Basics of CrackMe With Sample and Example

Discussion in 'Ethical hacking Tips' started by lionaneesh, Jan 26, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Mar 21, 2010
    Likes Received:
    Trophy Points:
    I assume basic understanding of assembly language and a GDB (How to get started with GNU Project Debugger [GDB]?) basic knowledge.

    Let's Get Started

    We'll be using a basic string compare (inelegant) crackme for This tutorial..

    crackme :-
    #define pass "CraxMe001-Explicted"
    int main(int argc,char **argv)
            if(argc != 2)
                    printf("Usage : %s password\n",argv[0]);
    Compiling :-

    aneesh@aneesh-laptop:~/articles$ gcc crackme.c -o crackme 
    Lets first examine this in GDB....

    aneesh@aneesh-laptop:~/articles$ gdb ./crackme
    GNU gdb (GDB) 7.1-ubuntu
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i486-linux-gnu".
    For bug reporting instructions, please see:
    Reading symbols from /home/aneesh/articles/crackme...(no debugging symbols found)...done.
    I am setting the disassmebly flavour to intel because in am comfortable with it but you can also choose the basic att syntax if your confortable..

    Now lets disassemble the main function and identify the needed code...

    (gdb) disassemble main 
    Dump of assembler code for function main:
       0x08048454 <+0>:	push   ebp
       0x08048455 <+1>:	mov    ebp,esp
       0x08048457 <+3>:	and    esp,0xfffffff0
       0x0804845a <+6>:	sub    esp,0x10
       0x0804845d <+9>:	cmp    DWORD PTR [ebp+0x8],0x2
    		; The argc check
       0x08048461 <+13>:	je     0x8048480 <main+44>
    		; jmp to main+44 is equal
       0x08048463 <+15>:	mov    eax,DWORD PTR [ebp+0xc]
       0x08048466 <+18>:	mov    edx,DWORD PTR [eax]
       0x08048468 <+20>:	mov    eax,0x8048570
       0x0804846d <+25>:	mov    DWORD PTR [esp+0x4],edx
       0x08048471 <+29>:	mov    DWORD PTR [esp],eax
       0x08048474 <+32>:	call   0x8048364 <printf@plt>
               ; Print the usage
       0x08048479 <+37>:	mov    eax,0x0
       0x0804847e <+42>:	jmp    0x80484ad <main+89>
       0x08048480 <+44>:	mov    eax,DWORD PTR [ebp+0xc]
    	; if jumped here then we passed the argc test thus we have a user entered pass and we are shifting the address of that pass into eax
       0x08048483 <+47>:	add    eax,0x4
       0x08048486 <+50>:	mov    eax,DWORD PTR [eax]
    		; the eax contains the address of the pass entered by the user
       0x08048488 <+52>:	mov    DWORD PTR [esp+0x4],0x8048585 ;thus most probably this would be the address of the pass in the program lets check
       0x08048490 <+60>:	mov    DWORD PTR [esp],eax 
       0x08048493 <+63>:	call   0x8048384 <strcmp@plt>
       0x08048498 <+68>:	test   eax,eax
       0x0804849a <+70>:	jne    0x80484a8 <main+84>
    ---Type <return> to continue, or q <return> to quit---
       0x0804849c <+72>:	mov    DWORD PTR [esp],0x8048599
       0x080484a3 <+79>:	call   0x8048374 <puts@plt>
       0x080484a8 <+84>:	mov    eax,0x0
    		; The exit code
       0x080484ad <+89>:	leave  
    				; exit
       0x080484ae <+90>:	ret    
    The dump looks quite interesting...While glancing over the code we see a call to strcmp @ 0x08048493 with 2 arguments...These arguments must contain the password...
    I have commented the above dump to make it more understandable for you guyz!!!

    So now that we have came to know the address of the Pass string lets check the data in it...

    Lets set a breakpoint at the beginning of the Program..

    (gdb) break main
    Breakpoint 1 at 0x8048457
    Lets run the program with some args!!

    (gdb) run pass
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /home/aneesh/articles/crackme pass
    Breakpoint 1, 0x08048457 in main ()
    Lets step the code now

    (gdb) s
    Single stepping until exit from function main, 
    which has no line number information.
    0x001a1140 in strcmp () from /lib/tls/i686/cmov/
    Now that we know where the data exists lets examine the address's memory and get the password...

    This can be done by 'x' command

    Lets see how x works
    (gdb) help x
    Examine memory: x/FMT ADDRESS.
    ADDRESS is an expression for the memory address to examine.
    FMT is a repeat count followed by a format letter and a size letter.
    Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal),
      t(binary), f(float), a(address), i(instruction), c(char) and s(string).
    Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
    The specified number of objects of the specified size are printed
    according to the format.
    Defaults for format and size letters are those previously used.
    Default count is 1.  Default address is following last thing printed
    with this command or "print".
    The help page of GDB is quite self-explanatory...

    So for Examining memory @ address 0x8048585 and display it as a string

    would be :-

    (gdb) x/1s 0x8048585
    0x8048585:	 "CraxMe001-Explicted"
    So … BOOOM!!!! We have successfully managed to get the pass out of this simple program...

    I hope you all liked it and Most Probably will continue Making more advanced articles on debugging..
  2. lionaneesh

    lionaneesh Active Member

    Mar 21, 2010
    Likes Received:
    Trophy Points:
    Shabbir , Thanks for accepting my article...

    Thanks a ton!!!!
  3. shabbir

    shabbir Administrator Staff Member

    Jul 12, 2004
    Likes Received:
    Trophy Points:
    My pleasure.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice