Crackme - lord's easy linux crackme
===================================

Public domain

********************************************************************************

URL: [http://crackmes.de/users/lord/easy_linux_crackme/](http://crackmes.de/users/lord/easy_linux_crackme/)

Download: [http://crackmes.de/users/lord/easy_linux_crackme/download](http://crackmes.de/users/lord/easy_linux_crackme/download)

Solutions:
[http://crackmes.de/users/lord/easy_linux_crackme/solutions/png](http://crackmes.de/users/lord/easy_linux_crackme/solutions/png)
[http://crackmes.de/users/lord/easy_linux_crackme/solutions/rayden5](http://crackmes.de/users/lord/easy_linux_crackme/solutions/rayden5)
[http://crackmes.de/users/lord/easy_linux_crackme/solutions/krio](http://crackmes.de/users/lord/easy_linux_crackme/solutions/krio)
[http://crackmes.de/users/lord/easy_linux_crackme/solutions/oorja_halt](http://crackmes.de/users/lord/easy_linux_crackme/solutions/oorja_halt)

Extraction

    # tar zxvf blah.tar.gz

Determine file type

    # file blah
    blah: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Change mode

    # chmod +x blah

Launch

    # ./blah

(No output)

Check exit value

    # echo $?
    0

Find printable strings

    # strings blah
    1À¸/
    1À@1ÛÍ
    Okej!
    .shstrtab
    .text
    .got.plt
    .data
    .bss

Trace system calls and signals

    # strace ./blah
    execve("./blah", ["./blah"], [/* 45 vars */]) = 0
    getgid()                                = 0
    write(1, "Okej!\n", 6Okej!
    )                                       = 6
    _exit(0)                                = ?
    Process 3691 detached

(It seems the program writes the "Okej!" string under some condition.)

Hex dump

    # hexdump -C blah

Disassemble (syscall numbers are listed in /usr/include/asm-i386/unistd.h)

    # objdump -M intel -D blah

    blah:     file format elf32-i386

    Disassembly of section .text:

    08048094 <.text>:
     8048094:  31 c0                 xor    eax,eax        ; eax = 0
     8048096:  b8 2f 00 00 00        mov    eax,0x2f       ; syscall 47 (getgid)
     804809b:  cd 80                 int    0x80           ; call kernel
     804809d:  3d ad de 00 00        cmp    eax,0xdead     ; compare gid with 0xDEAD
     80480a2:  75 16                 jne    0x80480ba      ; if not equal, jump to the exit
     80480a4:  b8 04 00 00 00        mov    eax,0x4        ; syscall 4 (write)
     80480a9:  bb 01 00 00 00        mov    ebx,0x1        ; fd 1 (stdout)
     80480ae:  b9 c4 90 04 08        mov    ecx,0x80490c4  ; pointer to "Okej!\n"
     80480b3:  ba 06 00 00 00        mov    edx,0x6        ; length of the string
     80480b8:  cd 80                 int    0x80           ; call kernel
     80480ba:  31 c0                 xor    eax,eax        ; eax = 0
     80480bc:  40                    inc    eax            ; syscall 1 (exit)
     80480bd:  31 db                 xor    ebx,ebx        ; exit status 0
     80480bf:  cd 80                 int    0x80           ; call kernel

    Disassembly of section .data:

    080490c4 <.data>:
     80490c4:  4f                    dec    edi            ; start of "Okej!\n" (data, not code)
     80490c5:  6b 65 6a 21           imul   esp,DWORD PTR [ebp+106],0x21
     80490c9:  0a                    .byte 0xa

So this crackme prints "Okej!\n" only if the GID returned by getgid() equals 0xDEAD.
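Before editing bytes it is worth confirming that the address objdump reports (0x80480a2) maps to the file offset you are about to change, and that the bytes there really are 75 16, instead of searching the file for the first occurrence of 7516. The script below is an added example, not part of the original write-up: because the binary itself is not reproduced here, it builds a constructed stand-in image from the ELF header, program header and .text values shown on this page, then does the address translation and the two-byte patch against that image.

```python
import struct
# Layout from the write-up: PT_LOAD #1 maps file offset 0 -> 0x08048000 (0xc1 bytes) and
# PT_LOAD #2 maps 0xc4 -> 0x080490c4 (6 bytes); TEXT is the .text objdump printed. The image
# built below is constructed from those values, not the real file.
TEXT = bytes.fromhex(
    "31c0 b82f000000 cd80 3dadde0000 7516"               # getgid; cmp eax,0xdead; jne
    "b804000000 bb01000000 b9c4900408 ba06000000 cd80"  # write(1, "Okej!\n", 6)
    "31c0 40 31db cd80"                                  # exit(0)
)
DATA = b"Okej!\n"

def build_constructed_elf() -> bytes:
    """Constructed stand-in for blah: same ELF header and PT_LOADs, no section table."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                       2, 3, 1, 0x08048094, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    phdr = struct.pack("<8I", 1, 0x00, 0x08048000, 0x08048000, 0xc1, 0xc1, 5, 0x1000)
    phdr += struct.pack("<8I", 1, 0xc4, 0x080490c4, 0x080490c4, 0x06, 0x08, 6, 0x1000)
    img = bytearray(ehdr + phdr)
    img += b"\0" * (0x94 - len(img)) + TEXT   # .text lands at file offset 0x94
    img += b"\0" * (0xc4 - len(img)) + DATA   # .data lands at file offset 0xc4
    return bytes(img)

def load_segments(img: bytes):
    """(file offset, vaddr, filesz) for each PT_LOAD entry in the program header table."""
    e_phoff, = struct.unpack_from("<I", img, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", img, 42)
    segs = []
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            "<5I", img, e_phoff + i * e_phentsize)
        if p_type == 1:                      # PT_LOAD
            segs.append((p_off, p_vaddr, p_filesz))
    return segs

def vaddr_to_offset(img: bytes, vaddr: int) -> int:
    """Map an address from the objdump listing to the file offset that backs it."""
    for off, va, size in load_segments(img):
        if va <= vaddr < va + size:
            return off + (vaddr - va)
    raise ValueError(f"{vaddr:#x} is not backed by any PT_LOAD segment")

JNE_ADDR = 0x80480a2  # "75 16  jne 0x80480ba" in the listing above

def patch_jne_to_nops(img: bytes, vaddr: int = JNE_ADDR) -> bytes:
    """Return a copy with the jne at vaddr replaced by nop nop; refuse on a byte mismatch."""
    off = vaddr_to_offset(img, vaddr)
    if img[off:off + 2] != b"\x75\x16":
        raise ValueError(f"unexpected bytes at {vaddr:#x}: {img[off:off + 2].hex()}")
    patched = bytearray(img)
    patched[off:off + 2] = b"\x90\x90"       # same length, so no addresses shift
    return bytes(patched)
```

On the real file you would replace build_constructed_elf() with open("blah", "rb").read() and write the returned bytes to a copy.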
The decision is made at this line:

     80480a2:  75 16                 jne    0x80480ba

_I can change 7516 (jne) to 9090 (nop nop) or 7416 (je) at 80480a2._

_I did that with "bvi": search for \7516 and use R to replace._

Disassemble the result

    # objdump -M interl -D blah

    blah:     file format elf32-i386

    Disassembly of section .text:

    08048094 <.text>:
     8048094:  31 c0                 xor    %eax,%eax
     8048096:  b8 2f 00 00 00        mov    $0x2f,%eax
     804809b:  cd 80                 int    $0x80
     804809d:  3d ad de 00 00        cmp    $0xdead,%eax
     80480a2:  90                    nop                   ; this was 75
     80480a3:  90                    nop                   ; this was 16
     80480a4:  b8 04 00 00 00        mov    $0x4,%eax
     80480a9:  bb 01 00 00 00        mov    $0x1,%ebx
     80480ae:  b9 c4 90 04 08        mov    $0x80490c4,%ecx
     80480b3:  ba 06 00 00 00        mov    $0x6,%edx
     80480b8:  cd 80                 int    $0x80
     80480ba:  31 c0                 xor    %eax,%eax
     80480bc:  40                    inc    %eax
     80480bd:  31 db                 xor    %ebx,%ebx
     80480bf:  cd 80                 int    $0x80

    Disassembly of section .data:

    080490c4 <.data>:
     80490c4:  4f                    dec    %edi
     80490c5:  6b 65 6a 21           imul   $0x21,0x6a(%ebp),%esp
     80490c9:  0a                    .byte 0xa

(Because -M was misspelled, objdump fell back to its default AT&T syntax for this listing.)

Launch

    # ./blah
    Okej!

Done.

********************************************************************************

_BY: Pejman Moghadam_
_TAG: crackme_
_DATE: 2008-08-12 14:58:15_