Public domain
URL: http://crackmes.de/users/lord/easylinuxcrackme/
Download: http://crackmes.de/users/lord/easylinuxcrackme/download
Solutions:
http://crackmes.de/users/lord/easylinuxcrackme/solutions/png
http://crackmes.de/users/lord/easylinuxcrackme/solutions/rayden5
http://crackmes.de/users/lord/easylinuxcrackme/solutions/krio
http://crackmes.de/users/lord/easylinuxcrackme/solutions/oorja_halt
Extraction
# tar zxvf blah.tar.gz
Determine file type
# file blah
blah: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Change mode
# chmod +x blah
Launch:
# ./blah
(no output)
Check exit value
# echo $?
0
Find printable strings
# strings blah
1À¸/
1À@1ÛÍ
Okej!
.shstrtab
.text
.got.plt
.data
.bss
Trace system calls and signals
# strace ./blah
execve("./blah", ["./blah"], [/* 45 vars */]) = 0
getgid() = 0
write(1, "Okej!\n", 6Okej!
) = 6
_exit(0) = ?
Process 3691 detached
(So it writes the "Okej!" string under some condition; the getgid() call made right before the write is the obvious candidate for that condition.)
Hex Dump (note: this dump shows 90 90 at file offset 0xa2, so it was taken from the copy already patched as described further down; the original bytes there are 75 16, as the first objdump listing shows. The strace above, which reaches write(2) with getgid() = 0, matches that patched copy too.)
# hexdump -C blah
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 94 80 04 08 34 00 00 00 |............4...|
00000020 f4 00 00 00 00 00 00 00 34 00 20 00 03 00 28 00 |ô.......4. ...(.|
00000030 06 00 05 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000040 00 80 04 08 c1 00 00 00 c1 00 00 00 05 00 00 00 |....Á...Á.......|
00000050 00 10 00 00 01 00 00 00 c4 00 00 00 c4 90 04 08 |........Ä...Ä...|
00000060 c4 90 04 08 06 00 00 00 08 00 00 00 06 00 00 00 |Ä...............|
00000070 00 10 00 00 80 15 04 65 00 00 00 00 00 00 00 00 |.......e........|
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 28 00 00 |.............(..|
00000090 04 00 00 00 31 c0 b8 2f 00 00 00 cd 80 3d ad de |....1À¸/...Í.=Þ|
000000a0 00 00 90 90 b8 04 00 00 00 bb 01 00 00 00 b9 c4 |....¸....»....¹Ä|
000000b0 90 04 08 ba 06 00 00 00 cd 80 31 c0 40 31 db cd |...º....Í.1À@1ÛÍ|
000000c0 80 00 00 00 4f 6b 65 6a 21 0a 00 00 00 2e 73 68 |....Okej!.....sh|
000000d0 73 74 72 74 61 62 00 2e 74 65 78 74 00 2e 67 6f |strtab..text..go|
000000e0 74 2e 70 6c 74 00 2e 64 61 74 61 00 2e 62 73 73 |t.plt..data..bss|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000110 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 |................|
00000120 01 00 00 00 06 00 00 00 94 80 04 08 94 00 00 00 |................|
00000130 2d 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 |-...............|
00000140 00 00 00 00 11 00 00 00 01 00 00 00 01 00 00 00 |................|
00000150 c4 90 04 08 cc 00 00 00 00 00 00 00 00 00 00 00 |Ä...Ì...........|
00000160 00 00 00 00 01 00 00 00 00 00 00 00 1a 00 00 00 |................|
00000170 01 00 00 00 03 00 00 00 c4 90 04 08 c4 00 00 00 |........Ä...Ä...|
00000180 06 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 |................|
00000190 00 00 00 00 20 00 00 00 08 00 00 00 03 00 00 00 |.... ...........|
000001a0 cc 90 04 08 cc 00 00 00 00 00 00 00 00 00 00 00 |Ì...Ì...........|
000001b0 00 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 |................|
000001c0 03 00 00 00 00 00 00 00 00 00 00 00 cc 00 00 00 |............Ì...|
000001d0 25 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |%...............|
000001e0 00 00 00 00 |....|
000001e4
Disassemble (syscall numbers are listed in /usr/include/asm-i386/unistd.h):
# objdump -M intel -D blah
blah: file format elf32-i386
Disassembly of section .text:
08048094 <.text >:
8048094: 31 c0 xor eax,eax ; put 0 in eax (redundant: the next mov overwrites it)
8048096: b8 2f 00 00 00 mov eax,0x2f ; syscall 47 (getgid)
804809b: cd 80 int 0x80 ; call kernel, real GID returned in eax
804809d: 3d ad de 00 00 cmp eax,0xdead ; compare GID with 0xDEAD (57005)
80480a2: 75 16 jne 0x80480ba ; if not equal, jump over the write (0x80480a4 + 0x16 = 0x80480ba)
80480a4: b8 04 00 00 00 mov eax,0x4 ; syscall 4 (write)
80480a9: bb 01 00 00 00 mov ebx,0x1 ; fd 1 (stdout)
80480ae: b9 c4 90 04 08 mov ecx,0x80490c4 ; pointer to "Okej!\n" in .data
80480b3: ba 06 00 00 00 mov edx,0x6 ; length of the string
80480b8: cd 80 int 0x80 ; call kernel
80480ba: 31 c0 xor eax,eax ; put 0 in eax
80480bc: 40 inc eax ; syscall 1 (exit)
80480bd: 31 db xor ebx,ebx ; exit status 0
80480bf: cd 80 int 0x80 ; call kernel
Disassembly of section .data:
080490c4 <.data >:
80490c4: 4f dec edi ; start of "Okej!\n" (data; objdump mis-decodes the bytes as instructions)
80490c5: 6b 65 6a 21 imul esp,DWORD PTR [ebp+106],0x21
80490c9: 0a .byte 0xa
So this crackme prints "Okej!\n" only if the real GID returned by getgid() equals 0xDEAD (57005); with any other GID it exits 0 silently. (An alternative to patching would be to run the unmodified binary with that GID.)
The decision is made at this line:
80480a2: 75 16 jne 0x80480ba
Virtual address 0x80480a2 lies in the first PT_LOAD segment (p_offset 0, p_vaddr 0x8048000 in the program header at 0x34), so it sits at file offset 0x80480a2 - 0x8048000 = 0xa2. I can change 75 16 (jne) there to 90 90 (nop nop), which makes the write unconditional, or to 74 16 (je), which inverts the test so it prints for every GID except 0xDEAD.
I did that with "bvi": search like this: \7516, and use R to replace.
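The same patch done programmatically, as an added example that is not part of the original write-up. The script maps the virtual address to a file offset through the ELF program headers instead of assuming offset = address - 0x8048000, checks that the bytes there really are 75 16 before touching them, resolves the jump target the way objdump did, and can either NOP the jump or invert it. The ELF it builds in build_crackme() is a constructed stand-in (ELF header, one PT_LOAD and the .text bytes from the objdump listing above; no .data or section headers), so it runs offline; pass a path to patch a real file.

```python
import struct
import sys

# Values taken from the write-up's objdump/hexdump output.
LOAD_VADDR = 0x08048000   # p_vaddr of the first PT_LOAD (file offset 0)
TEXT_VADDR = 0x08048094   # e_entry, start of .text
JNE_VADDR = 0x080480A2    # "75 16  jne 0x80480ba": the decision
PT_LOAD = 1

# .text exactly as objdump printed it (45 bytes = the 0x2d section size).
TEXT = bytes.fromhex(
    "31c0"            # xor  eax,eax
    "b82f000000"      # mov  eax,0x2f        ; getgid
    "cd80"            # int  0x80
    "3dadde0000"      # cmp  eax,0xdead
    "7516"            # jne  0x80480ba       ; skip the write
    "b804000000"      # mov  eax,0x4         ; write
    "bb01000000"      # mov  ebx,0x1         ; stdout
    "b9c4900408"      # mov  ecx,0x80490c4   ; "Okej!\n"
    "ba06000000"      # mov  edx,0x6
    "cd80"            # int  0x80
    "31c0"            # xor  eax,eax
    "40"              # inc  eax             ; exit
    "31db"            # xor  ebx,ebx
    "cd80"            # int  0x80
)

ELF32_EHDR = "<16sHHIIIIIHHHHHH"   # 52 bytes
ELF32_PHDR = "<8I"                 # 32 bytes


def build_crackme() -> bytes:
    """Constructed stand-in for blah: ELF header, one PT_LOAD, .text at 0x94.
    The real file also has .data and section headers; neither is needed
    to locate and patch the jump."""
    text_off = TEXT_VADDR - LOAD_VADDR          # 0x94
    filesz = text_off + len(TEXT)               # 0xc1, as in the real phdr
    ehdr = struct.pack(ELF32_EHDR,
                       b"\x7fELF\x01\x01\x01" + b"\x00" * 9,  # ELFCLASS32, LSB
                       2, 3, 1,                 # ET_EXEC, EM_386, EV_CURRENT
                       TEXT_VADDR,              # e_entry
                       52, 0, 0,                # e_phoff, e_shoff, e_flags
                       52, 32, 1,               # e_ehsize, e_phentsize, e_phnum
                       40, 0, 0)                # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(ELF32_PHDR, PT_LOAD, 0, LOAD_VADDR, LOAD_VADDR,
                       filesz, filesz, 5, 0x1000)  # PF_R | PF_X
    body = ehdr + phdr
    return body + b"\x00" * (text_off - len(body)) + TEXT


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    (ident, _, _, _, _, phoff, _, _, _, phentsize, phnum,
     *_rest) = struct.unpack_from(ELF32_EHDR, elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1:
        raise ValueError("not an ELF32 file")
    for i in range(phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, *_ = struct.unpack_from(
            ELF32_PHDR, elf, phoff + i * phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"vaddr {vaddr:#x} is not backed by the file")


def jump_target(elf: bytes, vaddr: int) -> int:
    """Resolve a short conditional jump (Jcc rel8, opcodes 0x70..0x7f) at vaddr."""
    off = vaddr_to_offset(elf, vaddr)
    opcode, disp = elf[off], elf[off + 1]
    if opcode & 0xF0 != 0x70:
        raise ValueError(f"{opcode:#04x} at {vaddr:#x} is not a Jcc rel8")
    disp = disp - 0x100 if disp >= 0x80 else disp   # sign-extend rel8
    return vaddr + 2 + disp


def patch_jump(elf: bytes, vaddr: int, mode: str = "nop") -> bytes:
    """Return a copy with the jne at vaddr neutralised.
    mode="nop":    75 16 -> 90 90, the write always runs.
    mode="invert": 75 16 -> 74 16 (je), the write runs only when gid != 0xdead."""
    off = vaddr_to_offset(elf, vaddr)
    if elf[off] != 0x75:
        raise ValueError(f"expected jne (0x75) at {vaddr:#x}, found {elf[off]:#04x}")
    out = bytearray(elf)
    if mode == "nop":
        out[off:off + 2] = b"\x90\x90"
    elif mode == "invert":
        out[off] = 0x74
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:                        # patch a real file, keep a .orig copy
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[1] + ".orig", "wb") as f:
            f.write(data)
        patched = patch_jump(data, JNE_VADDR)
        with open(sys.argv[1], "wb") as f:       # truncating rewrite keeps the mode bits
            f.write(patched)
    else:                                        # demo on the constructed binary
        data = build_crackme()
        patched = patch_jump(data, JNE_VADDR)
    off = vaddr_to_offset(data, JNE_VADDR)
    print(f"jne at {JNE_VADDR:#x} -> file offset {off:#x}, "
          f"target {jump_target(data, JNE_VADDR):#x}")
    print("before:", data[off:off + 2].hex(), "after:", patched[off:off + 2].hex())
```

Checking the opcode before writing is the point: the script refuses to run twice on the same file (the second time it finds 0x90, not 0x75) and refuses to patch a binary whose jump has moved, which a fixed-offset dd or bvi edit would silently clobber.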
Disassemble the result
# objdump -M interl -D blah (typo for -M intel: objdump warns "Unrecognized disassembler option: interl" and falls back to AT&T syntax, hence the different notation below)
blah: file format elf32-i386
Disassembly of section .text:
08048094 <.text >:
8048094: 31 c0 xor %eax,%eax
8048096: b8 2f 00 00 00 mov $0x2f,%eax
804809b: cd 80 int $0x80
804809d: 3d ad de 00 00 cmp $0xdead,%eax
80480a2: 90 nop ; this was 75
80480a3: 90 nop ; this was 16
80480a4: b8 04 00 00 00 mov $0x4,%eax
80480a9: bb 01 00 00 00 mov $0x1,%ebx
80480ae: b9 c4 90 04 08 mov $0x80490c4,%ecx
80480b3: ba 06 00 00 00 mov $0x6,%edx
80480b8: cd 80 int $0x80
80480ba: 31 c0 xor %eax,%eax
80480bc: 40 inc %eax
80480bd: 31 db xor %ebx,%ebx
80480bf: cd 80 int $0x80
Disassembly of section .data:
080490c4 <.data >:
80490c4: 4f dec %edi
80490c5: 6b 65 6a 21 imul $0x21,0x6a(%ebp),%esp
80490c9: 0a .byte 0xa
Launch
# ./blah
Okej!
Done.
BY: Pejman Moghadam
TAG: crackme
DATE: 2008-08-12 14:58:15