Let's first see what the general-purpose tools tell us about the binary:
```text
objdump --debugging ./mycrk
```
```text
readelf --debug-dump=line ./mycrk
```
```text
nm -a ./mycrk
```
Checked, and nothing interesting: there was some hope of finding a string that
looks like a key, but there were no candidates.
The only way forward is to read the disassembly and see if something stands out.
objdump is enough for that, since this is only a level-1 crackme:
```text
objdump -d ./mycrk
```
We already know the program prints a message and then waits for us to type a
key, so the first _printf_ is the prompt and the _scanf_ right after it must
read our input:
```text
80483f1: e8 ee fe ff ff call 80482e4 <printf@plt>
80483f6: 83 c4 10 add $0x10,%esp
80483f9: 83 ec 08 sub $0x8,%esp
80483fc: 8d 45 f4 lea -0xc(%ebp),%eax
80483ff: 50 push %eax
8048400: 68 22 85 04 08 push $0x8048522
8048405: e8 ba fe ff ff call 80482c4 <scanf@plt>
804840a: 83 c4 10 add $0x10,%esp
804840d: 8b 45 f8 mov -0x8(%ebp),%eax
8048410: 3b 45 f4 cmp -0xc(%ebp),%eax
8048413: 75 1d jne 8048432 <main+0x6e>
```
_scanf_ gets an argument at address 0x8048522; the string there is `"%d "`, so
the call is `scanf("%d ", &input)` and it reads an integer. We can therefore
assume the key is digits only. In the format string _%d_ means a signed number,
but who cares. Let's also assume the simplest case: the input is just compared
with some constant, and that constant is the key. Set a breakpoint right after
the _printf_ call, at 0x80483f6:
```text
(gdb)break *0x80483f6
```
and single-step from there. The `mov -0x8(%ebp),%eax` followed by the `cmp` is
the validation: `-0xc(%ebp)` is the slot _scanf_ just filled with our input
(it was passed to _scanf_ via `lea -0xc(%ebp),%eax`), so the other operand,
`-0x8(%ebp)`, must hold the key, and at this point it contains 0x5b1270. A
small translation gives
int(0x5b1270) = 5968496
```text
; at this point the comparison decides whether the input is valid or not;
; in C terms, roughly:
;   if (input == cd_key)
804840d: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8]   ; eax = cd_key
8048410: 3b 45 f4 cmp eax,DWORD PTR [ebp-0xc]   ; compare with input
```
Let's try our number ... and it's correct.
KEY: 5968496
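To make the stack-slot reasoning above mechanical, here is an added Python script (mine, not the crackme author's, and not part of the original write-up). It parses the `objdump -d` fragment quoted on this page, works out which slot _scanf_ writes to and which slot that input is compared against, and prints the gdb commands that read the key at the comparison instead of single-stepping to it. It assumes only what the listing shows: the cdecl convention (arguments pushed right to left) and that the destination pointer comes from a `lea`. The `as_signed32` helper covers the signed-_%d_ caveat dismissed above, for the case where the stored word has its top bit set and the number to type would be negative.

```python
"""Re-derive the key comparison from the objdump listing quoted above.

Added example, not part of the original write-up.  It parses the AT&T-syntax
fragment copied from the page, works out which stack slot scanf() fills,
which slot that input is compared against, and emits the gdb commands that
read the key at the comparison instead of single-stepping to it.  Nothing
else about ./mycrk is assumed.
"""

# Fragment of `objdump -d ./mycrk` as printed on the page.
LISTING = """\
80483f1: e8 ee fe ff ff call 80482e4 <printf@plt>
80483f6: 83 c4 10 add $0x10,%esp
80483f9: 83 ec 08 sub $0x8,%esp
80483fc: 8d 45 f4 lea -0xc(%ebp),%eax
80483ff: 50 push %eax
8048400: 68 22 85 04 08 push $0x8048522
8048405: e8 ba fe ff ff call 80482c4 <scanf@plt>
804840a: 83 c4 10 add $0x10,%esp
804840d: 8b 45 f8 mov -0x8(%ebp),%eax
8048410: 3b 45 f4 cmp -0xc(%ebp),%eax
8048413: 75 1d jne 8048432 <main+0x6e>
"""

HEX = set("0123456789abcdef")


def parse_listing(text):
    """Return [(address, mnemonic, operands)] for every instruction line."""
    insns = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue
        addr = int(tokens[0][:-1], 16)
        i = 1
        while i < len(tokens) and len(tokens[i]) == 2 and set(tokens[i]) <= HEX:
            i += 1                      # skip the encoded bytes
        insns.append((addr, tokens[i], " ".join(tokens[i + 1:])))
    return insns


def src_dst(ops):
    """Split 'src,dst' (AT&T order); the last comma separates the operands."""
    src, dst = ops.rsplit(",", 1)
    return src, dst


def find_input_slot(insns):
    """Stack slot that scanf() writes to, plus the format-string operand.

    cdecl pushes arguments right to left, so the push closest to the call is
    the format string and the one before it is the destination pointer, which
    here comes from a register loaded by lea.
    """
    call = next(i for i, (_, m, o) in enumerate(insns)
                if m == "call" and "scanf@plt" in o)
    pushes = [i for i in range(call - 1, -1, -1) if insns[i][1] == "push"]
    if len(pushes) < 2:
        raise ValueError("scanf call without two pushed arguments")
    fmt_operand = insns[pushes[0]][2]           # e.g. '$0x8048522'
    reg = insns[pushes[1]][2]                   # e.g. '%eax'
    for j in range(pushes[1] - 1, -1, -1):
        _, m, o = insns[j]
        if m == "lea" and src_dst(o)[1] == reg:
            return src_dst(o)[0], fmt_operand   # e.g. '-0xc(%ebp)'
    raise ValueError("scanf destination register not loaded by lea")


def find_key_slot(insns, input_slot):
    """Address of the cmp against the input slot and the slot it is compared to."""
    for idx, (addr, m, o) in enumerate(insns):
        if m != "cmp":
            continue
        src, dst = src_dst(o)
        if input_slot not in (src, dst):
            continue
        reg = dst if src == input_slot else src
        for j in range(idx - 1, -1, -1):        # mov that filled the register
            _, mm, oo = insns[j]
            if mm == "mov" and src_dst(oo)[1] == reg:
                return addr, src_dst(oo)[0]
    raise ValueError("no cmp against the scanf destination")


def gdb_commands(cmp_addr, key_slot):
    """Batch commands: break on the cmp and print the key slot as a signed int."""
    disp, base = key_slot.split("(")            # '-0x8', '%ebp)'
    base = base.rstrip(")").lstrip("%")
    return [f"break *{cmp_addr:#x}", "run", f"x/dw ${base}{disp}"]


def as_signed32(word):
    """Interpret a 32-bit stack word the way scanf("%d") will parse it."""
    return word - (1 << 32) if word & 0x80000000 else word


def analyse(text):
    insns = parse_listing(text)
    input_slot, fmt = find_input_slot(insns)
    cmp_addr, key_slot = find_key_slot(insns, input_slot)
    return {"format": fmt, "input_slot": input_slot, "key_slot": key_slot,
            "cmp_addr": cmp_addr, "gdb": gdb_commands(cmp_addr, key_slot)}


if __name__ == "__main__":
    for k, v in analyse(LISTING).items():
        print(f"{k}: {v}")
    # Word found at the key slot in the write-up, as the number to type in.
    print("key:", as_signed32(0x5b1270))
```

Save the printed gdb lines to a file and run `gdb -batch -x cmds.gdb ./mycrk`, typing any integer at the program's prompt (or change the `run` line to `run < some_input.txt`). The `x/dw $ebp-0x8` at the breakpoint prints the stored key directly as a signed decimal, so no hand conversion from 0x5b1270 is needed, and a word with the top bit set shows up as the negative number _scanf_ would accept.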
## Notes
__break *0x000__ set a breakpoint at an address
__x/i $pc__ print the instruction at the current position
__p $eflags__ print the EFLAGS register
__p $eax__ print the value of register EAX