Sunday, July 30, 2006

Crackmes: cli3nt’s mycrk

Language C
Linux x86/ELF


Difficulty: 1 - Very easy, for newbies
Platform: Unix/Linux, etc.
Language: C/C++


[Solving the Crackme]


As usual, we have to run the file first.

joset@kee:~/src/crackmes/mycrk$ ./mycrk
Type cd-key: eve
wrong!
joset@kee:~/src/crackmes/mycrk$

From this point we already know what the file needs: a correct key. I immediately disassembled the file without even bothering to look at its other characteristics.

joset@kee:~/src/crackmes/mycrk$ objdump -d mycrk > temp.txt
joset@kee:~/src/crackmes/mycrk$ less temp.txt

The first trick is to look for the disassembly of the main function. Here’s a portion of it.

...
80483d4: c7 45 fc 67 1e 01 00 movl $0x11e67,0xfffffffc(%ebp)
80483db: c7 45 f8 70 12 5b 00 movl $0x5b1270,0xfffffff8(%ebp)
80483e2: c7 45 f0 06 00 00 00 movl $0x6,0xfffffff0(%ebp)
80483e9: 83 ec 0c sub $0xc,%esp
80483ec: 68 14 85 04 08 push $0x8048514
80483f1: e8 ee fe ff ff call 80482e4 <printf@plt>
80483f6: 83 c4 10 add $0x10,%esp
80483f9: 83 ec 08 sub $0x8,%esp
80483fc: 8d 45 f4 lea 0xfffffff4(%ebp),%eax
80483ff: 50 push %eax
8048400: 68 22 85 04 08 push $0x8048522
8048405: e8 ba fe ff ff call 80482c4 <scanf@plt>
804840a: 83 c4 10 add $0x10,%esp
804840d: 8b 45 f8 mov 0xfffffff8(%ebp),%eax
8048410: 3b 45 f4 cmp 0xfffffff4(%ebp),%eax
8048413: 75 1d jne 8048432 <main+0x6e>
8048415: 8b 55 f0 mov 0xfffffff0(%ebp),%edx
8048418: 8d 45 fc lea 0xfffffffc(%ebp),%eax
804841b: 31 10 xor %edx,(%eax)
804841d: 83 ec 08 sub $0x8,%esp


I am not going to provide detailed information about this. Let’s observe the line with the cmp, since lines with cmps usually attract crackers’ eyes at first glance. ;) It is very obvious that a value is being compared with the content of the eax register, and that this value is obtained through buffered input, because the line is preceded by a call 80482c4 <scanf@plt>. How do we get the value of the eax register? Getting the idea? Of course, we will use gdb, setting a breakpoint at the line and displaying the value held by the eax register.

joset@kee:~/src/crackmes/mycrk$ gdb ./mycrk
...
(gdb) b *0x8048410
Breakpoint 1 at 0x8048410
(gdb) r
Starting program: /home/joset/src/crackmes/mycrk/mycrk
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
Type cd-key: eve

Breakpoint 1, 0x08048410 in main ()
(gdb) print $eax
$1 = 5968496
(gdb)

Looking back, we can see that it would jump to 8048432 <main+0x6e> if the values didn’t match. Let’s see what it does from there.

...
8048432: 83 ec 0c sub $0xc,%esp
8048435: 68 29 85 04 08 push $0x8048529
804843a: e8 a5 fe ff ff call 80482e4 <printf@plt>
804843f: 83 c4 10 add $0x10,%esp
8048442: b8 00 00 00 00 mov $0x0,%eax
8048447: c9 leave
8048448: c3 ret
...

There’s a call 80482e4 <printf@plt>. We can assume that this prints the notification for an invalid key. :) Therefore the key is the value that was held by the eax register a while ago. Let’s try it.

joset@kee:~/src/crackmes/mycrk$ ./mycrk
Type cd-key: 5968496
73313
joset@kee:~/src/crackmes/mycrk$

Done.
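As an added example (not part of the original post or of cli3nt’s crackme source), the C below reconstructs the check from the listing above, and also decodes the `movl $imm32, disp8(%ebp)` store bytes so the key constant 0x5b1270 can be read statically from the objdump output instead of via gdb. The byte arrays are constructed from the listing; every constant is one the listing shows.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed from the bytes in the objdump listing above:
 * the stores to -8(%ebp) (the cd-key) and -4(%ebp) (the value printed). */
static const uint8_t STORE_KEY[]    = {0xc7, 0x45, 0xf8, 0x70, 0x12, 0x5b, 0x00};
static const uint8_t STORE_SECRET[] = {0xc7, 0x45, 0xfc, 0x67, 0x1e, 0x01, 0x00};

typedef struct { int ok; int disp; uint32_t imm; } mov_store;

/* Decode one "movl $imm32, disp8(%ebp)": opcode C7, ModRM 45, one signed
 * displacement byte, then a little-endian 32-bit immediate. This is how the
 * key can be read straight out of the listing, without running the binary. */
static mov_store decode_mov_ebp_imm32(const uint8_t *b, size_t len)
{
    mov_store s = {0, 0, 0};
    if (len < 7 || b[0] != 0xc7 || b[1] != 0x45)
        return s;                                  /* not this encoding */
    s.disp = (int8_t)b[2];                         /* 0xf8 -> -8 */
    s.imm  = (uint32_t)b[3] | (uint32_t)b[4] << 8 |
             (uint32_t)b[5] << 16 | (uint32_t)b[6] << 24;
    s.ok = 1;
    return s;
}

/* Source-level reconstruction of main()'s check: compare the scanf'd
 * integer with the constant at -8(%ebp); on a match xor the constant at
 * -4(%ebp) with the one at -0x10(%ebp) and print it. Returns the value
 * that would be printed, or -1 on the "wrong!" path. */
static long mycrk_check(uint32_t input)
{
    uint32_t secret = 0x11e67;   /* movl $0x11e67,-4(%ebp)   */
    uint32_t key    = 0x5b1270;  /* movl $0x5b1270,-8(%ebp)  */
    uint32_t mask   = 0x6;       /* movl $0x6,-0x10(%ebp)    */
    if (input != key)            /* cmp -0xc(%ebp),%eax ; jne */
        return -1;
    secret ^= mask;              /* xor %edx,(%eax) */
    return (long)secret;         /* 0x11e61 == 73313 */
}

int main(void)
{
    mov_store k = decode_mov_ebp_imm32(STORE_KEY, sizeof STORE_KEY);
    if (k.ok)
        printf("movl $0x%x,%d(%%ebp) -> cd-key %u\n", k.imm, k.disp, k.imm);
    printf("check(%u) = %ld\n", k.imm, mycrk_check(k.imm));
    return 0;
}
```

The point for a defender is that a key compared as a plain immediate in the binary is recoverable from the bytes alone, which is why the gdb step on this page works so easily.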
