Sunday, July 30, 2006

Crackmes: cli3nt’s mycrk

Language C
Linux x86/ELF


Difficulty: 1 - Very easy, for newbies
Platform: Unix/Linux, etc.
Language: C/C++


[Solving the Crackme]


As usual, we have to run the file first.



joset@kee:~/src/crackmes/mycrk$ ./mycrk
Type cd-key: eve
wrong!
joset@kee:~/src/crackmes/mycrk$

From this point we already know what the file needs: a correct key. I immediately disassembled the file without even bothering about its characteristics.



joset@kee:~/src/crackmes/mycrk$ objdump -d mycrk > temp.txt
joset@kee:~/src/crackmes/mycrk$ less temp.txt

The first trick is to look for the disassembly of the main function. Here’s a portion of it.



...
80483d4: c7 45 fc 67 1e 01 00 movl $0x11e67,0xfffffffc(%ebp)
80483db: c7 45 f8 70 12 5b 00 movl $0x5b1270,0xfffffff8(%ebp)
80483e2: c7 45 f0 06 00 00 00 movl $0x6,0xfffffff0(%ebp)
80483e9: 83 ec 0c sub $0xc,%esp
80483ec: 68 14 85 04 08 push $0x8048514
80483f1: e8 ee fe ff ff call 80482e4 <printf@plt>
80483f6: 83 c4 10 add $0x10,%esp
80483f9: 83 ec 08 sub $0x8,%esp
80483fc: 8d 45 f4 lea 0xfffffff4(%ebp),%eax
80483ff: 50 push %eax
8048400: 68 22 85 04 08 push $0x8048522
8048405: e8 ba fe ff ff call 80482c4 <scanf@plt>
804840a: 83 c4 10 add $0x10,%esp
804840d: 8b 45 f8 mov 0xfffffff8(%ebp),%eax
8048410: 3b 45 f4 cmp 0xfffffff4(%ebp),%eax
8048413: 75 1d jne 8048432 <main+0x6e>
8048415: 8b 55 f0 mov 0xfffffff0(%ebp),%edx
8048418: 8d 45 fc lea 0xfffffffc(%ebp),%eax
804841b: 31 10 xor %edx,(%eax)
804841d: 83 ec 08 sub $0x8,%esp


I am not going to provide detailed information about this. Let’s look at the line with the cmp, since lines with cmps usually attract crackers’ eyes at first glance. ;) It is obvious that the value at 0xfffffff4(%ebp), which was just filled by the preceding call 80482c4 <scanf@plt>, is being compared with the content of the eax register. How do we get the value of the eax register? Getting the idea? Of course, we will use gdb: set a breakpoint where the line resides and display the value being held by the eax register.



joset@kee:~/src/crackmes/mycrk$ gdb ./mycrk
...
(gdb) b *0x8048410
Breakpoint 1 at 0x8048410
(gdb) r
Starting program: /home/joset/src/crackmes/mycrk/mycrk
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
Type cd-key: eve

Breakpoint 1, 0x08048410 in main ()
(gdb) print $eax
$1 = 5968496
(gdb)

Looking back, we can see that it would jump to 8048432 <main+0x6e> if the values didn’t satisfy each other. Let’s see what it does from there.



...
8048432: 83 ec 0c sub $0xc,%esp
8048435: 68 29 85 04 08 push $0x8048529
804843a: e8 a5 fe ff ff call 80482e4 <printf@plt>
804843f: 83 c4 10 add $0x10,%esp
8048442: b8 00 00 00 00 mov $0x0,%eax
8048447: c9 leave
8048448: c3 ret
...

There’s a call 80482e4 <printf@plt>. We can assume that it prints the notification shown when an invalid key is entered. :) Therefore the key is the value the eax register held a while ago. Let’s try it.



joset@kee:~/src/crackmes/mycrk$ ./mycrk
Type cd-key: 5968496
73313
joset@kee:~/src/crackmes/mycrk$

Done.
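As an added example, not part of the original writeup, the C below reconstructs what the disassembly above shows: the key is simply the immediate of the movl at 80483db, read from its little-endian bytes (70 12 5b 00 = 0x5b1270 = 5968496, the same value gdb printed), and the number printed on success is 0x11e67 xor 6 = 73313, matching the final run. Function names and the reconstruction of main are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Decode the imm32 of a "c7 45 disp8 imm32" instruction (movl $imm32,
 * disp8(%ebp)) from the bytes objdump prints: the immediate is little-endian. */
static uint32_t movl_imm32(const uint8_t bytes[7])
{
    if (bytes[0] != 0xc7 || bytes[1] != 0x45)
        return 0;                         /* not the encoding we expect */
    return (uint32_t)bytes[3] | (uint32_t)bytes[4] << 8
         | (uint32_t)bytes[5] << 16 | (uint32_t)bytes[6] << 24;
}

/* The key, recovered from the bytes listed at 80483db in the objdump output. */
static uint32_t recovered_key(void)
{
    const uint8_t mov_key[7] = {0xc7, 0x45, 0xf8, 0x70, 0x12, 0x5b, 0x00};
    return movl_imm32(mov_key);           /* 0x5b1270 = 5968496 */
}

/* main() as the disassembly shows it (hypothetical reconstruction):
 *   -0x4(%ebp) = 0x11e67, -0x8(%ebp) = key, -0x10(%ebp) = 6,
 *   scanf into -0xc(%ebp), cmp with -0x8(%ebp), jne -> "wrong!",
 *   otherwise -0x4(%ebp) ^= 6 and that number is printed.
 * Returns the number the program prints, or 0 for the "wrong!" path. */
static uint32_t run_check(uint32_t input)
{
    const uint8_t mov_a[7] = {0xc7, 0x45, 0xfc, 0x67, 0x1e, 0x01, 0x00};
    uint32_t a = movl_imm32(mov_a);       /* 0x11e67 */
    uint32_t mask = 6;                    /* movl $0x6,0xfffffff0(%ebp) */

    if (input != recovered_key())         /* cmp 0xfffffff4(%ebp),%eax ; jne */
        return 0;
    return a ^ mask;                      /* xor %edx,(%eax) -> 73313 */
}

int main(void)
{
    uint32_t input;
    printf("Type cd-key: ");
    if (scanf("%u", &input) == 1 && run_check(input) != 0)
        printf("%u\n", run_check(input));
    else
        puts("wrong!");
    return 0;
}
```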

Saturday, July 29, 2006

A palindrome checker in 16-bit DOS assembly

A good way to start off the morning is to get this simple program working. This is an improvement over the palindrome checker posted earlier. What can we benefit from this anyway? :)



; palindrome checker

start:
mov ah, 0ah             ; DOS buffered input (function 0Ah)
lea dx, strptr          ; DS:DX -> maxlen/strlen/string buffer
int 21h

lea di, string
lea si, strlen
mov cl, [si]            ; cx = number of characters typed
xor ch, ch
mov bx, cx              ; bx = length, so [di+bx-1] is the last character
lea si, string          ; si walks forward from the first character
shr cl, 1               ; only the first half has to be compared
jcxz pal                ; empty or one-character input is a palindrome

check:
mov dl, [si]            ; character from the front
mov dh, [di+bx-1]       ; matching character from the back
cmp dl, dh
jne notpal
inc si                  ; front pointer moves right
dec di                  ; back pointer moves left

loop check              ; repeat cx times

cmp dl, dh              ; no mismatch found
je pal

notpal:
mov ah, 09h             ; DOS print '$'-terminated string
lea dx, msg2
int 21h
int 20h                 ; terminate

pal:
mov ah, 09h
lea dx, msg1
int 21h
int 20h

strptr label byte
maxlen db 49            ; buffer capacity for function 0Ah
strlen db ?             ; filled in with the number of characters read
string db 50 dup ('$')  ; '$'-padded so function 09h stops at the end
msg1 db '',10,'string is a palindrome!$'
msg2 db '',10,'string is not a palindrome!$'

“If God’s people which are called by His name, will humble themselves and pray, and seek His face, and turn from their wicked ways; then He will hear from heaven, and will forgive their sins, and will heal their land.” - 2 Chron 7:14

A case inverter in 16-bit DOS assembly

This is a simple case inverter; if you want to try it out, download the a86 assembler here. It works like a charm in dosemu-freedos.



; case inverter

start:
mov ah, 0ah             ; DOS buffered input (function 0Ah)
lea dx, strptr
int 21h

lea si, string
mov cl, [strlen]        ; cx = number of characters typed
xor ch, ch              ; clear the high byte so loop counts correctly
jcxz print              ; nothing typed, nothing to convert

check:
mov al, [si]
cmp al, 'Z'
ja lowercase            ; above 'Z': check the lowercase range
cmp al, 'a'
jb uppercase            ; below 'a': check the uppercase range

lowercase:
cmp al, 'a'
jb traverse
cmp al, 'z'
jbe toupper             ; 'a'..'z' -> make it uppercase

uppercase:
cmp al, 'Z'
ja traverse
cmp al, 'A'
jae tolower             ; 'A'..'Z' -> make it lowercase
jmp traverse            ; below 'A' (digits, spaces, ...) is left alone

toupper:
sub al, 32              ; 'a' - 'A' = 32
mov [si], al
jmp traverse

tolower:
add al, 32
mov [si], al

traverse:
inc si

loop check

print:
mov ah, 02h             ; DOS write character: a newline first
mov dl, 10
int 21h

mov ah, 09h             ; DOS print '$'-terminated string
lea dx, string
int 21h
int 20h                 ; terminate

strptr label byte
maxlen db 49
strlen db ?
string db 50 dup ('$')

“Fortune favors the prepared mind.” - Louis Pasteur

Tuesday, July 25, 2006

Crackmes: lord’s easy Linux crackme

crackme will print text under certain conditions
what are the conditions? ;) sorry for my bad english
- lord


Difficulty: 1 - very easy, for newbies
Platform: Unix/Linux, etc.
Language: Assembler


[Solving the Crackme]


An initiative would be running the file:



joset@kee:~/src/crackmes$ ./blah
joset@kee:~/src/crackmes$

It didn’t print anything at all, so the conditions aren’t met. I’ve been using gdb and objdump for quite some time now. Since the file isn’t obfuscated or corrupted in any way, these tools will be more than enough. Here’s the disassembly of the file in objdump:



blah: file format elf32-i386

Disassembly of section .text:

08048094 <.text>:
8048094: 31 c0 xor %eax,%eax
8048096: b8 2f 00 00 00 mov $0x2f,%eax
804809b: cd 80 int $0x80
804809d: 3d ad de 00 00 cmp $0xdead,%eax
80480a2: 75 16 jne 0x80480ba
80480a4: b8 04 00 00 00 mov $0x4,%eax
80480a9: bb 01 00 00 00 mov $0x1,%ebx
80480ae: b9 c4 90 04 08 mov $0x80490c4,%ecx
80480b3: ba 06 00 00 00 mov $0x6,%edx
80480b8: cd 80 int $0x80
80480ba: 31 c0 xor %eax,%eax
80480bc: 40 inc %eax
80480bd: 31 db xor %ebx,%ebx
80480bf: cd 80 int $0x80

The first 3 lines tell us that it will call getgid (47 in /usr/include/asm/unistd.h). The system call returns the group id of the user running the file. The next 2 lines are straightforward. The execution jumps to 0x80480ba if eax is not equal to 0xdead. Here’s what will happen from 0x80480ba onward:


1. eax will be cleared out (eax = 0)
2. eax will have a new value of 1 (exit system call)
3. ebx will be cleared out (ebx = 0)


For a clearer view, try echo $? after running the file and you’ll get a 0. Here’s how I did it: I patched the file. Take a look at 0x80480a2, where the conditional jump is. I just changed the opcode bytes of jne 0x80480ba (75 16) to nops (90 90).



joset@kee:~/src/crackmes$ gdb --write -nx -q blah
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) x/x 0x80480a2
0x80480a2: 0x04b81675
(gdb) set {int} 0x80480a2 = 0x04b89090
(gdb) q
joset@kee:~/src/crackmes$

There it is, 1675 to 9090. Now for the final shot,



joset@kee:~/src/crackmes$ ./blah
Okej!
joset@kee:~/src/crackmes$

Try running the file as a user whose group id is 0xdead; perhaps it would also yield the same result. I haven’t tried it though.
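As an added example that is not part of the original post, the C below shows what the two gdb commands above are doing at the byte level: x/x prints the four bytes at 0x80480a2 as one little-endian word, so 0x04b81675 is 75 16 b8 04 (the jne followed by the first two bytes of mov $0x4,%eax), and writing 0x04b89090 turns the jne into two nops while leaving b8 04 in place. It also recomputes the jne's target from its 8-bit displacement to confirm it is 0x80480ba. Function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Split a word as gdb's "x/x" prints it into the 4 bytes as they sit in memory
 * (little-endian: the lowest byte of the word is the first byte in memory). */
static void word_to_bytes(uint32_t word, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(word >> (8 * i));
}

static uint32_t bytes_to_word(const uint8_t in[4])
{
    return (uint32_t)in[0] | (uint32_t)in[1] << 8
         | (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
}

/* Target of the jne (opcode 75, 8-bit displacement) that starts the word at
 * addr: next instruction plus the signed displacement. 0 if not a jne. */
static uint32_t jne_target_at(uint32_t addr, uint32_t word)
{
    uint8_t b[4];
    word_to_bytes(word, b);
    if (b[0] != 0x75)
        return 0;
    return addr + 2 + (uint32_t)(int32_t)(int8_t)b[1];
}

/* The word "set {int}" must write so the jne becomes two nops (90 90) while
 * the following two bytes (the start of "mov $0x4,%eax") are left untouched. */
static uint32_t nop_out_jne(uint32_t word)
{
    uint8_t b[4];
    word_to_bytes(word, b);
    if (b[0] != 0x75)
        return 0;
    b[0] = 0x90;         /* 75 -> 90 */
    b[1] = 0x90;         /* 16 (the displacement) -> 90 */
    return bytes_to_word(b);
}

int main(void)
{
    uint32_t old = 0x04b81675u;           /* as shown by x/x 0x80480a2 */
    printf("jne target: 0x%x\n", jne_target_at(0x80480a2u, old));
    printf("patched word: 0x%08x\n", nop_out_jne(old));
    return 0;
}
```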

Monday, July 24, 2006

Making you feel loved was the easiest thing I have ever done before. It’s just sad to think that things just changed. I wish I could turn back those days. The times when we sat down under a tree, observed the fading horizon, held hands and stared at the crimsoning sun. I know how destiny fools us. If destiny asserts that we are not for each other, then I would fight destiny just to have you in my arms forever. I love you my everdearest.


I’m sorry for what had happened to the rose. It’s not too late though, I can still take care another bud for you.

Saturday, July 22, 2006

Antidote for insanity

Simple programming stuff saves me from insanity. This a86 assembly program tells whether str1 is a palindrome.



start:
cld                     ; string operations move forward
mov cx, 7               ; length of str1 ('racecar')
lea si, str1
lea di, temp

reverse:
mov al, [si+6]          ; read str1 from its last character backwards
mov [di], al            ; and write it to temp from the front
inc di
dec si
loop reverse

mov ah, 09h             ; print the reversed copy
lea dx, temp
int 21h

cld
mov cx, 4               ; comparing the first half (4 bytes) is enough

compare:
lea di, temp
lea si, str1
repe cmpsb              ; compare DS:SI with ES:DI while the bytes are equal
jne exit                ; a mismatch means it is not a palindrome

mov ah, 09h
lea dx, yes
int 21h

exit:
mov ah, 4Ch             ; DOS terminate with return code in al
mov al, 00
int 21h
int 20h

str1 db 'racecar$'
yes db '',10,'string is a palindrome!$'
temp db 8 dup ('$')     ; holds the reversed string, '$'-terminated

[Middle-East Crisis]


Israel, known as the chosen people of God called a thousand reservists in a possible prelude to a ground offensive against Lebanon. Accordingly, they have to clean up bunkers and tunnels that are invulnerable to air attacks. Isn’t it ironic for the Mossads to be called as the chosen people of God?

Sunday, July 09, 2006

Outdoorsman recall

I can still remember way back then, I was five years old when I had my primary hobbies, hunting, fishing, and shooting-range. Today, we went to Sinubung, a semi-dangerous place located in the far west coast of Zamboanga City and is known for its shore having huge waves and numerous sea urchins. We have gone fishing. It was fun riding my grandfather’s motor-operated vinta again though I am deeply saddened with what had happened today. The last time I set foot on that vinta was 15 years ago. I can still remember my grandfather pulling the nylon with a huge squid hooked up. Of course, the squid fired up a black tint. Because of that black tint, and the times when I threw up while riding the vinta, I have something now which I call memories worth remembering.


A while ago, we did the same but there was no squid, and from what I have observed fish are already scarce! We spent almost three hours, changing position from time to time on the sea. I was the one throwing and pulling the anchor every time we shifted locations, but damn, no fish!


A very nice experience. The prize for the experience? Well, a swollen left foot, pierced by 5 thorns from black sea urchins. It’s not a big deal though. The prize does not outweigh the experience. Waves were really strong a while ago. I was a little nervous.


The truth is, I am sad today. It could be that I’ve lost someone very special.

Friday, July 07, 2006

Preparing for Muziklaban

Red Horse Muziklaban is fast approaching. Tomorrow will be the qualification or shall I say audition. One composition down. I am still trying to come up with a nice riff for the adlib. Hoping to impress the judges tomorrow.


[Programming]


I am just messing around with DOS assembly. I started out programming in 32-bit protected mode, and am now broadening my knowledge by diving into 16-bit real mode. I have nothing new these days, just reviewing C++.


Signing off through a quote by Albert Einstein


“Information is not knowledge.”

Sunday, July 02, 2006

Victory!

Congratulations Manny Pacquiao!


He was once a singer of a local band in Gen. Santos City. Look at him now, he is the most influential person in our nation and probably one of the most influential persons around the globe. I was really fascinated by his fight with Oscar Larios. He has become faster than ever. Incomparable vigor that is! Raise it up Manny. More power and advertisements ahead.


On the other hand, I pity Oscar Larios; he was a great fighter. I admire his sportsmanship and humility. He is one of the most cheerful and honest boxers I’ve ever seen. His courage is a deadly weapon that one shouldn’t take advantage of. Maintaining his mind in an equilibrium state could have driven Manny to the floor.


[Globe Telecom]


What is happening? I couldn’t send or receive SMSs. Calling does not solve the issue either. Hoping for better services in the future.