-rw-r--r--  md/writeup.md                          |  3
-rw-r--r--  md/writeup/crackme.md                  |  5
-rw-r--r--  md/writeup/crackme/mycrk_by_cli3nt.md  | 74
3 files changed, 81 insertions, 1 deletions
diff --git a/md/writeup.md b/md/writeup.md index 0743d93..1e22cb2 100644 --- a/md/writeup.md +++ b/md/writeup.md @@ -8,7 +8,8 @@ [Using GDB](writeup/using_gdb.md) <!--[Compile Linux Kernel](writeup/compile_linux_kernel.md)--> [QEMU usage](writeup/qemu_usage.md) -[Multiboot USB drive](writeup/multiboot_usb_drive.md) +[Multiboot USB drive](writeup/multiboot_usb_drive.md) +[Solving crackmes](writeup/crackme.md) ### Projects diff --git a/md/writeup/crackme.md b/md/writeup/crackme.md new file mode 100644 index 0000000..88b99f0 --- /dev/null +++ b/md/writeup/crackme.md @@ -0,0 +1,5 @@ +## crackmes.de + +| Name | Level | Solution | Comment | Link | +|---|---|---|---|---| +| mycrk by cli3nt | 1 | [->Solved<-](crackme/mycrk_by_cli3nt.md) | Quick notes | http://crackmes.de/users/cli3nt/mycrk/ |
\ No newline at end of file diff --git a/md/writeup/crackme/mycrk_by_cli3nt.md b/md/writeup/crackme/mycrk_by_cli3nt.md new file mode 100644 index 0000000..cab25d4 --- /dev/null +++ b/md/writeup/crackme/mycrk_by_cli3nt.md 
@@ -0,0 +1,74 @@ + +Lets see info about what is inside with general tools + +```text + objdump --debugging ./mycrk +``` + +```text + readelf --debug-dump=line +``` + +```text + nm -a ./mycrk +``` + +Okey checked and havent found nothing interesting. There was hope to find +some nice string that could look like key. ... but there was no candidates +for such string. + Only way now is too see disassembly if there is something interesting. +Lets use objdump for that. Should be enought of objdump as its just 1 level. + +```text + objdump -d ./mycrk +``` + +Okey we know that there is printed out first message and then we type in +our key. First _printf_ is for string and then _scanf_ definetly to read +our input. + +```text + 80483f1: e8 ee fe ff ff call 80482e4 <printf@plt> + 80483f6: 83 c4 10 add $0x10,%esp + 80483f9: 83 ec 08 sub $0x8,%esp + 80483fc: 8d 45 f4 lea -0xc(%ebp),%eax + 80483ff: 50 push %eax + 8048400: 68 22 85 04 08 push $0x8048522 + 8048405: e8 ba fe ff ff call 80482c4 <scanf@plt> + 804840a: 83 c4 10 add $0x10,%esp + 804840d: 8b 45 f8 mov -0x8(%ebp),%eax + 8048410: 3b 45 f4 cmp -0xc(%ebp),%eax + 8048413: 75 1d jne 8048432 <main+0x6e> +``` + +_scanf_ has somekind of params at address 0x8048522. Lets check what it have +... and its "%d " ha then its _scanf("%d ",(int))_ then it reads integer we can +assume that key are numbers only. In format string _%d_ is signed number but +who cares. And asume most easy task that it just compare with some number with +are our searched key. Lets put breakpoint at 0x80483f6 + +```text + (gdb)break *0x80483f6 +``` + +and step instruction by instruction. That _%eax=%ebp-0x8_ is decision to +validate key and one of the values are our own second is 0x5b1270 lets do +small translation and ... 
+ +int(0x5b1270) = 5968496 + + +```text + ;at this point happends comparison for if input value is valid or not + ; something like + ; if scanf("%d",stdin) == cd_key + 804840d: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] + 8048410: 3b 45 f4 cmp eax,DWORD PTR [ebp-0xc] +``` + +## Notes + +__break *0x000__ breakpoint on address +__x/i $pc__ print current position instruction +__p $eflags__ print eflags +__p $eax__ print register EAX values
\ No newline at end of file |
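Review bot: in the md/writeup.md hunk the removed `-[Multiboot USB drive](writeup/multiboot_usb_drive.md)` and the re-added `+[Multiboot USB drive](writeup/multiboot_usb_drive.md)` are byte-identical as rendered, so that deletion/insertion pair is almost certainly a trailing-whitespace or line-ending change rather than content; either drop it so the hunk is only the new `+[Solving crackmes](writeup/crackme.md)` line, or say in the commit message that the whitespace fix is intended, otherwise the next reviewer has to diff the two lines by hand to confirm nothing changed.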
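Review bot: the new md/writeup/crackme.md ends with `\ No newline at end of file`, which leaves the only table row unterminated and will make every future row added to this index show up as a change to this line as well; add the trailing newline. In the same hunk the Link column holds the bare URL `http://crackmes.de/users/cli3nt/mycrk/` inside a pipe table, so it renders as plain text and any `|` in a later URL would break the row; write it as `[crackmes.de](http://crackmes.de/users/cli3nt/mycrk/)`. The `Level` column also carries a bare `1` with no scale given anywhere on the page, so a short note on what the levels mean (or the site's own scale) would help.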
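Review bot: the pseudocode comment `; if scanf("%d",stdin) == cd_key` in md/writeup/crackme/mycrk_by_cli3nt.md describes the wrong comparison: `scanf` returns the number of successful conversions, not the value read, and the hunk's own listing shows the value being compared is the integer scanf stored at `-0xc(%ebp)` (the address pushed via `lea -0xc(%ebp),%eax` / `push %eax` before `push $0x8048522` and the call), checked against the constant at `-0x8(%ebp)`; something like `; if (input /* [ebp-0xc] */ == cd_key /* [ebp-0x8] */)` matches the two instructions quoted under it. Related: the claim that the key is `0x5b1270` is not verifiable from the hunk alone, because the instruction that writes that constant to `-0x8(%ebp)` is not in either disassembly excerpt; quoting that one `movl` line lets a reader check the answer with `objdump` and skip the gdb session, and the prose line "That _%eax=%ebp-0x8_ is decision to validate key" should say that eax is loaded from the stack slot at -0x8(%ebp), not that eax equals ebp-0x8. Smaller points in the same hunk: `readelf --debug-dump=line` is missing its file argument (`./mycrk`); the first listing is AT&T syntax (`mov -0x8(%ebp),%eax`) while the second is Intel (`mov eax,DWORD PTR [ebp-0x8]`), so pick one, e.g. `objdump -d -M intel ./mycrk`; the format string `"%d "` with a trailing space is worth a sentence, since a trailing whitespace directive makes scanf keep consuming input after the number until something non-blank arrives, which explains any apparent hang when testing; the four `__break *0x000__` / `__x/i $pc__` / `__p $eflags__` / `__p $eax__` lines under `## Notes` are consecutive paragraph lines and will render as one run-on paragraph, so make them a `-` list; the file also ends with `\ No newline at end of file`. Spelling to fix before merge: "Okey", "havent found nothing", "definetly", "enought", "somekind", "asume", "happends", "with are our searched key".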