Crackmes: lord’s easy Linux crackme
crackme will print text under certain conditions
what are the conditions?
sorry for my bad english - lord
Difficulty: 1 - very easy, for newbies
Platform: Unix/Linux, etc.
Language: Assembler
[Solving the Crackme]
A first step is simply running the file:
joset@kee:~/src/crackmes$ ./blah
joset@kee:~/src/crackmes$
It didn’t print anything at all, so the conditions aren’t met. I’ve been using gdb and objdump for quite some time now, and since there is no form of corruption in the file, these tools will be more than enough. Here’s the disassembly of the file in objdump:
blah:     file format elf32-i386

Disassembly of section .text:

08048094 <.text>:
 8048094:   31 c0                   xor    %eax,%eax
 8048096:   b8 2f 00 00 00          mov    $0x2f,%eax
 804809b:   cd 80                   int    $0x80
 804809d:   3d ad de 00 00          cmp    $0xdead,%eax
 80480a2:   75 16                   jne    0x80480ba
 80480a4:   b8 04 00 00 00          mov    $0x4,%eax
 80480a9:   bb 01 00 00 00          mov    $0x1,%ebx
 80480ae:   b9 c4 90 04 08          mov    $0x80490c4,%ecx
 80480b3:   ba 06 00 00 00          mov    $0x6,%edx
 80480b8:   cd 80                   int    $0x80
 80480ba:   31 c0                   xor    %eax,%eax
 80480bc:   40                      inc    %eax
 80480bd:   31 db                   xor    %ebx,%ebx
 80480bf:   cd 80                   int    $0x80
The first three instructions tell us that it calls getgid (system call 47 in /usr/include/asm/unistd.h), which returns the group id of the user running the file. The next two instructions are straightforward: execution jumps to 0x80480ba if eax is not equal to 0xdead. Here’s what happens from 0x80480ba onward:
1. eax will be cleared out (eax = 0)
2. eax will have a new value of 1 (exit system call)
3. ebx will be cleared out (ebx = 0)
For a clearer view, try echo $? after running the file and you’ll get a 0. Here’s how I did it: I patched the file. Take a look at 0x80480a2, where the conditional jump sits. I just changed the two bytes of jne 0x80480ba (75 16) to two nops (90 90).
joset@kee:~/src/crackmes$ gdb --write -nx -q blah
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) x/x 0x80480a2
0x80480a2: 0x04b81675
(gdb) set {int} 0x80480a2 = 0x04b89090
(gdb) q
joset@kee:~/src/crackmes$
There it is, 1675 to 9090. Now for the final shot:
joset@kee:~/src/crackmes$ ./blah
Okej!
joset@kee:~/src/crackmes$
Try running the file as a user whose gid is 0xdead; perhaps it would also yield the same result. I haven’t tried it though.
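As an added example (not the crackme author's code, nor anything from the original post), here is the same patch done outside gdb: a small Python script that maps the virtual address 0x80480a2 to a file offset through the ELF program headers, refuses to write unless the bytes there really are the jne (75 16), and overwrites them with two nops. It also pulls the 0xdead constant out of the cmp, which is the value you would need for the other solution (a group with that gid). The ELF header and load segment are constructed here to mimic the listing, since the real binary is not on the page; the instruction bytes are the ones from the objdump output above.

```python
import struct

# Instruction bytes exactly as shown in the objdump listing on the page
# (0x8048094 .. 0x80480c0). Everything around them (ELF header, program
# header) is constructed here so the example runs without the real file.
CODE = bytes.fromhex(
    "31c0"            # xor    %eax,%eax
    "b82f000000"      # mov    $0x2f,%eax        ; 47 = getgid on i386
    "cd80"            # int    $0x80
    "3dadde0000"      # cmp    $0xdead,%eax
    "7516"            # jne    0x80480ba         ; the check that gets patched
    "b804000000"      # mov    $0x4,%eax         ; write
    "bb01000000"      # mov    $0x1,%ebx         ; stdout
    "b9c4900408"      # mov    $0x80490c4,%ecx   ; address of "Okej!\n"
    "ba06000000"      # mov    $0x6,%edx
    "cd80"            # int    $0x80
    "31c0"            # xor    %eax,%eax
    "40"              # inc    %eax              ; exit
    "31db"            # xor    %ebx,%ebx         ; status 0
    "cd80"            # int    $0x80
)

LOAD_VADDR = 0x8048000   # assumed base of the single load segment
CODE_OFFSET = 0x94       # matches the listing: .text starts at 0x8048094
PT_LOAD = 1


def build_sample_elf() -> bytes:
    """Constructed minimal ELF32 image with one PT_LOAD segment (assumption:
    mimics the crackme's layout; the real file is not on the page)."""
    size = CODE_OFFSET + len(CODE)
    e_ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9  # 32-bit, LE, v1
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,                    # ET_EXEC, EM_386, EV_CURRENT
        LOAD_VADDR + CODE_OFFSET,   # e_entry
        52, 0, 0,                   # e_phoff, e_shoff, e_flags
        52, 32, 1,                  # e_ehsize, e_phentsize, e_phnum
        40, 0, 0,                   # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack(
        "<IIIIIIII",
        PT_LOAD, 0, LOAD_VADDR, LOAD_VADDR,  # type, offset, vaddr, paddr
        size, size, 5, 0x1000,               # filesz, memsz, R+X, align
    )
    image = bytearray(ehdr + phdr)
    image += b"\x00" * (CODE_OFFSET - len(image))
    image += CODE
    return bytes(image)


def vaddr_to_offset(image: bytes, vaddr: int) -> int:
    """Map a virtual address to its file offset via the program headers.
    gdb --write does this for you; a raw hex editor needs it done by hand."""
    if image[:4] != b"\x7fELF" or image[4] != 1:
        raise ValueError("not an ELF32 image")
    e_phoff, = struct.unpack_from("<I", image, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 42)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIIII", image, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#x} is not inside any PT_LOAD segment")


def expected_gid(image: bytes) -> int:
    """Recover the constant compared against getgid()'s result: the imm32 of
    the `cmp $imm32,%eax` (opcode 0x3d) that directly follows `int $0x80`."""
    idx = image.find(b"\xcd\x80\x3d")
    if idx < 0:
        raise ValueError("cmp after syscall not found")
    return struct.unpack_from("<I", image, idx + 3)[0]


def patch_bytes(image: bytes, vaddr: int, expect: bytes, new: bytes) -> bytes:
    """Overwrite bytes at a virtual address, refusing if the bytes already
    there are not the expected ones (guards against patching the wrong spot)."""
    if len(expect) != len(new):
        raise ValueError("replacement must keep the instruction length")
    off = vaddr_to_offset(image, vaddr)
    found = image[off:off + len(expect)]
    if found != expect:
        raise ValueError(f"unexpected bytes at {vaddr:#x}: {found.hex()}")
    out = bytearray(image)
    out[off:off + len(new)] = new
    return bytes(out)


def nop_out_gid_check(image: bytes) -> bytes:
    """The patch from the post: jne rel8 (75 16) at 0x80480a2 -> two nops."""
    return patch_bytes(image, 0x80480a2, b"\x75\x16", b"\x90\x90")


if __name__ == "__main__":
    elf = build_sample_elf()
    print(f"check constant: {expected_gid(elf):#x}")              # 0xdead
    patched = nop_out_gid_check(elf)
    word = int.from_bytes(patched[0xa2:0xa6], "little")
    print(f"dword at 0x80480a2 after patch: {word:#010x}")        # 0x04b89090
```

Reading the dword at 0x80480a2 little-endian gives 0x04b81675 before the patch and 0x04b89090 after, which is exactly what the gdb session above shows; the expect-bytes check in patch_bytes is the safeguard that keeps a stale address from silently corrupting some other instruction.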

As far as I know, lord said that editing the binary in this case isn’t allowed…
Comment by cli3nt — August 6, 2006 @ 5:57 pm
Oh, sorry, he told me that on IRC, not on crackmes.de.
Comment by cli3nt — August 6, 2006 @ 5:59 pm
Oops! I thought there was no specific rule imposed. I solved it the other way around, by creating a user with 0xdead as the gid and executing the crackme.
Comment by eradicus — August 9, 2006 @ 5:46 pm