language instructions to assembly language instructions. It offers advanced features like interactive debugging, automatic code analysis, and graphing tools to help visualize control flow and data structures.
Throughout my posts, I’ll be walking you through the strategies and steps I took to solve the challenges and how to reach for the key.
Keep in mind that my approach isn’t the only “right” solution, but I hope that my insights and methods will inspire you to learn something new and start exploring the world of CTFs.
This post’s CTF challenge is sourced from Crackmes.com, specifically from the Windows section of the site.
Author: dajoh
Challenge Name: CrackMe1 — For ultimate beginners
Solution
After downloading the file and extracting its contents (using the password “crackmes.one”) I see there is no README, we only have one exe (executable) file named: “CrackMe1”.
The next step is looking at the strings of the file. By doing that I can get some helpful insights into what I’m dealing with.
Two interesting strings I found are: “IsDebuggerPresent”, “Enter password”.
IsDebuggerPresent is a check the file is probably doing to detect debuggers, if it is found — the program will usually terminate itself to prevent further debugging.
It appears that in this challenge our ‘flag’ is going to be to find a password.
I opened the file with PeStudio, the file is a C++ program, 32 bit.
Moreover, it seems like the program could be malicious, based on VT results that we get:
Time to run the program. Since the program might be malicious I will run it on a virtual machine.
A console window opened, asking for a password:
I’ll open the executable file in IDA disassembler to watch the disassembled code.
From looking a bit on the main function, I came across the next offset “Enter Password:” and also the offset: “easypassword” which is being passed to ecx register.
In the following code block (loc_401146), I noticed that a comparison was being made between ecx and eax. Given the offsets involved in this comparison, is it possible that we have indeed discovered the password we’ve been searching for?
I will switch for pseudo code in IDA.
The code appears to be using the strcmp function to compare the value of var12 with “easypassword”.
If they are equal, the program will return “Congratulations! You entered the correct password.”.
Else, the program will enter a while loop and prompt the user to enter a password again until the correct one is entered.
Seems like it’s time to check this password on our program.
I hope this post was helpful to you and provided valuable insights into the process of solving CTF challenges. Best of luck as you continue your quest for uncovering more flags!