
lionaneesh 12Feb2011 20:14

Basics of CrackMe With Sample and Example - Part 3
In this tutorial we'll be looking at a somewhat more difficult crackme ... This time we won't get the ready-made password simply from the strings stored in the program; we have to calculate it...

This is not so tough to solve, but yes, it's not that easy...

Don't miss the earlier parts
  1. Basics of CrackMe With Sample and Example
  2. Basics of CrackMe With Sample and Example - Part 2


Let's just run the crackme to see what's happening :-


aneesh@aneesh-laptop:~/Desktop$ ./cm1eng

Password : pass

OK, that's simple and doesn't reveal much useful information about the program..
The program prompts for a password..

Now let's display the useful contents of the different sections of the binary and see what's there for us..

This can be done by :-


aneesh@aneesh-laptop:~/Desktop$ objdump -s cm1eng

cm1eng:    file format elf32-i386

Contents of section .text:
 8048080 b8040000 00bb0100 0000b9f8 900408ba  ................
 8048090 0d000000 cd80ba00 010000b9 1b910408  ................
 80480a0 bb000000 00b80300 0000cd80 be269104  .............&..
 80480b0 0889f731 dbfcac34 21aa4381 fb070000  ...1...4!.C.....
 80480c0 007402e2 f1be1b91 0408bf26 910408b9  .t.........&....
 80480d0 07000000 fcf3a675 16b80400 0000bb01  .......u........
 80480e0 000000b9 05910408 ba160000 00cd80b8  ................
 80480f0 01000000 cd80                        ......         
Contents of section .data:
 80490f8 0a506173 73776f72 64203a20 00477265  .Password : .Gre
 8049108 61742079 6f752064 69642069 7420213a  at you did it !:
 8049118 290a0a20 20202020 20202020 20005154  )..          .QT
 8049128 42584354 5500                        BXCTU.         
Contents of section .comment:
 0000 00546865 204e6574 77696465 20417373  .The Netwide ***
 0010 656d626c 65722030 2e39382e 333800    embler 0.98.38.

You see something useful..
  1. In the data section we see some useful strings ... and at the end of the section there is something interesting, 'QTBXCTU'; it seems to be the password..
  2. Let's try it..

aneesh@aneesh-laptop:~/Desktop$ ./cm1eng

Password : QTBXCTU

Oh!!! :( No success here... I told you it's not that easy..

Now let's disassemble the program and see what it is doing..

Code: asm

aneesh@aneesh-laptop:~/Desktop$ objdump -d cm1eng

cm1eng:     file format elf32-i386

Disassembly of section .text:

08048080 <.text>:
 8048080:   b8 04 00 00 00         mov    $0x4,%eax ; write syscall
 8048085:   bb 01 00 00 00         mov    $0x1,%ebx ; fd STDOUT
 804808a:   b9 f8 90 04 08         mov    $0x80490f8,%ecx ; address of the "Password : " string
 804808f:   ba 0d 00 00 00         mov    $0xd,%edx ; strlen()
 8048094:   cd 80                  int    $0x80 ; print out “Password :”
 8048096:   ba 00 01 00 00         mov    $0x100,%edx       ; bytes to read
 804809b:   b9 1b 91 04 08         mov    $0x804911b,%ecx    ; empty buffer to read into
 80480a0:   bb 00 00 00 00         mov    $0x0,%ebx   ; read from STDIN
 80480a5:   b8 03 00 00 00         mov    $0x3,%eax   ; read() syscall
 80480aa:   cd 80                  int    $0x80    ; read
 80480ac:   be 26 91 04 08         mov    $0x8049126,%esi    ; address of QTBXCTU into esi
 80480b1:   89 f7                  mov    %esi,%edi   ; edi = esi, so the result overwrites QTBXCTU in place
 80480b3:   31 db                  xor    %ebx,%ebx   ; zero ebx (our byte counter)
 80480b5:   fc                     cld                   ; clear the direction flag (esi/edi move upwards)
 80480b6:   ac                     lods   %ds:(%esi),%al         ; load the byte at ds:(%esi) into al and advance esi by one
 80480b7:   34 21                  xor    $0x21,%al   ; xor the al with 0x21
 80480b9:   aa                     stos   %al,%es:(%edi)         ; store al at es:(%edi) and advance edi by one; es is just a segment register and must point to the correct segment of memory..
 80480ba:   43                     inc    %ebx ; ebx++
 80480bb:   81 fb 07 00 00 00      cmp    $0x7,%ebx ; done 7 bytes yet?
 80480c1:   74 02                  je     0x80480c5     ; jump if ebx==0x7
 80480c3:   e2 f1                  loop   0x80480b6 ; ecx--, keep looping until we've done 7 chars
 80480c5:   be 1b 91 04 08         mov    $0x804911b,%esi ; the buffer our input was read into (see the read() above)
 80480ca:   bf 26 91 04 08         mov    $0x8049126,%edi ; QTBXCTU after being encrypted by the loop above
 80480cf:   b9 07 00 00 00         mov    $0x7,%ecx  ; strlen() = 7
 80480d4:   fc                     cld   
 80480d5:   f3 a6                  repz cmpsb %es:(%edi),%ds:(%esi) ; Simply compare both strings
 80480d7:   75 16                  jne    0x80480ef  ; if not same
 80480d9:   b8 04 00 00 00         mov    $0x4,%eax  ; Print the 'Success' message 
 80480de:   bb 01 00 00 00         mov    $0x1,%ebx  
 80480e3:   b9 05 91 04 08         mov    $0x8049105,%ecx ; The success message
 80480e8:   ba 16 00 00 00         mov    $0x16,%edx ; strlen(The Success string)
 80480ed:   cd 80                  int    $0x80
 80480ef:   b8 01 00 00 00         mov    $0x1,%eax  ; exit
 80480f4:   cd 80                  int    $0x80

The above code is a little difficult to understand for beginner assembly programmers because it has a lot of complex instructions ... But I tried my best to comment the code and make it as easy as possible..

So basically what the program does is this: it takes the password stored in the data segment, 'QTBXCTU', and encrypts it with a quite simple algorithm, XOR with 0x21..
It goes through it byte by byte and XORs each byte with 0x21, then compares the result with the input we typed (the repz cmpsb at the end)..
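As an added example that is not part of the original article, here is the same recovery done in Python straight from the objdump -s dump above: it parses the .data lines into an address-to-byte map, reads the NUL-terminated string at 0x8049126 (the address the lods loop starts from), applies the XOR 0x21 transform, and also mirrors the final repz cmpsb check, which compares only 7 bytes. The dump text is copied from the output above; the function names are my own.

```python
import re

# Constructed copy of the .data section lines from the objdump -s output above
OBJDUMP_DATA = """\
Contents of section .data:
 80490f8 0a506173 73776f72 64203a20 00477265  .Password : .Gre
 8049108 61742079 6f752064 69642069 7420213a  at you did it !:
 8049118 290a0a20 20202020 20202020 20005154  )..          .QT
 8049128 42584354 5500                        BXCTU.
"""

# Taken from the disassembly: lods starts at 0x8049126 and each byte is xor'ed with 0x21
PASSWORD_ADDR = 0x8049126
XOR_KEY = 0x21

# objdump -s prints an address, then up to four 32-bit hex words, then an ASCII column
LINE_RE = re.compile(r"^\s*([0-9a-f]+)\s+((?:[0-9a-f]{2,8}\s+){1,4})")


def parse_objdump_section(dump: str) -> dict:
    """Turn 'objdump -s' lines into a {address: byte} map (ASCII column ignored)."""
    mem = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or blank line
        addr = int(m.group(1), 16)
        for word in m.group(2).split():
            for i in range(0, len(word), 2):
                mem[addr] = int(word[i:i + 2], 16)
                addr += 1
    return mem


def read_cstring(mem: dict, addr: int) -> bytes:
    """Read a NUL-terminated string from the parsed section starting at addr."""
    out = bytearray()
    while mem.get(addr, 0) != 0:
        out.append(mem[addr])
        addr += 1
    return bytes(out)


def xor_transform(data: bytes, key: int = XOR_KEY) -> bytes:
    """The lods / xor $0x21 / stos loop of the crackme, applied to every byte."""
    return bytes(b ^ key for b in data)


def recover_password(dump: str = OBJDUMP_DATA) -> str:
    """Stored password from .data, transformed exactly as the crackme does before comparing."""
    stored = read_cstring(parse_objdump_section(dump), PASSWORD_ADDR)
    return xor_transform(stored).decode("ascii")


def crackme_accepts(typed: bytes, dump: str = OBJDUMP_DATA) -> bool:
    """Mirror the final check: repz cmpsb with ecx = 7 only compares the first 7 bytes of input."""
    stored = read_cstring(parse_objdump_section(dump), PASSWORD_ADDR)
    return typed[:7] == xor_transform(stored)
```

Because only 7 bytes are compared, the trailing newline from the terminal does not matter, which is why typing the password and pressing Enter works.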

We could calculate the encrypted password ourselves, but why cook our brains when the computer is there at our service... So let's use a simple C program..

Code: c

#include <stdio.h>

int main()
{
    char nonEncryptedPass[] = "QTBXCTU";   // the password found in the .data section
    char encryptedPass[8];
    int i = 0;

    for (i = 0; i < 7; i++)                // XOR every byte with 0x21, just like the crackme does
        encryptedPass[i] = nonEncryptedPass[i] ^ 0x21;

    encryptedPass[7] = '\0';               // add the null byte at the end
    printf("Encrypted Password : %s\n", encryptedPass);
    return 0;
}



gcc crack.c -o crack

aneesh@aneesh-laptop:~/Desktop$ ./crack

Encrypted Password : pucybut

OK!! Now that we've got the password, let's test it!!

aneesh@aneesh-laptop:~/Desktop$ ./cm1eng

Password : pucybut

Great you did it !:)


WoW!! That feels great...
We did it again...

lionaneesh 15Feb2011 23:10

Re: Basics of CrackMe With Sample and Example - Part 3
Please post comments on what you feel about the article..
