Log in

View Full Version : oxf001m3 a "harder" crackme

0xf001
April 20th, 2007, 12:02
hi,

i have created my first crackme for your pleasure

i hand crafted this binary in asm (NASM) , and included some
anti-libbfd, anti-disassembling, anti-debugging stuff, and a bit
of obfuscation. though it is not so scary you will see ...

your task is to find the correct password.

all tools allowed, if they dont segfault

have a lot of fun ..... !

0xf001
Silkut
April 20th, 2007, 13:39
Ohhh grühht
Thanks I'll give it a look, in spite of my light linux knowledge.
blabberer
April 21st, 2007, 03:33
a bps on gdb or ald and you can defeat the eax = 0x1a int 80 call with set $eax = 0

and that will let you get out of push 0xf001 retn trap
and you will end up here

0x08048a4d in ?? ()
1: x/i $pc 0x8048a4d: int 0x80
(gdb)
oxfoo1m3 started ;] <-------
0x08048a50 in ?? ()
1: x/i $pc 0x8048a50: pushf
(gdb)

0x08048a4d in ?? ()
1: x/i $pc 0x8048a4d: int 0x80
(gdb)
3nt4 p455w0rD:<-----------
0x08048a50 in ?? ()
1: x/i $pc 0x8048a50: pushf

(gdb) i r eax
eax 0xa 10
(gdb) x/s $esi-1
0x8048223: "\nXXXXXXXXXXmyne{xtvfw~è\001"
(gdb)



got few more tricks after this ? or is it now just bruteforcing through the add edx,9 push edx retns ?

nice anyway but doesnt look like gdb or ald is afraid of this cme ?
0xf001
April 21st, 2007, 10:01
blabberer,

of course no magic to defeat anti ptrace , u need to know how to use the tools. that is indeed very simple, its just one part.
btw i realized i made a lil mistake in encryption, but thats no problem it gets easier, i think you saw this.


so when u are there where u are, so get the password. bruteforcing is lame, but go for it

Quote:
nice anyway but doesnt look like gdb or ald is afraid of this cme


well, my gdb does not load the cme at all. did your gdb load it as it was?

to be honest, i am not sure now if u came very far. u are i think after decryption of the body. its more or less a question of time until u figure the rest. but, thats always the case aaand .... i know a bit your skills, u are a bit too experienced, and i guess an exception of the typical crackmes.de audience

cheers, 0xf001
blabberer
April 21st, 2007, 10:18
Quote:

btw i realized i made a lil mistake in encryption, but thats no problem it gets easier, i think you saw this.


if you mean the decryption of 0xa80 bytes xorring with 0x58 or some other byte then yes you miss two bytes in the sequence (not sure but my instinct said i could break on 0x*****95 and still pass your decryption unscathed

all i did was gdb -q ./foo1 break 0x****

Code:


:~/0xf001/oxfoo1m3> gdb -q ./oxfoo1m3

BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'

BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'

BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'

BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'

(no debugging symbols found)...gdb $



-------------------------------------------------------------------------[ regs]

     eax:00000080 ebx:00000000  ecx:00000000  edx:08048193     eflags:00000316

     esi:08048C16 edi:08048C16  esp:BFFFD230  ebp:00000000     eip:0804809E

     cs:0023  ds:002B  es:002B  fs:0000  gs:0000  ss:002B    o d I T s z A P c

[002B:BFFFD230]---------------------------------------------------------[stack]

BFFFD260 : 65 F3 FF BF  76 F3 FF BF - 84 F3 FF BF  AD F3 FF BF e...v...........

BFFFD250 : 16 F3 FF BF  3D F3 FF BF - 49 F3 FF BF  59 F3 FF BF ....=...I...Y...

BFFFD240 : 80 F2 FF BF  90 F2 FF BF - C2 F2 FF BF  06 F3 FF BF ................

BFFFD230 : 01 00 00 00  40 F2 FF BF - 00 00 00 00  67 F2 FF BF ....@.......g...

[002B:08048C16]---------------------------------------------------------[ data]

08048C16 : C8 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................

08048C26 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................

[0023:0804809E]---------------------------------------------------------[ code]

0x804809e:      call   0x80480a4

0x80480a3:      jmp    0x13c70202

0x80480a8:      add    BYTE PTR [eax],al

0x80480aa:      add    BYTE PTR [edx-61],dl

0x80480ad:      jmp    0x8134333

0x80480b2:      add    BYTE PTR [eax],al

-------------------------------------------------------------------------------

Error while running hook_stop:

Invalid type combination in ordering comparison.

0x0804809e in ?? ()

gdb $



     eax:0000001A ebx:00000000  ecx:00000001  edx:080487CE     eflags:00000282

     esi:00000000 edi:08048C16  esp:BFFFD228  ebp:00000000     eip:08048A4D

     cs:0023  ds:002B  es:002B  fs:0000  gs:0000  ss:002B    o d I t S z a p c

[002B:BFFFD228]---------------------------------------------------------[stack]

BFFFD258 : 49 F3 FF BF  59 F3 FF BF - 65 F3 FF BF  76 F3 FF BF I...Y...e...v...

BFFFD248 : C2 F2 FF BF  06 F3 FF BF - 16 F3 FF BF  3D F3 FF BF ............=...

BFFFD238 : 00 00 00 00  67 F2 FF BF - 80 F2 FF BF  90 F2 FF BF ....g...........

BFFFD228 : CE 87 04 08  BC 80 04 08 - 01 00 00 00  40 F2 FF BF ............@...

[002B:08048C16]---------------------------------------------------------[ data]

08048C16 : C8 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................

08048C26 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................

[0023:08048A4D]---------------------------------------------------------[ code]

0x8048a4d:      int    0x80

0x8048a4f:      pushf

0x8048a50:      pushf

0x8048a51:      pusha

0x8048a52:      call   0x8048a58

0x8048a57:      jmp    0x13c70bb6

-------------------------------------------------------------------------------

Error while running hook_stop:

Invalid type combination in ordering comparison.



Breakpoint 3, 0x08048a4d in ?? ()
0xf001
April 21st, 2007, 10:25
blabberer, please stay tuned ... if u can ...

i boot my environments to verify ....

what gdb version do u use?

thanks!

EDIT: ok, i have gdb 6.4.90 on debian etch unstable

it tells me: File format not recognized!

i cant use gdb on it, without getting over first "trick". so u had it quite much more easy, because to defeat that
on the systems i tried, its a bit a challenge.
what libbfd do u have? i think u have a damn cool libbfd! probably u can even objdump it???

Quote:
if you mean the decryption of 0xa80 bytes xorring with 0x58 or some other byte then yes you miss two bytes in the sequence (not sure but my instinct said i could break on 0x*****95 and still pass your decryption unsca


nope, i meant i wanted to load the decryption operand from the modified elf header, so if u restored it, in order to run it in gdb etc, it would decrypt wrong.

regards, 0xf001
blabberer
April 21st, 2007, 10:34
well i dont run the latest and greatest
gdb -v
GNU gdb 5.3.92
Code:


 objdump -x ./oxfoo1m3

BFD: ./oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'

BFD: ./oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'



./oxfoo1m3:     file format elf32-i386

./oxfoo1m3

architecture: i386, flags 0x00000102:

EXEC_P, D_PAGED

start address 0x08048080



Program Header:

    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12

         filesz 0x00000c17 memsz 0x00000c17 flags rwx



Sections:

Idx Name          Size      VMA       LMA       File off  Algn

SYMBOL TABLE:

no symbols


Code:


 readelf -l ./oxfoo1m3



Elf file type is EXEC (Executable file)

Entry point 0x8048080

There are 1 program headers, starting at offset 52



Program Headers:

  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align

  LOAD           0x000000 0x08048000 0x08048000 0x00c17 0x00c17 RWE 0x1000



 Section to Segment mapping:

  Segment Sections...

   00


Code:


readelf -a ./oxfoo1m3  | more

ELF Header:

  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00

  Class:                             ELF32

  Data:                              2's complement, little endian

  Version:                           1 (current)

  OS/ABI:                            UNIX - System V

  ABI Version:                       0

  Type:                              EXEC (Executable file)

  Machine:                           Intel 80386

  Version:                           0x1

  Entry point address:               0x8048080

  Start of program headers:          52 (bytes into file)

  Start of section headers:          3152 (bytes into file)

  Flags:                             0x0

  Size of this header:               52 (bytes)

  Size of program headers:           32 (bytes)

  Number of program headers:         1

  Size of section headers:           40 (bytes)

  Number of section headers:         4

  Section header string table index: 3

Section Headers:

  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al

  [ 0] <corrupt>         <unknown>: 5858 58585858 58585858 58585858 58585858 xMI

xxxxop 1482184792 58585858 1482184792

  [ 1] <corrupt>         <unknown>: 5858 505cd8d8 585858d8 585853cf 58585858 AXx

MIxxxxop 1482184792 58585858 1482184776

  [ 2] <corrupt>         <unknown>: 5858 00000000 000c17 00001f 00      0   0  1

  [ 3] v+0+,*,9:Xv,= ,Xv STRTAB          00000000 000c36 00001a 00      0   0  1

Key to Flags:

  W (write), A (alloc), X (execute), M (merge), S (strings)

  I (info), L (link order), G (group), x (unknown)

  O (extra OS processing required) o (OS specific), p (processor specific)



Program Headers:

  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align

  LOAD           0x000000 0x08048000 0x08048000 0x00c17 0x00c17 RWE 0x1000



 Section to Segment mapping:

  Segment Sections...

   00



There is no dynamic segment in this file.



There are no relocations in this file.



There are no unwind sections in this file.



No version information found in this file.


Code:


 ndisasm -u  -e 0x80 ./oxfoo1m3 | more

00000000  E801000000        call 0x6

00000005  E95A81C20B        jmp 0xbc28164

0000000A  0000              add [eax],al

0000000C  0052C3            add [edx-0x3d],dl

0000000F  E981C20E00        jmp 0xec295

00000014  0000              add [eax],al

00000016  52                push edx

00000017  68C2800408        push dword 0x80480c2

0000001C  C3                ret

0000001D  E8E8010000        call 0x20a

00000022  00E9              add cl,ch

00000024  5A                pop edx

00000025  81C20B000000      add edx,0xb

0000002B  52                push edx

0000002C  C3                ret

0000002D  E981C20E00        jmp 0xec2b3

00000032  0000              add [eax],al

00000034  52                push edx

00000035  6871860408        push dword 0x8048671

0000003A  C3                ret

0000003B  E8E9D60000        call 0xd729

00000040  00E8              add al,ch

--More--


Code:


ndisasm -u  -e 0x86 ./oxfoo1m3 | more

00000000  5A                pop edx

00000001  81C20B000000      add edx,0xb

00000007  52                push edx

00000008  C3                ret


0xf001
April 21st, 2007, 10:40
holy shiiiit!

oss software degrading in quality with higher versions .... i will spank that developers asses

ok .... very good to know!

i love this discussion, its so valuable input for my next crackme then, to look for your gdb version etc.

thanks man

please continue, how do u find to work with it in gdb after all .... ? is it as annoying as I think?

thanx verry verry,

0xf001

ps: i think i should rephrase after all, ... "an attemt to a harder crackme" heheh. still, solve it, but wait for next one!
blabberer
April 21st, 2007, 10:49
and well i dont know if the bfd version matter
gdb was not my first choice i switched to gdb only when i saw i have to memory modify eax after your ptrace detection

ald loads it fine as well
Code:


ald ./oxfoo1m3

Assembly Language Debugger 0.1.7

Copyright (C) 2000-2004 Patrick Alken



./oxfoo1m3: ELF Intel 80386 (32 bit), LSB - little endian, Executable, Version 1 (Current)

Loading debugging symbols...(no symbols found)

ald> disassemble -n 3 0x8048080

08048080                      E801000000           call near +0x1 (0x8048086)

08048085                      E95A81C20B           jmp near +0xbc2815a (0x13c701e4)

0804808A                      0000                 add byte [eax], al

ald> s

eax = 0x00000000 ebx = 0x00000000 ecx = 0x00000000 edx = 0x00000000

esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000

ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000

ss  = 0x002B cs  = 0x0023 eip = 0x08048086 eflags = 0x00000346



Flags: PF ZF TF IF





08048086                      5A                   pop edx

ald>

ald> s

eax = 0x00000000 ebx = 0x00000000 ecx = 0x00000000 edx = 0x08048085

esp = 0xBFFFE540 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000

ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000

ss  = 0x002B cs  = 0x0023 eip = 0x08048087 eflags = 0x00000346



Flags: PF ZF TF IF





08048087                      81C20B000000         add edx, 0xb

ald>


and i meant this when i talked about your decryption

Code:


080480C2                      BE96810408           mov esi, 0x8048196



ald> e esi

Dumping 64 bytes of memory starting at 0x08048196 in hex

08048196:  CC B0 59 58 58 58 B1 02 D9 9A 53 58 58 58 0A 9B    ..YXXX....SXXX..

080481A6:  B1 D9 9A 56 58 58 58 0A 30 05 D3 5C 50 9B B0 D9    ...VXXX.0..\P...

080481B6:  99 78 58 58 58 69 98 D1 9A 18 D1 9B 99 B8 5A 5A    .xXXXi........ZZ

080481C6:  4D B2 D9 5C 50 B0 D2 5E 58 58 B1 4E 58 58 58 37    M..\P..^XX.NXXX7



0804810D                      B9800A0000           mov ecx, 0xa80



08048135                      AC                   lodsb

ald>

eax = 0x000000CC ebx = 0x00000000 ecx = 0x00000A80 edx = 0x08048130

esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x08048197 edi = 0x08048196

ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000

ss  = 0x002B cs  = 0x0023 eip = 0x08048136 eflags = 0x00000316



Flags: PF AF TF IF





08048136                      E801000000           call near +0x1 (0x804813c)



08048154                      3458                 xor al, 0x58



08048174                      AA                   stosb



08048193                      E2A0                 loop +0xa0 (0x8048235)

ald> disassemble -n 3 0x8048193

08048193                      E2A0                 loop +0xa0 (0x8048235)

08048195                      C3                   retn

08048196                      94                   xchg eax, esp

ald>



ald> break 0x8048195

Breakpoint 1 set for 0x08048195

ald> c

Breakpoint 1 encountered at 0x08048195

eax = 0x00000080 ebx = 0x00000000 ecx = 0x00000000 edx = 0x08048193

esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x08048C16 edi = 0x08048C16

ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000

ss  = 0x002B cs  = 0x0023 eip = 0x08048195 eflags = 0x00000216



Flags: PF AF IF





08048195                      C3                   retn


after this its a simple matter of keeping the finger pressed in enter key and notice

Code:


08048783                      D1E0                 shl eax, 1

ald>

eax = 0x0000001A ebx = 0x00000000 ecx = 0x00000001 edx = 0x00000000

esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x00000000 edi = 0x08048C16

ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000

ss  = 0x002B cs  = 0x0023 eip = 0x08048785 eflags = 0x00000302



Flags: TF IF





08048785                      9C                   pushfd

ald>

eax = 0x0000001A ebx = 0x00000000 ecx = 0x00000001 edx = 0x00000000

esp = 0xBFFFE538 ebp = 0x00000000 esi = 0x00000000 edi = 0x08048C16

ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000

ss  = 0x002B cs  = 0x0023 eip = 0x08048786 eflags = 0x00000302



Flags: TF IF





08048786                      60                   pushad


some thing happened there lets slow down and hit enter once each time
Code:


080489C4                      0F8489FCFFFF         je near +0xfffffc89 (0x8048653)

ald> disassemble -n 3 0x8048653

08048653                      E801000000           call near +0x1 (0x8048659)

08048658                      E95A81C20B           jmp near +0xbc2815a (0x13c707b7)

0804865D                      0000                 add byte [eax], al

ald> disassemble -n 3 0x8048659

08048659                      5A                   pop edx

0804865A                      81C20B000000         add edx, 0xb

08048660                      52                   push edx


so disassembling further we know it return to foo1 we dont want to go here
lets memory patch flags modify registers do whatever till we succeed
0xf001
April 21st, 2007, 10:59
Quote:
and i meant this when i talked about your decryption


oh, thats just fine

EDIT: oh the libbfd, well .... its for objdump and alike tools, which in my case all fuck up gdb doesnt use it, yes.

regards, 0xf001