0x04 - crackme01e by noracodes
| binary | crackme01e.64 |
|---|---|
| sha256 | f01baae9fbf1aaf67ea4fb79b85c6e31777f1056f8125b541f50bb4de97d33c7 |
This sample is just a variant of the last crackme I solved by noracodes, the original writeup of which can be found here. Again, this was built locally on my machine so the SHA256 will be different if you build it yourself.
And again, this is built using the same make process and so it’s a 64-bit ELF which is not stripped.
❯ file ./crackme01e.64
./crackme01e.64: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=cad300e0d35281b03b8dbf9fe9aabc29551ceed9, for GNU/Linux 3.2.0, not stripped
Let’s try the same trick that worked last time, and just check for suspicious looking strings:
❯ rabin2 -z ./crackme01e.64
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00002004 0x00002004 26 27 .rodata ascii Need exactly one argument.
1 0x0000201f 0x0000201f 10 11 .rodata ascii slm!paas.k
2 0x0000202a 0x0000202a 23 24 .rodata ascii No, %s is not correct.\n
3 0x00002042 0x00002042 20 21 .rodata ascii Yes, %s is correct!\n
It works!
❯ ./crackme01e.64 slm\!paas\.k
Yes, slm!paas.k is correct!