path: root/md/writeup/crackme/mycrk_by_cli3nt.md
blob: cab25d4c9a9df76fcd285334a24db60278440c84

Let's see what is inside with general tools:

```text
	objdump --debugging ./mycrk
```

```text
	readelf --debug-dump=line ./mycrk
```

```text
	nm -a ./mycrk
```

Okay, checked and found nothing interesting. There was hope to find
some nice string that could look like a key ... but there were no candidates
for such a string.
	The only way now is to look at the disassembly and see if there is something interesting.
Let's use objdump for that. objdump should be enough, as it's just level 1.

```text
	objdump -d ./mycrk
```

Okay, we know that first a message is printed and then we type in
our key. The first _printf_ is for the string and then the _scanf_ is definitely reading
our input.

```text
	80483f1:       e8 ee fe ff ff          call   80482e4 <printf@plt>
	80483f6:       83 c4 10                add    $0x10,%esp
	80483f9:       83 ec 08                sub    $0x8,%esp
	80483fc:       8d 45 f4                lea    -0xc(%ebp),%eax
	80483ff:       50                      push   %eax
	8048400:       68 22 85 04 08          push   $0x8048522
	8048405:       e8 ba fe ff ff          call   80482c4 <scanf@plt>
	804840a:       83 c4 10                add    $0x10,%esp
	804840d:       8b 45 f8                mov    -0x8(%ebp),%eax
	8048410:       3b 45 f4                cmp    -0xc(%ebp),%eax
	8048413:       75 1d                   jne    8048432 <main+0x6e>
```

_scanf_ has some kind of format string argument at address 0x8048522. Let's check what it is
... and it's "%d ", so it's _scanf("%d ",(int))_ and it reads an integer; we can
assume the key is numbers only. In the format string _%d_ is a signed number, but
who cares. And assume the easiest case: it just compares our input with some number, which
is our searched key. Let's put a breakpoint at 0x80483f6

```text
	(gdb)break *0x80483f6
```

and step instruction by instruction. The `mov -0x8(%ebp),%eax` followed by `cmp -0xc(%ebp),%eax`
is the decision that validates the key: one of the two values is our own input and the
second is 0x5b1270. Let's do a small translation and ...

int(0x5b1270) = 5968496


```text
	; at this point the comparison happens that decides whether the input value is valid or not
	; something like
	; if scanf("%d",stdin) == cd_key
	804840d:	8b 45 f8             	mov    eax,DWORD PTR [ebp-0x8]
	8048410:	3b 45 f4             	cmp    eax,DWORD PTR [ebp-0xc]
```
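As an added example (not part of the original writeup), a small Python helper that automates the reasoning above: it parses the objdump listing quoted in this writeup, finds the stack slot _scanf_ writes into (from the `lea` pushed as its second argument), locates the `cmp` that follows the call, resolves `%eax` back to the slot it was loaded from, and builds the gdb commands to stop on the compare and dump the other operand. The `objdump -d` AT&T-syntax format is assumed.

```python
import re

# Constructed sample input: the objdump -d (AT&T syntax) lines quoted above.
DISASM = """\
 80483f1:       e8 ee fe ff ff          call   80482e4 <printf@plt>
 80483f6:       83 c4 10                add    $0x10,%esp
 80483f9:       83 ec 08                sub    $0x8,%esp
 80483fc:       8d 45 f4                lea    -0xc(%ebp),%eax
 80483ff:       50                      push   %eax
 8048400:       68 22 85 04 08          push   $0x8048522
 8048405:       e8 ba fe ff ff          call   80482c4 <scanf@plt>
 804840a:       83 c4 10                add    $0x10,%esp
 804840d:       8b 45 f8                mov    -0x8(%ebp),%eax
 8048410:       3b 45 f4                cmp    -0xc(%ebp),%eax
 8048413:       75 1d                   jne    8048432 <main+0x6e>
"""

# address:  opcode bytes  mnemonic  operands
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*([a-z]+)\s*(.*)$")

def parse(text):
    """Return a list of (address, mnemonic, operands) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return out

def find_scanf_check(insns):
    """Locate the cmp that checks the value scanf read; report both stack slots."""
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem != "call" or "scanf@plt" not in ops:
            continue
        input_slot = None  # last `lea X(%ebp),%eax` before the call = scanf's buffer
        for _, m2, o2 in reversed(insns[:i]):
            if m2 == "lea" and o2.endswith(",%eax"):
                input_slot = o2[:-len(",%eax")]
                break
        eax_from = None  # memory operand %eax was last loaded from
        for addr, m3, o3 in insns[i + 1:]:
            src, _, dst = o3.rpartition(",")
            if m3 == "mov" and dst == "%eax":
                eax_from = src
            elif m3 == "cmp":
                a, b = src, (eax_from if dst == "%eax" else dst)
                other = b if a == input_slot else a
                return {"input_slot": input_slot, "key_slot": other, "cmp_at": addr}
    return None

def gdb_commands(check):
    """gdb commands: break on the compare, dump the non-input operand as a decimal word."""
    off = check["key_slot"].split("(")[0]  # "-0x8" from "-0x8(%ebp)"
    return [f"break *0x{check['cmp_at']:x}", "run", f"x/dw $ebp{off}", "p $eax"]

if __name__ == "__main__":
    print("\n".join(gdb_commands(find_scanf_check(parse(DISASM)))))
```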

## Notes

__break *0x000__ set a breakpoint on an address  
__x/i $pc__ print the instruction at the current position  
__p $eflags__ print eflags  
__p $eax__ print the value of register EAX