In this tutorial we'll be looking at a somewhat difficult crackme. This time we won't get the ready-made password simply from the strings stored in the program; we have to calculate it. It is not that tough to solve, but it's not that easy either.

Don't miss the earlier parts:
Basics of CrackMe With Sample and Example
Basics of CrackMe With Sample and Example - Part 2

Cracking

Let's just run the crackme to see what's happening:

Code:
aneesh@aneesh-laptop:~/Desktop$ ./cm1eng
Password : pass
aneesh@aneesh-laptop:~/Desktop$

OK, that's simple and doesn't reveal much useful information about the program. The program prompts for a password. Now let's display the useful contents of the different sections of the binary and see what's there for us. This can be done with:

Code:
aneesh@aneesh-laptop:~/Desktop$ objdump -s cm1eng

cm1eng:     file format elf32-i386

Contents of section .text:
 8048080 b8040000 00bb0100 0000b9f8 900408ba  ................
 8048090 0d000000 cd80ba00 010000b9 1b910408  ................
 80480a0 bb000000 00b80300 0000cd80 be269104  .............&..
 80480b0 0889f731 dbfcac34 21aa4381 fb070000  ...1...4!.C.....
 80480c0 007402e2 f1be1b91 0408bf26 910408b9  .t.........&....
 80480d0 07000000 fcf3a675 16b80400 0000bb01  .......u........
 80480e0 000000b9 05910408 ba160000 00cd80b8  ................
 80480f0 01000000 cd80                        ......
Contents of section .data:
 80490f8 0a506173 73776f72 64203a20 00477265  .Password : .Gre
 8049108 61742079 6f752064 69642069 7420213a  at you did it !:
 8049118 290a0a20 20202020 20202020 20005154  )..         .QT
 8049128 42584354 5500                        BXCTU.
Contents of section .comment:
 0000 00546865 204e6574 77696465 20417373  .The Netwide Ass
 0010 656d626c 65722030 2e39382e 333800     embler 0.98.38.
aneesh@aneesh-laptop:~/Desktop$

You see, something useful. In the .data section we see some useful strings, and at the end of the section there is something interesting: 'QTBXCTU'. It seems to be the password. Let's try it.
Code:
aneesh@aneesh-laptop:~/Desktop$ ./cm1eng
Password : QTBXCTU
aneesh@aneesh-laptop:~/Desktop$

Oh!!! No success here... I told you it's not that easy. Now let's disassemble the program and see what it is doing.

Code:
aneesh@aneesh-laptop:~/Desktop$ objdump -d cm1eng

cm1eng:     file format elf32-i386

Disassembly of section .text:

08048080 <.text>:
 8048080:  b8 04 00 00 00     mov    $0x4,%eax        ; write() syscall
 8048085:  bb 01 00 00 00     mov    $0x1,%ebx        ; fd = STDOUT
 804808a:  b9 f8 90 04 08     mov    $0x80490f8,%ecx  ; address of the "Password : " string
 804808f:  ba 0d 00 00 00     mov    $0xd,%edx        ; its length (13 bytes)
 8048094:  cd 80              int    $0x80            ; print "Password : "
 8048096:  ba 00 01 00 00     mov    $0x100,%edx      ; max bytes to read (256)
 804809b:  b9 1b 91 04 08     mov    $0x804911b,%ecx  ; empty buffer to read into
 80480a0:  bb 00 00 00 00     mov    $0x0,%ebx        ; fd = STDIN
 80480a5:  b8 03 00 00 00     mov    $0x3,%eax        ; read() syscall
 80480aa:  cd 80              int    $0x80            ; read our password
 80480ac:  be 26 91 04 08     mov    $0x8049126,%esi  ; address of "QTBXCTU" into esi
 80480b1:  89 f7              mov    %esi,%edi        ; edi = esi, source and destination are the same string
 80480b3:  31 db              xor    %ebx,%ebx        ; ebx = 0, our byte counter
 80480b5:  fc                 cld                     ; clear the direction flag so esi/edi move forward
 80480b6:  ac                 lods   %ds:(%esi),%al   ; load the byte at ds:(%esi) into al and advance esi
                                                      ; (ds is the data segment, where the variables live)
 80480b7:  34 21              xor    $0x21,%al        ; xor that byte with 0x21
 80480b9:  aa                 stos   %al,%es:(%edi)   ; store al at es:(%edi) and advance edi, i.e. write the
                                                      ; result back over the same byte; es must point to the
                                                      ; same flat segment as ds
 80480ba:  43                 inc    %ebx             ; ebx++
 80480bb:  81 fb 07 00 00 00  cmp    $0x7,%ebx        ; have we done 7 bytes?
 80480c1:  74 02              je     0x80480c5        ; yes: leave the loop
 80480c3:  e2 f1              loop   0x80480b6        ; no: back to lods (the je above is the real exit)
 80480c5:  be 1b 91 04 08     mov    $0x804911b,%esi  ; source: the buffer holding the password we entered
 80480ca:  bf 26 91 04 08     mov    $0x8049126,%edi  ; destination: QTBXCTU, now XORed by the loop above
 80480cf:  b9 07 00 00 00     mov    $0x7,%ecx        ; compare 7 bytes
 80480d4:  fc                 cld
 80480d5:  f3 a6              repz cmpsb %es:(%edi),%ds:(%esi) ; compare both strings byte by byte
 80480d7:  75 16              jne    0x80480ef        ; not the same: skip to exit
 80480d9:  b8 04 00 00 00     mov    $0x4,%eax        ; write() the success message
 80480de:  bb 01 00 00 00     mov    $0x1,%ebx        ; fd = STDOUT
 80480e3:  b9 05 91 04 08     mov    $0x8049105,%ecx  ; "Great you did it !:)"
 80480e8:  ba 16 00 00 00     mov    $0x16,%edx       ; its length (22 bytes)
 80480ed:  cd 80              int    $0x80
 80480ef:  b8 01 00 00 00     mov    $0x1,%eax        ; exit() syscall
 80480f4:  cd 80              int    $0x80

The above code is a little difficult to understand for beginner assembly programmers because it has a lot of complex instructions, but I tried my best to comment it and make it as easy as possible. So basically what the program does is this: it takes the password stored in the data segment, 'QTBXCTU', and encrypts it with a quite simple algorithm, XOR with 0x21. It goes through it byte by byte and XORs each byte with 0x21, then compares the result with what we typed. We could calculate the encrypted password ourselves, but why cook our brains when the computer is there at our service? So let's use a simple C program.

crack.c

Code:
#include<stdio.h>
#include<string.h>

int main()
{
    char nonEncryptedPass[] = "QTBXCTU";
    char encryptedPass[8];              /* 7 characters + the null byte */
    size_t i = 0;

    for (i = 0; i < strlen(nonEncryptedPass); i++)
    {
        encryptedPass[i] = nonEncryptedPass[i] ^ 0x21;   /* same XOR as the crackme */
    }
    encryptedPass[i] = '\0';            /* add the null byte at the end (index 7; index 8 would be out of bounds) */

    printf("Encrypted Password : %s\n", encryptedPass);
    return(0);
}

Compiling

Code:
gcc crack.c -o crack

Running

Code:
aneesh@aneesh-laptop:~/Desktop$ ./crack
Encrypted Password : pucybut

OK!! Now that we got the password, let's test it!!
Code:
aneesh@aneesh-laptop:~/Desktop$ ./cm1eng
Password : pucybut
Great you did it !:)
aneesh@aneesh-laptop:~/Desktop$

Wow!! That feels great... We did it again.
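As an added example (not part of the original post), here is a C re-implementation of the crackme's check next to the solver, so the lods/xor/stos loop and the repz cmpsb compare can be stepped through without the binary. STORED_KEY, crackme_check and solve are our own names; the binary has no symbols.

```c
#include <stdio.h>
#include <string.h>
/* Stored key from the crackme's .data section (bytes at 0x8049126 in the
   objdump above). KEY_LEN, XOR_KEY and the names below are our own labels. */
#define KEY_LEN 7
#define XOR_KEY 0x21
static const char STORED_KEY[KEY_LEN + 1] = "QTBXCTU";

/* Mirror of the loop at 0x80480b6-0x80480c3: lods / xor $0x21 / stos
   rewrites the stored key in place, one byte per iteration, 7 times. */
static void transform_key(unsigned char *key, size_t len)
{
    for (size_t i = 0; i < len; i++)
        key[i] ^= XOR_KEY;
}

/* Mirror of the whole check. The real read() lands the input in a
   zero-filled buffer and repz cmpsb (ecx = 7) compares only the first
   7 bytes, so a trailing newline or extra characters do not matter.
   Returns 1 when the "Great you did it" path is taken, 0 otherwise. */
int crackme_check(const char *input)
{
    unsigned char buf[0x100] = {0};               /* like the read() buffer */
    unsigned char key[KEY_LEN + 1];
    strncpy((char *)buf, input, sizeof buf - 1);
    memcpy(key, STORED_KEY, sizeof key);
    transform_key(key, KEY_LEN);
    return memcmp(buf, key, KEY_LEN) == 0;
}

/* Solver: XOR with a constant is its own inverse, so the accepted
   password is just the stored key XORed with 0x21 again. out must
   hold KEY_LEN + 1 bytes; the same buffer is returned. */
char *solve(char *out)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (char)(STORED_KEY[i] ^ XOR_KEY);
    out[KEY_LEN] = '\0';
    return out;
}

int main(void)
{
    char pw[KEY_LEN + 1];
    printf("Derived password : %s\n", solve(pw));
    printf("Check('%s')  : %d\n", pw, crackme_check(pw));
    printf("Check('QTBXCTU')  : %d\n", crackme_check("QTBXCTU"));
    return 0;
}
```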