Tuesday, January 4, 2011

Solution - Linux - lord's Easy crackme 2

http://www.crackmes.de/users/lord/easy_crackme_2/

$ wget http://www.crackmes.de/users/lord/easy_crackme_2/download
--2011-01-04 15:19:11-- http://www.crackmes.de/users/lord/easy_crackme_2/download
Resolviendo www.crackmes.de... 88.198.55.82
Conectando a www.crackmes.de|88.198.55.82|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 362 [application/gz]
Guardando en: «download»

100%[============================================================================================================>] 362 --.-K/s en 0s

2011-01-04 15:19:17 (36,3 MB/s) - «download» guardado [362/362]


$ file download
download: gzip compressed data, was "cm1eng", from Unix, last modified: Fri Mar 31 10:34:34 2006

$ mv download cm1eng.gz
$ gzip -d cm1eng.gz
$ chmod +x cm1eng
$ ./cm1eng

Password : asdf
$



$ strings cm1eng
Password :
Great you did it !:)

QTBXCTU


$ objdump -d cm1eng

cm1eng: file format elf32-i386


Disassembly of section .text:

08048080 <.text>:
8048080: b8 04 00 00 00 mov $0x4,%eax
8048085: bb 01 00 00 00 mov $0x1,%ebx
804808a: b9 f8 90 04 08 mov $0x80490f8,%ecx
804808f: ba 0d 00 00 00 mov $0xd,%edx
8048094: cd 80 int $0x80
8048096: ba 00 01 00 00 mov $0x100,%edx
804809b: b9 1b 91 04 08 mov $0x804911b,%ecx
80480a0: bb 00 00 00 00 mov $0x0,%ebx
80480a5: b8 03 00 00 00 mov $0x3,%eax
80480aa: cd 80 int $0x80
80480ac: be 26 91 04 08 mov $0x8049126,%esi
80480b1: 89 f7 mov %esi,%edi
80480b3: 31 db xor %ebx,%ebx
80480b5: fc cld
80480b6: ac lods %ds:(%esi),%al
80480b7: 34 21 xor $0x21,%al
80480b9: aa stos %al,%es:(%edi)
80480ba: 43 inc %ebx
80480bb: 81 fb 07 00 00 00 cmp $0x7,%ebx
80480c1: 74 02 je 0x80480c5
80480c3: e2 f1 loop 0x80480b6
80480c5: be 1b 91 04 08 mov $0x804911b,%esi
80480ca: bf 26 91 04 08 mov $0x8049126,%edi
80480cf: b9 07 00 00 00 mov $0x7,%ecx
80480d4: fc cld
80480d5: f3 a6 repz cmpsb %es:(%edi),%ds:(%esi)
80480d7: 75 16 jne 0x80480ef
80480d9: b8 04 00 00 00 mov $0x4,%eax
80480de: bb 01 00 00 00 mov $0x1,%ebx
80480e3: b9 05 91 04 08 mov $0x8049105,%ecx
80480e8: ba 16 00 00 00 mov $0x16,%edx
80480ed: cd 80 int $0x80
80480ef: b8 01 00 00 00 mov $0x1,%eax
80480f4: cd 80 int $0x80
$

We can see that the input has to be 7 characters long (the cmp $0x7,%ebx in the loop and the mov $0x7,%ecx before the repz cmpsb) and that each byte is XORed with 0x21 (the ASCII symbol !).

Looking at the strings output, we see that the XOR is applied to that same string (QTBXCTU), so applying the XOR to it ourselves gives us the password.


$ perl -e 'print "QTBXCTU"^"!!!!!!!\n"'
pucybut


$ ./cm1eng

Password : pucybut
Great you did it !:)
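As an added example (not part of the original post), the following Python script models the routine shown in the objdump listing: the read() into the buffer at 0x804911b, the in-place XOR of the 7 stored bytes at 0x8049126 with 0x21, and the 7-byte repz cmpsb. The addresses, lengths and the string QTBXCTU are all taken from the listing above; the memory image itself is a constructed model, not the real process memory. Because the compare covers exactly 7 bytes, the trailing newline the terminal appends to the input is never looked at, which is why typing pucybut and pressing Enter succeeds.

```python
# Added example: a Python model of the check routine from the disassembly.
# Constants come from the objdump listing; the memory image is constructed.

BUF_ADDR = 0x804911B    # destination of read(0, buf, 0x100)
KEY_ADDR = 0x8049126    # location of the stored, obfuscated string
READ_LEN = 0x100        # mov $0x100,%edx before the read syscall
KEY_LEN = 7             # cmp $0x7,%ebx and mov $0x7,%ecx
XOR_KEY = 0x21          # xor $0x21,%al

OBFUSCATED = b"QTBXCTU"  # as shown by `strings cm1eng`


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same transform the lods/xor/stos loop applies."""
    return bytes(b ^ key for b in data)


def recover_password() -> str:
    """Undo the obfuscation offline, like the perl one-liner does."""
    return xor_decode(OBFUSCATED, XOR_KEY).decode("ascii")


def emulate_check(stdin_bytes: bytes) -> bool:
    """Replay the binary's logic on the given stdin contents.

    read() copies at most READ_LEN bytes into BUF_ADDR with no terminator,
    the loop decodes KEY_LEN bytes at KEY_ADDR in place, and repz cmpsb
    compares only the first KEY_LEN bytes of the input against them.
    """
    # Flat memory image starting at BUF_ADDR, covering the read window
    # and the stored string (which lies 11 bytes into that window).
    mem = bytearray(READ_LEN + KEY_LEN)
    key_off = KEY_ADDR - BUF_ADDR
    mem[key_off:key_off + KEY_LEN] = OBFUSCATED

    # read(0, BUF_ADDR, READ_LEN)
    data = stdin_bytes[:READ_LEN]
    mem[0:len(data)] = data

    # decode loop: XOR each of the 7 stored bytes with 0x21, in place
    for i in range(KEY_LEN):
        mem[key_off + i] ^= XOR_KEY

    # repz cmpsb with ecx = 7: jne 0x80480ef skips the success message
    return mem[0:KEY_LEN] == mem[key_off:key_off + KEY_LEN]


if __name__ == "__main__":
    pw = recover_password()
    print("recovered password:", pw)
    print("check with newline:", emulate_check(pw.encode() + b"\n"))
    print("check with wrong input:", emulate_check(b"asdf\n"))
```

The emulation keeps the real layout, so the stored string sits inside the read window exactly as the addresses indicate; for inputs shorter than 11 bytes that is irrelevant, and the only thing that decides success is whether the first 7 bytes equal the decoded string.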


