Dear Reader,
Hello and welcome to this post, I will discuss my adventures on a Rust CrackMe I saw in a Reverse Engineering Discord server, this CrackMe as you may know already is powered by the Rust Lang, This language is AMAZING and it’s really close to C++.
Hello Rust! Nice to Meet You!
So, I downloaded the CrackMe and quickly went into my good ol’ bud x64DBG, which is the one I commonly use for my RE projects… Started analyzing it and… Wait what? as soon as I hit the OEP I start seeing a bounch of weird things (being new to a Rust binary, that’s quite understandable), eg. instead of having a normal control flow, I started seeing how I had to keep on going further deep in between calls and things like that. So that was quite painful to go through, Also I couldn’t trace step out because it would obivously would skip the calls and then I would be out of luck, and also couldn’t trace call stack because it showed no hints what so ever of what was being called, it would always show calls from kernel and stuff, but not from the internal binary.
IDA to the rescue!
So as I called it a defeat with x64DBG, I called in IDA, and started working on it, IDA has cool graphs and plugins that will help you setup your pace back on tracks and will allow you to have a more broader approach when analyzing something…
So once I started working on it, I noticed where the binary had some interesting strings showing up, so I went there and lo’ and behold there they were!
So I went to where it was being used, and here we are, finally!
So I quickly assumed this was the main function where everything was going down, so I love the renaming feature of IDA so why not use it? 😜
So, not only I noticed that Rust does all those weird things with the control flow as I mentioned before, but also the compiler adds a bunch of other junk stuff, however thankfully, now that I got the main function, I can call it a day and skip all the junk stuff, and just focus on this part only.
CrackMe, What’s your sorcery?
So this CrackMe, (skipping ahead some prior reversing) was relatively simpe as the name suggests, not minding any of the junk stuff compiler adds, I just had to focus on this part:
This is where the meat is, more importantly inside checkPwdHash at 0xE11411 function that you see there, is where the actual algorithm that checks password is.
and it’s as simple as, getting all the bytes in a byte arry, and sum them all together, the output will be the checksum for the string, viola!
so in python it would be someting like this:
1 | def calc_checksum(the_bytes): |
Run it here! / Grab a more dedicated source HERE
Wrap Up!
This was a really a really cool excercise and it was the very first Rust CrackMe I ever did!
So, first, I’m sorry if I didn’t provided the actual method to crack this down, but as the title suggested it was just a reversing session, I wasn’t aiming to crack the actual password because the bruteforce would just take a lot of time.
Second, shout out and thanks to the author (mgostIH#0245) of the CrackMe who obviously the one who provided it first.
And that’s it, I’m out!