- Prison Code Breaker Diary -

=> aka: Nhật Kí Code Tù

Categories

Difficulty: 1 - Very easy, for newbies
Platform: Unix/linux etc.
Language: C/C++
Link: Click to refer
Click to Download

Try running it first to see how it behaves.
Then launch gdb and list the function symbols:


(gdb) info func
0x080483b0 __register_frame_info
0x080483b0 __register_frame_info@plt
0x080483c0 strcmp@plt
0x080483d0 scanf@plt
0x080483e0 __deregister_frame_info
0x080483e0 __deregister_frame_info@plt
0x080483f0 ptrace@plt
0x08048400 __libc_start_main@plt
0x08048410 printf@plt
0x08048420 exit@plt
0x08048430 fopen@plt

Hmm... strcmp() and fopen() are both called, so there must be a real password comparison and a file operation somewhere.
Boom... this crackme also calls ptrace(). Why?
Let's set breakpoints on strcmp() and fopen() and find out:

(gdb) b 0x080483c0
(gdb) b 0x08048430
(gdb) run
Are you trying to Debug me?

Bang! Neither breakpoint is reached: the program notices the attached debugger and bails out, so this crackme calls ptrace() for anti-debugging.

Quit gdb and switch to dasm2 instead, which does static analysis and so never triggers the ptrace() check.
Disassemble it:

$ dasm2 crackme -output=dump


push $8048800 ; reference to data : "-[ Linux CrackMe (Level:3) by cyrex ]-"

call 08048410 ;
add $10,%esp ;
add $fffffff4,%esp ;
push $8048840 ; reference to data : "-[ TODO: Get the valid password ]-"

call 08048410 ;
add $10,%esp ;
add $fffffff4,%esp ;
push $8048868 ; reference to data : "-[ Enter Password: "

call 08048410 ;
add $10,%esp ;
add $fffffff8,%esp ;
lea -400(%ebp),%eax ;
push %eax ;
push $804887c ; reference to data : "%s"

call 080483d0 ;
add $10,%esp ;
add $fffffff8,%esp ;
lea -400(%ebp),%eax ;
push %eax ;
push $804887f ; reference to data : "-[ Entered Password: %s"

call 08048410 ;
add $10,%esp ;
add $fffffff4,%esp ;
push $8048898 ; reference to data : "-[ Checking Stage 1 Now....."

call 08048410 ;
add $10,%esp ;
add $fffffff8,%esp ;
push $80488b6 ; reference to data : "7gb5fjf8v4bg8fb34f"

lea -400(%ebp),%eax ;
push %eax ;
call 080483c0 ;
add $10,%esp ;
mov %eax,%eax ;
test %eax,%eax ;
jne 08048600 ;
add $fffffff4,%esp ;
push $80488c9 ; reference to data : "-[ Stage 1 Cleared"

call 08048410 ;
add $10,%esp ;
jmp 08048614 ;
lea 0(%esi),%esi ;
add $fffffff4,%esp ; referenced from jump(s) at 080485e9;

push $80488dd ; reference to data : "-[ Game Over"

call 08048410 ;
add $10,%esp ;
xor %eax,%eax ;
jmp 08048690 ;
add $fffffff4,%esp ; referenced from jump(s) at 080485fb;

push $80488eb ; reference to data : "-[ Checking Stage 2 Now...."

call 08048410 ;
add $10,%esp ;
add $fffffff8,%esp ;
push $8048908 ; reference to data : "r"

push $8048920 ; reference to data : "/tmp/crackme_89nfnjfiefheufeue"

call 08048430 ;
add $10,%esp ;
mov %eax,%eax ;
mov %eax,-404(%ebp) ;
cmpl $0,-404(%ebp) ; reference to data : "__gmon_start__"

jne 08048667 ;
add $fffffff4,%esp ;
push $8048940 ; reference to data : "-[ Bad did you forgot something?"

call 08048410 ;
add $10,%esp ;
add $fffffff4,%esp ;
push $0 ; reference to data : "__gmon_start__"

call 08048420 ;
add $10,%esp ;
add $fffffff4,%esp ; referenced from jump(s) at 08048648;

push $8048980 ; reference to data : "-[ You have successfully reversed/cracked/sniffed This Crackme"

call 08048410 ;
add $10,%esp ;
add $fffffff4,%esp ;
push $80489c0 ; reference to data : "-[ Email me your solution to eth0@list.ru"


So the first password is "7gb5fjf8v4bg8fb34f" (the string compared by strcmp() in Stage 1).
Stage 2 then opens "/tmp/crackme_89nfnjfiefheufeue" for reading ("r") and only checks whether fopen() succeeded: if the file exists, the success message is printed; otherwise it fails with "Bad did you forgot something?" and exits.

Have fun!
