- Prison Code Breaker Diary -

=> aka: Nhật Kí Code Tù


==:: Crackme Info ::==
Difficulty: 1 - Very easy, for newbies
Platform: Unix/Linux etc.
Language: C/C++

Disassemble the main() function to see what's going on.


(gdb) disas main

Look at this

0x080484b0 : movl $0x80485e3,(%esp)
0x080484b7 : call 0x804831c

0x80485e3 is the address of the string "[!] Solved!", placed on the stack as the argument to the call that prints it.
Looking a little further up, we can see

0x0804846c : mov $0xa,%ecx
0x08048471 : mov 0x4(%edx),%esi
0x08048474 : repz cmpsb %es:(%edi),%ds:(%esi)
0x08048476 : je 0x80484b0

Here is how it works.
repz cmpsb compares the bytes at ESI and EDI one by one for up to 0x0A (10) bytes, stopping early at the first mismatch. The je that follows jumps to 0x80484b0 only if all 10 bytes were equal, and that path prints the success message; otherwise it fails. ESI is loaded from 0x4(%edx), which is presumably argv[1], so our argument is compared against a fixed 10-byte reference string at EDI.

There are two things you can do at this point.
1. Patch the Jump
2. Check for string in EDI

Let's do both of these as a practice.

1. Patching:

$ gdb --write -nx -q crackme1
(gdb) x/x 0x8048474
0x8048474 : 0x3874a6f3
(gdb) set {int} 0x8048474 = 0x38749090
(gdb) q
$ ./crackme1
[!] Solved!
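A note on the patch above: it NOPs out the repz cmpsb but leaves the je in place, so whether the jump is taken depends on whatever flags an earlier instruction left behind. It worked here, but the more robust one-byte patch is to turn the je (opcode 0x74) at 0x8048476 into a jmp short (opcode 0xeb): the rel8 operand 0x38 stays the same and the success path is taken unconditionally. Below is an added example (my code, not part of the original writeup) that applies that patch to the file directly instead of through gdb --write. It walks the ELF32 program headers to turn the virtual address into a file offset, and refuses to write unless the byte it expects (0x74 at 0x8048476, taken from the listing above) is really there. build_sample_elf is a constructed stand-in with the same four bytes at the same address, not the real crackme1.

```python
import struct
import sys

# Assumed from the disassembly on this page: 'je 0x80484b0' sits at 0x08048476 (opcode 0x74, rel8 0x38).
JE_ADDR = 0x08048476
JE_OPCODE = b"\x74"
JMP_SHORT_OPCODE = b"\xeb"   # unconditional short jump, same one-byte rel8 operand


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset via the PT_LOAD program headers (ELF32, little-endian)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:  # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        raise ValueError("expected a 32-bit little-endian ELF")
    e_phoff = struct.unpack_from("<I", elf, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz = struct.unpack_from(
            "<IIIII", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= vaddr < p_vaddr + p_filesz:  # PT_LOAD, file-backed part only
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by file contents")


def patch_bytes(elf: bytes, vaddr: int, expected: bytes, new: bytes) -> bytes:
    """Return a copy of `elf` with `new` written at `vaddr`.

    Refuses unless the bytes currently there equal `expected`, so a wrong address,
    a different build, or an already patched file cannot be silently corrupted.
    Lengths must match so no following instruction is shifted.
    """
    if len(expected) != len(new):
        raise ValueError("replacement must keep the same length")
    off = vaddr_to_offset(elf, vaddr)
    current = elf[off:off + len(expected)]
    if current != expected:
        raise ValueError(f"bytes at {vaddr:#x} are {current.hex()}, expected {expected.hex()}")
    return elf[:off] + new + elf[off + len(new):]


def force_solved(elf: bytes) -> bytes:
    """Turn the conditional 'je' into an unconditional 'jmp' to the success path."""
    return patch_bytes(elf, JE_ADDR, JE_OPCODE, JMP_SHORT_OPCODE)


def build_sample_elf() -> bytes:
    """Constructed stand-in for crackme1 (not the real file): a bare ELF32 header plus one
    PT_LOAD segment mapping file offset 0 to 0x08048000, with 'repz cmpsb; je +0x38'
    placed at 0x08048474 exactly as in the listing above."""
    image = bytearray(0x500)
    image[0:16] = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHIIIIIHHHHHH", image, 16,
                     2, 3, 1,            # e_type=ET_EXEC, e_machine=EM_386, e_version
                     0x08048474,         # e_entry (arbitrary here)
                     52, 0, 0,           # e_phoff, e_shoff, e_flags
                     52, 32, 1,          # e_ehsize, e_phentsize, e_phnum
                     0, 0, 0)            # e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<IIIIIIII", image, 52,
                     1, 0, 0x08048000, 0x08048000,   # PT_LOAD, p_offset, p_vaddr, p_paddr
                     0x500, 0x500, 5, 0x1000)        # p_filesz, p_memsz, p_flags=R+X, p_align
    image[0x474:0x478] = bytes.fromhex("f3a67438")   # repz cmpsb ; je 0x80484b0
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(force_solved(data))
    else:
        sample = build_sample_elf()
        off = vaddr_to_offset(sample, JE_ADDR)
        print(f"{JE_ADDR:#x} -> file offset {off:#x}: {sample[off - 2:off + 2].hex()} -> "
              f"{force_solved(sample)[off - 2:off + 2].hex()}")
```

Run it as `python3 patch.py crackme1 crackme1.patched` (then chmod +x the output); with no arguments it patches the constructed sample and prints the four bytes before and after. The expected-bytes check is the part worth keeping for any binary patch: it is what stops you from writing 0xeb into the wrong build.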

2. Trace through EDI
- Set a breakpoint at main+65 (before the comparison runs), run the binary with any argument so that argv[1] exists, and look at what EDI points to:

(gdb) x/s $edi
0x80485d4: "__gmon_start__"

OK. Since only 10 bytes are compared, passing __gmon_sta as the argument is enough; anything after the tenth byte is never looked at, so __gmon_start__ or __gmon_staXYZ works just as well. Note that cmpsb compares raw bytes and does not care about NUL terminators, so an argument shorter than 10 bytes always fails: its terminator gets compared against the next byte of the reference string.

Have fun!
