In this article we'll be seeing yet another easy crackme. This crackme is another simple compare crackme, but it uses ints with C functions like scanf().
For earlier parts refer to:
- Basics of CrackMe With Sample and Example
- Basics of CrackMe With Sample and Example - Part 2
- Basics of CrackMe With Sample and Example - Part 3
Cracking
Let's first run the program and see what it has to tell us.
Code:
aneesh@aneesh-laptop:~$ '/home/aneesh/Desktop/mycrk'
Type cd-key: Aneesh
wrong!
Ok, so let's fire up GDB and let's crack this.
Code:
aneesh@aneesh-laptop:~$ gdb '/home/aneesh/Desktop/mycrk'
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/aneesh/Desktop/mycrk...done.
(gdb)
Now let's disassemble the code in Intel syntax.
Code: asm
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x080483c4 <+0>: push ebp
0x080483c5 <+1>: mov ebp,esp
0x080483c7 <+3>: sub esp,0x18
0x080483ca <+6>: and esp,0xfffffff0
0x080483cd <+9>: mov eax,0x0
0x080483d2 <+14>: sub esp,eax
0x080483d4 <+16>: mov DWORD PTR [ebp-0x4],0x11e67
; the three int locals are initialised here:
0x080483db <+23>: mov DWORD PTR [ebp-0x8],0x5b1270
; ebp-0x4 = 0x11e67, ebp-0x8 = 0x5b1270, ebp-0x10 = 6
0x080483e2 <+30>: mov DWORD PTR [ebp-0x10],0x6
; (ebp-0xc is left for the value scanf() will read)
0x080483e9 <+37>: sub esp,0xc
0x080483ec <+40>: push 0x8048514
; push the address of the prompt string ("Type cd-key: ") for printf
0x080483f1 <+45>: call 0x80482e4 <printf@plt>
; Call the printf
0x080483f6 <+50>: add esp,0x10
; Clean up the stack
0x080483f9 <+53>: sub esp,0x8
; make room on the stack for the two scanf() arguments
0x080483fc <+56>: lea eax,[ebp-0xc]
; load the address of ebp-0xc, the int where the value entered by the user will be stored
0x080483ff <+59>: push eax
; push that address as scanf()'s second argument (&input)
0x08048400 <+60>: push 0x8048522
; push the format string, it is "%d" (we'll check it)
0x08048405 <+65>: call 0x80482c4 <scanf@plt>
;Call the scanf
0x0804840a <+70>: add esp,0x10
; Clear the stack
0x0804840d <+73>: mov eax,DWORD PTR [ebp-0x8]
; eax = the int stored at ebp-0x8
0x08048410 <+76>: cmp eax,DWORD PTR [ebp-0xc] ;; compare the int we input with the int declared already
0x08048413 <+79>: jne 0x8048432 <main+110>
; jump to the fail printf() and exit if the compare fails
0x08048415 <+81>: mov edx,DWORD PTR [ebp-0x10]
; else (success path): edx = the int at ebp-0x10
0x08048418 <+84>: lea eax,[ebp-0x4]
; eax = address of the int at ebp-0x4
0x0804841b <+87>: xor DWORD PTR [eax],edx
; [eax] = [eax] ^ edx
; This certainly means that
; ebp-0x4 = ebp-0x4 ^ ebp-0x10, and that xored int is what gets printed as the "success string"
0x0804841d <+89>: sub esp,0x8
; make room on the stack for the printf() arguments
0x08048420 <+92>: push DWORD PTR [ebp-0x4]
; Push the xored output
0x08048423 <+95>: push 0x8048525
; Push %d
0x08048428 <+100>: call 0x80482e4 <printf@plt> ; Printf the string
0x0804842d <+105>: add esp,0x10
;Clear the stack
0x08048430 <+108>: jmp 0x8048442 <main+126>
; skip the fail branch and go to the return
0x08048432 <+110>: sub esp,0xc
; fail branch: printf("wrong!")
0x08048435 <+113>: push 0x8048529
0x0804843a <+118>: call 0x80482e4 <printf@plt>
0x0804843f <+123>: add esp,0x10
0x08048442 <+126>: mov eax,0x0
0x08048447 <+131>: leave
0x08048448 <+132>: ret
End of assembler dump.
(gdb)
Looking at the disassembly above, we can see that we have 3 int declarations at the top.
These ints are defined above and are used to compare against the pass we entered.
I tried to make the rest of the code as simple as possible; I hope you understand the source.
The main line of code is the compare statement:
Code: asm
0x0804840d <+73>: mov eax,DWORD PTR [ebp-0x8]
; eax = the int stored at ebp-0x8
0x08048410 <+76>: cmp eax,DWORD PTR [ebp-0xc] ;; compare the int we input with the int declared already
So basically we are comparing our input (ebp-0xc) with the int specified (ebp-0x8).
So let's see what is at ebp-0x8:
Code: asm
0x080483db <+23>: mov DWORD PTR [ebp-0x8],0x5b1270
; the int we are compared against: the cd-key
As we are inputting data in int ("%d") format, we need to first convert this pass to a decimal int and then test it against the program.
Let's do it:
0x5b1270 = 5968496 // in decimal
Let's test it against the program.
Code:
aneesh@aneesh-laptop:~$ '/home/aneesh/Desktop/mycrk'
Type cd-key: 5968496
73313
And again we did it!! WOW!!!!
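To make this static analysis repeatable, here is an added Python example (not from the original post) that parses the instruction lines of the gdb dump above, recovers the constants stored into the locals, works out which local scanf() writes to and which constant it is compared against, and also explains the 73313 printed on success: the success branch computes [ebp-0x4] ^ [ebp-0x10] = 0x11e67 ^ 0x6 before printf("%d"). The `DISAS` string is a constructed excerpt of the dump, and the regexes assume gdb's Intel-syntax formatting exactly as shown on the page.

```python
import re

# Constructed excerpt: the relevant instruction lines of the gdb dump shown in the post
DISAS = """\
0x080483d4 <+16>: mov DWORD PTR [ebp-0x4],0x11e67
0x080483db <+23>: mov DWORD PTR [ebp-0x8],0x5b1270
0x080483e2 <+30>: mov DWORD PTR [ebp-0x10],0x6
0x080483fc <+56>: lea eax,[ebp-0xc]
0x080483ff <+59>: push eax
0x08048405 <+65>: call 0x80482c4 <scanf@plt>
0x0804840d <+73>: mov eax,DWORD PTR [ebp-0x8]
0x08048410 <+76>: cmp eax,DWORD PTR [ebp-0xc]
0x08048415 <+81>: mov edx,DWORD PTR [ebp-0x10]
0x08048418 <+84>: lea eax,[ebp-0x4]
0x0804841b <+87>: xor DWORD PTR [eax],edx
"""

SLOT = r"\[ebp-(0x[0-9a-f]+)\]"                       # a local in main's stack frame
MOV_IMM = re.compile(r"mov DWORD PTR " + SLOT + r",(0x[0-9a-f]+)$")
LEA = re.compile(r"lea eax," + SLOT + "$")
LOAD = re.compile(r"mov (e[a-d]x),DWORD PTR " + SLOT + "$")
CMP = re.compile(r"cmp eax,DWORD PTR " + SLOT + "$")

def instructions(dump):
    """Drop the 'address <+off>: ' prefix gdb prints and keep the instruction text."""
    return [ln.split(": ", 1)[1].strip() for ln in dump.splitlines() if ln.strip()]

def analyse(dump):
    consts, regs, scanf_slot, cmp_slots = {}, {}, None, None
    for insn in instructions(dump):
        if m := MOV_IMM.match(insn):            # constant stored into a local
            consts[int(m.group(1), 16)] = int(m.group(2), 16)
        elif m := LEA.match(insn):              # eax now points at this local
            regs["eax_addr"] = int(m.group(1), 16)
        elif m := LOAD.match(insn):             # register now holds this local's value
            regs[m.group(1)] = int(m.group(2), 16)
        elif "scanf" in insn:                   # pointer pushed just before scanf = input slot
            scanf_slot = regs["eax_addr"]
        elif m := CMP.match(insn):              # eax (a loaded local) vs another local
            cmp_slots = (regs["eax"], int(m.group(1), 16))
        elif insn == "xor DWORD PTR [eax],edx": # success path: [ebp-0x4] ^= [ebp-0x10]
            regs["xored"] = consts[regs["eax_addr"]] ^ consts[regs["edx"]]
    if scanf_slot not in cmp_slots:
        raise ValueError("cmp does not involve the scanf target")
    key_slot = cmp_slots[0] if cmp_slots[1] == scanf_slot else cmp_slots[1]
    return {"key": consts[key_slot], "input_slot": scanf_slot, "success_print": regs["xored"]}

if __name__ == "__main__":
    print(analyse(DISAS))   # {'key': 5968496, 'input_slot': 12, 'success_print': 73313}
```

The same walk would flag any hard-coded secret compared against user input in a binary, which is why a constant compare like this offers no real protection.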
Thanks for reading and stay tuned