Basics of CrackMe With Sample and Example - Part 4

Discussion in 'Ethical hacking Tips' started by lionaneesh, Feb 12, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    In this article we'll look at yet another easy crackme. It is again a simple compare crackme, but this time the key is an int read with the C function scanf() rather than a string, so we also have to pay attention to the format in which the program expects its input.

    For Earlier parts refer
    1. Basics of CrackMe With Sample and Example
    2. Basics of CrackMe With Sample and Example - Part 2
    3. Basics of CrackMe With Sample and Example - Part 3

    Cracking

    Let's first run the program and see what it tells us:

    Code:
    aneesh@aneesh-laptop:~$ '/home/aneesh/Desktop/mycrk' 
    Type cd-key: Aneesh
    wrong!

    OK, so let's fire up GDB and crack this:

    Code:
    aneesh@aneesh-laptop:~$ gdb '/home/aneesh/Desktop/mycrk' 
    GNU gdb (GDB) 7.1-ubuntu
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i486-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /home/aneesh/Desktop/mycrk...done.
    (gdb) 
    
    Now let's disassemble main in Intel syntax. The comments after each instruction are my notes on what it does:
    Code:
    (gdb) set disassembly-flavor intel 
    (gdb) disas main 
    Dump of assembler code for function main:
       0x080483c4 <+0>:	push   ebp
       0x080483c5 <+1>:	mov    ebp,esp
       0x080483c7 <+3>:	sub    esp,0x18                  ; reserve 0x18 bytes for the locals
       0x080483ca <+6>:	and    esp,0xfffffff0            ; 16-byte align the stack
       0x080483cd <+9>:	mov    eax,0x0
       0x080483d2 <+14>:	sub    esp,eax                   ; old GCC alignment idiom, subtracts 0
       0x080483d4 <+16>:	mov    DWORD PTR [ebp-0x4],0x11e67   ; int at ebp-0x4  = 0x11e67 (XORed and printed on success)
       0x080483db <+23>:	mov    DWORD PTR [ebp-0x8],0x5b1270  ; int at ebp-0x8  = 0x5b1270 (compared with our input)
       0x080483e2 <+30>:	mov    DWORD PTR [ebp-0x10],0x6      ; int at ebp-0x10 = 6 (the XOR mask)
       0x080483e9 <+37>:	sub    esp,0xc                   ; pad the stack before the call
       0x080483ec <+40>:	push   0x8048514                 ; address of the "Type cd-key: " string
       0x080483f1 <+45>:	call   0x80482e4 <printf@plt>    ; printf("Type cd-key: ")
       0x080483f6 <+50>:	add    esp,0x10                  ; clean up the argument and the padding
       0x080483f9 <+53>:	sub    esp,0x8                   ; pad the stack before the call
       0x080483fc <+56>:	lea    eax,[ebp-0xc]             ; address of the (uninitialised) int that will receive our input
       0x080483ff <+59>:	push   eax                       ; second scanf argument: &input
       0x08048400 <+60>:	push   0x8048522                 ; first scanf argument: the format string, "%d"
       0x08048405 <+65>:	call   0x80482c4 <scanf@plt>     ; scanf("%d", &input); the return value is never checked
       0x0804840a <+70>:	add    esp,0x10                  ; clean up the stack
       0x0804840d <+73>:	mov    eax,DWORD PTR [ebp-0x8]   ; eax = 0x5b1270
       0x08048410 <+76>:	cmp    eax,DWORD PTR [ebp-0xc]   ; compare it with the int we typed
       0x08048413 <+79>:	jne    0x8048432 <main+110>      ; not equal: jump to the "wrong!" printf and exit
       0x08048415 <+81>:	mov    edx,DWORD PTR [ebp-0x10]  ; equal: edx = 6
       0x08048418 <+84>:	lea    eax,[ebp-0x4]             ; eax = address of the int at ebp-0x4
       0x0804841b <+87>:	xor    DWORD PTR [eax],edx       ; [ebp-0x4] = [ebp-0x4] ^ [ebp-0x10], i.e. 0x11e67 ^ 6
       0x0804841d <+89>:	sub    esp,0x8                   ; pad the stack before the call
       0x08048420 <+92>:	push   DWORD PTR [ebp-0x4]       ; push the XORed value
       0x08048423 <+95>:	push   0x8048525                 ; push the "%d" format string
       0x08048428 <+100>:	call   0x80482e4 <printf@plt>   ; print the XORed value
       0x0804842d <+105>:	add    esp,0x10                 ; clean up the stack
       0x08048430 <+108>:	jmp    0x8048442 <main+126>     ; skip the failure path and exit
       0x08048432 <+110>:	sub    esp,0xc                  ; failure path: pad the stack before the call
       0x08048435 <+113>:	push   0x8048529                ; address of the "wrong!" string
       0x0804843a <+118>:	call   0x80482e4 <printf@plt>   ; printf("wrong!")
       0x0804843f <+123>:	add    esp,0x10                 ; clean up the stack
       0x08048442 <+126>:	mov    eax,0x0                  ; return 0
       0x08048447 <+131>:	leave  
       0x08048448 <+132>:	ret    
    End of assembler dump.
    (gdb)
    
    
    A few things stand out in this listing.

    Three ints are initialised at the top of main: 0x11e67 at ebp-0x4, 0x5b1270 at ebp-0x8 and 6 at ebp-0x10. A fourth local, at ebp-0xc, is never initialised; its address is handed to scanf(), so that is the slot our input lands in. Only one of the three constants is compared with the input; the other two just feed the number printed on success.

    The string addresses also line up with what the program printed: 0x8048514 to 0x8048522 is 14 bytes, which matches "Type cd-key: " plus its terminating NUL, and 0x8048522 to 0x8048525 is 3 bytes, which is "%d" plus NUL. So the scanf() format can be confirmed from the addresses alone, without dumping memory.

    I tried to keep the rest of the code as simple as possible, so I hope the listing is easy to follow.

    The key lines are the compare:
    Code:
    0x0804840d <+73>:	mov    eax,DWORD PTR [ebp-0x8]   ; eax = the stored int
    0x08048410 <+76>:	cmp    eax,DWORD PTR [ebp-0xc]   ; compare it with the int we typed
    
    So the program compares our input (ebp-0xc) with the int stored at ebp-0x8. Let's see what ebp-0x8 holds:
    Code:
       0x080483db <+23>:	mov    DWORD PTR [ebp-0x8],0x5b1270   ; the stored int
    
    So 0x5b1270 is the cd-key.

    Note that nothing checks scanf()'s return value: eax is overwritten at main+73 without ever being tested, and ebp-0xc is not initialised before the call. That is why typing "Aneesh" in the first run did not crash; scanf() simply stored nothing, the cmp read whatever was already in that stack slot, and the program printed "wrong!".

    Because the input is read with scanf("%d"), i.e. as a decimal integer, we first have to convert the key to decimal before feeding it to the program:

    0x5b1270 = 5968496 (decimal)

    Let's test it against the program:
    Code:
    aneesh@aneesh-laptop:~$ '/home/aneesh/Desktop/mycrk' 
    Type cd-key: 5968496
    73313
    
    And again we did it! The number printed, 73313, is the success-path value: 0x11e67 ^ 6 = 0x11e61 = 73313, exactly what the xor at main+87 computes.
    Thanks for reading and stay tuned.
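    The whole check, reconstructed in C from the disassembly above. This is an added example and not the crackme's original source (which was never posted): the variable names, the "%d" format strings and the use of fgets() plus strtol() in main() are my assumptions, while the three constants and the control flow are taken from the listing. check_key() is the logic from main+73 to main+87 with the printf()s factored out, and parse_key() is the input handling the binary should have had: it reports non-numeric input instead of leaving the destination uninitialised the way the unchecked scanf("%d") does.

```c
/* Reconstruction of the "mycrk" crackme from the disassembly on this page.
 * Added example: variable names, format strings and the fgets()/strtol()
 * input handling are assumptions; the constants and control flow are
 * taken from the listing. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <limits.h>

#define SHOW_SEED 0x11e67   /* mov DWORD PTR [ebp-0x4],0x11e67  */
#define CD_KEY    0x5b1270  /* mov DWORD PTR [ebp-0x8],0x5b1270 */
#define XOR_MASK  0x6       /* mov DWORD PTR [ebp-0x10],0x6     */

/* main+73 .. main+87 with the printf()s factored out: returns the number
 * the success path prints, or -1 when the binary would print "wrong!". */
int check_key(int input)
{
    int shown = SHOW_SEED;
    if (input != CD_KEY)        /* cmp eax,[ebp-0xc] / jne main+110 */
        return -1;
    shown ^= XOR_MASK;          /* xor DWORD PTR [eax],edx */
    return shown;               /* 0x11e67 ^ 6 = 0x11e61 = 73313 */
}

/* Decimal parse doing what the binary trusts scanf("%d") to do, but
 * reporting failure instead of silently leaving *out untouched.
 * Accepts an optional sign, digits and trailing whitespace (e.g. the
 * newline fgets() keeps); rejects anything else and out-of-range values.
 * Returns 0 on success, -1 on failure. */
int parse_key(const char *text, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;
    if (*end != '\0')
        return -1;
    *out = (int)v;
    return 0;
}

/* One run of the program on one line of input: the value it would print
 * on success, or -1 for "wrong!". Unparseable input is also "wrong!" here;
 * in the real binary it means comparing CD_KEY with an uninitialised slot. */
int run_check(const char *line)
{
    int key;
    if (parse_key(line, &key) != 0)
        return -1;
    return check_key(key);
}

int main(void)
{
    char line[64];
    int shown;

    printf("Type cd-key: ");
    fflush(stdout);
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    shown = run_check(line);
    if (shown < 0)
        puts("wrong!");
    else
        printf("%d\n", shown);
    return 0;
}
```

    Compiled and run, this behaves like the crackme on the page: 5968496 prints 73313 and anything else prints "wrong!". The difference is in the failure case for non-numeric input, where the original reads an uninitialised int and this version returns a definite result.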
     
  2. lionaneesh

    Thanks a ton for accepting.. I hope the viewers like it!!!!
     
  3. lionaneesh

    The post is not related to the thread..
    I think shabbir you should check...
     
  4. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    Please don't quote those post into your post or else I have to edit yours as well.
     
  5. lionaneesh

    Hey viewers :-

    I wanted to ask you guys if you are liking my crackme tutorials and want to view more.
    If yes, please reply!!
     
  6. ishaqforu

    ishaqforu New Member

    Joined:
    May 31, 2011
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    0
    Hello Everyone,

    Can 'CrackMe' be used to get the keys for trial software?

    Ishaq.
     
  7. lionaneesh

    Yes! Even the top softs can be cracked, but it obviously increases the difficulty.
     
