{"id":19544880,"url":"https://github.com/ariary/hack-weak-strcmp-code","last_synced_at":"2025-07-02T02:01:44.318Z","repository":{"id":109492951,"uuid":"151837357","full_name":"ariary/Hack-weak-strcmp-code","owner":"ariary","description":"A description of a basic hack over a C files using strcmp function","archived":false,"fork":false,"pushed_at":"2021-05-01T18:30:21.000Z","size":8,"stargazers_count":8,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-26T05:42:24.586Z","etag":null,"topics":["hack","reverse-engineering","security"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-06T12:22:11.000Z","updated_at":"2024-11-09T01:59:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"c43791bb-a6d1-45a1-afcf-40c3b3796ced","html_url":"https://github.com/ariary/Hack-weak-strcmp-code","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ariary/Hack-weak-strcmp-code","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHack-weak-strcmp-code","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHack-weak-strcmp-code/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHack-weak-strcmp-code/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHack-weak-strcmp-code/manif
ests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ariary","download_url":"https://codeload.github.com/ariary/Hack-weak-strcmp-code/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHack-weak-strcmp-code/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263061400,"owners_count":23407604,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hack","reverse-engineering","security"],"created_at":"2024-11-11T03:32:52.444Z","updated_at":"2025-07-02T02:01:43.101Z","avatar_url":"https://github.com/ariary.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hack-weak-strcmp-code\nA description of a basic hack of a C program that uses the `strcmp` function. The source file *password.c* is included only for documentation and is not supposed to be in the possession of the attacker. We will explain how to hack the executable *a.out*. When we execute it we are asked to enter a password and (if you do not have the *password.c* file) you will fail to log in:\n\n    You failed to log in. Try again :-(\n\n**So how do we get past this password barrier?**\n\n## Get the assembly code\nAs we have a binary file we want to examine it. A good way to do that is to get the assembly code.\n### Using objdump\nLinux's objdump tool displays information from an object or program including functions and read-only data. The command we run is:\n\n    objdump -d -j.text a.out\nThis command gives us access to the assembly code. Option `-d` disassembles the code to make it more readable and `-j` selects the section to examine (here `.text`).\nHere is the interesting snippet of the output in which we can see the call to `strcmp`:\n\n    400690:\te8 8b fe ff ff       \tcallq  400520 \u003cstrcmp@plt\u003e\n    400695:\t85 c0                \ttest   %eax,%eax\n    400697:\t75 0c                \tjne    4006a5 \u003cmain+0x5f\u003e\n    400699:\tbf 80 07 40 00       \tmov    $0x400780,%edi\n\n### Using gdb\nWe launch the debugger on the binary:\n\n    gdb -q a.out\nWe launch the program with a breakpoint on the main function:\n\n    (gdb) break main\n    Breakpoint 1 at 0x40064a\n    (gdb) run\n    Starting program: /path/to/file/a.out \n    \n    Breakpoint 1, 0x000000000040064a in main ()\n    (gdb)\nWe can thus disassemble the code:\n\n    (gdb) disas main\n    Dump of assembler code for function main:\n       ...\n       0x0000000000400688 \u003c+66\u003e:\tmov    %rax,%rsi\n       0x000000000040068b \u003c+69\u003e:\tmov    $0x400776,%edi\n       0x0000000000400690 \u003c+74\u003e:\tcallq  0x400520 \u003cstrcmp@plt\u003e\n       0x0000000000400695 \u003c+79\u003e:\ttest   %eax,%eax\n       0x0000000000400697 \u003c+81\u003e:\tjne    0x4006a5 \u003cmain+95\u003e\n       0x0000000000400699 \u003c+83\u003e:\tmov    $0x400780,%edi\n       0x000000000040069e \u003c+88\u003e:\tcallq  0x4004f0 \u003cputs@plt\u003e\n       0x00000000004006a3 \u003c+93\u003e:\tjmp    0x4006af \u003cmain+105\u003e\n       0x00000000004006a5 \u003c+95\u003e:\tmov    $0x4007a0,%edi\n       ...  \n    End of assembler dump.\n\n## Modify it\n### Using Hexedit\n*Hexedit* is a tool that allows you to edit and analyze files in hexadecimal.\nThe aim is to change the `jne` opcode (`0x75`) to the `je` opcode (`0x74`) in order to bypass the conditional branch after the `strcmp`.\n### Using gdb\nWe see at 0x0000000000400690 a call to `strcmp`, i.e. a string comparison function, then a test and a conditional jump (`jne`). We can try to transform the `jne` (jump if not equal) into `je` (jump if equal) and then continue the program. The opcode of `jne` is `0x75`, and that of `je` is `0x74`:\n\n    (gdb) set {char}0x0000000000400697=0x74\n    (gdb) continue\n    Continuing.\n    Please enter the password:\n    wecantapeanythingevenwrongpwd\n    Congratulations you are log in\n    [Inferior 1 (process 3577) exited normally]\nNote that another technique is to observe which strings are compared by `strcmp` by setting a breakpoint and manipulating the registers. Here we simply bypass the comparison mechanism.\n\n## Other ways\n### Using strings\n**strings** is a Unix program for finding character strings in binary files.\n\n    strings a.out -d\nAnd here is the output:\n\n    /lib64/ld-linux-x86-64.so.2\n    libc.so.6\n    __isoc99_scanf\n    puts\n    __stack_chk_fail\n    strcmp\n    __libc_start_main\n    __gmon_start__\n    GLIBC_2.7\n    GLIBC_2.4\n    GLIBC_2.2.5\n    UH-P\n    AWAVA\n    AUATL\n    []A\\A]A^A_\n    Please enter the password:\n    hackm3\n    Congratulations you are log in\n    You failed to log in. Try again :-(\n    ;*3$\"\nYou can write a script that tries all the candidate strings. It is not the most powerful attack because if access is locked after too many incorrect passwords, the attack will be delayed a bit.\n\n### Using ltrace\n**ltrace** is a debugging utility on Linux, used to display the calls a userspace application makes to shared libraries.\n\n    ltrace ./a.out \nHere is the output:\n\n    __libc_start_main(0x400646, 1, 0x7ffdb5632e68, 0x4006d0 \u003cunfinished ...\u003e\n    puts(\"Please enter the password:\"Please enter the password:\n    )      = 27\n    __isoc99_scanf(0x400773, 0x7ffdb5632d60, 0x7fc613a0b780, 0x7fc61373c6e0\nI enter \"test\":\n\n    test\n    ) = 1\n    strcmp(\"hackm3\", \"test\")                = -12\n    puts(\"You failed to log in. Try again \"...You failed to log in. Try again :-(\n    ) = 36\n\nWe see that `strcmp(\"hackm3\", \"test\")` is shown in clear text, so we can read the password directly.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fhack-weak-strcmp-code","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2Fhack-weak-strcmp-code","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fhack-weak-strcmp-code/lists"}