Crackmes: lord’s easy Linux crackme

crackme will print text under certain conditions
what are the conditions? ;) sorry for my bad english
- lord


Difficulty: 1 - very easy, for newbies
Platform: Unix/Linux, etc.
Language: Assembler


[Solving the Crackme]


A first step is simply to run the file:



joset@kee:~/src/crackmes$ ./blah
joset@kee:~/src/crackmes$

It didn’t print anything at all, so the conditions aren’t met. I’ve been using gdb and objdump for quite some time now, and since the file isn’t corrupted or obfuscated in any way, these tools will be more than enough. Here’s the disassembly of the file in objdump:



blah: file format elf32-i386

Disassembly of section .text:

08048094 <.text>:
8048094: 31 c0 xor %eax,%eax
8048096: b8 2f 00 00 00 mov $0x2f,%eax
804809b: cd 80 int $0x80
804809d: 3d ad de 00 00 cmp $0xdead,%eax
80480a2: 75 16 jne 0x80480ba
80480a4: b8 04 00 00 00 mov $0x4,%eax
80480a9: bb 01 00 00 00 mov $0x1,%ebx
80480ae: b9 c4 90 04 08 mov $0x80490c4,%ecx
80480b3: ba 06 00 00 00 mov $0x6,%edx
80480b8: cd 80 int $0x80
80480ba: 31 c0 xor %eax,%eax
80480bc: 40 inc %eax
80480bd: 31 db xor %ebx,%ebx
80480bf: cd 80 int $0x80

The first 3 lines tell us that it will call getgid (system call 47 in /usr/include/asm/unistd.h). The system call returns the group id of the user running the file. The next 2 lines are straightforward: execution jumps to 0x80480ba if eax is not equal to 0xdead. Here’s what happens from 0x80480ba onward:


1. eax will be cleared out (eax = 0)
2. eax will have a new value of 1 (exit system call)
3. ebx will be cleared out (ebx = 0)
4. int $0x80 performs the exit system call, so the program exits with status 0


For a clearer view, try echo $? after running the file and you’ll get a 0. Here’s how I did it: I patched the file. Take a look at 0x80480a2, where the conditional jump is. I just changed the two bytes of jne 0x80480ba (75 16) to two nops (90 90).



joset@kee:~/src/crackmes$ gdb --write -nx -q blah
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) x/x 0x80480a2
0x80480a2: 0x04b81675
(gdb) set {int} 0x80480a2 = 0x04b89090
(gdb) q
joset@kee:~/src/crackmes$

There it is, 1675 became 9090. Now for the final shot:



joset@kee:~/src/crackmes$ ./blah
Okej!
joset@kee:~/src/crackmes$

Running the file as a user whose group id is 0xdead (57005) should also yield the same result, though I haven’t tried it.
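The same byte patch as a standalone script instead of gdb --write, as an added example that is not part of the original post. It translates the virtual address 0x80480a2 to a file offset through the ELF program headers and refuses to write unless the bytes there are the expected 75 16; the ELF image it works on is a constructed stand-in that embeds only the .text bytes from the listing above, not the original blah binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1

def elf32_load_segments(data):
    """Yield (p_offset, p_vaddr, p_filesz) for each PT_LOAD segment of a little-endian ELF32 image."""
    if data[:4] != ELF_MAGIC or data[4] != 1 or data[5] != 1:  # EI_CLASS=1 (32-bit), EI_DATA=1 (LSB)
        raise ValueError("not a little-endian ELF32 file")
    (e_phoff,) = struct.unpack_from("<I", data, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from("<IIIII", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            yield p_offset, p_vaddr, p_filesz

def vaddr_to_offset(data, vaddr):
    """Translate a virtual address to its file offset via the program headers (what gdb --write does for you)."""
    for p_offset, p_vaddr, p_filesz in elf32_load_segments(data):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#x} is not backed by any PT_LOAD segment")

def read_u32(data, vaddr):  # little-endian dword at vaddr, the same view gdb's `x/x` gives
    return struct.unpack_from("<I", data, vaddr_to_offset(data, vaddr))[0]

def patch(data, vaddr, expected, replacement):
    """Overwrite `expected` at vaddr with a same-length `replacement`, refusing if the bytes differ."""
    off = vaddr_to_offset(data, vaddr)
    if data[off:off + len(expected)] != expected:
        raise ValueError(f"bytes at {vaddr:#x} are {data[off:off + len(expected)].hex()}, expected {expected.hex()}")
    return data[:off] + replacement + data[off + len(replacement):]

# Constructed stand-in for the crackme (not the original file): a minimal ELF32 whose single
# PT_LOAD segment maps the file at 0x8048000, with the .text bytes from the listing at 0x8048094.
TEXT = bytes.fromhex("31c0 b82f000000 cd80 3dadde0000 7516 b804000000 bb01000000"
                     "b9c4900408 ba06000000 cd80 31c0 40 31db cd80")

def build_sample_elf():
    code_off, size = 0x94, 0x94 + len(TEXT)
    ehdr = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)  # e_ident: ELF32, LSB, version 1, padding
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048094, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x8048000, 0x8048000, size, size, 5, 0x1000)
    return ehdr + phdr + bytes(code_off - len(ehdr) - len(phdr)) + TEXT

def nop_out_jne(data=None):
    """Apply the post's patch: jne 0x80480ba (75 16) -> nop nop (90 90). Returns (before, after, patched)."""
    data = build_sample_elf() if data is None else data
    before = read_u32(data, 0x80480A2)                        # 0x04b81675, as in the gdb session
    patched = patch(data, 0x80480A2, b"\x75\x16", b"\x90\x90")
    return before, read_u32(patched, 0x80480A2), patched      # after == 0x04b89090
```

Pointing `patch` at a wrong address raises instead of silently corrupting an instruction, which is the check the interactive `set {int}` write does not give you.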
