- Prison Code Breaker Diary -

=> aka: Nhật Kí Code Tù

Categories

Solve lord's easy crackme 2  

, , , , Add comments

[ Crackme Info ]
Difficulty: 1 - Very easy, for newbies
Platform: Unix/linux etc.
Language: Assembler
Refer: click here
Click to Download

Load into IDA, we have the main program


.text:08048085               mov     ebx, 1           ; fd
.text:0804808A               mov     ecx, offset aPassword ; "\nPassword : "
.text:0804808F               mov     edx, 0Dh           ; len
.text:08048094               int     80h           ; LINUX - sys_write
.text:08048096               mov     edx, 100h       ; len
.text:0804809B               mov     ecx, offset asc_804911B ; "        "
.text:080480A0               mov     ebx, 0           ; fd
.text:080480A5               mov     eax, 3
.text:080480AA               int     80h           ; LINUX - sys_read
.text:080480AC               mov     esi, offset aQtbxctu ; "QTBXCTU"
.text:080480B1               mov     edi, esi
.text:080480B3               xor     ebx, ebx
.text:080480B5               cld
.text:080480B6
.text:080480B6 loc_80480B6:                   ; CODE XREF: start+43j
.text:080480B6               lodsb
.text:080480B7               xor     al, 21h
.text:080480B9               stosb
.text:080480BA               inc     ebx
.text:080480BB               cmp     ebx, 7
.text:080480C1               jz      short loc_80480C5
.text:080480C3               loop    loc_80480B6
.text:080480C5
.text:080480C5 loc_80480C5:                   ; CODE XREF: start+41j
.text:080480C5               mov     esi, offset asc_804911B ; "        "
.text:080480CA               mov     edi, offset aQtbxctu ; "QTBXCTU"
.text:080480CF               mov     ecx, 7
.text:080480D4               cld
.text:080480D5               repe cmpsb
.text:080480D7               jnz     short loc_80480EF
.text:080480D9               mov     eax, 4
.text:080480DE               mov     ebx, 1           ; status
.text:080480E3               mov     ecx, offset unk_8049105 ; addr
.text:080480E8               mov     edx, 16h           ; len
.text:080480ED               int     80h           ; LINUX - sys_write
.text:080480EF
.text:080480EF loc_80480EF:                   ; CODE XREF: start+57j
.text:080480EF               mov     eax, 1
.text:080480F4               int     80h           ; LINUX - sys_exit
.text:080480F4 start           endp
.text:080480F4
.text:080480F4 _text           ends
.text:080480F4

Each bytes of our input password is encrypted:

.text:080480B6 loc_80480B6:                   ; CODE XREF: start+43j
.text:080480B6               lodsb
.text:080480B7               xor     al, 21h
.text:080480B9               stosb
.text:080480BA               inc     ebx
.text:080480BB               cmp     ebx, 7
.text:080480C1               jz      short loc_80480C5
.text:080480C3               loop    loc_80480B6

So, the real password can be found if we decrypt the string "QTBXCTU".
The encryption is simple, each byte is XORed w/ 0x21.
Then, we also use XORed w/ 0x21 to decrypt it.
Here a little perl script I wrote to decrypt.

#!/usr/bin/perl
my $cipher_txt = "QTBXCTU";
my $plain_txt;

my @arr = unpack("C*", $cipher_txt);
foreach my $c (@arr) {
   $plain_txt .= chr( $c ^ 0x21 );
}

print $plain_txt, "\n";


Have fun!@

0 comments

Post a Comment

Newer Post Older Post