HackMe4 – Timing
HackMe4:
This password check is meant to be broken by timing analysis. Timing analysis exploits the variation in the time a program needs to check a password, which depends on the input.
Download File: HackMe4(Linux)
Download File: HackMe4(Windows)
Theory:
Some password comparison functions are implemented by checking every single character in a loop and aborting as soon as a character does not match. The C/C++ string compare function strcmp behaves like this. This is shown in the following code examples.
#include <stdio.h>
#include <string.h>   /* strcmp lives in string.h, not strings.h */
int main(void){
    const char *inputpw = "passtest";
    const char *rightpw = "password";
    int valid = 0;
    /* strcmp returns 0 only if both strings are identical */
    valid = strcmp(inputpw, rightpw);
    if(0 == valid){
        printf("Right password\n");
    }
    else
        printf("Wrong password\n");
    return 0;
}
The string compare function can also be written as below, with a for loop that runs until the two strings differ. As a result, comparing two strings takes longer the more characters they have in common at the beginning. In this example the loop runs until the fifth character is compared ("t" differs from "w").
#include <stdio.h>
#include <string.h>
int main(void){
    const char *inputpw = "passtest";
    const char *rightpw = "password";
    int valid = 0;
    int i = 0;
    /* compare character by character and stop at the first difference */
    for(i = 0; rightpw[i] != '\0'; i++){
        if(inputpw[i] != rightpw[i]){
            valid = 1;
            break;
        }
        // every loop iteration needs time
    }
    /* an input that only starts with the right password must also fail */
    if(0 == valid && inputpw[i] != '\0'){
        valid = 1;
    }
    if(0 == valid){
        printf("Right password\n");
    }
    else
        printf("Wrong password\n");
    return 0;
}
For the example shown above, the following figure illustrates the behavior of such a string compare function.
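To make the data dependence visible without a stopwatch, here is an added example (not code from the HackMe4 page or its binary) that puts the early-exit loop from above next to a constant-time comparison. Both functions report in *steps how many character comparisons they performed; in the challenge binary every such step costs a fixed delay, so the step count stands in for the elapsed time. The function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Early-exit comparison, the pattern the page describes: the work done
 * depends on the length of the common prefix of input and secret. */
int early_exit_compare(const char *input, const char *secret, size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; secret[i] != '\0'; i++) {
        (*steps)++;
        if (input[i] != secret[i]) {
            return 1;               /* mismatch: stop immediately */
        }
    }
    /* reject inputs that merely start with the secret */
    return input[i] != '\0';
}

/* Constant-time comparison: always walks the whole secret and folds every
 * difference into one accumulator, so the number of steps (and the time)
 * does not depend on where the first mismatch is. What still leaks is only
 * the secret's length (fixed) and whether the input is shorter than it. */
int constant_time_compare(const char *input, const char *secret, size_t *steps)
{
    size_t ilen = strlen(input);
    size_t slen = strlen(secret);
    unsigned char diff = (unsigned char)(ilen != slen);
    size_t i;
    *steps = 0;
    for (i = 0; i < slen; i++) {
        /* read the input only inside its bounds; bytes past its end count as 0 */
        unsigned char c = (i < ilen) ? (unsigned char)input[i] : 0;
        diff |= c ^ (unsigned char)secret[i];
        (*steps)++;
    }
    return diff != 0;               /* 0 only if every byte matched */
}

int main(void)
{
    /* constructed sample inputs against the secret used on the page */
    const char *secret = "password";
    const char *inputs[] = { "passtest", "testword", "password", "pass" };
    size_t n = sizeof inputs / sizeof inputs[0], k, steps;
    for (k = 0; k < n; k++) {
        int r1 = early_exit_compare(inputs[k], secret, &steps);
        size_t s1 = steps;
        int r2 = constant_time_compare(inputs[k], secret, &steps);
        printf("%-9s early-exit: %s after %zu steps | constant-time: %s after %zu steps\n",
               inputs[k], r1 ? "wrong" : "right", s1, r2 ? "wrong" : "right", steps);
    }
    return 0;
}
```

Running it shows the early-exit version taking 1 step for "testword" but 5 for "passtest", while the constant-time version takes 8 steps for every input. Comparing lengths up front is the usual trade-off: it leaks the secret's length, which is normally acceptable; where even that matters, compare fixed-length hashes of both values instead.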
Linux:
On Linux the execution time can be measured with the time command.
$ time ./hackme4_linux passwordtest
Copyright by NM-Projects.de
Input: "passwordtest"
Wrong password

real    0m0.001s
user    0m0.000s
sys     0m0.000s
Here we see that the execution time is about 1 ms. Testing different inputs shows that the execution time varies.
$ time ./hackme4_linux testpassword
Copyright by NM-Projects.de
Input: "testpassword"
Wrong password

real    0m0.101s
user    0m0.000s
sys     0m0.000s
With the letter "t" at the beginning it takes 100 ms longer to determine the answer. So with a script it is easy to find the right password.
A small Python script can be used to measure the timing. To test other inputs, change the argument passed to the binary in the script.
import os
import timeit

# measure the wall-clock time of one run of the challenge binary
start = timeit.default_timer()
os.system("./hackme4_linux password")  # change the argument to test other inputs
stop = timeit.default_timer()
print(stop - start)
Windows:
C:\hackme4.exe passwordtest
Solution
$ time ./hackme4_linux topsecret
Copyright by NM-Projects.de
Input: "topsecret"
Right password

real    0m0.902s
user    0m0.000s
sys     0m0.000s
Source code:
#include <stdio.h>
#include <unistd.h>   /* usleep */
int main(int argc, char **argv)
{
    const char *password = "topsecret";
    int i = 0;
    int valid = 1;
    printf("Copyright by NM-Projects.de\n");
    if(argc < 2){   /* no argument given: nothing to compare */
        printf("Usage: %s <password>\n", argv[0]);
        return 1;
    }
    printf("Input: \"%s\" \n", argv[1]);
    /* compare character by character and stop at the first difference */
    for(i = 0; password[i] != '\0'; i++){
        if(password[i] != argv[1][i]){
            valid = 0;
            break;
        }
        usleep(100000);   /* 100 ms per matching character: this is the timing leak */
    }
    if(1 == valid){
        printf("Right password\n");
    }
    else{
        printf("Wrong password\n");
    }
    return 0;
}