PDA

View Full Version : oxf001m3 a "harder" crackme


0xf001
April 20th, 2007, 12:02
hi,

i have created my first crackme for your pleasure

i hand crafted this binary in asm (NASM) , and included some
anti-libbfd, anti-disassembling, anti-debugging stuff, and a bit
of obfuscation. though it is not so scary you will see ...

your task is to find the correct password.

all tools allowed, if they dont segfault

have a lot of fun ..... !

0xf001

Silkut
April 20th, 2007, 13:39
Ohhh grühht
Thanks I'll give it a look, in spite of my light linux knowledge.

blabberer
April 21st, 2007, 03:33
a bps on gdb or ald and you can defeat the eax = 0x1a int 80 call with set $eax = 0

and that will let you get out of push 0xf001 retn trap
and you will end up here

0x08048a4d in ?? ()
1: x/i $pc 0x8048a4d: int 0x80
(gdb)
oxfoo1m3 started ;] <-------
0x08048a50 in ?? ()
1: x/i $pc 0x8048a50: pushf
(gdb)

0x08048a4d in ?? ()
1: x/i $pc 0x8048a4d: int 0x80
(gdb)
3nt4 p455w0rD:<-----------
0x08048a50 in ?? ()
1: x/i $pc 0x8048a50: pushf

(gdb) i r eax
eax 0xa 10
(gdb) x/s $esi-1
0x8048223: "\nXXXXXXXXXXmyne{xtvfw~è\001"
(gdb)



got few more tricks after this ? or is it now just bruteforcing through the add edx,9 push edx retns ?

nice anyway but doesnt look like gdb or ald is afraid of this cme ?

0xf001
April 21st, 2007, 10:01
blabberer,

of course no magic to defeat anti ptrace , u need to know how to use the tools. that is indeed very simple, its just one part.
btw i realized i made a lil mistake in encryption, but thats no problem it gets easier, i think you saw this.


so when u are there where u are, so get the password. bruteforcing is lame, but go for it

Quote:
nice anyway but doesnt look like gdb or ald is afraid of this cme


well, my gdb does not load the cme at all. did your gdb load it as it was?

to be honest, i am not sure now if u came very far. u are i think after decryption of the body. its more or less a question of time until u figure the rest. but, thats always the case aaand .... i know a bit your skills, u are a bit too experienced, and i guess an exception of the typical crackmes.de audience

cheers, 0xf001

blabberer
April 21st, 2007, 10:18
Quote:

btw i realized i made a lil mistake in encryption, but thats no problem it gets easier, i think you saw this.


if you mean the decryption of 0xa80 bytes xorring with 0x58 or some other byte then yes you miss two bytes in the sequence (not sure but my instinct said i could break on 0x*****95 and still pass your decryption unscathed

all i did was gdb -q ./foo1 break 0x****

Code:

:~/0xf001/oxfoo1m3> gdb -q ./oxfoo1m3
BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
(no debugging symbols found)...gdb $

-------------------------------------------------------------------------[ regs]
eax:00000080 ebx:00000000 ecx:00000000 edx:08048193 eflags:00000316
esi:08048C16 edi:08048C16 esp:BFFFD230 ebp:00000000 eip:0804809E
cs:0023 ds:002B es:002B fs:0000 gs:0000 ss:002B o d I T s z A P c
[002B:BFFFD230]---------------------------------------------------------[stack]
BFFFD260 : 65 F3 FF BF 76 F3 FF BF - 84 F3 FF BF AD F3 FF BF e...v...........
BFFFD250 : 16 F3 FF BF 3D F3 FF BF - 49 F3 FF BF 59 F3 FF BF ....=...I...Y...
BFFFD240 : 80 F2 FF BF 90 F2 FF BF - C2 F2 FF BF 06 F3 FF BF ................
BFFFD230 : 01 00 00 00 40 F2 FF BF - 00 00 00 00 67 F2 FF BF ....@.......g...
[002B:08048C16]---------------------------------------------------------[ data]
08048C16 : C8 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
08048C26 : 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
[0023:0804809E]---------------------------------------------------------[ code]
0x804809e: call 0x80480a4
0x80480a3: jmp 0x13c70202
0x80480a8: add BYTE PTR [eax],al
0x80480aa: add BYTE PTR [edx-61],dl
0x80480ad: jmp 0x8134333
0x80480b2: add BYTE PTR [eax],al
-------------------------------------------------------------------------------
Error while running hook_stop:
Invalid type combination in ordering comparison.
0x0804809e in ?? ()
gdb $

eax:0000001A ebx:00000000 ecx:00000001 edx:080487CE eflags:00000282
esi:00000000 edi:08048C16 esp:BFFFD228 ebp:00000000 eip:08048A4D
cs:0023 ds:002B es:002B fs:0000 gs:0000 ss:002B o d I t S z a p c
[002B:BFFFD228]---------------------------------------------------------[stack]
BFFFD258 : 49 F3 FF BF 59 F3 FF BF - 65 F3 FF BF 76 F3 FF BF I...Y...e...v...
BFFFD248 : C2 F2 FF BF 06 F3 FF BF - 16 F3 FF BF 3D F3 FF BF ............=...
BFFFD238 : 00 00 00 00 67 F2 FF BF - 80 F2 FF BF 90 F2 FF BF ....g...........
BFFFD228 : CE 87 04 08 BC 80 04 08 - 01 00 00 00 40 F2 FF BF ............@...
[002B:08048C16]---------------------------------------------------------[ data]
08048C16 : C8 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
08048C26 : 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
[0023:08048A4D]---------------------------------------------------------[ code]
0x8048a4d: int 0x80
0x8048a4f: pushf
0x8048a50: pushf
0x8048a51: pusha
0x8048a52: call 0x8048a58
0x8048a57: jmp 0x13c70bb6
-------------------------------------------------------------------------------
Error while running hook_stop:
Invalid type combination in ordering comparison.

Breakpoint 3, 0x08048a4d in ?? ()


0xf001
April 21st, 2007, 10:25
blabberer, please stay tuned ... if u can ...

i boot my environments to verify ....

what gdb version do u use?

thanks!

EDIT: ok, i have gdb 6.4.90 on debian etch unstable

it tells me: File format not recognized!

i cant use gdb on it, without getting over first "trick". so u had it quite much more easy, because to defeat that
on the systems i tried, its a bit a challenge.
what libbfd do u have? i think u have a damn cool libbfd! probably u can even objdump it???

Quote:
if you mean the decryption of 0xa80 bytes xorring with 0x58 or some other byte then yes you miss two bytes in the sequence (not sure but my instinct said i could break on 0x*****95 and still pass your decryption unsca


nope, i meant i wanted to load the decryption operand from the modified elf header, so if u restored it, in order to run it in gdb etc, it would decrypt wrong.

regards, 0xf001

blabberer
April 21st, 2007, 10:34
well i dont run the latest and greatest
gdb -v
GNU gdb 5.3.92
Code:

objdump -x ./oxfoo1m3
BFD: ./oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
BFD: ./oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'

./oxfoo1m3: file format elf32-i386
./oxfoo1m3
architecture: i386, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x08048080

Program Header:
LOAD off 0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
filesz 0x00000c17 memsz 0x00000c17 flags rwx

Sections:
Idx Name Size VMA LMA File off Algn
SYMBOL TABLE:
no symbols


Code:

readelf -l ./oxfoo1m3

Elf file type is EXEC (Executable file)
Entry point 0x8048080
There are 1 program headers, starting at offset 52

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x08048000 0x08048000 0x00c17 0x00c17 RWE 0x1000

Section to Segment mapping:
Segment Sections...
00


Code:

readelf -a ./oxfoo1m3 | more
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048080
Start of program headers: 52 (bytes into file)
Start of section headers: 3152 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 40 (bytes)
Number of section headers: 4
Section header string table index: 3
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] <corrupt> <unknown>: 5858 58585858 58585858 58585858 58585858 xMI
xxxxop 1482184792 58585858 1482184792
[ 1] <corrupt> <unknown>: 5858 505cd8d8 585858d8 585853cf 58585858 AXx
MIxxxxop 1482184792 58585858 1482184776
[ 2] <corrupt> <unknown>: 5858 00000000 000c17 00001f 00 0 0 1
[ 3] v+0+,*,9:Xv,= ,Xv STRTAB 00000000 000c36 00001a 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x08048000 0x08048000 0x00c17 0x00c17 RWE 0x1000

Section to Segment mapping:
Segment Sections...
00

There is no dynamic segment in this file.

There are no relocations in this file.

There are no unwind sections in this file.

No version information found in this file.


Code:

ndisasm -u -e 0x80 ./oxfoo1m3 | more
00000000 E801000000 call 0x6
00000005 E95A81C20B jmp 0xbc28164
0000000A 0000 add [eax],al
0000000C 0052C3 add [edx-0x3d],dl
0000000F E981C20E00 jmp 0xec295
00000014 0000 add [eax],al
00000016 52 push edx
00000017 68C2800408 push dword 0x80480c2
0000001C C3 ret
0000001D E8E8010000 call 0x20a
00000022 00E9 add cl,ch
00000024 5A pop edx
00000025 81C20B000000 add edx,0xb
0000002B 52 push edx
0000002C C3 ret
0000002D E981C20E00 jmp 0xec2b3
00000032 0000 add [eax],al
00000034 52 push edx
00000035 6871860408 push dword 0x8048671
0000003A C3 ret
0000003B E8E9D60000 call 0xd729
00000040 00E8 add al,ch
--More--


Code:

ndisasm -u -e 0x86 ./oxfoo1m3 | more
00000000 5A pop edx
00000001 81C20B000000 add edx,0xb
00000007 52 push edx
00000008 C3 ret



0xf001
April 21st, 2007, 10:40
holy shiiiit!

oss software degrading in quality with higher versions .... i will spank that developers asses

ok .... very good to know!

i love this discussion, its so valuable input for my next crackme then, to look for your gdb version etc.

thanks man

please continue, how do u find to work with it in gdb after all .... ? is it as annoying as I think?

thanx verry verry,

0xf001

ps: i think i should rephrase after all, ... "an attemt to a harder crackme" heheh. still, solve it, but wait for next one!

blabberer
April 21st, 2007, 10:49
and well i dont know if the bfd version matter
gdb was not my first choice i switched to gdb only when i saw i have to memory modify eax after your ptrace detection

ald loads it fine as well
Code:

ald ./oxfoo1m3
Assembly Language Debugger 0.1.7
Copyright (C) 2000-2004 Patrick Alken

./oxfoo1m3: ELF Intel 80386 (32 bit), LSB - little endian, Executable, Version 1 (Current)
Loading debugging symbols...(no symbols found)
ald> disassemble -n 3 0x8048080
08048080 E801000000 call near +0x1 (0x8048086)
08048085 E95A81C20B jmp near +0xbc2815a (0x13c701e4)
0804808A 0000 add byte [eax], al
ald> s
eax = 0x00000000 ebx = 0x00000000 ecx = 0x00000000 edx = 0x00000000
esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000
ss = 0x002B cs = 0x0023 eip = 0x08048086 eflags = 0x00000346

Flags: PF ZF TF IF


08048086 5A pop edx
ald>
ald> s
eax = 0x00000000 ebx = 0x00000000 ecx = 0x00000000 edx = 0x08048085
esp = 0xBFFFE540 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000
ss = 0x002B cs = 0x0023 eip = 0x08048087 eflags = 0x00000346

Flags: PF ZF TF IF


08048087 81C20B000000 add edx, 0xb
ald>



and i meant this when i talked about your decryption

Code:

080480C2 BE96810408 mov esi, 0x8048196

ald> e esi
Dumping 64 bytes of memory starting at 0x08048196 in hex
08048196: CC B0 59 58 58 58 B1 02 D9 9A 53 58 58 58 0A 9B ..YXXX....SXXX..
080481A6: B1 D9 9A 56 58 58 58 0A 30 05 D3 5C 50 9B B0 D9 ...VXXX.0..\P...
080481B6: 99 78 58 58 58 69 98 D1 9A 18 D1 9B 99 B8 5A 5A .xXXXi........ZZ
080481C6: 4D B2 D9 5C 50 B0 D2 5E 58 58 B1 4E 58 58 58 37 M..\P..^XX.NXXX7

0804810D B9800A0000 mov ecx, 0xa80

08048135 AC lodsb
ald>
eax = 0x000000CC ebx = 0x00000000 ecx = 0x00000A80 edx = 0x08048130
esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x08048197 edi = 0x08048196
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000
ss = 0x002B cs = 0x0023 eip = 0x08048136 eflags = 0x00000316

Flags: PF AF TF IF


08048136 E801000000 call near +0x1 (0x804813c)

08048154 3458 xor al, 0x58

08048174 AA stosb

08048193 E2A0 loop +0xa0 (0x8048235)
ald> disassemble -n 3 0x8048193
08048193 E2A0 loop +0xa0 (0x8048235)
08048195 C3 retn
08048196 94 xchg eax, esp
ald>

ald> break 0x8048195
Breakpoint 1 set for 0x08048195
ald> c
Breakpoint 1 encountered at 0x08048195
eax = 0x00000080 ebx = 0x00000000 ecx = 0x00000000 edx = 0x08048193
esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x08048C16 edi = 0x08048C16
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000
ss = 0x002B cs = 0x0023 eip = 0x08048195 eflags = 0x00000216

Flags: PF AF IF


08048195 C3 retn



after this its a simple matter of keeping the finger pressed in enter key and notice

Code:

08048783 D1E0 shl eax, 1
ald>
eax = 0x0000001A ebx = 0x00000000 ecx = 0x00000001 edx = 0x00000000
esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x00000000 edi = 0x08048C16
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000
ss = 0x002B cs = 0x0023 eip = 0x08048785 eflags = 0x00000302

Flags: TF IF


08048785 9C pushfd
ald>
eax = 0x0000001A ebx = 0x00000000 ecx = 0x00000001 edx = 0x00000000
esp = 0xBFFFE538 ebp = 0x00000000 esi = 0x00000000 edi = 0x08048C16
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000
ss = 0x002B cs = 0x0023 eip = 0x08048786 eflags = 0x00000302

Flags: TF IF


08048786 60 pushad


some thing happened there lets slow down and hit enter once each time
Code:

080489C4 0F8489FCFFFF je near +0xfffffc89 (0x8048653)
ald> disassemble -n 3 0x8048653
08048653 E801000000 call near +0x1 (0x8048659)
08048658 E95A81C20B jmp near +0xbc2815a (0x13c707b7)
0804865D 0000 add byte [eax], al
ald> disassemble -n 3 0x8048659
08048659 5A pop edx
0804865A 81C20B000000 add edx, 0xb
08048660 52 push edx


so disassembling further we know it return to foo1 we dont want to go here
lets memory patch flags modify registers do whatever till we succeed

0xf001
April 21st, 2007, 10:59
Quote:
and i meant this when i talked about your decryption


oh, thats just fine

EDIT: oh the libbfd, well .... its for objdump and alike tools, which in my case all fuck up gdb doesnt use it, yes.

regards, 0xf001