Artificial truth

The more you see, the less you believe.


Defeating lincrackme2
Wed 22 August 2012

You can get the crackme here. The readme says:

This is a linux crackme (32 and 64 bit). The goal is to obtain the correct key (there's just one valid key).

The crackme implements simple anti-debugging/anti-disassembling tricks you'll have to bypass to get the key. Thus, the purpose is to learn these tricks and how to bypass them to achieve your goal.

This crackme is part of a series of crackmes I'll be publishing with different tricks, so people can learn more about these techniques in Linux.

Patching is allowed as a last resort only. The key generation method is not complicated, because it's not the goal of the crackme.

Have fun!

My own solution (and maybe some of yours) will be published here: http://securityetalii.es

$ file lincrackme2
lincrackme2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x326adbcd600fd137f96f5b359d842759481c659d, stripped

Shared libs? Nice. What can ltrace tell us about it?

$ ltrace ./lincrackme2
__libc_start_main(0x804860a, 1, 0xff9cf3c4, 0x8048790, 0x8048780 <unfinished ...>
close(3) = -1
malloc(9) = 0x08624008
printf("You can enter the key now: ") = 27
close(3) = -1
getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20You can enter the key now: 1234
) = 49
getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20) = 50
getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20) = 51
getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20) = 52
getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20) = 10
puts("Wrong Key. Looks like you suck a"...Wrong Key. Looks like you suck at this.
) = 40
+++ exited (status 1) +++

Wrong key; we suck at guessing, OK. But we can see a malloc(9): the key is probably 8 characters long (plus the terminating '\0'), so let's feed it exactly 8.

$ ltrace ./lincrackme2
__libc_start_main(0x804860a, 1, 0xffcd3214, 0x8048790, 0x8048780 <unfinished ...>
close(3) = -1
malloc(9) = 0x091ae008
printf("You can enter the key now: ") = 27
close(3) = -1
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20You can enter the key now: 12345678
) = 49
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 50
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 51
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 52
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 53
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 54
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 55
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 56
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 10
strncmp("IEEAAEEI", "12345678", 9) = 1
puts("Wrong Key. Looks like you suck a"...Wrong Key. Looks like you suck at this.
) = 40
+++ exited (status 1) +++

Oh, a strncmp between IEEAAEEI and our input, on 9 chars. Since strncmp lives in libc and is reached through the PLT, ltrace gets to print both arguments, including the secret.

$ ./lincrackme2
You can enter the key now: IEEAAEEI
OK. You passed! Next crackme will be released soon ^_^

Easy.
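As an added example (my own C, not the crackme's source, which is stripped and not available here), below is a reconstruction of the pattern the two traces exposed: a malloc(9) buffer filled one getchar at a time, then a 9-byte strncmp against the key. Next to it is the same decision made on a digest of the input, so that neither the key string nor a comparison against it ever crosses a shared-library call that ltrace can log. The names read_key, check_key_plain, fnv1a and check_key_hashed are mine; the key IEEAAEEI and the strncmp length 9 come from the trace above. KEY_HASH is assembled from char literals at compile time so the example checks itself; in a real build you would paste the precomputed number.

```c
/* Added example, not the crackme's code: the key check ltrace exposed, and a
 * variant that makes the same decision without handing the secret to libc. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 8
static const char KEY[] = "IEEAAEEI";   /* key recovered from the strncmp trace */

/* Reads up to KEY_LEN characters (stopping at newline or EOF) into a
 * malloc(KEY_LEN + 1) buffer, mirroring the malloc(9) / getchar sequence
 * seen in the trace. Caller frees the result. */
char *read_key(FILE *in)
{
    char *buf = malloc(KEY_LEN + 1);
    if (buf == NULL)
        return NULL;
    int i = 0, c;
    while (i < KEY_LEN && (c = fgetc(in)) != EOF && c != '\n')
        buf[i++] = (char)c;
    buf[i] = '\0';
    return buf;
}

/* Observed pattern: strncmp is resolved through the PLT, so ltrace prints
 * both arguments, i.e. the key itself. Returns 1 on a match, 0 otherwise. */
int check_key_plain(const char *input)
{
    return strncmp(KEY, input, KEY_LEN + 1) == 0;
}

/* FNV-1a 32-bit written inline: a plain loop, no library call to report. */
uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* The digest of the key as a compile-time constant: the key bytes never land
 * in .rodata as a string. Built from char literals here so the example is
 * self-checking (assumption: a real build would paste the number instead). */
#define FNV_STEP(h, c) ((uint32_t)(((h) ^ (uint32_t)(unsigned char)(c)) * 16777619u))
static const uint32_t KEY_HASH =
    FNV_STEP(FNV_STEP(FNV_STEP(FNV_STEP(FNV_STEP(FNV_STEP(FNV_STEP(FNV_STEP(
        2166136261u, 'I'), 'E'), 'E'), 'A'), 'A'), 'E'), 'E'), 'I');

/* Hardened pattern: only an integer compare happens. ltrace still sees
 * getchar and puts, but no key and no comparison against it. */
int check_key_hashed(const char *input)
{
    return fnv1a(input) == KEY_HASH;
}

int main(void)
{
    printf("You can enter the key now: ");
    char *key = read_key(stdin);
    if (key == NULL)
        return 1;
    int ok = check_key_hashed(key);
    puts(ok ? "OK. You passed!" : "Wrong Key.");
    free(key);
    return ok ? 0 : 1;
}
```

Two caveats worth keeping in mind. ltrace only reports calls that leave the binary through the PLT, so anything inlined or statically linked is invisible to it; that is exactly why the hashed variant hides from this particular trick and why strings would still have found IEEAAEEI in the plain variant's .rodata. And moving the compare to a digest only defeats the library-call observation: a debugger stepping the loop still sees every byte, which is what the readme's other anti-debugging tricks are meant to slow down.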