diff options
author | FreeArtMan <dos21h@gmail.com> | 2016-01-25 21:03:22 +0000 |
---|---|---|
committer | FreeArtMan <dos21h@gmail.com> | 2016-01-25 21:03:22 +0000 |
commit | 29f6ce617ab588e8e00979c61411d751e2fc741b (patch) | |
tree | 335639c872daefd6ef551fb9b2150c3cf3b5addd /md/writeup/crackme | |
parent | dbbfddf6a811908aca66269c630c12d8a126f476 (diff) | |
download | md-content-29f6ce617ab588e8e00979c61411d751e2fc741b.tar.gz md-content-29f6ce617ab588e8e00979c61411d751e2fc741b.zip |
Added note writeup/crackme/mycrk_by_cli3nt.md how to solve crackme
Diffstat (limited to 'md/writeup/crackme')
-rw-r--r-- | md/writeup/crackme/mycrk_by_cli3nt.md | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/md/writeup/crackme/mycrk_by_cli3nt.md b/md/writeup/crackme/mycrk_by_cli3nt.md new file mode 100644 index 0000000..cab25d4 --- /dev/null +++ b/md/writeup/crackme/mycrk_by_cli3nt.md @@ -0,0 +1,74 @@ + +Lets see info about what is inside with general tools + +```text + objdump --debugging ./mycrk +``` + +```text + readelf --debug-dump=line +``` + +```text + nm -a ./mycrk +``` + +Okey checked and havent found nothing interesting. There was hope to find +some nice string that could look like key. ... but there was no candidates +for such string. + Only way now is too see disassembly if there is something interesting. +Lets use objdump for that. Should be enought of objdump as its just 1 level. + +```text + objdump -d ./mycrk +``` + +Okey we know that there is printed out first message and then we type in +our key. First _printf_ is for string and then _scanf_ definetly to read +our input. + +```text + 80483f1: e8 ee fe ff ff call 80482e4 <printf@plt> + 80483f6: 83 c4 10 add $0x10,%esp + 80483f9: 83 ec 08 sub $0x8,%esp + 80483fc: 8d 45 f4 lea -0xc(%ebp),%eax + 80483ff: 50 push %eax + 8048400: 68 22 85 04 08 push $0x8048522 + 8048405: e8 ba fe ff ff call 80482c4 <scanf@plt> + 804840a: 83 c4 10 add $0x10,%esp + 804840d: 8b 45 f8 mov -0x8(%ebp),%eax + 8048410: 3b 45 f4 cmp -0xc(%ebp),%eax + 8048413: 75 1d jne 8048432 <main+0x6e> +``` + +_scanf_ has somekind of params at address 0x8048522. Lets check what it have +... and its "%d " ha then its _scanf("%d ",(int))_ then it reads integer we can +assume that key are numbers only. In format string _%d_ is signed number but +who cares. And asume most easy task that it just compare with some number with +are our searched key. Lets put breakpoint at 0x80483f6 + +```text + (gdb)break *0x80483f6 +``` + +and step instruction by instruction. That _%eax=%ebp-0x8_ is decision to +validate key and one of the values are our own second is 0x5b1270 lets do +small translation and ... + +int(0x5b1270) = 5968496 + + +```text + ;at this point happends comparison for if input value is valid or not + ; something like + ; if scanf("%d",stdin) == cd_key + 804840d: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] + 8048410: 3b 45 f4 cmp eax,DWORD PTR [ebp-0xc] +``` + +## Notes + +__break *0x000__ breakpoint on address +__x/i $pc__ print current position instruction +__p $eflags__ print eflags +__p $eax__ print register EAX values
\ No newline at end of file |