http://www.crackmes.de/users/cyrex/linux_crackme_02/
$ wget http://www.crackmes.de/users/cyrex/linux_crackme_02/download
--2011-01-04 17:41:08-- http://www.crackmes.de/users/cyrex/linux_crackme_02/download
Resolviendo www.crackmes.de... 88.198.55.82
Conectando a www.crackmes.de|88.198.55.82|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2199 (2,1K) [application/tgz]
Guardando en: «download»
100%[============================================================================================================>] 2.199 --.-K/s en 0,004s
2011-01-04 17:41:15 (558 KB/s) - «download» guardado [2199/2199]
$ file download
download: gzip compressed data, from Unix, last modified: Wed Feb 23 23:36:55 2005
$ mv download crackme_02.tgz
$ tar xvzf crackme_02.tgz
crackme
$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password: asdf
-[ Entered Password: asdf
-[ Checking Stage 1 Now.....
-[ Game Over
$ strings crackme
/lib/ld-linux.so.2
libc.so.6
printf
__deregister_frame_info
ptrace
strcmp
scanf
exit
fopen
_IO_stdin_used
__libc_start_main
__register_frame_info
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh
QVh
[^_]
Are you trying to Debug me?
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password:
-[ Entered Password: %s
-[ Checking Stage 1 Now.....
7gb5fjf8v4bg8fb34f
-[ Stage 1 Cleared
-[ Game Over
-[ Checking Stage 2 Now....
/tmp/crackme_89nfnjfiefheufeue
-[ Bad did you forgot something?
-[ You have successfully reversed/cracked/sniffed This Crackme
-[ Email me your solution to eth0@list.ru
$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password: 7gb5fjf8v4bg8fb34f
-[ Entered Password: 7gb5fjf8v4bg8fb34f
-[ Checking Stage 1 Now.....
-[ Stage 1 Cleared
-[ Checking Stage 2 Now....
-[ Bad did you forgot something?
$ touch /tmp/crackme_89nfnjfiefheufeue
$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password: 7gb5fjf8v4bg8fb34f
-[ Entered Password: 7gb5fjf8v4bg8fb34f
-[ Checking Stage 1 Now.....
-[ Stage 1 Cleared
-[ Checking Stage 2 Now....
-[ You have successfully reversed/cracked/sniffed This Crackme
-[ Email me your solution to eth0@list.ru
$
###########################################################
Veamoslo con el GDB y objdump:
$ objdump -d crackme
crackme: file format elf32-i386
...
... (omitido no importante) ...
Disassembly of section .text:
08048440 <.text>:
8048440: 31 ed xor %ebp,%ebp
8048442: 5e pop %esi
8048443: 89 e1 mov %esp,%ecx
8048445: 83 e4 f0 and $0xfffffff0,%esp
8048448: 50 push %eax
8048449: 54 push %esp
804844a: 52 push %edx
804844b: 68 00 87 04 08 push $0x8048700
8048450: 68 a0 86 04 08 push $0x80486a0
8048455: 51 push %ecx
8048456: 56 push %esi
8048457: 68 20 85 04 08 push $0x8048520
804845c: e8 9f ff ff ff call 8048400 <__libc_start_main@plt>
8048461: f4 hlt
8048462: 90 nop
8048463: 90 nop
8048464: 55 push %ebp
8048465: 89 e5 mov %esp,%ebp
8048467: 53 push %ebx
8048468: e8 00 00 00 00 call 804846d
804846d: 5b pop %ebx
804846e: 81 c3 6b 16 00 00 add $0x166b,%ebx
8048474: 50 push %eax
8048475: 8b 83 30 00 00 00 mov 0x30(%ebx),%eax
804847b: 85 c0 test %eax,%eax
804847d: 74 02 je 8048481
804847f: ff d0 call *%eax
8048481: 8b 5d fc mov -0x4(%ebp),%ebx
8048484: c9 leave
8048485: c3 ret
8048486: 90 nop
8048487: 90 nop
8048488: 90 nop
8048489: 90 nop
804848a: 90 nop
804848b: 90 nop
804848c: 90 nop
804848d: 90 nop
804848e: 90 nop
804848f: 90 nop
8048490: 55 push %ebp
8048491: 89 e5 mov %esp,%ebp
8048493: 83 ec 08 sub $0x8,%esp
8048496: 83 3d f8 99 04 08 00 cmpl $0x0,0x80499f8
804849d: 75 3e jne 80484dd
804849f: eb 12 jmp 80484b3
80484a1: a1 f4 99 04 08 mov 0x80499f4,%eax
80484a6: 8d 50 04 lea 0x4(%eax),%edx
80484a9: 89 15 f4 99 04 08 mov %edx,0x80499f4
80484af: 8b 00 mov (%eax),%eax
80484b1: ff d0 call *%eax
80484b3: a1 f4 99 04 08 mov 0x80499f4,%eax
80484b8: 83 38 00 cmpl $0x0,(%eax)
80484bb: 75 e4 jne 80484a1
80484bd: b8 e0 83 04 08 mov $0x80483e0,%eax
80484c2: 85 c0 test %eax,%eax
80484c4: 74 0d je 80484d3
80484c6: 83 c4 f4 add $0xfffffff4,%esp
80484c9: 68 fc 99 04 08 push $0x80499fc
80484ce: e8 0d ff ff ff call 80483e0 <__deregister_frame_info@plt>
80484d3: c7 05 f8 99 04 08 01 movl $0x1,0x80499f8
80484da: 00 00 00
80484dd: c9 leave
80484de: c3 ret
80484df: 90 nop
80484e0: 55 push %ebp
80484e1: 89 e5 mov %esp,%ebp
80484e3: 83 ec 08 sub $0x8,%esp
80484e6: c9 leave
80484e7: c3 ret
80484e8: 55 push %ebp
80484e9: 89 e5 mov %esp,%ebp
80484eb: 83 ec 08 sub $0x8,%esp
80484ee: b8 b0 83 04 08 mov $0x80483b0,%eax
80484f3: 85 c0 test %eax,%eax
80484f5: 74 12 je 8048509
80484f7: 83 c4 f8 add $0xfffffff8,%esp
80484fa: 68 0c 9b 04 08 push $0x8049b0c
80484ff: 68 fc 99 04 08 push $0x80499fc
8048504: e8 a7 fe ff ff call 80483b0 <__register_frame_info@plt>
8048509: c9 leave
804850a: c3 ret
804850b: 90 nop
804850c: 55 push %ebp
804850d: 89 e5 mov %esp,%ebp
804850f: 83 ec 08 sub $0x8,%esp
8048512: c9 leave
8048513: c3 ret
8048514: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
804851a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
8048520: 55 push %ebp
8048521: 89 e5 mov %esp,%ebp
8048523: 81 ec 18 04 00 00 sub $0x418,%esp
8048529: 6a 00 push $0x0
804852b: 6a 01 push $0x1
804852d: 6a 00 push $0x0
804852f: 6a 00 push $0x0
8048531: e8 ba fe ff ff call 80483f0
8048536: 83 c4 10 add $0x10,%esp
8048539: 89 c0 mov %eax,%eax
804853b: 85 c0 test %eax,%eax
804853d: 7d 21 jge 8048560
804853f: 83 c4 f4 add $0xfffffff4,%esp
8048542: 68 e0 87 04 08 push $0x80487e0
8048547: e8 c4 fe ff ff call 8048410
804854c: 83 c4 10 add $0x10,%esp
804854f: b8 01 00 00 00 mov $0x1,%eax
8048554: e9 37 01 00 00 jmp 8048690
8048559: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
8048560: 83 c4 f4 add $0xfffffff4,%esp
8048563: 68 00 88 04 08 push $0x8048800
8048568: e8 a3 fe ff ff call 8048410
804856d: 83 c4 10 add $0x10,%esp
8048570: 83 c4 f4 add $0xfffffff4,%esp
8048573: 68 40 88 04 08 push $0x8048840
8048578: e8 93 fe ff ff call 8048410
804857d: 83 c4 10 add $0x10,%esp
8048580: 83 c4 f4 add $0xfffffff4,%esp
8048583: 68 68 88 04 08 push $0x8048868
8048588: e8 83 fe ff ff call 8048410
804858d: 83 c4 10 add $0x10,%esp
8048590: 83 c4 f8 add $0xfffffff8,%esp
8048593: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
8048599: 50 push %eax
804859a: 68 7c 88 04 08 push $0x804887c
804859f: e8 2c fe ff ff call 80483d0
80485a4: 83 c4 10 add $0x10,%esp
80485a7: 83 c4 f8 add $0xfffffff8,%esp
80485aa: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
80485b0: 50 push %eax
80485b1: 68 7f 88 04 08 push $0x804887f
80485b6: e8 55 fe ff ff call 8048410
80485bb: 83 c4 10 add $0x10,%esp
80485be: 83 c4 f4 add $0xfffffff4,%esp
80485c1: 68 98 88 04 08 push $0x8048898
80485c6: e8 45 fe ff ff call 8048410
80485cb: 83 c4 10 add $0x10,%esp
80485ce: 83 c4 f8 add $0xfffffff8,%esp
80485d1: 68 b6 88 04 08 push $0x80488b6
80485d6: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
80485dc: 50 push %eax
80485dd: e8 de fd ff ff call 80483c0
80485e2: 83 c4 10 add $0x10,%esp
80485e5: 89 c0 mov %eax,%eax
80485e7: 85 c0 test %eax,%eax
80485e9: 75 15 jne 8048600
80485eb: 83 c4 f4 add $0xfffffff4,%esp
80485ee: 68 c9 88 04 08 push $0x80488c9
80485f3: e8 18 fe ff ff call 8048410
80485f8: 83 c4 10 add $0x10,%esp
80485fb: eb 17 jmp 8048614
80485fd: 8d 76 00 lea 0x0(%esi),%esi
8048600: 83 c4 f4 add $0xfffffff4,%esp
8048603: 68 dd 88 04 08 push $0x80488dd
8048608: e8 03 fe ff ff call 8048410
804860d: 83 c4 10 add $0x10,%esp
8048610: 31 c0 xor %eax,%eax
8048612: eb 7c jmp 8048690
8048614: 83 c4 f4 add $0xfffffff4,%esp
8048617: 68 eb 88 04 08 push $0x80488eb
804861c: e8 ef fd ff ff call 8048410
8048621: 83 c4 10 add $0x10,%esp
8048624: 83 c4 f8 add $0xfffffff8,%esp
8048627: 68 08 89 04 08 push $0x8048908
804862c: 68 20 89 04 08 push $0x8048920
8048631: e8 fa fd ff ff call 8048430
8048636: 83 c4 10 add $0x10,%esp
8048639: 89 c0 mov %eax,%eax
804863b: 89 85 fc fb ff ff mov %eax,-0x404(%ebp)
8048641: 83 bd fc fb ff ff 00 cmpl $0x0,-0x404(%ebp)
8048648: 75 1d jne 8048667
804864a: 83 c4 f4 add $0xfffffff4,%esp
804864d: 68 40 89 04 08 push $0x8048940
8048652: e8 b9 fd ff ff call 8048410
8048657: 83 c4 10 add $0x10,%esp
804865a: 83 c4 f4 add $0xfffffff4,%esp
804865d: 6a 00 push $0x0
804865f: e8 bc fd ff ff call 8048420
8048664: 83 c4 10 add $0x10,%esp
8048667: 83 c4 f4 add $0xfffffff4,%esp
804866a: 68 80 89 04 08 push $0x8048980
804866f: e8 9c fd ff ff call 8048410
8048674: 83 c4 10 add $0x10,%esp
8048677: 83 c4 f4 add $0xfffffff4,%esp
804867a: 68 c0 89 04 08 push $0x80489c0
804867f: e8 8c fd ff ff call 8048410
8048684: 83 c4 10 add $0x10,%esp
8048687: 31 c0 xor %eax,%eax
8048689: eb 05 jmp 8048690
804868b: 90 nop
804868c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
8048690: c9 leave
8048691: c3 ret
8048692: 90 nop
8048693: 90 nop
8048694: 90 nop
8048695: 90 nop
8048696: 90 nop
8048697: 90 nop
8048698: 90 nop
8048699: 90 nop
804869a: 90 nop
804869b: 90 nop
804869c: 90 nop
804869d: 90 nop
804869e: 90 nop
804869f: 90 nop
80486a0: 55 push %ebp
80486a1: 89 e5 mov %esp,%ebp
80486a3: 57 push %edi
80486a4: 56 push %esi
80486a5: 31 f6 xor %esi,%esi
80486a7: 53 push %ebx
80486a8: 83 ec 0c sub $0xc,%esp
80486ab: e8 a0 00 00 00 call 8048750
80486b0: 81 c3 28 14 00 00 add $0x1428,%ebx
80486b6: e8 cd fc ff ff call 8048388 <__register_frame_info@plt-0x28>
80486bb: 8d 93 14 ff ff ff lea -0xec(%ebx),%edx
80486c1: 8d 83 14 ff ff ff lea -0xec(%ebx),%eax
80486c7: 29 c2 sub %eax,%edx
80486c9: c1 fa 02 sar $0x2,%edx
80486cc: 39 d6 cmp %edx,%esi
80486ce: 73 1c jae 80486ec
80486d0: 89 d7 mov %edx,%edi
80486d2: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
80486d9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
80486e0: ff 94 b3 14 ff ff ff call *-0xec(%ebx,%esi,4)
80486e7: 46 inc %esi
80486e8: 39 fe cmp %edi,%esi
80486ea: 72 f4 jb 80486e0
80486ec: 83 c4 0c add $0xc,%esp
80486ef: 5b pop %ebx
80486f0: 5e pop %esi
80486f1: 5f pop %edi
80486f2: 5d pop %ebp
80486f3: c3 ret
80486f4: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
80486fa: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
8048700: 55 push %ebp
8048701: 89 e5 mov %esp,%ebp
8048703: 83 ec 08 sub $0x8,%esp
8048706: 89 1c 24 mov %ebx,(%esp)
8048709: e8 42 00 00 00 call 8048750
804870e: 81 c3 ca 13 00 00 add $0x13ca,%ebx
8048714: 89 74 24 04 mov %esi,0x4(%esp)
8048718: 8d 83 14 ff ff ff lea -0xec(%ebx),%eax
804871e: 8d 93 14 ff ff ff lea -0xec(%ebx),%edx
8048724: 29 d0 sub %edx,%eax
8048726: c1 f8 02 sar $0x2,%eax
8048729: 85 c0 test %eax,%eax
804872b: 8d 70 ff lea -0x1(%eax),%esi
804872e: 75 10 jne 8048740
8048730: e8 5b 00 00 00 call 8048790
8048735: 8b 1c 24 mov (%esp),%ebx
8048738: 8b 74 24 04 mov 0x4(%esp),%esi
804873c: 89 ec mov %ebp,%esp
804873e: 5d pop %ebp
804873f: c3 ret
8048740: ff 94 b3 14 ff ff ff call *-0xec(%ebx,%esi,4)
8048747: 89 f0 mov %esi,%eax
8048749: 4e dec %esi
804874a: 85 c0 test %eax,%eax
804874c: 75 f2 jne 8048740
804874e: eb e0 jmp 8048730
8048750: 8b 1c 24 mov (%esp),%ebx
8048753: c3 ret
8048754: 90 nop
8048755: 90 nop
8048756: 90 nop
8048757: 90 nop
8048758: 90 nop
8048759: 90 nop
804875a: 90 nop
804875b: 90 nop
804875c: 90 nop
804875d: 90 nop
804875e: 90 nop
804875f: 90 nop
8048760: 55 push %ebp
8048761: 89 e5 mov %esp,%ebp
8048763: 83 ec 14 sub $0x14,%esp
8048766: 53 push %ebx
8048767: bb c8 9a 04 08 mov $0x8049ac8,%ebx
804876c: 83 3d c8 9a 04 08 ff cmpl $0xffffffff,0x8049ac8
8048773: 74 0c je 8048781
8048775: 8b 03 mov (%ebx),%eax
8048777: ff d0 call *%eax
8048779: 83 c3 fc add $0xfffffffc,%ebx
804877c: 83 3b ff cmpl $0xffffffff,(%ebx)
804877f: 75 f4 jne 8048775
8048781: 5b pop %ebx
8048782: c9 leave
8048783: c3 ret
8048784: 55 push %ebp
8048785: 89 e5 mov %esp,%ebp
8048787: 83 ec 08 sub $0x8,%esp
804878a: c9 leave
804878b: c3 ret
804878c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
Algunas strings con gdb:
$ gdb ./crackme
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
(gdb) r
Starting program: /home/uknow/Escritorio/kk/pruebas/crackme
Are you trying to Debug me?
Program exited with code 01.
(gdb) x/s 0x80487e0
0x80487e0: "Are you trying to Debug me?\n"
El programa usa ptrace para ver si el programa esta siendo traceado o debugeado, cambiamos un simple jump y ya nos saltamos esa proteccion.
$ cmp -b crackme crackme_parcheado
crackme crackme_parcheado son distintos: el byte 1342, en la línea 3 es 175 } 176 ~
$ objdump -d crackme | grep 804853d
804853d: 7d 21 jge 8048560
$ objdump -d crackme_parcheado | grep 804853d
804853d: 7e 21 jle 8048560
$ gdb ./crackme_parcheado
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
(gdb) r
Starting program: /home/uknow/Escritorio/kk/pruebas/crackme_parcheado
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password: aaa
-[ Entered Password: aaa
-[ Checking Stage 1 Now.....
-[ Game Over
Program exited normally.
(gdb)
##########################################################
Usando ltrace:
$ ltrace ./crackme
__libc_start_main(0x8048520, 1, 0xbf8d5c64, 0x80486a0, 0x8048700
__register_frame_info(0x80499fc, 0x8049b0c, 0xb773ece0, 0xb773dff4, 0xbf8d5c64) = 0x80499fc
ptrace(0, 0, 1, 0, 4) = -1
printf("Are you trying to Debug me?\n"Are you trying to Debug me?
) = 28
__deregister_frame_info(0x80499fc, 3, 0xbf8d5b00, 4, 0x80482a4) = 0
+++ exited (status 1) +++
$ ltrace ./crackme_parcheado
__libc_start_main(0x8048520, 1, 0xbfc384f4, 0x80486a0, 0x8048700
__register_frame_info(0x80499fc, 0x8049b0c, 0xb787fce0, 0xb787eff4, 0xbfc384f4) = 0x80499fc
ptrace(0, 0, 1, 0, 4) = -1
printf("-[ Linux CrackMe (Level:3) by cy"...-[ Linux CrackMe (Level:3) by cyrex ]-
) = 39
printf("-[ TODO: Get the valid password "...-[ TODO: Get the valid password ]-
) = 39
printf("-[ Enter Password: ") = 19
scanf(0x804887c, 0xbfc38048, 1, 0, 4-[ Enter Password: aaa
) = 1
printf("-[ Entered Password: %s\n", "aaa"-[ Entered Password: aaa
) = 25
printf("-[ Checking Stage 1 Now.....\n"-[ Checking Stage 1 Now.....
) = 29
strcmp("aaa", "7gb5fjf8v4bg8fb34f") = 1
printf("-[ Game Over\n"-[ Game Over
) = 13
__deregister_frame_info(0x80499fc, 3, 0xbfc38390, 4, 0x80482a4) = 0
+++ exited (status 0) +++
y metiendo el serial de la primera parte vemos que intenta abrir el archivo "/tmp/crackme_89nfnjfiefheufeue" en la segunda parte:
$ ltrace ./crackme_parcheado
__libc_start_main(0x8048520, 1, 0xbfdb0c04, 0x80486a0, 0x8048700
__register_frame_info(0x80499fc, 0x8049b0c, 0xb7764ce0, 0xb7763ff4, 0xbfdb0c04) = 0x80499fc
ptrace(0, 0, 1, 0, 4) = -1
printf("-[ Linux CrackMe (Level:3) by cy"...-[ Linux CrackMe (Level:3) by cyrex ]-
) = 39
printf("-[ TODO: Get the valid password "...-[ TODO: Get the valid password ]-
) = 39
printf("-[ Enter Password: ") = 19
scanf(0x804887c, 0xbfdb0758, 1, 0, 4-[ Enter Password: 7gb5fjf8v4bg8fb34f
) = 1
printf("-[ Entered Password: %s\n", "7gb5fjf8v4bg8fb34f"-[ Entered Password: 7gb5fjf8v4bg8fb34f
) = 40
printf("-[ Checking Stage 1 Now.....\n"-[ Checking Stage 1 Now.....
) = 29
strcmp("7gb5fjf8v4bg8fb34f", "7gb5fjf8v4bg8fb34f") = 0
printf("-[ Stage 1 Cleared\n"-[ Stage 1 Cleared
) = 19
printf("-[ Checking Stage 2 Now....\n"-[ Checking Stage 2 Now....
) = 28
fopen("/tmp/crackme_89nfnjfiefheufeue", "r") = 0
printf("-[ Bad did you forgot something?"...-[ Bad did you forgot something?
) = 33
exit(0
__deregister_frame_info(0x80499fc, 3, 0xbfdb0670, 4, 0xb7783b28) = 0
+++ exited (status 0) +++
No hay comentarios:
Publicar un comentario