#crackme

Emmm......I’m guessing the same password may still work for this one, cuz it works for 0x07, and I’m right. Still same logic as the previous one, will take a close look later.

$ LOLO= ./crackme0x08 IOLI Crackme Level 0x08 Password: 88 Password OK!

$ LOLO= ./crackme0x07 IOLI Crackme Level 0x07 Password: 88 Password OK!

Logic is the same as level 0x06 though. I’ll have a close look at the difference when I have time.

Main function calls fcn.080485b9

pdf @ fcn.080485b9

Everything’s the same as the last level except the parameters of sym.check

0x08048651    8b4510       mov eax, [ebp+0x10]    ;get the environment value  0x08048654    89442404     mov [esp+0x4], eax     ;pass it to check() 0x08048658    8d4588       lea eax, [ebp-0x78]    ;get password address

0x0804865b    890424       mov [esp], eax         ;pass it to check()

0x0804865e    e825ffffff   call 0x108048588 ; (sym.check)

The main function prints out the title and string password. Then it gets the user input and stores it to the [var_78h]. The [arg_10h] is the variable of environment variable in bash. So the parameter for sym.check() is environment variable and user input. Read about parameter passing in assembly here.

Inside sym.check, it again checks the user input with 0x10 (int 16) at 0x080485da and calls sym.parell, passing the two arguments.

Sym.parell then calls sym.dummy, passing on the arguments (usr input and environment variable).

Note inside sym.dummy:

0x080484ee      c74424043887.  mov dword [var_4h_2], str.LOLO 

0x080484f6      8b0411         mov eax, dword [ecx + edx]

 0x080484f9      890424         mov dword [esp], eax

0x080484fc      e8d7feffff     call sym.imp.strncmp 

The program is looping through the environment variables to see if there is an environment variable string named ‘LOLO’ and returns 1 if LOLO exists. To crack it, supply LOLO to the program.  Read about setting env variables here.

$ LOLO= ./crackme0x06 IOLI Crackme Level 0x06 Password: 88 Password OK!

Alternatively,

$ export LOLO=

Again there is a sym.check function called inside main. pdf @ sym.check:

 0x0804851a      837df810       cmp dword [var_8h], 0x10

Spot the comparison. 0x10 is int 16. Similar to the last crackme (0x04), let’s try 88 as the password (8+8=16):

./crackme0x05 IOLI Crackme Level 0x05 Password: 88 Password OK!

However, trying the other possibilities: 97, 79, 907 does not seem to work, but 970 works:

./crackme0x05 IOLI Crackme Level 0x05 Password: 97 Password Incorrect!

./crackme0x05 IOLI Crackme Level 0x05 Password: 970 Password OK!

I want to continue looking at the function to see why it’s causing this.

At 0x08048526, sym.check calls sym.parell. Inside sym.parell:

and eax, 1 gets the first bit of eax (the least significant bit);

test eax, eax is the same as and eax, eax (bitwise and) except that it doesn't store the result in eax. So eax isn't affected by the test, but the zero-flag is. The jne branch will be taken if not equal (zero-flag=0) --> i.e. when ZF=1 --> and ZF=1 if eax contains 1. Conversely if eax contains zero, ZF=0, the jump via jne will not happen.

Therefore, in the sym.parell function, the program reads the user input as a whole integer. As long as the input number is even number, it will output “correct password”.

0x0804851e      750b           jne 0x804852b (sym.check

0x080484ea      7346           jae 0x8048532  (sym.check

0x080484ac      7518           jne 0x80484c6  (sym.parell

I try to change the instruction at 0x080484ac to a nop so it will not jump and print str.Password_OK, but failed. Turns out we need to edit all of the above three addresses to a nop in order to make the program accept any password: wx 9090 @ address

Run pdf @ main and we see a sym.check function at 0x08048559;

pdf @ sym.check:

At this address, we see something is compared to the integer 15 (0xf).

0x080484d6      837df80f       cmp dword [var_8h], 0xf

Tracing back, we see strlen function is called to get the string length(i.e. number of characters) of the input

|       :   0x0804849b      890424         mov dword [esp], eax

|       :   0x0804849e      e8e1feffff     call sym.imp.strlen         ; size_t strlen(const char *s)

Sscanf is called to get a character from our password.

|      |:   0x080484c6      890424         mov dword [esp], eax

|      |:   0x080484c9      e8d6feffff     call sym.imp.sscanf 

With the loop for len times, which len is the length of our password, these number add together, and compare with 0xf(aka 15). So let’s try password with all digits adding up to 15.

0x0804849e    e8e1feffff   call 0x108048384 ; (sym.imp.strlen)

|     |     0x080484a3    3945f4       cmp [ebp-0xc], eax   ;;compare the length of input with counter

|     | ,== length, jump to the addr

|     | |   0x080484a8    8b45f4       mov eax, [ebp-0xc]   ;;get value from counter which is index

|     | |   0x080484ab    034508       add eax, [ebp+0x8]   ;;get eax = &(input[index])

|     | |   0x080484ae    0fb600       movzx eax, byte [eax] ;;get eax = input[index]

|     | |   ;-- eip:

|     | |   0x080484b1    8845f3       mov [ebp-0xd], al   ;; [ebp=0xd] = input[index]

|     | |   0x080484b4    8d45fc       lea eax, [ebp-0x4]  ;;get addr of [ebp-0x4]

|     | |   0x080484b7    89442408     mov [esp+0x8], eax  ;;pass this addr as param which is ret value

|     | |   0x080484bb    c7442404388. mov dword [esp+0x4], str.d   ;;pass "%d" as parm for sscanf()

|     | |   0x080484c3    8d45f3       lea eax, [ebp-0xd]  ;;get addr of input[index]

|     | |   0x080484c6 b  890424       mov [esp], eax      ;;pass it as param to sscanf()

|     | |   ; CODE (CALL) XREF from 0x080483a4 (fcn.0804839a)

|     | |   0x080484c9    e8d6feffff   call 0x1080483a4 ; (sym.imp.sscanf)

|     | |      sym.imp.sscanf()

|     | |   0x080484ce    8b55fc       mov edx, [ebp-0x4]  ;;move ret value from sscanf to edx

|     | |   0x080484d1    8d45f8       lea eax, [ebp-0x8]  ;;get addr of total sum

|     | |   0x080484d4    0110         add [eax], edx      ;;add ret value to total sum

|     | |   0x080484d6    837df80f     cmp dword [ebp-0x8], 0xf  ;;compare total sum with 0x0f

|     |,== 0x080484f4    8d45f4       lea eax, [ebp-0xc]  ;;get counter address

|     | |   0x080484f7    ff00         inc dword [eax]     ;;increase counter by 1

amzn_assoc_ad_type = "banner"; amzn_assoc_marketplace = "amazon"; amzn_assoc_region = "US"; amzn_assoc_placement = "assoc_banner_placement_default"; amzn_assoc_campaigns = "amzn_vicc_cloudcam_1017"; amzn_assoc_banner_type = "category"; amzn_assoc_isresponsive = "true"; amzn_assoc_banner_id = "1J0CHGJT75D586M66602"; amzn_assoc_tracking_id = "kraljevicn1-20"; amzn_assoc_linkid = "c122cc4768b349b4aab7d3099b74ea1c";

Sunday Round up for this week!

Articles:

Using Ghidra to attack crackme

Stealing Ethereum by Guessing Weak Private Keys

Croatian bank to delete Facebook account

How Security Tokens Can Prevent an Impending Financial Crisis

Cybersecurity Checklist for Political Campaigns

If you found some other interesting stuff this week feel free to leave a link to it in the comments section. Otherwise feel free to check out the last roundup here.

amzn_assoc_ad_type = "banner"; amzn_assoc_marketplace = "amazon"; amzn_assoc_region = "US"; amzn_assoc_placement = "assoc_banner_placement_default"; amzn_assoc_campaigns = "amzn_vicc_cloudcam_1017"; amzn_assoc_banner_type = "category"; amzn_assoc_isresponsive = "true"; amzn_assoc_banner_id = "1J0CHGJT75D586M66602"; amzn_assoc_tracking_id = "kraljevicn1-20"; amzn_assoc_linkid = "c122cc4768b349b4aab7d3099b74ea1c";

Sunday Round up for this week!

Articles:

Ghidra quickstart & tutorial: Solving a simple crackme

A quick lesson in confirmation bias

Hackers and “Carding”

[Frida] Automatically extracting KeyStores from Android apps

Sending longer strings as custom TCP packets is a lot of fun. – Securitron Linux blog.

If you found some other interesting stuff this week feel free to leave a link to it in the comments section. Otherwise feel free to check out the last roundup here.