Digital Stronghold

Language C
Linux x86/ELF

Difficulty: 1 - Very easy, for newbies
Platform: Unix/Linux, etc.
Language: C/C++

[Solving the Crackme]

As usual, we have to run the file first.

joset@kee:~/src/crackmes/mycrk$ ./mycrk
Type cd-key: eve
wrong!
joset@kee:~/src/crackmes/mycrk$

From this point we already know what the file needs, a correct key. I immediately disassembled the file without even bothering about its characteristics.

joset@kee:~/src/crackmes/mycrk$ objdump -d mycrk > temp.txt
joset@kee:~/src/crackmes/mycrk$ less temp.txt

The first trick, is to look for the disassembly of the main function. Here’s a portion of it.

...
 80483d4:       c7 45 fc 67 1e 01 00    movl   $0x11e67,0xfffffffc(%ebp)
 80483db:       c7 45 f8 70 12 5b 00    movl   $0x5b1270,0xfffffff8(%ebp)
 80483e2:       c7 45 f0 06 00 00 00    movl   $0x6,0xfffffff0(%ebp)
 80483e9:       83 ec 0c                sub    $0xc,%esp
 80483ec:       68 14 85 04 08          push   $0x8048514
 80483f1:       e8 ee fe ff ff          call   80482e4 <printf @plt>
 80483f6:       83 c4 10                add    $0x10,%esp
 80483f9:       83 ec 08                sub    $0x8,%esp
 80483fc:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 80483ff:       50                      push   %eax
 8048400:       68 22 85 04 08          push   $0x8048522
 8048405:       e8 ba fe ff ff          call   80482c4 <scanf @plt>
 804840a:       83 c4 10                add    $0x10,%esp
 804840d:       8b 45 f8                mov    0xfffffff8(%ebp),%eax
 8048410:       3b 45 f4                cmp    0xfffffff4(%ebp),%eax
 8048413:       75 1d                   jne    8048432 <main +0x6e>
 8048415:       8b 55 f0                mov    0xfffffff0(%ebp),%edx
 8048418:       8d 45 fc                lea    0xfffffffc(%ebp),%eax
 804841b:       31 10                   xor    %edx,(%eax)
 804841d:       83 ec 08                sub    $0x8,%esp
…

I am not going to provide a detailed information about this. Let’s observe the line there with a cmp, since lines with cmps usually attract crackers’ eyes at a first glance. It is very obvious that a value is being compared with the content of the eax register and is obtained through a buffered input because the line is preceded with a call 80482c4 <scanf @plt>. How do we get the value of the eax register? Getting the idea? Of course, we will use gdb by setting a breakpoint where the line resides and displaying the value being held by the eax register.

joset@kee:~/src/crackmes/mycrk$ gdb ./mycrk
...
(gdb) b *0x8048410
Breakpoint 1 at 0x8048410
(gdb) r
Starting program: /home/joset/src/crackmes/mycrk/mycrk
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
Type cd-key: eve
	
Breakpoint 1, 0x08048410 in main ()
(gdb) print $eax
$1 = 5968496
(gdb)

Looking back, we can see that it would jump to 8048432 <main +0x6e> if the values didn’t satisfy each other. Let’s see what it does from there.

...
 8048432:       83 ec 0c                sub    $0xc,%esp
 8048435:       68 29 85 04 08          push   $0x8048529
 804843a:       e8 a5 fe ff ff          call   80482e4 <printf @plt>
 804843f:       83 c4 10                add    $0x10,%esp
 8048442:       b8 00 00 00 00          mov    $0x0,%eax
 8048447:       c9                      leave
 8048448:       c3                      ret
...

There’s the presence of a call 80482e4 <printf @plt>. We can come up with an assumption that it is the notification being printed if an invalid key is entered. Therefore the key is the value being held by the eax register awhile ago. Let’s try it.

joset@kee:~/src/crackmes/mycrk$ ./mycrk
Type cd-key: 5968496
73313
joset@kee:~/src/crackmes/mycrk$

Done.

A good morning to start off is to get this simple program working. This is an improvement of the previous palindrome checker posted. What can we benefit from this anyway?

; palindrome checker
	
start:
        mov ah, 0ah
        lea dx, strptr
        int 21h
	
        lea di, string
        lea si, strlen
        mov cl, [si]
        xor ch, ch
        mov bx, cx
        lea si, string
        shr cl, 1	        
	
check:
        mov dl, [si]
        mov dh, [di+bx-1]
        cmp dl, dh
        jne notpal
        inc si
        dec di
	
loop check
	
        cmp dl, dh
        je pal
	
notpal:
        mov ah, 09h
        lea dx, msg2
        int 21h
        int 20h
	
pal:
        mov ah, 09h
        lea dx, msg1
        int 21h
        int 20h        
	
strptr  label byte
maxlen  db 49
strlen  db ?
string  db 50 dup ('$')
msg1    db '',10,'string is a palindrome!$'
msg2    db '',10,'string is not a palindrome!$'

“If God’s people which are called by His name, will humble themselves and pray, and seek His face, and turn from their wicked ways; then He will hear from heaven, and will forgive their sins, and will heal their land.” - 2 Chron 7:14

This is a simple case inverter, if you want to try this out download the a86 assembler here. It works like a charm in dosemu-freedos.

; case inverter
	
start:
        mov ah, 0ah
        lea dx, strptr
        int 21h
	
        lea si, string
        mov cl, [strlen]
	
check:
        mov al, [si]
        cmp al, 'Z'
        ja lowercase
        cmp al, 'a'
        jb uppercase
	
lowercase:
        cmp al, 'a'
        jb traverse
        cmp al, 'z'
        jbe toupper
	
uppercase:
        cmp al, 'Z'
        ja traverse
        cmp al, 'A'
        jae tolower
	
toupper:
        sub al, 32
        mov [si], al
        jmp traverse
	
tolower:
        add al, 32
        mov [si], al
	
traverse:
        inc si
	
loop check
	
        mov ah, 02h
        mov dl, 10
        int 21h
	
        mov ah, 09h
        lea dx, string
        int 21h
        int 20h
	
strptr  label byte
maxlen  db 49
strlen  db ?
string  db 50 dup ('$')

“Fortune favors the prepared mind.” - Louis Pasteur

crackme will print text under certain conditions
what are the conditions? sorry for my bad english - lord

Difficulty: 1 - very easy, for newbies
Platform: Unix/Linux, etc.
Language: Assembler

[Solving the Crackme]

An initiative would be running the file:

joset@kee:~/src/crackmes$ ./blah
joset@kee:~/src/crackmes$

It didn’t print anything at all. So the conditions aren’t met. I’ve been using gdb and objdump for quite some time now. Since there is no form of corruption in the file, these tools will be more than enough. Here’s the disassembly of the file in objdump:

  blah:     file format elf32-i386
	
Disassembly of section .text:
	
08048094 < .text>:
 8048094:       31 c0                   xor    %eax,%eax
 8048096:       b8 2f 00 00 00          mov    $0x2f,%eax
 804809b:       cd 80                   int    $0x80
 804809d:       3d ad de 00 00          cmp    $0xdead,%eax
 80480a2:       75 16                   jne    0x80480ba
 80480a4:       b8 04 00 00 00          mov    $0x4,%eax
 80480a9:       bb 01 00 00 00          mov    $0x1,%ebx
 80480ae:       b9 c4 90 04 08          mov    $0x80490c4,%ecx
 80480b3:       ba 06 00 00 00          mov    $0x6,%edx
 80480b8:       cd 80                   int    $0x80
 80480ba:       31 c0                   xor    %eax,%eax
 80480bc:       40                      inc    %eax
 80480bd:       31 db                   xor    %ebx,%ebx
 80480bf:       cd 80                   int    $0x80

The first 3 lines tell us that it will call getgid (47 in /usr/include/asm/unistd.h). The system call returns the group id of the user running the file. The next 2 lines are straightforward. The execution jumps to 0x80480ba if eax is not equal to 0xdead. Here’s what will happen from 0x80480ba onward:

1. eax will be cleared out (eax = 0)
2. eax will have a new value of 1 (exit system call)
3. ebx will be cleared out (ebx = 0)

For a clearer view, try echo $? after running the file and you’ll get a 0. Here’s how I did it. I patched the file. Take a loot at 0x80480a2, we can find the conditional jump there. I just changed the opcodes jne (75) 0x80480ba (16) to nop (90).

joset@kee:~/src/crackmes$ gdb --write -nx -q blah
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) x/x 0x80480a2
0x80480a2:      0x04b81675
(gdb) set {int} 0x80480a2 = 0x04b89090
(gdb) q
joset@kee:~/src/crackmes$

There it is, 1675 to 9090. Now for the final shot,

joset@kee:~/src/crackmes$ ./blah
Okej!
joset@kee:~/src/crackmes$

Try running the file with a user under 0xdead perhaps it would also yield the same result. I haven’t tried it though.

Making you feel loved was the easiest thing I have ever done before. It’s just sad to think that things just changed. I wish I could turn back those days. The times when we sat down under a tree, observed the fading horizon, held hands and stared at the crimsoning sun. I know how destiny fools us. If destiny asserts that we are not for each other, then I would fight destiny just to have you in my arms forever. I love you my everdearest.

I’m sorry for what had happened to the rose. It’s not too late though, I can still take care another bud for you.

Simple programming stuffs save me from insanity. This a86 assembly program tells if str1 is a palindrome.

start:
        cld
        mov cx, 7
        lea si, str1
        lea di, temp
	
reverse:
        mov al, [si+6]
        mov [di], al
        inc di
        dec si
        loop reverse
	
        mov ah, 09h
        lea dx, temp
        int 21h
	
        cld
        mov cx, 4
	
compare:
        lea di, temp
        lea si, str1
        repe cmpsb
        jne exit
	
        mov ah, 09h
        lea dx, yes
        int 21h
	
exit:
        mov ah, 4Ch
        mov al, 00
        int 21h
        int 20h
	
str1    db 'racecar$'
yes     db '',10,'string is a palindrome!$'
temp    db 8 dup ('$')

[Middle-East Crisis]

Israel, known as the chosen people of God called a thousand reservists in a possible prelude to a ground offensive against Lebanon. Accordingly, they have to clean up bunkers and tunnels that are invulnerable to air attacks. Isn’t it ironic for the Mossads to be called as the chosen people of God?

I can still remember way back then, I was five years old when I had my primary hobbies, hunting, fishing, and shooting-range. Today, we went to Sinubung, a semi-dangerous place located in the far west coast of Zamboanga City and is known for its shore having huge waves and numerous sea urchins. We have gone fishing. It was fun riding my grandfather’s motor-operated vinta again though I am deeply saddened with what had happened today. The last time I set foot on that vinta was 15 years ago. I can still remember my grandfather pulling the nylon with a huge squid hooked up. Of course, the squid fired up a black tint. Because of that black tint, and the times when I threw up while riding the vinta, I have something now which I call memories worth remembering.

Awhile ago, we did the same but no squid and from what I have observed fishes are already scarce! We spent almost three hours, changing position from time to time on the sea. I was the one throwing and pulling the anchor everytime we shift locations but damn no fishes!

A very nice experience. The prize for the experience? Well, a swollen left foot, 5 thorns pierced from black sea urchins. It’s not a big deal though. The prize does not outweigh the experience. Waves were really strong awhile ago. I was a little nervous.

The truth is, I am sad today. It could be that I’ve lost someone very special.

Red Horse Muziklaban is fast approaching. Tomorrow will be the qualification or shall I say audition. One composition down. I am still trying to come up with a nice riff for the adlib. Hoping to impress the judges tomorrow.

[Programming]

I am just messing up with DOS Assembly. I started out programming in 32-bit protected mode, now broadening my knowledge by diving into 16-bit real mode. I have nothing new these days, just reviewing C++.

Signing off through a quote by Albert Einstein

“Information is not knowledge.”

Congratulations Manny Pacquiao!

He was once a singer of a local band in Gen. Santos City. Look at him now, he is the most influential person in our nation and probably one of the most influential persons around the globe. I was really fascinated by his fight with Oscar Larios. He has become faster than ever. Incomparable vigor that is! Raise it up Manny. More power and advertisements ahead.

On the other hand, I pity Oscar Larios, he was a great fighter. I admire his sportsmanship and humility. He is one of the cheerful and honest boxers I’ve ever seen. His courage is a deadly weapon that one shouldn’t take advantage of. Maintaining his mind in equilibrium state could have driven Manny on the floor.

[Globe Telecom]

What is happening? I couldn’t send and receive SMSs. Calling does not solve the issue either. Hoping for better services in the future.