Merge branch 'jonathan_f-main-patch-46264' into 'main'

[crackme] Add 2nd approach to get the canary See merge request !2

Merge branch 'jonathan_f-main-patch-46264' into 'main'
8d23820d · Marvin Weiler · 7aaaadf3 · 5181e772 · 8d23820d
Commit 8d23820d authored Feb 11, 2023 by Marvin Weiler
--- a/src/buffer_overflow.md
+++ b/src/buffer_overflow.md
@@ -52,6 +52,62 @@ Final command:
 // Response: Access granted! fl4g{bytewise_comparisons_or_static_canaries_weaken_security}
 ```

+### Alternative approach to get the canary
+An alternative method to get the canary is to use the tool [Ghidra](https://ghidra-sre.org/) to decompile the binary file to more readable C code.
+If analyzed by Ghidra, we can extract C code of the `crackme_32` main function:
+```c
+undefined4 main(void)
+{
+  [...]
+  
+  local_10 = &stack0x00000004;
+  apcStack_144[68] = (char *)0x11248;
+  apcStack_144[65] = "\n Enter the password: ";
+  FUN_000110c0();
+  apcStack_144[65] = local_28;
+  FUN_000110b0();
+  ppcVar1 = (char **)auStack_30;
+  if (local_19 == '\0') {
+    apcStack_144[65] = (undefined *)0xffffffff;
+    FUN_000110d0();
+    ppcVar1 = apcStack_144 + 0x41;
+  }
+  puVar3 = (undefined *)ppcVar1;
+  if (local_19 != 's') {
+    puVar3 = (undefined *)((int)ppcVar1 + -0x10);
+    *(char **)((int)ppcVar1 + -0x10) = "Canary changed at position 0!";
+    *(undefined4 *)((int)ppcVar1 + -0x14) = 0x11298;
+    FUN_000110c0();
+    
+    
+  [...]
+
+    if (local_13 != 'r') {
+    puVar3 = puVar2 + -0x10;
+    *(char **)(puVar2 + -0x10) = "Canary changed at position 6!";
+    *(undefined4 *)(puVar2 + -0x14) = 0x113f0;
+    FUN_000110c0();
+    *(undefined4 *)(puVar2 + -0x10) = 0xffffffff;
+    *(undefined4 *)(puVar2 + -0x14) = 0x113fd;
+    FUN_000110d0();
+  }
+  puVar2 = puVar3;
+  if (local_12 == '\0') {
+    puVar2 = puVar3 + -0x10;
+    *(undefined4 *)(puVar3 + -0x10) = 0xffffffff;
+    *(undefined4 *)(puVar3 + -0x14) = 0x1140f;
+    FUN_000110d0();
+  }
+  puVar3 = puVar2;
+  if (local_12 != 'y') {
+    puVar3 = puVar2 + -0x10;
+    *(char **)(puVar2 + -0x10) = "Canary changed at position 7!";
+    *(undefined4 *)(puVar2 + -0x14) = 0x11426;
+    
+  [...]
+```
+The source code contains a row of `if` statements comparing parts of a local array to chars, and these chars are `sfl_cnry`. So with this approach, we don't need to test each character, but can extract the canary directly from the binary.
+
 ### Sourcecode for the canary binary
 ```c
 #include <stdlib.h>