martes, 4 de enero de 2011

Solucion - Linux - lord's Easy crackme 2

http://www.crackmes.de/users/lord/easy_crackme_2/

$ wget http://www.crackmes.de/users/lord/easy_crackme_2/download
--2011-01-04 15:19:11--  http://www.crackmes.de/users/lord/easy_crackme_2/download
Resolviendo www.crackmes.de... 88.198.55.82
Conectando a www.crackmes.de|88.198.55.82|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 362 [application/gz]
Guardando en: «download»

100%[============================================================================================================>] 362         --.-K/s   en 0s    

2011-01-04 15:19:17 (36,3 MB/s) - «download» guardado [362/362]


$ file download
download: gzip compressed data, was "cm1eng", from Unix, last modified: Fri Mar 31 10:34:34 2006

$ mv download cm1eng.gz
$ gzip -d cm1eng.gz
$ chmod +x cm1eng
$ ./cm1eng

Password : asdf
$



$ strings cm1eng
Password :
Great you did it !:)
    
QTBXCTU


$ objdump -d cm1eng

cm1eng:     file format elf32-i386


Disassembly of section .text:

08048080 <.text>:
8048080: b8 04 00 00 00        mov    $0x4,%eax
8048085: bb 01 00 00 00        mov    $0x1,%ebx
804808a: b9 f8 90 04 08        mov    $0x80490f8,%ecx
804808f: ba 0d 00 00 00        mov    $0xd,%edx
8048094: cd 80                 int    $0x80
8048096: ba 00 01 00 00        mov    $0x100,%edx
804809b: b9 1b 91 04 08        mov    $0x804911b,%ecx
80480a0: bb 00 00 00 00        mov    $0x0,%ebx
80480a5: b8 03 00 00 00        mov    $0x3,%eax
80480aa: cd 80                 int    $0x80
80480ac: be 26 91 04 08        mov    $0x8049126,%esi
80480b1: 89 f7                 mov    %esi,%edi
80480b3: 31 db                 xor    %ebx,%ebx
80480b5: fc                    cld 
80480b6: ac                    lods   %ds:(%esi),%al
80480b7: 34 21                 xor    $0x21,%al
80480b9: aa                    stos   %al,%es:(%edi)
80480ba: 43                    inc    %ebx
80480bb: 81 fb 07 00 00 00     cmp    $0x7,%ebx
80480c1: 74 02                 je     0x80480c5
80480c3: e2 f1                 loop   0x80480b6
80480c5: be 1b 91 04 08        mov    $0x804911b,%esi
80480ca: bf 26 91 04 08        mov    $0x8049126,%edi
80480cf: b9 07 00 00 00        mov    $0x7,%ecx
80480d4: fc                    cld 
80480d5: f3 a6                 repz cmpsb %es:(%edi),%ds:(%esi)
80480d7: 75 16                 jne    0x80480ef
80480d9: b8 04 00 00 00        mov    $0x4,%eax
80480de: bb 01 00 00 00        mov    $0x1,%ebx
80480e3: b9 05 91 04 08        mov    $0x8049105,%ecx
80480e8: ba 16 00 00 00        mov    $0x16,%edx
80480ed: cd 80                 int    $0x80
80480ef: b8 01 00 00 00        mov    $0x1,%eax
80480f4: cd 80                 int    $0x80
$

Vemos que tiene que tener longitud 7 la entrada de datos y hace un XOR con 21 en hex (simbolo ! en ascii)

Viendo las strings, vemos que hace XOR a esa misma string y obtenemos el password.


$ perl -e 'print "QTBXCTU"^"!!!!!!!\n"'
pucybut


$ ./cm1eng

Password : pucybut
Great you did it !:)



en 15:05
Etiquetas:

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)