HTB walkthrough: Impossible Password

The main function in assembly (rasm2 is used).

main function in assembly code

Let’s use Ghidra to better understand the program.

This code is translated to C from assembly.

main function in C

This is a simple authentication program with scanf() and strcmp().

  1. The first call is scanf(local_28, &DAT_00400a82), which reads the user input into local_28.
  2. Then it checks with strcmp(local_28,local_10).

We can assume that the program prompts for user input and checks it with the algorithm of some function.

The eye-catching variable is local_10, which is defined as “SuperSekretKey”.

strcmp(local_28,local_10) is essentially a simple check of whether the user input was “SuperSekretKey”.

Now we passed the first gate! :)

The following strcmp(local_28,__s2) seems to mean something, because __s2 derives from FUN_0040078d.

Have a look.

FUN_0040078d

What is this?

Your head is all caught up too much with these nonsensical looking variables and operations!

How about we go back?

What we do understand is that FUN_0040078d returns pvVar3.

Will this variable be used again?

Let’s go back to our main function.

main function in C

We see this FUN_00400978 at the end.

local_48 is a parameter of the function. 0x41 = ‘A’

Let’s have a look.

FUN_00400978

This function does not refer to any variable from other functions.

So, pvVar3 from FUN_0040078d is not used. Okay.

The function parameter is ‘A’ because it was local_10 = 0x41 in main().

Note that local_10 is a pointer.

Do you remember the 20 variables from main()?

The pointer points to the array of those…

{65,93,75,114,61,57,107,48,61,48,111,48,59,107,49,63,107,56,49,116}

We observe two major operations here.

  1. An XOR operation in putchar((int)(char)(*local_10 ^ 9))
  2. The operation is repeated 14 times, while ((*local_10 != 9) && (local_14 < 0x14))

Basically, the loop condition is

  • as long as the value pointed to by the pointer is not 9
  • until local_14 reaches 20 (decimal)
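The loop described above, as an added example that is not the author's code from the original post. The names decode, encode, XOR_KEY, MAX_LEN and ENCODED are hypothetical, and the extra length check exists only because a Python list has no trailing memory to read.

```python
# Added example: re-implements the decode loop described for FUN_00400978.
# All names here are hypothetical and chosen for this illustration.

XOR_KEY = 9      # constant from putchar((int)(char)(*local_10 ^ 9))
MAX_LEN = 0x14   # loop bound from (local_14 < 0x14), i.e. 20 in decimal

# The 20 values from main(), as listed in the walkthrough.
ENCODED = [65, 93, 75, 114, 61, 57, 107, 48, 61, 48,
           111, 48, 59, 107, 49, 63, 107, 56, 49, 116]


def decode(buf, key=XOR_KEY, limit=MAX_LEN):
    """Mirror the loop: stop at a byte equal to key, or after limit bytes."""
    out = []
    i = 0  # plays the role of the counter local_14
    # len(buf) check is an addition: the C loop relies on the bound alone.
    while i < len(buf) and buf[i] != key and i < limit:
        out.append(chr((buf[i] ^ key) & 0xFF))
        i += 1
    return "".join(out)


def encode(text, key=XOR_KEY):
    """XOR is its own inverse, so encoding is the same operation."""
    return [ord(c) ^ key for c in text]


if __name__ == "__main__":
    print(decode(ENCODED))
    # A byte equal to the key ends the loop early: 9 ^ 9 == 0, so the
    # value 9 is the encoded form of a C string terminator.
    print(decode(encode("AB") + [9] + encode("CD")))  # constructed input
```

The second call shows why the loop tests for 9: that value decodes to a NUL byte, so the check is an end-of-string test on the encoded data.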

I rewrote the code in Python just for why-not.

Python code

I left the code so you guys can still practice and understand what this code does.

Thank you for reading!