ELF x86 — Basic Root-Me (Cracking)
Yet another easy challenge. So let’s directly get into the challenge. First, we will see what type of file it is.
This is a statically linked binary and it is not stripped. I used strings in this challenge and we get the answer :) But I’ll take the long way. I will open the binary with Cutter. Then we go to the decompiler section. Again, as I said in previous blogs, I like to use Ghidra. jsdec is sometimes annoying to analyze with.
Let us analyze the code. We take the first input into iVar1 and then there is a string comparison. Then, inside the “if” condition, we have the second input from the user, which is stored in uVar3. The second strcmp is clear: it compares uVar3 to “the ripper” and stores the result of strcmp in iVar1. But the first strcmp has one parameter missing.
There is no doubt it takes in arg_ch as the second parameter. But is this valid? So I tried using the jsdec decompiler. You can choose the decompiler type in Cutter by changing the option on the bottom right.
It used the second parameter here! I tried this in gdb and yeah, it did use a second parameter :( The Ghidra decompiler let me down this time. But anyway, we try giving “john” and “the ripper” as user input.
And we have our flag. An easy challenge, but Ghidra did confuse us.
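An added example, not code from the original post or from the challenge binary: the two-strcmp check described above, next to a strings-style scan over a constructed byte blob, showing why literals compared with strcmp can be read without running the program. The function names, return convention and the RODATA bytes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of a binary's read-only data:
   non-printable bytes around NUL-terminated literals. Not real challenge bytes. */
static const unsigned char RODATA[] =
    "\x7f" "ELF" "\x01\x01" "\0" "john" "\0" "the ripper" "\0" "\x02\x03";

/* The check as the write-up describes it: two strcmp() calls, each taking
   two arguments. Function name and return convention are assumptions. */
int check_credentials(const char *first, const char *second)
{
    if (strcmp(first, "john") != 0)              /* first input */
        return 0;
    return strcmp(second, "the ripper") == 0;    /* second input */
}

/* strings(1)-style scan: returns 1 if `needle` is exactly one of the runs
   of printable bytes, at least min_len long, found in buf. */
int run_present(const unsigned char *buf, size_t len, size_t min_len,
                const char *needle)
{
    size_t start = 0, nlen = strlen(needle);
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i]))
            continue;                    /* still inside a printable run */
        size_t run = i - start;          /* the run is buf[start .. i) */
        if (run >= min_len && run == nlen &&
            memcmp(buf + start, needle, nlen) == 0)
            return 1;
        start = i + 1;                   /* next run begins after this byte */
    }
    return 0;
}

int main(void)
{
    printf("john visible: %d\n", run_present(RODATA, sizeof RODATA, 4, "john"));
    printf("the ripper visible: %d\n",
           run_present(RODATA, sizeof RODATA, 4, "the ripper"));
    printf("check passes: %d\n", check_credentials("john", "the ripper"));
    return 0;
}
```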
Do check out my other blogs and give some claps if you reached here.
Goodbye!