Basics of CrackMe With Sample and Example - Part 4

Discussion in 'Ethical hacking Tips' started by lionaneesh, Feb 12, 2011.

  lionaneesh

    lionaneesh New Member

    In this article we'll be seeing yet another easy crackme... This crackme is another simple compare crackme but uses ints with C functions like scanf() etc..

    Let's first run the program and see what it has to tell us..

    aneesh@aneesh-laptop:~$ '/home/aneesh/Desktop/mycrk' 
    Type cd-key: Aneesh
    Ok.. So let's fire up GDB and let's crack this..

    aneesh@aneesh-laptop:~$ gdb '/home/aneesh/Desktop/mycrk' 
    GNU gdb (GDB) 7.1-ubuntu
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i486-linux-gnu".
    For bug reporting instructions, please see:
    Reading symbols from /home/aneesh/Desktop/mycrk...done.
    Now let's disassemble the code in the Intel syntax..
    (gdb) set disassembly-flavor intel 
    (gdb) disas main 
    Dump of assembler code for function main:
       0x080483c4 <+0>:	push   ebp
       0x080483c5 <+1>:	mov    ebp,esp
       0x080483c7 <+3>:	sub    esp,0x18
       0x080483ca <+6>:	and    esp,0xfffffff0
       0x080483cd <+9>:	mov    eax,0x0
       0x080483d2 <+14>:	sub    esp,eax
       0x080483d4 <+16>:	mov    DWORD PTR [ebp-0x4],0x11e67
    	; some ints here
       0x080483db <+23>:	mov    DWORD PTR [ebp-0x8],0x5b1270
    	; some int declarations 
       0x080483e2 <+30>:	mov    DWORD PTR [ebp-0x10],0x6
       0x080483e9 <+37>:	sub    esp,0xc
       0x080483ec <+40>:	push   0x8048514
    	; The printf("String") argument
       0x080483f1 <+45>:	call   0x80482e4 <printf@plt>
    			; Call the printf
       0x080483f6 <+50>:	add    esp,0x10
    					; Clean up the stack
       0x080483f9 <+53>:	sub    esp,0x8
       0x080483fc <+56>:	lea    eax,[ebp-0xc]
    	; load the address of ebp-0xc; it should be the pre-initialised int where the value entered by the user will be stored
       0x080483ff <+59>:	push   eax
    	; Push the address of that int (scanf's output argument)
       0x08048400 <+60>:	push   0x8048522
    	; Push the format string, it is "%d", we'll check it
       0x08048405 <+65>:	call   0x80482c4 <scanf@plt>
    	;Call the scanf
       0x0804840a <+70>:	add    esp,0x10
    			; Clear the stack
       0x0804840d <+73>:	mov    eax,DWORD PTR [ebp-0x8]
       0x08048410 <+76>:	cmp    eax,DWORD PTR [ebp-0xc]	;; it's basically comparing the one we entered with the int declared already
       0x08048413 <+79>:	jne    0x8048432 <main+110>
     ; jmp to fail printf() and exit if we are unsuccessful
       0x08048415 <+81>:	mov    edx,DWORD PTR [ebp-0x10]
     ; else
       0x08048418 <+84>:	lea    eax,[ebp-0x4]
    	; Load the address of ebp-0x4 (the value printed on success)
       0x0804841b <+87>:	xor    DWORD PTR [eax],edx
    	; [eax] = [eax] ^ edx
    	; This certainly means that
    	; ebp-0x4 = ebp-0x4 ^ ebp-0x10
       0x0804841d <+89>:	sub    esp,0x8
    				; clear the stack
       0x08048420 <+92>:	push   DWORD PTR [ebp-0x4]
    	; Push the xored output
       0x08048423 <+95>:	push   0x8048525
    			; Push %d
       0x08048428 <+100>:	call   0x80482e4 <printf@plt>	; Printf the string
       0x0804842d <+105>:	add    esp,0x10
    			;Clear the stack
       0x08048430 <+108>:	jmp    0x8048442 <main+126>
    	; exit
       0x08048432 <+110>:	sub    esp,0xc
       0x08048435 <+113>:	push   0x8048529
       0x0804843a <+118>:	call   0x80482e4 <printf@plt>
       0x0804843f <+123>:	add    esp,0x10
       0x08048442 <+126>:	mov    eax,0x0
       0x08048447 <+131>:	leave  
       0x08048448 <+132>:	ret    
    End of assembler dump.
    So if we look at the source above ..

    We can see that we have 3 int declarations at the top ..

    These ints are defined above and are used to compare the pass we entered..

    I tried to make the rest of code as simple as possible ...I hope you understand the source..

    The main line of code is the compare statement
    0x0804840d <+73>:	mov    eax,DWORD PTR [ebp-0x8]
    0x08048410 <+76>:	cmp    eax,DWORD PTR [ebp-0xc]	;; it's basically comparing the one we entered with the int declared already
    So basically we are comparing our input (ebp-0xC) and the int specified (ebp-0x8)
    So let's see what is ebp-0x8
       0x080483db <+23>:	mov    DWORD PTR [ebp-0x8],0x5b1270
    	; some int declarations 
    So basically 0x5b1270 is the cd-key..

    As we are inputting data in int ("%d") format, we need to first convert this pass to int and then test it against the program..

    Let's do it..

    0x5b1270 = 5968496 // in int format

    Let's test it against the program
    aneesh@aneesh-laptop:~$ '/home/aneesh/Desktop/mycrk' 
    Type cd-key: 5968496
    And again we did it!! WOW!!!!
    Thanks for reading and stay tuned
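    A C reconstruction of what the disassembly above does, added here as an illustration (this is not the crackme's original source, which the post does not include; the failure message text is a placeholder since the post only shows its address). The constants and stack slots come straight from the dump:

```c
#include <stdio.h>

/* Constants recovered from the disassembly in the post:
 *   [ebp-0x4]  = 0x11e67   value that is XORed and printed on success
 *   [ebp-0x8]  = 0x5b1270  the cd-key the input is compared against
 *   [ebp-0xc]  = the int filled in by scanf("%d")
 *   [ebp-0x10] = 6         the XOR mask
 */
#define SECRET   0x11e67
#define CDKEY    0x5b1270
#define XOR_MASK 6

/* Mirrors the cmp/jne at main+76/+79: 1 when the typed number is the key. */
int cdkey_matches(int input)
{
    return input == CDKEY;
}

/* Mirrors the xor at main+87: the number printed on the success path. */
int success_value(void)
{
    return SECRET ^ XOR_MASK;
}

/* The decimal form of the key, i.e. what has to be typed at the "%d" prompt. */
long cdkey_as_decimal(void)
{
    return (long)CDKEY;   /* 0x5b1270 == 5968496 */
}

int main(void)
{
    int input;
    printf("Type cd-key: ");              /* string at 0x8048514 */
    if (scanf("%d", &input) != 1)         /* format string at 0x8048522 */
        return 1;
    if (cdkey_matches(input))
        printf("%d\n", success_value());  /* format string at 0x8048525 */
    else
        printf("Wrong cd-key\n");         /* placeholder for the string at 0x8048529 */
    return 0;
}
```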
  lionaneesh

    lionaneesh New Member

    Thanks a ton for accepting.. I hope the viewers like it!!!!
  lionaneesh

    lionaneesh New Member

    The post is not related to the thread..
    I think shabbir you should check...
  shabbir

    shabbir Administrator Staff Member

    Please don't quote those post into your post or else I have to edit yours as well.
  lionaneesh

    lionaneesh New Member

    Hey Viewers :-

    I wanted to ask you guys.. if you are liking my crackme tutorials and want to view more..
    If yes please reply!!
  ishaqforu

    ishaqforu New Member

    Hello Everyone,

    Can 'CrackMe' be used to get the keys for trial software?

  lionaneesh

    lionaneesh New Member

    Yes! Even the top softs can be cracked, but it obviously increases the difficulty

