Reverse Engineer the EasyPass Challenge

Posted on August 27, 2020 • 3 min read • 581 words


In this short tutorial, we will see how to use radare2 to reverse engineer the EasyPass challenge from HTB. Let's start by looking at what the program does.

Apparently, the program just wants a password. When I tried "test", I just got a message with the text "Wrong password".

So, let’s load up the binary in r2.

r2 EasyPass.exe

Now, we are ready to start our analysis using reverse engineering. First, let radare2 do the difficult job of analyzing the program structure and discovering functions.

peter@terra> r2 EasyPass.exe
 -- Your problems are solved in an abandoned branch somewhere
[0x00454450]> aav
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x00454600 to 0x00455000 (aav)
[x] 0x00454600-0x00455000 in 0x454600-0x455000 (aav)
[x] 0x00454600-0x00455000 in 0x401000-0x454600 (aav)
[x] Value from 0x00401000 to 0x00454600 (aav)
[x] 0x00401000-0x00454600 in 0x454600-0x455000 (aav)
[x] 0x00401000-0x00454600 in 0x401000-0x454600 (aav)
[0x00454450]> s entry0

Finding the right place

Well, we are now at the entry point of the program. However, at startup this program only constructs the window and draws it to the display. That is not what we are interested in; we are looking for the password check. So, let's try to find that section by searching the binary for strings which contain the word Password.

[0x004540e1]> izz | grep Pass
2814 0x0002a105 0x0042ad05 13  14   CODE    ascii   \fPasswordChar
5490 0x00053600 0x00454200 15  16   CODE    ascii   Wrong Password!
7078 0x000622ad 0x004682ad 14  15   .rsrc   ascii   Enter Password
7090 0x0006232e 0x0046832e 23  24   .rsrc   ascii   Check Password\bTabOrder

As "Wrong Password" was the text of the message we got after our wrong attempt, this might be a good starting point.

[0x00454450]> s 0x454200

Let's switch into the visual mode with V and have a look at what we find at this position. You can use p or P to cycle between the different views.

If we scroll up a bit, we can see another string in the hexdump. "Good job." sounds exactly like what we are looking for.

Hence, we search for "Good" and note its location. We have already seen that we are actually in a data section of the binary which only contains strings, no code. So we must find the code that references this string.

[0x004541dc]> axt 0x4541dc
(nofunc) 0x454138 [DATA] mov eax, 0x4541dc

With axt (cross-references To an address) we find this location. Let's again jump into the visual mode and have a look at the disassembly.

Disassembly at the interesting location.
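The string search and the xref lookup above are the two steps worth scripting when triaging a crackme. The following helper is an added example, not code from the original post: it parses the textual `izz` and `axt` output that radare2 printed above (the sample lines below are constructed from that output) and pulls out the string addresses and the code address that references one of them, so the follow-up `axt`/`s` commands can be generated instead of typed.

```python
import re

# Constructed sample, copied from the walkthrough's izz output. Column layout:
# nth paddr vaddr len size section type string
IZZ_SAMPLE = """\
2814 0x0002a105 0x0042ad05 13  14   CODE    ascii   \\fPasswordChar
5490 0x00053600 0x00454200 15  16   CODE    ascii   Wrong Password!
7078 0x000622ad 0x004682ad 14  15   .rsrc   ascii   Enter Password
7090 0x0006232e 0x0046832e 23  24   .rsrc   ascii   Check Password\\bTabOrder
"""

# Constructed sample of the axt output for the "Good job" string address.
AXT_SAMPLE = "(nofunc) 0x454138 [DATA] mov eax, 0x4541dc\n"

IZZ_RE = re.compile(
    r"^(?P<nth>\d+)\s+(?P<paddr>0x[0-9a-f]+)\s+(?P<vaddr>0x[0-9a-f]+)\s+"
    r"(?P<len>\d+)\s+(?P<size>\d+)\s+(?P<section>\S+)\s+(?P<type>\S+)\s+(?P<string>.*)$"
)
AXT_RE = re.compile(r"^(?P<func>\S+)\s+(?P<addr>0x[0-9a-f]+)\s+\[(?P<kind>\w+)\]\s+(?P<disasm>.*)$")


def parse_izz(text):
    """Turn izz lines into dicts with integer addresses; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = IZZ_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["vaddr"] = int(d["vaddr"], 16)
            d["paddr"] = int(d["paddr"], 16)
            out.append(d)
    return out


def code_strings(text, pattern):
    """Strings matching pattern that are not in the resource section: those are the
    ones most likely to sit next to the check logic rather than in GUI resources."""
    return [s for s in parse_izz(text)
            if re.search(pattern, s["string"], re.IGNORECASE) and s["section"] != ".rsrc"]


def xref_commands(text, pattern):
    """Emit one axt command per candidate string, ready for r2 -q -c."""
    return ["axt 0x%08x" % s["vaddr"] for s in code_strings(text, pattern)]


def parse_axt(text):
    """Map each axt hit to (referencing code address, disassembly)."""
    hits = []
    for line in text.splitlines():
        m = AXT_RE.match(line.strip())
        if m:
            hits.append((int(m.group("addr"), 16), m.group("disasm")))
    return hits
```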

Understanding the challenge

fcn.00427a30 is called twice: once in the last row, and once a few rows earlier. In both cases, immediately before the call, the address of a string is written to eax. radare2 was able to identify the last string ("Wrong password"), and we already know the address used by the first call: it is the address we found for the "Good job" string. So the interesting question is now when each part is reached. Right before the first mov+call sequence, there is a comparison followed by a jne which would skip the "Good job" string. You can see this in the jump arrows radare2 draws for us, or by looking at the jump address. Scrolling a bit further up, we see a series of calls to the same function (at 0x4042b4), and the xref lookup we ran in the beginning (aav) also dereferenced some characters for us. Do we already have our password?

Finding xrefs is a very helpful trick in understanding this crackme!

Gotcha!

Nextlevel v/Peter Schneider
