Basics of CrackMe With Sample and Example - Part 3

Discussion in 'Ethical hacking Tips' started by lionaneesh, Feb 12, 2011.

  1. lionaneesh

    lionaneesh Active Member

    In this tutorial we'll be looking at a somewhat difficult crackme ... In this one we won't get the ready-made password simply from the strings stored in the program; we have to calculate it...

    This is not so tough to solve, but yes, it's not that easy...

    Don't miss on the earlier parts
    1. Basics of CrackMe With Sample and Example
    2. Basics of CrackMe With Sample and Example - Part 2

    Cracking

    Let's just run the crackme to know what's happening :-

    Code:
    aneesh@aneesh-laptop:~/Desktop$ ./cm1eng 
    
    Password : pass 
    aneesh@aneesh-laptop:~/Desktop$ 
    
    Ok, that's simple and does not reveal any useful information about the program..
    The program prompts for a password..

    Now let's display the useful contents of the different sections of the binary and see what's there for us..

    This can be done by :-

    Code:
    aneesh@aneesh-laptop:~/Desktop$ objdump -s cm1eng 
    
    cm1eng:     file format elf32-i386 
    
    Contents of section .text: 
     8048080 b8040000 00bb0100 0000b9f8 900408ba  ................ 
     8048090 0d000000 cd80ba00 010000b9 1b910408  ................ 
     80480a0 bb000000 00b80300 0000cd80 be269104  .............&.. 
     80480b0 0889f731 dbfcac34 21aa4381 fb070000  ...1...4!.C..... 
     80480c0 007402e2 f1be1b91 0408bf26 910408b9  .t.........&.... 
     80480d0 07000000 fcf3a675 16b80400 0000bb01  .......u........ 
     80480e0 000000b9 05910408 ba160000 00cd80b8  ................ 
     80480f0 01000000 cd80                        ......          
    Contents of section .data: 
     80490f8 0a506173 73776f72 64203a20 00477265  .Password : .Gre 
     8049108 61742079 6f752064 69642069 7420213a  at you did it !: 
     8049118 290a0a20 20202020 20202020 20005154  )..          .QT 
     8049128 42584354 5500                        BXCTU.          
    Contents of section .comment: 
     0000 00546865 204e6574 77696465 20417373  .The Netwide *** 
     0010 656d626c 65722030 2e39382e 333800    embler 0.98.38. 
    aneesh@aneesh-laptop:~/Desktop$ 
    
    You see something useful..
    1. In the data section we see some useful strings ... And at the end of the section there is something interesting, 'QTBXCTU'; it seems to be the password..
    2. Let's try it..
    Code:
    aneesh@aneesh-laptop:~/Desktop$ ./cm1eng 
    
    Password : QTBXCTU 
    aneesh@aneesh-laptop:~/Desktop$ 
    
    Oh!!! :( No success here... I told you it's not that easy..

    Now let's disassemble the program and see what it is doing..

    Code:
    aneesh@aneesh-laptop:~/Desktop$ objdump -d cm1eng 
    
    cm1eng:     file format elf32-i386 
    
    
    Disassembly of section .text: 
    
    08048080 <.text>: 
     8048080:	b8 04 00 00 00       	mov    $0x4,%eax ; write syscall
     8048085:	bb 01 00 00 00       	mov    $0x1,%ebx ; fd STDOUT
     804808a:	b9 f8 90 04 08       	mov    $0x80490f8,%ecx ; Its certainly the string..
     804808f:	ba 0d 00 00 00       	mov    $0xd,%edx ; strlen()
     8048094:	cd 80                	int    $0x80 ; print out “Password :”
     8048096:	ba 00 01 00 00       	mov    $0x100,%edx 		; bytes to read
     804809b:	b9 1b 91 04 08       	mov    $0x804911b,%ecx 	; empty buffer to read into
     80480a0:	bb 00 00 00 00       	mov    $0x0,%ebx 		; read from STDIN
     80480a5:	b8 03 00 00 00       	mov    $0x3,%eax 		; read() syscall
     80480aa:	cd 80                	int    $0x80 			; read
     80480ac:	be 26 91 04 08       	mov    $0x8049126,%esi 	; QTBXCTU to esi
     80480b1:	89 f7                	mov    %esi,%edi 		; esi = edi
     80480b3:	31 db                	xor    %ebx,%ebx 		; zero ebx
     80480b5:	fc                   	cld    					; clear the direction flag
      80480b6:	ac                   	lods   %ds:(%esi),%al 		; load the byte at ds:(%esi) into al and advance esi by one (the direction flag is clear, so it moves forward)
      80480b7:	34 21                	xor    $0x21,%al 		; xor the al with 0x21
      80480b9:	aa                   	stos   %al,%es:(%edi) 		; store al at es:(%edi) and advance edi; es is just a segment register and must be pointing to the correct segment of memory.. since edi == esi here, the byte is written back in place
      80480ba:	43                   	inc    %ebx ; ebx++
      80480bb:	81 fb 07 00 00 00    	cmp    $0x7,%ebx ; 7 bytes done?
      80480c1:	74 02                	je     0x80480c5     ; jump if ebx==0x7
      80480c3:	e2 f1                	loop   0x80480b6 ; keep looping until 7 chars are done
      80480c5:	be 1b 91 04 08       	mov    $0x804911b,%esi ; The source string.. the buffer our input was read into
      80480ca:	bf 26 91 04 08       	mov    $0x8049126,%edi ; QTBXCTU, now encrypted in place by the loop above
     80480cf:	b9 07 00 00 00       	mov    $0x7,%ecx  ; strlen() = 7
     80480d4:	fc                   	cld    
     80480d5:	f3 a6                	repz cmpsb %es:(%edi),%ds:(%esi) ; Simply compare both strings
     80480d7:	75 16                	jne    0x80480ef 	; if not same
     80480d9:	b8 04 00 00 00       	mov    $0x4,%eax	; Print the 'Success' message  
     80480de:	bb 01 00 00 00       	mov    $0x1,%ebx 	
     80480e3:	b9 05 91 04 08       	mov    $0x8049105,%ecx ; The success message 
     80480e8:	ba 16 00 00 00       	mov    $0x16,%edx ; strlen(The Success string)
     80480ed:	cd 80                	int    $0x80
     80480ef:	b8 01 00 00 00       	mov    $0x1,%eax  ; exit
     80480f4:	cd 80                	int    $0x80 
    
    The above code is a little difficult to understand for beginner assembly programmers because it has a lot of complex instructions ... But I tried my best to comment the code and make it as easy as possible..

    So basically what the program does is this... It takes the password stored in the data segment, that is 'QTBXCTU', and then encrypts it with a quite simple algorithm using XOR with 0x21..
    It takes it byte by byte and XORs each byte with 0x21..

    We can calculate the encrypted password ourselves, but why cook our brains out when the computer is there at our service... So let's use a simple C program..

    crack.c
    Code:
    #include <stdio.h>
    #include <string.h>
    int main(void)
    {
    	char nonEncryptedPass[] = "QTBXCTU";   /* the string found in .data */
    	char encryptedPass[8];                 /* 7 chars + terminating null */
    	size_t len = strlen(nonEncryptedPass);
    	size_t i;
    
    	/* the crackme xors each byte of the stored password with 0x21 */
    	for(i=0;i<len;i++)
    	{
    		encryptedPass[i] = nonEncryptedPass[i]^0x21;
    	}
    
    	encryptedPass[len] = '\0'; /* add the null byte at the end (index 7, the last slot of the array) */
    	printf("Encrypted Password : %s\n",encryptedPass);
    
    	return(0);
    }
    
    Compiling
    Code:
    gcc crack.c -o crack
    
    Running
    Code:
    aneesh@aneesh-laptop:~/Desktop$ ./crack 
    
    Encrypted Password : pucybut
    
    Ok!! Now that we've got the password, let's test it!!
    Code:
    aneesh@aneesh-laptop:~/Desktop$ ./cm1eng 
    
    Password : pucybut
    
    Great you did it !:)
    
    aneesh@aneesh-laptop:~/Desktop$ 
    
    WoW!! That feels great...
    We did it again...
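As an added example (not code from the post above or from the crackme itself), here is a C model of the check routine as read from the disassembly; the function names are hypothetical. It shows why 'QTBXCTU' fails while its XORed form succeeds, and that only seven bytes are compared, so the newline that read() leaves in the input buffer does not matter.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a C model of the check routine decoded from the objdump
 * output. The names (transform_in_place, expected_password, check_password)
 * are hypothetical; the stripped binary has no symbols of its own. */

#define PASS_LEN 7
#define XOR_KEY  0x21

/* The lods / xor $0x21,%al / stos loop: esi == edi == 0x8049126, so each of
 * the 7 bytes of "QTBXCTU" is XORed with 0x21 and written back in place. */
static void transform_in_place(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= XOR_KEY;
}

/* Writes the transformed secret into out (NUL-terminated) and returns it;
 * this is what crack.c computes. out must hold PASS_LEN + 1 bytes. */
char *expected_password(char *out)
{
    unsigned char secret[PASS_LEN + 1] = "QTBXCTU"; /* the .data string */
    transform_in_place(secret, PASS_LEN);
    memcpy(out, secret, PASS_LEN);
    out[PASS_LEN] = '\0';
    return out;
}

/* The repz cmpsb with ecx = 7: only the first 7 bytes placed in the input
 * buffer by read() are compared, so a trailing newline is ignored. The model
 * refuses shorter input instead of reading past the string as the binary
 * would. Returns 1 for the "Great you did it" path, 0 otherwise. */
int check_password(const char *input)
{
    char secret[PASS_LEN + 1];
    expected_password(secret);
    if (strlen(input) < PASS_LEN)
        return 0;
    return memcmp(input, secret, PASS_LEN) == 0;
}

int main(void)
{
    char buf[PASS_LEN + 1];
    printf("Expected password : %s\n", expected_password(buf));
    printf("QTBXCTU -> %d, pucybut\\n -> %d\n",
           check_password("QTBXCTU"), check_password("pucybut\n"));
    return 0;
}
```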
     
  2. lionaneesh

    lionaneesh Active Member

    Please post comments on what you feel about the article..
     
