- Prison Code Breaker Diary -

=> aka: Nhật Kí Code Tù


-:== Crackme Info ==:-
Difficulty: 1 - Very easy, for newbies
Platform: Unix/linux etc.
Language: Assembler

Solution:

This is a pretty simple crackme for Linux. The only tools you need are GDB and objdump, which ship with every Linux distribution.

Download and extract the file.

If you run the executable blah, it prints nothing.
Let's have a quick look at the binary in assembly:


$ objdump -D blah

This is the result. Note that -D disassembles every section, not just the code, which is why the .data bytes at the end also show up as (meaningless) instructions:

blah: file format elf32-i386


Disassembly of section .text:

08048094 <.text>:
8048094: 31 c0 xor %eax,%eax
8048096: b8 2f 00 00 00 mov $0x2f,%eax
804809b: cd 80 int $0x80
804809d: 3d ad de 00 00 cmp $0xdead,%eax
80480a2: 75 16 jne 0x80480ba
80480a4: b8 04 00 00 00 mov $0x4,%eax
80480a9: bb 01 00 00 00 mov $0x1,%ebx
80480ae: b9 c4 90 04 08 mov $0x80490c4,%ecx
80480b3: ba 06 00 00 00 mov $0x6,%edx
80480b8: cd 80 int $0x80
80480ba: 31 c0 xor %eax,%eax
80480bc: 40 inc %eax
80480bd: 31 db xor %ebx,%ebx
80480bf: cd 80 int $0x80

Disassembly of section .data:

080490c4 <.data>:
80490c4: 4f dec %edi
80490c5: 6b 65 6a 21 imul $0x21,0x6a(%ebp),%esp
80490c9: 0a .byte 0xa

A quick look: as anyone who has done Linux programming knows, int $0x80 is the 32-bit system call interrupt. The syscall number goes in EAX, the arguments in EBX, ECX and EDX, and the return value comes back in EAX.

The first syscall:

8048094: 31 c0 xor %eax,%eax
8048096: b8 2f 00 00 00 mov $0x2f,%eax
804809b: cd 80 int $0x80

This is syscall 0x2f (47), getgid(): it returns the real group ID of the calling process in EAX (see the i386 Linux system call table).

The program then compares the result of getgid() with 0xDEAD.
If they are not equal, it jumps to the block below:

80480ba: 31 c0 xor %eax,%eax
80480bc: 40 inc %eax
80480bd: 31 db xor %ebx,%ebx
80480bf: cd 80 int $0x80

This is the exit() syscall (number 1 in EAX) with exit status 0 (EBX = 0), so the program quits silently.

If they are equal, the program prints the message with the write() syscall (number 4): EBX = 1 is stdout, ECX points at the message in the data section (0x080490C4) and EDX = 6 is its length.
Those six bytes, 4f 6b 65 6a 21 0a, are the string "Okej!\n" that objdump mis-decoded as dec/imul instructions above.

OK!
So we have two ways to solve this:
+ Either run the program with a real group ID of 0xDEAD (57005),
+ Or patch the conditional jump.

For the first solution, create a group with that GID (groupadd -g 57005 dead) and run the binary with it as your real group ID, for example with sg dead -c ./blah or from a newgrp dead shell. Just adding your user to the group is not enough on its own: getgid() returns only the process's real GID, not its supplementary groups.

I'm going to talk about patching the jump next.

Load gdb

$ gdb blah

Set a breakpoint on the cmp at 0x804809d, right after getgid() returns:

(gdb) break *0x804809d

(gdb) run
Breakpoint 1, 0x0804809d in ?? ()

(gdb) info registers
eax 0x1f4 500
ecx 0x0 0
edx 0x0 0
ebx 0x0 0
esp 0xbf9c04d0 0xbf9c04d0
ebp 0x0 0x0
esi 0x0 0
edi 0x0 0
eip 0x804809d 0x804809d
eflags 0x200246 [ PF ZF IF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x0 0

As you can see, my group ID is 500 (returned in EAX); hence, the program will exit immediately.
Let's patch the two bytes of the jne at 0x80480a2 with NOPs. First look at what is there:

(gdb) x/x 0x80480a2
0x80480a2: 0x04b81675

Read little-endian, that word is the bytes 75 16 b8 04: the jne (75 16) followed by the start of the mov $0x4,%eax (b8 04). We only want to replace 75 16 with 90 90 and leave b8 04 untouched, therefore:

(gdb) set {int} 0x80480a2 = 0x04b89090
(gdb) continue
Okej!

That write only changed the memory of the running process; the file on disk is still the original. To make the patch permanent, open the executable writable with gdb --write and apply the same set command before run. With no process running, gdb writes into the file itself:

$ gdb --write blah
(gdb) set {int} 0x80480a2 = 0x04b89090
(gdb) quit

Now re-run the patched crackme.

$ ./blah
Okej!
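As an added example (not part of the original write-up), here is a small Python script that applies the same patch directly to the file instead of through gdb. It parses the ELF32 program headers to translate the virtual address 0x80480a2 into a file offset, checks that the bytes there really are the jne (75 16) before overwriting them with 90 90, and decodes the jump's signed rel8 displacement to confirm it targets 0x80480ba. It assumes a non-PIE binary with absolute addresses, as this crackme is. The embedded sample ELF is constructed here from the .text bytes in the objdump listing above so the script runs offline; to patch the real crackme, pass its path as the first argument.

```python
"""Patch the jne in the crackme on disk: ELF32 vaddr -> file offset, verify, overwrite."""
import struct
import sys

PT_LOAD = 1
JNE_VADDR = 0x080480A2          # address of "75 16  jne 0x80480ba" in the objdump listing
JNE_BYTES = b"\x75\x16"
NOP_NOP = b"\x90\x90"


def elf32_load_segments(data):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD program header."""
    if data[:4] != b"\x7fELF" or data[4] != 1:      # EI_CLASS 1 == ELFCLASS32
        raise ValueError("not an ELF32 file")
    e_phoff = struct.unpack_from("<I", data, 0x1C)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    segments = []
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz = struct.unpack_from("<IIIII", data, ph)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def vaddr_to_offset(data, vaddr):
    """Map a virtual address to its file offset via the PT_LOAD segment that contains it."""
    for p_offset, p_vaddr, p_filesz in elf32_load_segments(data):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by the file")


def short_jcc_target(data, vaddr):
    """Target of a two-byte short conditional jump (opcodes 0x70-0x7f, signed rel8) at vaddr."""
    off = vaddr_to_offset(data, vaddr)
    opcode, rel8 = data[off], data[off + 1]
    if not 0x70 <= opcode <= 0x7F:
        raise ValueError(f"no short Jcc at {vaddr:#x}")
    rel = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return vaddr + 2 + rel          # displacement is relative to the next instruction


def patch_bytes(data, vaddr, expected, replacement):
    """Overwrite the bytes at vaddr only if they are exactly `expected`; returns a new image."""
    if len(expected) != len(replacement):
        raise ValueError("patch must keep the same length")
    off = vaddr_to_offset(data, vaddr)
    found = data[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"unexpected bytes at {vaddr:#x}: {found.hex()}")
    return data[:off] + replacement + data[off + len(replacement):]


def patch_jne(data):
    """Turn the jne at JNE_VADDR into two NOPs so the write() path is always taken."""
    return patch_bytes(data, JNE_VADDR, JNE_BYTES, NOP_NOP)


def build_sample_elf():
    """Constructed sample (not the original file): a minimal ELF32 with one PT_LOAD mapping
    file offset 0 to 0x08048000, and the .text bytes copied from the objdump listing placed
    at file offset 0x94 so they sit at 0x08048094 as in the real binary. The headers are only
    as complete as this script needs; the sample is not meant to be executed."""
    text = bytes.fromhex(
        "31c0" "b82f000000" "cd80" "3dadde0000" "7516"
        "b804000000" "bb01000000" "b9c4900408" "ba06000000" "cd80"
        "31c0" "40" "31db" "cd80")
    base, text_off = 0x08048000, 0x94
    ehdr = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8     # ELFCLASS32, little-endian, v1
            + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base + text_off,
                          0x34, 0, 0, 0x34, 0x20, 1, 0, 0, 0))
    filesz = text_off + len(text)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, base, base, filesz, filesz, 5, 0x1000)
    img = ehdr + phdr
    return img + b"\x00" * (text_off - len(img)) + text


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_elf()
    print(f"jne at {JNE_VADDR:#x} jumps to {short_jcc_target(image, JNE_VADDR):#x}")
    patched = patch_jne(image)
    if path:
        with open(path + ".patched", "wb") as f:
            f.write(patched)
        print(f"wrote {path}.patched")
```

The expected-bytes check is what keeps this safe to reuse: if the file is not the binary you disassembled (different build, already patched), the script refuses rather than corrupting an instruction. The patched copy is written without the execute bit, so chmod +x it before running.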

Well done, you patched the crackme.
I hope this tutorial is a little guide for those who, like me, are starting out cracking on Linux.

Have fun!
