- Prison Code Breaker Diary -

=> aka: Nhật Kí Code Tù


==:: Crackme Info ::==
Difficulty: 1 - Very easy, for newbies
Platform: Unix/linux etc.
Language: C/C++

The crackme prints the 'done' message only if we supply the correct password.
At first sight this crackme seems very complicated: if you try to dump it with Dasm2 or load it in GDB, it does not work at all.
We use readelf to look at its header information:


$ readelf -e easymath
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048380
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 7
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0 <corrupt: out of range>

There are no sections in this file.

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4
INTERP 0x000114 0x08048114 0x08048114 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x00644 0x00644 R E 0x1000
LOAD 0x000644 0x08049644 0x08049644 0x00110 0x00114 RW 0x1000
DYNAMIC 0x000658 0x08049658 0x08049658 0x000c8 0x000c8 RW 0x4
NOTE 0x000128 0x08048128 0x08048128 0x00020 0x00020 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4

It's not looking good at all: the section headers are gone, so section-based tools have nothing to work with, but the program headers are intact and that is all the loader (and IDA) needs.
Let's load it with IDA. Here is a short view:


Jump to entry point of program: Ctrl+E -> start

LOAD:08048380 ; Attributes: noreturn
LOAD:08048380
LOAD:08048380 public start
LOAD:08048380 start proc near
LOAD:08048380 xor ebp, ebp
LOAD:08048382 pop esi
LOAD:08048383 mov ecx, esp
LOAD:08048385 and esp, 0FFFFFFF0h
LOAD:08048388 push eax
LOAD:08048389 push esp
LOAD:0804838A push edx
LOAD:0804838B push offset sub_8048580
LOAD:08048390 push offset sub_8048510
LOAD:08048395 push ecx
LOAD:08048396 push esi
LOAD:08048397 push offset sub_8048438
LOAD:0804839C call sub_8048344
LOAD:080483A1 hlt
LOAD:080483A1 start endp

So, main() is the function whose address is pushed just before the call in the start stub:

LOAD:08048397 push offset sub_8048438

Jump to main() [G: 8048438]

Scroll down a bit:

LOAD:0804849E loc_804849E: ; CODE XREF: sub_8048438+47j
LOAD:0804849E mov [ebp+var_10], 6
LOAD:080484A5 mov [ebp+var_C], 2
LOAD:080484AC mov [ebp+var_8], 0
LOAD:080484B3 mov [ebp+var_4], 4530h
LOAD:080484BA mov eax, [ebp+arg_4]
LOAD:080484BD add eax, 4
LOAD:080484C0 mov eax, [eax]
LOAD:080484C2 sub esp, 0Ch
LOAD:080484C5 push eax
LOAD:080484C6 call sub_8048354
LOAD:080484CB add esp, 10h
LOAD:080484CE mov [ebp+var_14], eax
LOAD:080484D1 nop
LOAD:080484D2 mov eax, [ebp+var_10]
LOAD:080484D5 mov edx, eax
LOAD:080484D7 imul edx, [ebp+var_C]
LOAD:080484DB mov eax, [ebp+var_14]
LOAD:080484DE imul eax, edx
LOAD:080484E1 mov [ebp+var_8], eax
LOAD:080484E4 xor eax, eax
LOAD:080484E6 mov eax, [ebp+var_4]
LOAD:080484E9 cmp eax, [ebp+var_8]
LOAD:080484EC jnz short loc_80484FE
LOAD:080484EE sub esp, 0Ch
LOAD:080484F1 push offset aDone ; "done"
LOAD:080484F6 call sub_8048324
LOAD:080484FB add esp, 10h

So, the comparison is at 0x080484E9 and the conditional jump follows right below it.
There are two ways to solve this problem: Patch & KeyGen.

1. Patch:
- We will NOP out the jump. The first LOAD segment maps file offset 0 to 0x08048000, so the jnz at 0x080484EC sits at file offset 0x4EC.
- Load hexedit:

$ hexedit easymath

Press {Enter} then type the offset: 0x4EC
- We patch 2 bytes: 75 10 (jnz short +0x10) into 90 90 (two NOPs, same length).
F2 to save, then F10 (or Ctrl+X) to quit.
- Run the crackme with any argument value.

2. Keygen:
- Taking a closer look at the disassembly above, I annotate it like this:


LOAD:0804849E mov [ebp+var_10], 6 ; var_10 = 6
LOAD:080484A5 mov [ebp+var_C], 2 ; var_C = 2
LOAD:080484AC mov [ebp+var_8], 0 ; var_8 = 0
LOAD:080484B3 mov [ebp+var_4], 4530h ; var_4 = 4530
LOAD:080484BA mov eax, [ebp+arg_4]
LOAD:080484BD add eax, 4
LOAD:080484C0 mov eax, [eax]
LOAD:080484C2 sub esp, 0Ch
LOAD:080484C5 push eax
LOAD:080484C6 call sub_8048354 ; atoi( argv[1] )
LOAD:080484CB add esp, 10h
LOAD:080484CE mov [ebp+var_14], eax ; var_14 = atoi( argv[1] )
LOAD:080484D1 nop
LOAD:080484D2 mov eax, [ebp+var_10] ; eax = var_10 = 6
LOAD:080484D5 mov edx, eax ; edx = eax = 6
LOAD:080484D7 imul edx, [ebp+var_C] ; edx = edx * var_C = 6 * 2 = C
LOAD:080484DB mov eax, [ebp+var_14] ; eax = var_14
LOAD:080484DE imul eax, edx ; eax = eax * edx = var_14 * C
LOAD:080484E1 mov [ebp+var_8], eax ; var_8 = eax = var_14 * C
LOAD:080484E4 xor eax, eax ; eax = 0
LOAD:080484E6 mov eax, [ebp+var_4] ; eax = var_4
LOAD:080484E9 cmp eax, [ebp+var_8] ; eax == var_8 ?
LOAD:080484EC jnz short loc_80484FE ; if equal, fall through to 0x080484EE (print "done"); else jump to 0x080484FE
LOAD:080484EE sub esp, 0Ch
LOAD:080484F1 push offset aDone ; "done"
LOAD:080484F6 call sub_8048324
LOAD:080484FB add esp, 10h

As you can see, var_14 is our input argv[1]. So it must be the number N that satisfies the equation N * C = 4530 (hex values).
So, N = 5C4 hex, or 1476 in decimal.
Try it:

$ ./easymath 1476
done
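As an added example (not part of the original write-up), the following Python script reproduces both solutions: it maps the jnz's virtual address to its file offset using the first PT_LOAD segment from the readelf output, refuses to patch unless the expected 75 10 bytes are really there, and solves the equation main() checks, masking to 32 bits the way imul/cmp do. The sample image is a constructed stand-in, not the real easymath binary.

```python
import re

# Constants taken from the write-up: the first PT_LOAD segment maps file offset 0
# to VA 0x08048000 (FileSiz 0x644), and the jnz sits at VA 0x080484EC.
LOAD_VADDR, LOAD_OFFSET, LOAD_FILESZ = 0x08048000, 0x000000, 0x644
JNZ_VADDR = 0x080484EC
JNZ_BYTES = bytes.fromhex("7510")  # jnz short +0x10
NOP_BYTES = bytes.fromhex("9090")  # two 1-byte NOPs, same length as the jnz
MASK32 = 0xFFFFFFFF                # imul/cmp operate on 32-bit registers

def va_to_file_offset(va):
    """Translate a virtual address to a file offset via the containing PT_LOAD segment."""
    if not LOAD_VADDR <= va < LOAD_VADDR + LOAD_FILESZ:
        raise ValueError(f"{va:#x} is not backed by the first LOAD segment")
    return va - LOAD_VADDR + LOAD_OFFSET

def patch_jump(image):
    """Return a copy of the ELF image with the jnz NOPed out; refuse if the bytes differ."""
    off = va_to_file_offset(JNZ_VADDR)
    found = bytes(image[off:off + 2])
    if found != JNZ_BYTES:
        raise ValueError(f"expected {JNZ_BYTES.hex()} at {off:#x}, found {found.hex()}")
    patched = bytearray(image)
    patched[off:off + 2] = NOP_BYTES
    return bytes(patched)

def atoi(s):
    """Minimal C atoi: optional leading whitespace and sign, then leading digits only."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0

def check(argv1, var_10=6, var_c=2, var_4=0x4530):
    """Re-implement main()'s arithmetic: True means the crackme prints 'done'."""
    var_14 = atoi(argv1) & MASK32
    var_8 = (var_14 * ((var_10 * var_c) & MASK32)) & MASK32
    return var_8 == (var_4 & MASK32)

def keygen(var_10=6, var_c=2, var_4=0x4530):
    """Solve var_14 * (var_10 * var_c) == var_4 for the smallest non-negative var_14."""
    product = var_10 * var_c
    if var_4 % product:
        raise ValueError(f"{var_4:#x} is not a multiple of {product:#x}")
    return var_4 // product

def make_sample_image():
    """Constructed stand-in for easymath: zero-filled, with the jnz bytes at 0x4EC."""
    img = bytearray(LOAD_FILESZ)
    img[0x4EC:0x4EE] = JNZ_BYTES
    return bytes(img)
```

Other inputs that wrap around 32 bits are also rejected by check(), which is why the keygen looks for the exact divisor rather than trusting any value that happens to match modulo 2^32.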

That's all for this crackme.

Have fun!
