- Prison Code Breaker Diary -

=> aka: Nhật Kí Code Tù


==:: Crackme Info ::==
Difficulty: 1 - Very easy, for newbies
Platform: Unix/linux etc.
Language: C/C++

This crackme is in fact pretty tough for a beginner like me, gigitjari. Since it's built in static mode, everything just looks very confusing.
I will use IDA, then go to the entry point of the main function.
Here it is


.text:08048208 ; main(argc, argv) of the crackme, presumably: arg_0/arg_4 are used as argc/argv below -- confirm
.text:08048208 ; Attributes: bp-based frame
.text:08048208 ; Helper roles below (sub_8049530 fprintf-like, sub_8048C10 exit-like, sub_8048BE0 atoi-like) are inferred from their arguments and the format strings, not from their bodies -- verify
.text:08048208 sub_8048208 proc near ; DATA XREF: start+17o
.text:08048208 ; Stack: 0x28 bytes of locals; var_28..var_1C double as the outgoing-argument slots for every call below
.text:08048208 var_28 = dword ptr -28h ; outgoing arg 0
.text:08048208 var_24 = dword ptr -24h ; outgoing arg 1
.text:08048208 var_20 = dword ptr -20h ; outgoing arg 2
.text:08048208 var_1C = dword ptr -1Ch ; outgoing arg 3
.text:08048208 var_14 = dword ptr -14h ; return value (only written on the early-error path)
.text:08048208 var_8 = dword ptr -8 ; transformed input
.text:08048208 var_4 = dword ptr -4 ; expected value the input is compared against
.text:08048208 arg_0 = dword ptr 8 ; argc (presumably)
.text:08048208 arg_4 = dword ptr 0Ch ; argv (presumably)
.text:08048208
.text:08048208 push ebp
.text:08048209 mov ebp, esp
.text:0804820B sub esp, 28h ; locals + outgoing args
.text:0804820E and esp, 0FFFFFFF0h ; 16-byte align the stack
.text:08048211 mov eax, 0 ; compiler-generated adjustment: eax = ((0 + 0Fh + 0Fh) >> 4) << 4 = 10h
.text:08048216 add eax, 0Fh
.text:08048219 add eax, 0Fh
.text:0804821C shr eax, 4
.text:0804821F shl eax, 4
.text:08048222 sub esp, eax ; esp -= 10h; no effect on the program logic
.text:08048224 mov [ebp+var_4], 4B7F3DA0h ; var_4 = 0x4B7F3DA0, the expected value; never written again in this function
.text:0804822B mov [esp+28h+var_1C], 0 ; args for sub_804EA50: (0, 1, 0, 0) -- purpose of that call is not visible here
.text:08048233 mov [esp+28h+var_20], 1
.text:0804823B mov [esp+28h+var_24], 0
.text:08048243 mov [esp+28h+var_28], 0
.text:0804824A call sub_804EA50
.text:0804824F test eax, eax ; negative result -> return 1
.text:08048251 jns short loc_8048260
.text:08048253 mov eax, 1
.text:08048258 mov [ebp+var_14], eax ; var_14 = 1 (return value)
.text:0804825B jmp loc_8048335
.text:08048260 ; ---------------------------------------------------------------------------
.text:08048260
.text:08048260 loc_8048260: ; CODE XREF: sub_8048208+49j
.text:08048260 cmp [ebp+arg_0], 2 ; argc == 2 ?
.text:08048264 jz short loc_8048291
.text:08048266 mov eax, [ebp+arg_4] ; eax = argv[0] (program name for the usage line)
.text:08048269 mov eax, [eax]
.text:0804826B mov edx, off_80AF3B4 ; edx = *off_80AF3B4, passed ahead of a format string -- looks like a FILE* (stdout/stderr); confirm
.text:08048271 mov [esp+28h+var_20], eax
.text:08048275 mov [esp+28h+var_24], offset aUsageSPassword ; "Usage : %s \n"
.text:0804827D mov [esp+28h+var_28], edx
.text:08048280 call sub_8049530 ; fprintf-like(stream, "Usage : %s \n", argv[0])
.text:08048285 mov [esp+28h+var_28], 0
.text:0804828C call sub_8048C10 ; exit-like(0); if it ever returned, control would fall into loc_8048291 with argc != 2 (argv[1] may be NULL)
.text:08048291 ; ---------------------------------------------------------------------------
.text:08048291
.text:08048291 loc_8048291: ; CODE XREF: sub_8048208+5Cj
.text:08048291 mov eax, [ebp+arg_4] ; eax = argv[1]
.text:08048294 add eax, 4
.text:08048297 mov eax, [eax]
.text:08048299 mov [esp+28h+var_28], eax
.text:0804829C call sub_8048BE0 ; presumably atoi(argv[1]): one pointer arg, result used as an integer below
.text:080482A1 mov [ebp+var_8], eax ; var_8 = n
.text:080482A4 lea eax, [ebp+var_8]
.text:080482A7 add dword ptr [eax], 5 ; var_8 += 5
.text:080482AA lea eax, [ebp+var_8]
.text:080482AD add dword ptr [eax], 60h ; var_8 += 0x60 (total +0x65)
.text:080482B0 mov edx, [ebp+var_8]
.text:080482B3 mov eax, edx
.text:080482B5 shl eax, 8 ; eax = var_8 * 256
.text:080482B8 sub eax, edx ; eax = var_8 * 256 - var_8 = var_8 * 255
.text:080482BA mov [ebp+var_8], eax
.text:080482BD mov eax, [ebp+var_8]
.text:080482C0 imul eax, 909090h ; var_8 *= 0x909090, 32-bit wraparound; the multiplier is even, so several inputs map to the same result
.text:080482C6 mov [ebp+var_8], eax
.text:080482C9 mov eax, [ebp+arg_4] ; eax = argv[1] again, for the "Using" line
.text:080482CC add eax, 4
.text:080482CF mov eax, [eax]
.text:080482D1 mov edx, off_80AF3B4
.text:080482D7 mov [esp+28h+var_20], eax
.text:080482DB mov [esp+28h+var_24], offset aUsingS ; "Using %s\n"
.text:080482E3 mov [esp+28h+var_28], edx
.text:080482E6 call sub_8049530 ; fprintf-like(stream, "Using %s\n", argv[1])
.text:080482EB mov eax, [ebp+var_4] ; eax = 0x4B7F3DA0
.text:080482EE cmp eax, [ebp+var_8] ; the actual check: expected value vs transformed input
.text:080482F1 jnz short loc_8048314 ; mismatch -> "Wrong!"
.text:080482F3 mov eax, off_80AF3B4
.text:080482F8 mov [esp+28h+var_24], offset aCorrectCracked ; "Correct, Cracked !!\n"
.text:08048300 mov [esp+28h+var_28], eax
.text:08048303 call sub_8049530
.text:08048308 mov [esp+28h+var_28], 0
.text:0804830F call sub_8048C10 ; exit-like(0); if it returned, execution would fall through into the "Wrong!" path
.text:08048314 ; ---------------------------------------------------------------------------
.text:08048314
.text:08048314 loc_8048314: ; CODE XREF: sub_8048208+E9j
.text:08048314 mov eax, off_80AF3B4
.text:08048319 mov [esp+28h+var_24], offset aWrong ; "Wrong!\n"
.text:08048321 mov [esp+28h+var_28], eax
.text:08048324 call sub_8049530
.text:08048329 mov [esp+28h+var_28], 0
.text:08048330 call sub_8048C10 ; exit-like(0)
.text:08048335 ; ---------------------------------------------------------------------------
.text:08048335
.text:08048335 loc_8048335: ; CODE XREF: sub_8048208+53j
.text:08048335 mov eax, [ebp+var_14] ; return var_14; reached via the jmp at 0804825B (var_14 = 1), or by fall-through from 08048330 if sub_8048C10 returns, in which case var_14 is uninitialized
.text:08048338 leave
.text:08048339 retn
.text:08048339 sub_8048208 endp
.text:08048339
.text:08048339 ;

This is where the input is compared

.text:080482EB mov eax, [ebp+var_4]
.text:080482EE cmp eax, [ebp+var_8]
.text:080482F1 jnz short loc_8048314

There are 2 solutions here, as usual: Patch & Keygen

1. Patch:
- Just do this as practice, since the author doesn't allow patching. For beginners, it's good to know how to patch as well.
- We patch the Jump at 0x080482F1 from: 75 21 to: 90 90

2. Keygen:
- Looking at the code flow, you can see that [ebp+var_4] doesn't change in main. Its value is assigned at the beginning:

.text:08048224 mov [ebp+var_4], 4B7F3DA0h

- The translation of the disassembly part:

.text:08048291 mov eax, [ebp+arg_4] ; eax = argv
.text:08048294 add eax, 4 ; eax = &argv[1]
.text:08048297 mov eax, [eax] ; eax = argv[1]
.text:08048299 mov [esp+28h+var_28], eax ; first (only) argument
.text:0804829C call sub_8048BE0 ; atoi( argv[1] ) -- inferred from its use; confirm in sub_8048BE0
.text:080482A1 mov [ebp+var_8], eax ; var_8 = atoi( argv[1] )
.text:080482A4 lea eax, [ebp+var_8] ; eax = &var_8
.text:080482A7 add dword ptr [eax], 5 ; var_8 += 5
.text:080482AA lea eax, [ebp+var_8] ; eax = &var_8
.text:080482AD add dword ptr [eax], 60h ; var_8 += 0x60 (total +0x65)
.text:080482B0 mov edx, [ebp+var_8] ; edx = var_8
.text:080482B3 mov eax, edx ; eax = edx
.text:080482B5 shl eax, 8 ; eax <<= 8 (var_8 * 256)
.text:080482B8 sub eax, edx ; eax = eax - edx = var_8 * 255
.text:080482BA mov [ebp+var_8], eax ; var_8 = eax
.text:080482BD mov eax, [ebp+var_8] ; eax = var_8
.text:080482C0 imul eax, 909090h ; eax = eax * 0x909090, 32-bit wraparound (multiplier is even, so the map is many-to-one)
.text:080482C6 mov [ebp+var_8], eax ; var_8 = eax
.text:080482C9 mov eax, [ebp+arg_4] ; eax = argv[1] again
.text:080482CC add eax, 4
.text:080482CF mov eax, [eax]
.text:080482D1 mov edx, off_80AF3B4 ; stream pointer, presumably (stdout/stderr)
.text:080482D7 mov [esp+28h+var_20], eax
.text:080482DB mov [esp+28h+var_24], offset aUsingS ; "Using %s\n"
.text:080482E3 mov [esp+28h+var_28], edx
.text:080482E6 call sub_8049530 ; fprintf-like(stream, "Using %s\n", argv[1])
.text:080482EB mov eax, [ebp+var_4] ; var_4 = 4B7F3DA0 (expected value)
.text:080482EE cmp eax, [ebp+var_8] ; expected value vs transformed argv[1]
.text:080482F1 jnz short loc_8048314 ; mismatch -> "Wrong!"

Here is the simple keygen, written in C:

#include <stdio.h>

/*
 * Mirror of the crackme's transform on atoi(argv[1])
 * (080482A1..080482C6): add 0x65, multiply by 255 ((x << 8) - x),
 * then multiply by 0x909090.  All steps are 32-bit unsigned, so each
 * wraps modulo 2^32 exactly like the imul in the binary.
 *
 * i: candidate input value (the integer argv[1] parses to)
 * returns: the value the binary compares against 0x4B7F3DA0
 */
unsigned int
compute( unsigned int i )
{
    unsigned int v = i + 0x65u;      /* add 5, then add 60h */
    v = (v << 8) - v;                /* shl 8 ; sub  ==  v * 255 */
    return v * 0x909090u;            /* imul 909090h */
}

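/*
 * Brute-force every 32-bit input and print each one whose transform hits
 * the constant the crackme compares against (mov [ebp+var_4], 4B7F3DA0h).
 *
 * The multiplier 0x909090 is even, so the transform is not invertible
 * modulo 2^32 and more than one input satisfies the check; all matches
 * are printed.  The binary reads its argument with an atoi-like call
 * (sub_8048BE0), so a match that fits in a signed int is the one to feed
 * back; matches >= 0x80000000 are printed here as their raw unsigned
 * bit pattern.
 *
 * Fix vs. the earlier loop: `while (i < 0xFFFFFFFF)` never tested the
 * last value 0xFFFFFFFF; the do/while below visits all 2^32 inputs once.
 */
int
main( int argc, char *argv[] )
{
    /* unsigned so the == against compute() involves no sign conversion */
    const unsigned int TARGET = 0x4B7F3DA0u;
    unsigned int i = 0;

    (void)argc;
    (void)argv;

    do {
        if( compute(i) == TARGET ) {
            printf("[+] Found: %u \n", i);
        }
    } while( i++ != 0xFFFFFFFFu );   /* stops after 0xFFFFFFFF has been checked */

    return 0;
}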

Have fun!
