EZwan2
crackmes.one (DirkD)
It's very similar to the previous challenge. A big number containing the key is put on the stack, and a for loop checks the password. Again, the size is 8, but the way the program checks the password is a little bit different.
```c
local_38 = 0x75746172676e6f43;   /* "Congratu" (little-endian) */
local_30 = 0x20736e6f6974616c;   /* "lations " */
local_28 = 0x2064696420756f79;   /* "you did " */
local_20 = 0x217469;             /* "it!" */
local_40 = 0x32b6e514;           /* packed 4-bit indices, consumed low nibble first */
/* some code */
for (i = 0; i < 8; i = i + 1) {
  /* compare the byte at index (local_40 & 0xf) of the stack string with argv[1][i] */
  if (*(char *)((long)&local_38 + (long)(int)(char)((byte)local_40 & 0xf)) != *(char *)((long)i + *(long *)(argv + 8))) {
    puts("Wrong Password , please try again! ");
    exit(0);
  }
  local_40 = local_40 >> 4;      /* move to the next index */
}
```
`local_38` to `local_20` holds our password, BUT the program uses `local_40` as an index to get some specific bytes from that memory. It also shifts `local_40` right by 4 bits after each comparison, so the index changes on every iteration. Let's make a small Python script to see the indices more clearly; I'll then pick the bytes out of `local_38` by hand. Remember, `0x43` is at index 0 and `0x75` at 7! So `0x6c` from `local_30` is at index 8.
```python
index = 0x32b6e514
while index != 0:
    print(index & 0xf)   # low nibble is the current index
    index = index >> 4   # same shift as the binary
```
```
4 1 5 14 6 11 2 3
```
Let's get the funny bytes and check what we got!

```shell
python -c 'print(chr(0x72) + chr(0x6f) + chr(0x61) + chr(0x73) + chr(0x74) + chr(0x69) + chr(0x6e) + chr(0x67))'
```

```
roasting
```
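The same recovery done end to end, as an added script that is not part of the original write-up: it lays the four stack qwords out little-endian, decodes the nibble indices from `local_40`, reads the password straight out of the buffer instead of by hand, and re-implements the binary's loop as `check_password` so a candidate can be verified offline. All constants are the ones from the decompiled code above.

```python
import struct

# Constants copied from the decompiled check function (local_38 .. local_20, local_40)
STACK_QWORDS = [0x75746172676e6f43, 0x20736e6f6974616c,
                0x2064696420756f79, 0x217469]
INDEX_WORD = 0x32b6e514
PASSWORD_LEN = 8


def stack_buffer() -> bytes:
    """Lay the qwords out as the CPU does: little-endian, local_38 first."""
    return b"".join(struct.pack("<Q", q) for q in STACK_QWORDS)


def nibble_indices(word: int, count: int = PASSWORD_LEN) -> list:
    """Index i is the low nibble of word after i right-shifts by 4 bits."""
    return [(word >> (4 * i)) & 0xF for i in range(count)]


def derive_password() -> str:
    """Pick the bytes the loop compares against argv[1], in loop order."""
    buf = stack_buffer()
    return "".join(chr(buf[i]) for i in nibble_indices(INDEX_WORD))


def check_password(candidate: str) -> bool:
    """Re-implementation of the for loop: True if the binary would accept it."""
    buf = stack_buffer()
    data = candidate.encode()
    if len(data) < PASSWORD_LEN:   # the binary would read past a short argv[1]
        return False
    word = INDEX_WORD
    for i in range(PASSWORD_LEN):  # only the first 8 bytes are ever compared
        if buf[word & 0xF] != data[i]:
            return False
        word >>= 4
    return True


if __name__ == "__main__":
    print(stack_buffer().rstrip(b"\0").decode())  # Congratulations you did it!
    print(nibble_indices(INDEX_WORD))              # [4, 1, 5, 14, 6, 11, 2, 3]
    pw = derive_password()
    print(pw, check_password(pw))                  # roasting True
```

Note that, like the binary, `check_password` only looks at the first 8 bytes, so a longer argument with the right prefix is also accepted.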