author    FreeArtMan <dos21h@gmail.com>  2016-01-25 21:03:22 +0000
committer FreeArtMan <dos21h@gmail.com>  2016-01-25 21:03:22 +0000
commit    29f6ce617ab588e8e00979c61411d751e2fc741b
tree      335639c872daefd6ef551fb9b2150c3cf3b5addd /md/writeup/crackme
parent    dbbfddf6a811908aca66269c630c12d8a126f476
Added note writeup/crackme/mycrk_by_cli3nt.md on how to solve crackme
Diffstat (limited to 'md/writeup/crackme')
-rw-r--r--  md/writeup/crackme/mycrk_by_cli3nt.md  74
1 files changed, 74 insertions, 0 deletions
diff --git a/md/writeup/crackme/mycrk_by_cli3nt.md b/md/writeup/crackme/mycrk_by_cli3nt.md
new file mode 100644
index 0000000..cab25d4
--- /dev/null
+++ b/md/writeup/crackme/mycrk_by_cli3nt.md
@@ -0,0 +1,74 @@
+
+Lets see info about what is inside with general tools
+
+```text
+ objdump --debugging ./mycrk
+```
+
+```text
+ readelf --debug-dump=line
+```
+
+```text
+ nm -a ./mycrk
+```
+
+Okey checked and havent found nothing interesting. There was hope to find
+some nice string that could look like key. ... but there was no candidates
+for such string.
+ Only way now is too see disassembly if there is something interesting.
+Lets use objdump for that. Should be enought of objdump as its just 1 level.
+
+```text
+ objdump -d ./mycrk
+```
+
+Okey we know that there is printed out first message and then we type in
+our key. First _printf_ is for string and then _scanf_ definetly to read
+our input.
+
+```text
+ 80483f1: e8 ee fe ff ff call 80482e4 <printf@plt>
+ 80483f6: 83 c4 10 add $0x10,%esp
+ 80483f9: 83 ec 08 sub $0x8,%esp
+ 80483fc: 8d 45 f4 lea -0xc(%ebp),%eax
+ 80483ff: 50 push %eax
+ 8048400: 68 22 85 04 08 push $0x8048522
+ 8048405: e8 ba fe ff ff call 80482c4 <scanf@plt>
+ 804840a: 83 c4 10 add $0x10,%esp
+ 804840d: 8b 45 f8 mov -0x8(%ebp),%eax
+ 8048410: 3b 45 f4 cmp -0xc(%ebp),%eax
+ 8048413: 75 1d jne 8048432 <main+0x6e>
+```
+
+_scanf_ has somekind of params at address 0x8048522. Lets check what it have
+... and its "%d " ha then its _scanf("%d ",(int))_ then it reads integer we can
+assume that key are numbers only. In format string _%d_ is signed number but
+who cares. And asume most easy task that it just compare with some number with
+are our searched key. Lets put breakpoint at 0x80483f6
+
+```text
+ (gdb)break *0x80483f6
+```
+
+and step instruction by instruction. That _%eax=%ebp-0x8_ is decision to
+validate key and one of the values are our own second is 0x5b1270 lets do
+small translation and ...
+
+int(0x5b1270) = 5968496
+
+
+```text
+ ;at this point happends comparison for if input value is valid or not
+ ; something like
+ ; if scanf("%d",stdin) == cd_key
+ 804840d: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8]
+ 8048410: 3b 45 f4 cmp eax,DWORD PTR [ebp-0xc]
+```
+
+## Notes
+
+__break *0x000__ breakpoint on address
+__x/i $pc__ print current position instruction
+__p $eflags__ print eflags
+__p $eax__ print register EAX values \ No newline at end of file
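Review bot: the pseudocode comment `; if scanf("%d",stdin) == cd_key` in the last listing misstates what the `mov`/`cmp` pair at 804840d/8048410 does: `scanf` returns the number of items matched, not the value read, and the listing compares the integer that `scanf` stored at `[ebp-0xc]` (the address pushed via `lea -0xc(%ebp),%eax` before the call) against the constant held at `[ebp-0x8]`. Suggest rewriting the comment as `; if (input == cd_key)` (with `input` being the variable whose address was passed to `scanf`), and stating in the paragraph above it that the user's value lives at `ebp-0xc` and the key at `ebp-0x8`, since the sentence "That _%eax=%ebp-0x8_ is decision to validate key" currently leaves the reader to work out which slot is which. Two smaller points in the same hunk: the first listing is in AT&T syntax (`mov -0x8(%ebp),%eax`) while the last one is in Intel syntax (`mov eax,DWORD PTR [ebp-0x8]`) for the same two instructions, so either stick to one syntax or mention that the second was produced with `objdump -M intel`; and the `readelf --debug-dump=line` command is missing its file argument (`./mycrk`), unlike the `objdump` and `nm` commands around it. Finally, the breakpoint at `*0x80483f6` lands right after `printf`, so the reader has to single-step through the whole `scanf` call to reach the comparison; a breakpoint at `*0x804840d` (the `mov` immediately after `scanf` returns) gets to the two values with one `p $eax` / `x/wx $ebp-0xc`, which would make the "step instruction by instruction" part much shorter.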