
Basics of CrackMe With Sample and Example - Part 2

Discussion in 'Unix' started by lionaneesh, Feb 2, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    As the title suggests, this is a continuation of Basics of CrackMe With Sample and Example. I assume a working knowledge of GDB and ASM as basics. In this article we'll be cracking a simple application that is more advanced than the previous one.

    In this article I take the cracking a step further by cracking applications on crackmes.de.
    As we don't want to get stressed and jump to the advanced level directly, let's just start with a basic app... We'll be using A Simple Crackme.

    This app uses the ptrace() syscall, which is used by a parent to track its child processes. The basic functionality can be checked out here or by checking out the header files.

    The ptrace header file can be found in /usr/include/sys/ptrace.h

    Let us start by running the app...

    Code:
    aneesh@aneesh-laptop:~$ '/home/aneesh/Desktop/crackme1' 
    [1]+  Stopped                 '/home/aneesh/Desktop/crackme1'
    
    OK, we didn't get much info about the app, but we still know that the app is running multiple processes (child and parent), as we received a message from the shell:
    Code:
    [1]+  Stopped                 '/home/aneesh/Desktop/crackme1'
    
    Now, let's open the app in GDB and track it out...
    Code:
    aneesh@aneesh-laptop:~$ gdb '/home/aneesh/Desktop/crackme1' 
    GNU gdb (GDB) 7.1-ubuntu
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i486-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /home/aneesh/Desktop/crackme1...done.
    (gdb)
    
    Now let's use our usual routine of disassembling the app... (You should know this.)
    Code:
    (gdb) set disassembly-flavor intel 
    (gdb) disas main 
    Dump of assembler code for function main:
       0x08048430 <+0>:	push   ebp
       0x08048431 <+1>:	mov    ebp,esp
       0x08048433 <+3>:	sub    esp,0x418
       0x08048439 <+9>:	mov    DWORD PTR [ebp-0x8],esi
       0x0804843c <+12>:	and    esp,0xfffffff0
       0x0804843f <+15>:	mov    DWORD PTR [ebp-0x4],edi
       0x08048442 <+18>:	mov    edi,0x80485d4
       0x08048447 <+23>:	call   0x804830c <getpid@plt>
       0x0804844c <+28>:	mov    DWORD PTR [esp+0x4],eax
       0x08048450 <+32>:	xor    ecx,ecx
       0x08048452 <+34>:	xor    edx,edx
       0x08048454 <+36>:	mov    DWORD PTR [esp+0xc],ecx
       0x08048458 <+40>:	mov    DWORD PTR [esp+0x8],edx
       0x0804845c <+44>:	mov    DWORD PTR [esp],0x0
       0x08048463 <+51>:	call   0x804832c <ptrace@plt>
       0x08048468 <+56>:	cld    
       0x08048469 <+57>:	mov    edx,DWORD PTR [ebp+0xc]
       0x0804846c <+60>:	mov    ecx,0xa
       0x08048471 <+65>:	mov    esi,DWORD PTR [edx+0x4]
       0x08048474 <+68>:	repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]
       0x08048476 <+70>:	je     0x80484b0 <main+128>
       0x08048478 <+72>:	jmp    0x8048464 <main+52>
       0x0804847d <+77>:	call   0x804830c <getpid@plt>
       0x08048482 <+82>:	mov    DWORD PTR [esp+0x4],eax
       0x08048486 <+86>:	xor    edi,edi
       0x08048488 <+88>:	xor    esi,esi
       0x0804848a <+90>:	mov    DWORD PTR [esp+0xc],edi
       0x0804848e <+94>:	mov    DWORD PTR [esp+0x8],esi
       0x08048492 <+98>:	mov    DWORD PTR [esp],0x11
       0x08048499 <+105>:	call   0x804832c <ptrace@plt>
       0x0804849e <+110>:	mov    DWORD PTR [esp],0x0
       0x080484a5 <+117>:	call   0x804834c <exit@plt>
       0x080484aa <+122>:	lea    esi,[esi+0x0]
       0x080484b0 <+128>:	mov    DWORD PTR [esp],0x80485e3
       0x080484b7 <+135>:	call   0x804831c <puts@plt>
       0x080484bc <+140>:	jmp    0x804847d <main+77>
    End of assembler dump.
    
    OK... So from the first few lines we know that the program is using the argument stack of the main program (the argv[]). After that we see some interesting syscalls; one is to getpid(), which should be to check whether this is the parent or the child process.

    Another syscall is the ptrace() one... We notice that ptrace() is called with 4 arguments on the stack, all 0.

    So the call actually means
    Code:
    ptrace(0,0,0,0);
    
    You should know what it means if you check out the man pages for ptrace().

    While reading the rest of the code, you should have noticed that the program compares the 2 strings in esi and edi:
    Code:
    0x08048474 <+68>:	repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]
    
    and jumps to main+128 if they are equal:
    Code:
    0x08048476 <+70>:	je     0x80484b0 <main+128>
    
    At main+128 you would have noticed a puts call, and it seems this is where we have to jump... Let us verify.
    Code:
    0x080484b0 <+128>:	mov    DWORD PTR [esp],0x80485e3
    0x080484b7 <+135>:	call   0x804831c <puts@plt>
    
    To examine some registers and addresses we have to run the program and break at the beginning, because as it is running a ptrace() the program would not allow debugging after that instruction.

    Code:
    (gdb) break main
    Breakpoint 1 at 0x8048439
    (gdb) run hello hello
    Starting program: /home/aneesh/Desktop/crackme1 hello hello
    Breakpoint 1, 0x08048439 in main ()
    
    The code calls the puts() function with 0x80485e3 as the argument; this address is likely to contain the string. Let us examine.
    Code:
    (gdb) x/1s 0x80485e3
    0x80485e3:	 "[!] Solved!"
    
    OK... So we are on the right path; all we have to do is match the strings in edi and esi.

    In the first few lines you all would have noticed:
    Code:
    0x08048442 <+18>:	mov    edi,0x80485d4
    
    Let's check the value at that address:

    Code:
    (gdb) x/1s 0x80485d4
    0x80485d4:	 "__gmon_start__"
    
    OK, so we need __gmon_start__ in esi too...

    Let's see what esi contains:
    Code:
    0x08048471 <+65>:	mov    esi,DWORD PTR [edx+0x4]
    
    OK, now we have to track edx:
    Code:
    0x08048469 <+57>:	mov    edx,DWORD PTR [ebp+0xc]
    
    So from this it's quite basic that esi simply comes from the argument vector of the program (argv[1]).

    Let us do this

    Code:
    (gdb) run __gmon_start__
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /home/aneesh/Desktop/crackme1 __gmon_start__
    Breakpoint 1, 0x08048439 in main ()
    (gdb) s
    Single stepping until exit from function main, 
    which has no line number information.
    [!] Solved!
    Program exited normally.
    (gdb) 
    
    And BOOOOM!!! We did it again!!!....
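    As an added example (not part of the original post, and not the crackme's own source), here is a C model of the check read straight from the dump above: `mov ecx,0xa` followed by `repz cmps` at main+68 means only the first 10 bytes of argv[1] are compared with the string at 0x80485d4, so the compare passes on more than the exact string. The ptrace request numbers (0 = PTRACE_TRACEME, 0x11 = PTRACE_DETACH) are the Linux constants; the NULL check on argv[1] is added here for safety and is not in the dump.

```c
/* Added example: C model of the crackme1 logic as shown in the GDB dump.
 *   mov  ecx,0xa                          ; at most 10 bytes are compared
 *   repz cmps BYTE PTR [esi],[edi]        ; esi = argv[1], edi = 0x80485d4
 *   je   main+128                         ; -> puts("[!] Solved!")
 */
#include <stdio.h>
#include <stdlib.h>
#ifdef __linux__
#include <sys/ptrace.h>   /* request 0 = PTRACE_TRACEME, 0x11 = PTRACE_DETACH */
#include <unistd.h>
#endif

#define KEY        "__gmon_start__"   /* string found at 0x80485d4 */
#define CMP_COUNT  10                 /* ecx = 0xa before repz cmpsb */

/* Models `repz cmpsb` + `je`: compare byte by byte while count > 0 and the
 * bytes are equal; the loop stops at the first difference (ZF = 0) or when
 * count reaches 0 (ZF = 1). A candidate shorter than count fails on its
 * terminating NUL because KEY has no NUL in its first 10 bytes.
 * Returns 1 when the `je` would be taken. */
int repz_cmpsb_je(const char *candidate, const char *key, size_t count)
{
    while (count--) {
        if (*candidate != *key)
            return 0;             /* mismatch: repz stops, je falls through */
        candidate++;
        key++;
    }
    return 1;                     /* ecx hit 0 with ZF still set */
}

/* The check main() performs on argv[1]. The dump never tests argc, so with
 * no argument argv[1] is NULL; the guard below is added in this model. */
int crackme_check(const char *arg1)
{
    return arg1 != NULL && repz_cmpsb_je(arg1, KEY, CMP_COUNT);
}

int main(int argc, char **argv)
{
#ifdef __linux__
    ptrace(PTRACE_TRACEME, getpid(), 0, 0);   /* ptrace(0, pid, 0, 0) in the dump */
#endif
    if (crackme_check(argc > 1 ? argv[1] : NULL))
        puts("[!] Solved!");
#ifdef __linux__
    ptrace(PTRACE_DETACH, getpid(), 0, 0);    /* ptrace(0x11, pid, 0, 0) */
#endif
    return 0;
}
```

    Because the count is 10, "__gmon_sta" (or "__gmon_start__" followed by any junk) also takes the `je`, while "__gmon_st" does not.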
     
  2. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    Thanks for accepting...
    More articles in the series coming up...
    Please stay tuned viewers...
     
