[CrackMe] BabyELF Revenge

elf
linux
binary
reverseengineering

#1

BabyELF Revenge


Description

A BabyELF sequel since @0x00pf and @Leeky nailed it in no time (I hope this one cannot be solved the same way :sweat_smile:).


Rules

  • Make the binary display Congrats!
  • Patch more than 4 bits and you’re disqualified. Don’t patch any instruction!

Binary

base64 -d dump | gunzip > babyelf_revenge
H4sICFCLM1sAA2JhYnllbGYA7VlfbBTHGZ9dn80Bl/NiTAM2LRcwjUlhsYlxIWkbDvswprYB+0xV
pbCs79bew/fH2dujdopaksMQ4lpBbZSXPkAUNe0DEZUiRahtiKkJLgoPLqUvVdSkIlHPjVPRhlIe
XK7fNzO7N3c4Uvtcj/V55jffb75v/u59O/uDUMcuSZKIk2RSRhBNZz3eJsjDK1l9EwmQxaSerCGr
SQXFIMeBAxKABijlUOcBKcN2gMPPebwoywEv5zqJC03QFsWzCHSLWHuiML23EuSsx4uCtutAKrhe
hqwa9NWgQ8kBRqngPlBM4JvgG6UVcKug2/exHfUB2XfS40XZCHUbBf1+0JN5UgVzT7pBL/bvHtTd
E8a3OR7r2xyPborHkplhNZ1StzCdwvVtXb18rpnNAG9bzecO9ZcOf/GllU+8+KebiZfuX2j8y5Fv
vPHoe8hfxG3QuQrQprTujW/emijt71ahXAXSUILXlOCaEtwlYHT0tRL9UpDZUVg/yJfh6GDcERxv
M9Ha92ppOxpLapm0ESVDGTtNNKjRI4NaxBzU+vVYnFiGHiVp24okhkCJjZFh2VpCjyWhZiCRSvIa
jbR1tO9s0baoTW6pgc0h7liZltjeYrnC+1kdiz2Es3qQ1ykUy2SA6+dg/SpgMn3nPN5FMBAFczBX
jTksxkpevxpzWKye7Kw3NwUNn5ucWk3IWHYun8+PTtjlOQsqs1e8T08WrUF+qwda5td74T/F69GT
icWZD6Fpfj16NFE3M00xejaxqzMTFGMPTDyFM7+gGHti4nLMnKMYR9B/xvHX+Omh03/OfnR7X7jb
nIa1MYfg3/4D5nsn4Jy8A/w7/WfEv7HVdZMivvgVML+pHv5l71UcrbmINmF4y3pPf5ydrTZRkZ/O
XlGufTZ5Ztz+MrlY7/Av35NP/+byX9dI07+7Z9f+kja8YVfRhso+1vIGa4kNx3/9KFKOfx0VJLOc
8ry5Y9DFq+VYJwER+qPA8MaU0RuZ8k9+PH6UOHb/wTq0j5mcyUCz8Y46D4w8/8wc6PaD0ngVT9Tp
0J3GianQLDacCt3GLDvrOVIxHprdd4Tkvnc/nwcTp0O5sVAum5OutpbPAsFr3oaJQ06unTFGJzJV
2VmfeQfqcwar+0TBmvtY08Nq6ISN9d4xHl+BzmFfPAaKsc65a+P6HIyn91sHenKnoOq5yVM12BPf
WLwuMP6mDwaQO/tvGEXWC8UNVy/fl0fv2usb8+Nv8S7n7bqNKL35l3+FnOyUBA63/ytzK3vF9/Qh
7eAkzM9nk3yPrqM+1tXwTVnGz8agMUhaUskBS7fTj5CwNRIwdStqWI+gvrbsyXrCnkVh6Ao+M98B
M7hbo+DwZcivQP4hYc8qTNKz3UQ65pVqfR7PCxJ7TsC5IF5ofxgJfu8uv29P5VLbM0yeqnnysS11
a9HHDpC9YPs15LT6JNKmlMsZ0lJZljlWIZ+BiuC7LWBzN6jjIL8FLp5hEvR7R+Wg33eqLOhXTnqC
/upseZc/EPPXtfrrW/0bg/6GTn+gzV8dnPQrwat+X3DK7w2+6/ew84/r8z7YkslCWkgLaSEtpIW0
kP7f0zmIj4+fYDG6847qA2mA92B4YSA3IcZbRdg7Xy1hMRK+L/kAr+b4n/fzqfPwvonvZh3Pw3sF
5NcBL4H8GcLelzAGWcF9llHHHi/GIhgTYUy1DORh9AN+sUwgx3ct7NhynkP4kpoG+xCKpbCftyG/
9Dzr+/+a8P3ZKR8FXydBXgF5HeStbEHX1tLyRKC+ty+TtDOBrWqT2rCpOUNR4/cbm9WGJnX7BlYf
2NLQ2NzQ3LB9Xn94H8DGzm4BTBeziOwFF9PZIedd7KH4uovpGzCdZ4bp7QC55OJFFE+7mA8l6+DF
FHpdvITiBhcvpfiwi30UT7j4IWbfxX6KcZ8wXElxzsXsjRTvGximq0u2ubiK9eesg5czvotZxK24
mO2iahd/geI5Fz/MxnvOwewiJ+DiVRTXu1h8+0dcW7inIbi//573Cf4l8I8WFH5mZBg/nosdAlYh
Py7gVu6Pna8a0iOMT4LxPUvYOXT4J4X5kGA+flrSn9L+XcDCKYdfRd4u6S8p4V8T/OPp+qMwnxLM
5y3BP+rvksL64UldLBXmV4L5XQMY37lxJ1dB/zcLHcTVDZbg/QIOgCQQn2D3KVWyn/xcKqxXAGY7
KxXWSwG8QSrstyrYby+W2H9daI/8N0v0kyX+b+A9G+cvk1eRD6Ti+52/lbRfCgPF64WDfLx/gHyj
66+GnJcK5wP1tTI7D469tbI4nhqiAsZ7itc4/3G5uH9tAh/711OiXyEXzm8Vnt+IZaftTH+/GiGa
tqelW+to7wlrGoH3XWMglrYNS7MTWiSeShp4PRVNaQPxVJ8e16J2ykpremaYRFKJobhhG1H1q1vg
kTYvSeuPJWOabln6iGYkbWuE9Ft6wtCimURiBJoISAOmXUTt0/tGjDjr4q7uYGdIC3W1Qh9Zh51y
UbMo0Vq/3RXsbG8p1tCrMqhq6+rVQru5td2t3URr69i7M9ih7d21qycU1sLBnR0hzblyi6QzdAD8
Jm7HjsL9Gl7QiVhrD3dqhckLd7bg1IX1vrgB1oa3NasDhq0NRTTbzCQH1b5hohlR3dYfuPorGG3C
KQUK7zxeFBZ5LL4EBG46pZl6Mooei+8YH7hBLLbjjhUnjGj9Q5r5XajuS6e5a3bpuOeo1s2H1xLX
02m6MWCgzkrgDMw7fqKmRxK23ge5bbHcdEqxJLCHiJpM2YYa3Nm+ydYHOBpIZtS+TCwe3RSLEopM
PW0SNTqSBHssty2mOWpY6VgqWQQ00FlGHHmsMBS30SGMEYvqQAoKtjEM/+kiq1aKrohqmHxfmlGr
gFhTtp9YC6d8JGLR3uiJWISgWeaJGYNZJCoclQTsafJfJ/y9wEcKHmP6rUAi/FePJedxs46wO27k
0Tt9fs/kJA/PGwUexhF4H1U3Dw9/h+5CzIQ8jC/Oc3vlAg8F77+XcnsYd1wH3nHC7uwlUrjTP0BY
LIc8jEc6ZBbvlY7jEEie+8U45ZLM2jt+ZS6DhMV4WMb4ZVpmd/eiX0z4e7mYt6FxTRmLD8VxIM5y
3k7C4h1vGYs3kbdS4P2Q20c/+BxtKGNzXzp/pwQexkeHgXdY4Cmc+yOBh3HTBO+fk5zyTwQe/l5M
A0+Wi+1helXg4e/ezfLCPaTYv5+Rwr7C35sc8NbOw7sg8Oi3oAr2HaiU97bAw3htG/Cuz8PDzwIY
BeJeoN+GKgs6kfd7kErOw/jD9zm8D7hf5GEco3wO7yM+J8ij38QqC9/DHB7O9SuCPYwT5+axh/Kp
wKPxjfLgeUO5K/Awzggoxevr2J7j/pGHv9/1SrFf53zgZ0gsO9+pkNdUwkNZ5vSNp3YIdZdIxTwn
F+95v6PgJ0dCvgTlzaRwfheX2HsfNlVCaOjEmf8BBpNyJiwdAAA=

(Community & PR manager) #2

@Leeky and @0x00pf solved it in no time? hmmmm… I might just look into the first one as well.


#3

Don’t confuse difficulty with skills. Anybody who has an in-depth knowledge of the ELF can solve it in no time.


(Community & PR manager) #4

I recently began reading up on the ELF format thanks to @ricksanchez’s article. This might be a fun exercise


(pico) #5

Thanks for the challenge mate. Pretty cool.

I believe it is actually a 2 bits patch :slight_smile:.

echo -ne "\x01" | dd of=test1 seek=$((0x308 + 0x5)) bs=1 count=1 conv=notrunc

I believe I just get home earlier than @Leeky :wink:


#6

The ELF wizard strikes back! :clap:

Indeed the intended patch is 2 bits but I thought I’d be really messing with someone’s creativity/mind if I were to be that precise.

Clean and elegant solution as always. I give up on trying to trick you with ELF shenanigans :raised_hands:


(N3utr0n) #7

Nice Crackme, a great way of learning while playing with the ELF format :slight_smile:

0804a00c 00000107 R_386_JUMP_SLOT 00000000 puts@GLIBC_2.0


#8

Thank you for the feedback! I figured code patching has already been quite overused in crackmes so why not add a twist that requires a different kind of binary mastery :wink:

Good job on solving it! :clap:


#9

I’m a bit sad that I didn’t find an alternative solution, but whatever. Was fun :smiley:

echo -ne "\x01" | dd of=babyelf_revenge seek=781 bs=1 count=1 conv=notrunc
with the "password" of "kek".


#10

If we check the .dynsym section again in readelf we can see that puts@GLIBC_2.0 is actually there, but the .rel.plt section looks a bit cranky. We gotta fix that first puts Info field with the correct value. In our case there should be an Info of 00000107 instead of the 00000407 :slight_smile:

Relocation section '.rel.plt' at offset 0x308 contains 5 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000107 R_386_JUMP_SLOT   00000000   puts@GLIBC_2.0
[...]
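The solution in posts #5, #9 and #10 changes a single byte of the first Elf32_Rel in .rel.plt so that its r_info goes from 00000407 to 00000107: in ELF32_R_INFO the symbol index is r_info >> 8 and the type is the low byte, so the index moves from 4 to 1 (puts in .dynsym) while the type stays R_386_JUMP_SLOT (0x07), and 0x04 -> 0x01 flips exactly 2 bits. Below is an added example, not from the thread or the challenge author, that does the same without hard-coding 0x308 + 5: it walks the section headers, lists .rel.plt the way readelf does (following sh_link to .dynsym and .dynstr), looks up the index of puts, writes only the byte that differs, and counts the flipped bits against the 4-bit rule. The ELF32 image it runs on is constructed in build_sample_elf() (symbol names and layout are made up, padded so .rel.plt lands at file offset 0x308 as in the posts); for the real file, pass the bytes of babyelf_revenge instead.

```python
#!/usr/bin/env python3
"""List .rel.plt of an ELF32 image and patch one entry's symbol index, nothing else.
Added example for this thread (not the challenge author's code); it runs on a constructed
image built below, for the real file use open("babyelf_revenge", "rb").read()."""
import struct
SHT_REL, R_386_JUMP_SLOT, REL_SIZE, SYM_SIZE = 9, 7, 8, 16   # sizeof(Elf32_Rel)=8, sizeof(Elf32_Sym)=16

def r_info(sym, typ): return (sym << 8) | typ  # ELF32_R_INFO: symbol index << 8 | type
def r_sym(info): return info >> 8
def r_type(info): return info & 0xFF
def cstr(buf, off): return buf[off:buf.index(b"\0", off)].decode()

def bits_changed(old, new):
    """Hamming distance between two equal-length byte strings (the 4-bit rule)."""
    return sum(bin(a ^ b).count("1") for a, b in zip(old, new))

def read_sections(elf):
    e_shoff = struct.unpack_from("<I", elf, 32)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 46)
    hdrs = [struct.unpack_from("<10I", elf, e_shoff + i * e_shentsize)   # Elf32_Shdr fields:
            for i in range(e_shnum)]                                     # [4]=sh_offset [5]=sh_size [6]=sh_link
    shstr = hdrs[e_shstrndx][4]
    return [(cstr(elf, shstr + h[0]), h) for h in hdrs]                  # [(name, shdr)]

def reloc_tables(elf):
    """.rel.plt header plus the symbol and string tables it links to (what readelf follows)."""
    secs = read_sections(elf)
    rel = next(h for n, h in secs if n == ".rel.plt")
    sym = secs[rel[6]][1]                       # sh_link -> .dynsym
    return rel, sym, secs[sym[6]][1]            # .dynsym's sh_link -> .dynstr

def sym_name(elf, sym, strs, idx):
    st_name = struct.unpack_from("<I", elf, sym[4] + idx * SYM_SIZE)[0]
    return cstr(elf, strs[4] + st_name)

def rel_plt_entries(elf):
    rel, sym, strs = reloc_tables(elf)
    out = []                                    # (file offset of the Elf32_Rel, r_offset, sym index, type, name)
    for i in range(rel[5] // REL_SIZE):
        off = rel[4] + i * REL_SIZE
        r_offset, info = struct.unpack_from("<II", elf, off)
        out.append((off, r_offset, r_sym(info), r_type(info), sym_name(elf, sym, strs, r_sym(info))))
    return out

def dynsym_index(elf, wanted):
    rel, sym, strs = reloc_tables(elf)
    for i in range(sym[5] // SYM_SIZE):
        if sym_name(elf, sym, strs, i) == wanted:
            return i
    raise KeyError(wanted)

def patch_symbol_index(elf, entry_off, new_sym, max_bits=4):
    """Repoint the Elf32_Rel at entry_off to new_sym, keeping its type; refuses to flip more
    than max_bits bits. Returns (patched image, bits flipped, [(file offset, old, new)])."""
    old_info = struct.unpack_from("<I", elf, entry_off + 4)[0]        # r_info follows r_offset
    old, new = struct.pack("<I", old_info), struct.pack("<I", r_info(new_sym, r_type(old_info)))
    n = bits_changed(old, new)
    if n > max_bits:
        raise ValueError(f"patch would flip {n} bits, limit is {max_bits}")
    img = bytearray(elf)
    img[entry_off + 4:entry_off + 8] = new
    return bytes(img), n, [(entry_off + 4 + i, old[i], new[i]) for i in range(4) if old[i] != new[i]]

def build_sample_elf():
    """Constructed ELF32 image (no code, not the challenge binary): its first .rel.plt entry
    carries r_info 0x00000407, and .rel.plt is padded to file offset 0x308 as in the thread."""
    names = [b"", b"puts", b"__libc_start_main", b"__gmon_start__", b"strlen"]  # made up
    dynstr, st_name = b"", []
    for n in names:
        st_name.append(len(dynstr))
        dynstr += n + b"\0"
    dynsym = b"".join(struct.pack("<IIIBBH", o, 0, 0, 0x12 if i else 0, 0, 0)
                      for i, o in enumerate(st_name))                  # 0x12 = GLOBAL FUNC
    relplt = struct.pack("<II", 0x0804A00C, r_info(4, R_386_JUMP_SLOT))   # symbol 4, should be 1
    relplt += struct.pack("<II", 0x0804A010, r_info(2, R_386_JUMP_SLOT))
    shstr = b"\0.dynstr\0.dynsym\0.rel.plt\0.shstrtab\0"             # names at 1, 9, 17, 26
    img = bytearray(52)                                              # Elf32_Ehdr, filled last
    def add(blob, at=None):
        if at is not None:
            img.extend(b"\0" * (at - len(img)))
        img.extend(blob)
        return len(img) - len(blob)
    o_str, o_sym, o_rel, o_shs = add(dynstr), add(dynsym), add(relplt, at=0x308), add(shstr)
    shdrs = [(0,) * 10,
             (1, 3, 0, 0, o_str, len(dynstr), 0, 0, 1, 0),                # .dynstr   STRTAB
             (9, 11, 0, 0, o_sym, len(dynsym), 1, 1, 4, SYM_SIZE),        # .dynsym   link=1
             (17, SHT_REL, 0, 0, o_rel, len(relplt), 2, 0, 4, REL_SIZE),  # .rel.plt  link=2
             (26, 3, 0, 0, o_shs, len(shstr), 0, 0, 1, 0)]                # .shstrtab
    e_shoff = len(img)
    for s in shdrs:
        img.extend(struct.pack("<10I", *s))
    struct.pack_into("<4sBBBBB7x", img, 0, b"\x7fELF", 1, 1, 1, 0, 0)     # ELFCLASS32, LSB
    struct.pack_into("<HHIIIIIHHHHHH", img, 16, 2, 3, 1, 0, 0, e_shoff, 0, 52, 32, 0, 40, 5, 4)
    return bytes(img)

if __name__ == "__main__":
    elf = build_sample_elf()
    for off, r_off, s, t, name in rel_plt_entries(elf):
        print(f"{r_off:08x}  {r_info(s, t):08x}  sym {s}  {name}  (entry at file offset {off:#x})")
    _, n, writes = patch_symbol_index(elf, rel_plt_entries(elf)[0][0], dynsym_index(elf, "puts"))
    for off, old, new in writes:       # the same single-byte write as the dd one-liners above
        print(f'echo -ne "\\x{new:02x}" | dd of=babyelf_revenge seek={off} bs=1 count=1 conv=notrunc')
```

On the constructed image the listing shows the first slot resolving to symbol 4 and the patch reduces to one dd write at offset 781 (0x30d) with 2 bits flipped; asking for a symbol index whose byte is further away (5 or more bits from 0x04) is refused, which is the check the "more than 4 bits" rule asks for before touching anything.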