
Thread: oxf001m3 a "harder" crackme

  1. #1

    oxf001m3 a "harder" crackme

    hi,

    i have created my first crackme for your pleasure

    i hand crafted this binary in asm (NASM) , and included some
    anti-libbfd, anti-disassembling, anti-debugging stuff, and a bit
    of obfuscation. though it is not so scary you will see ...

    your task is to find the correct password.

    all tools allowed, if they dont segfault

    have a lot of fun ..... !

    0xf001

  2. #2


    Ohhh grühht
    Thanks I'll give it a look, in spite of my light linux knowledge.

  3. #3
    Super Moderator (Join Date: Dec 2004, Posts: 1,508, Blog Entries: 15)
    a bps on gdb or ald and you can defeat the eax = 0x1a int 80 call with set $eax = 0

    and that will let you get out of push 0xf001 retn trap
    and you will end up here

    0x08048a4d in ?? ()
    1: x/i $pc 0x8048a4d: int 0x80
    (gdb)
    oxfoo1m3 started ;] <-------
    0x08048a50 in ?? ()
    1: x/i $pc 0x8048a50: pushf
    (gdb)

    0x08048a4d in ?? ()
    1: x/i $pc 0x8048a4d: int 0x80
    (gdb)
    3nt4 p455w0rD:<-----------
    0x08048a50 in ?? ()
    1: x/i $pc 0x8048a50: pushf

    (gdb) i r eax
    eax 0xa 10
    (gdb) x/s $esi-1
    0x8048223: "\nXXXXXXXXXXmyne{xtvfw~è\001"
    (gdb)
    got few more tricks after this ? or is it now just bruteforcing through the add edx,9 push edx retns ?

    nice anyway but doesnt look like gdb or ald is afraid of this cme ?
    Last edited by blabberer; April 21st, 2007 at 03:45.

  4. #4
    blabberer,

    of course no magic to defeat anti ptrace , u need to know how to use the tools. that is indeed very simple, its just one part.
    btw i realized i made a lil mistake in encryption, but thats no problem it gets easier, i think you saw this.


    so when u are there where u are, so get the password. bruteforcing is lame, but go for it

    nice anyway but doesnt look like gdb or ald is afraid of this cme
    well, my gdb does not load the cme at all. did your gdb load it as it was?

    to be honest, i am not sure now if u came very far. u are i think after decryption of the body. its more or less a question of time until u figure the rest. but, thats always the case aaand .... i know a bit your skills, u are a bit too experienced, and i guess an exception of the typical crackmes.de audience

    cheers, 0xf001

  5. #5
    btw i realized i made a lil mistake in encryption, but thats no problem it gets easier, i think you saw this.
    if you mean the decryption of 0xa80 bytes xorring with 0x58 or some other byte then yes you miss two bytes in the sequence (not sure but my instinct said i could break on 0x*****95 and still pass your decryption unscathed

    all i did was gdb -q ./foo1 break 0x****

    Code:
    :~/0xf001/oxfoo1m3> gdb -q ./oxfoo1m3
    BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
    BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
    BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
    BFD: /0xf001/oxfoo1m3/oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
    (no debugging symbols found)...gdb $
    
    -------------------------------------------------------------------------[ regs]
         eax:00000080 ebx:00000000  ecx:00000000  edx:08048193     eflags:00000316
         esi:08048C16 edi:08048C16  esp:BFFFD230  ebp:00000000     eip:0804809E
         cs:0023  ds:002B  es:002B  fs:0000  gs:0000  ss:002B    o d I T s z A P c
    [002B:BFFFD230]---------------------------------------------------------[stack]
    BFFFD260 : 65 F3 FF BF  76 F3 FF BF - 84 F3 FF BF  AD F3 FF BF e...v...........
    BFFFD250 : 16 F3 FF BF  3D F3 FF BF - 49 F3 FF BF  59 F3 FF BF ....=...I...Y...
    BFFFD240 : 80 F2 FF BF  90 F2 FF BF - C2 F2 FF BF  06 F3 FF BF ................
    BFFFD230 : 01 00 00 00  40 F2 FF BF - 00 00 00 00  67 F2 FF BF ....@.......g...
    [002B:08048C16]---------------------------------------------------------[ data]
    08048C16 : C8 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................
    08048C26 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................
    [0023:0804809E]---------------------------------------------------------[ code]
    0x804809e:      call   0x80480a4
    0x80480a3:      jmp    0x13c70202
    0x80480a8:      add    BYTE PTR [eax],al
    0x80480aa:      add    BYTE PTR [edx-61],dl
    0x80480ad:      jmp    0x8134333
    0x80480b2:      add    BYTE PTR [eax],al
    -------------------------------------------------------------------------------
    Error while running hook_stop:
    Invalid type combination in ordering comparison.
    0x0804809e in ?? ()
    gdb $
    
         eax:0000001A ebx:00000000  ecx:00000001  edx:080487CE     eflags:00000282
         esi:00000000 edi:08048C16  esp:BFFFD228  ebp:00000000     eip:08048A4D
         cs:0023  ds:002B  es:002B  fs:0000  gs:0000  ss:002B    o d I t S z a p c
    [002B:BFFFD228]---------------------------------------------------------[stack]
    BFFFD258 : 49 F3 FF BF  59 F3 FF BF - 65 F3 FF BF  76 F3 FF BF I...Y...e...v...
    BFFFD248 : C2 F2 FF BF  06 F3 FF BF - 16 F3 FF BF  3D F3 FF BF ............=...
    BFFFD238 : 00 00 00 00  67 F2 FF BF - 80 F2 FF BF  90 F2 FF BF ....g...........
    BFFFD228 : CE 87 04 08  BC 80 04 08 - 01 00 00 00  40 F2 FF BF ............@...
    [002B:08048C16]---------------------------------------------------------[ data]
    08048C16 : C8 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................
    08048C26 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................
    [0023:08048A4D]---------------------------------------------------------[ code]
    0x8048a4d:      int    0x80
    0x8048a4f:      pushf
    0x8048a50:      pushf
    0x8048a51:      pusha
    0x8048a52:      call   0x8048a58
    0x8048a57:      jmp    0x13c70bb6
    -------------------------------------------------------------------------------
    Error while running hook_stop:
    Invalid type combination in ordering comparison.
    
    Breakpoint 3, 0x08048a4d in ?? ()
    Last edited by blabberer; April 21st, 2007 at 10:24.

  6. #6
    blabberer, please stay tuned ... if u can ...

    i boot my environments to verify ....

    what gdb version do u use?

    thanks!

    EDIT: ok, i have gdb 6.4.90 on debian etch unstable

    it tells me: File format not recognized!

    i cant use gdb on it, without getting over first "trick". so u had it quite much more easy, because to defeat that
    on the systems i tried, its a bit a challenge.
    what libbfd do u have? i think u have a damn cool libbfd! probably u can even objdump it???

    if you mean the decryption of 0xa80 bytes xorring with 0x58 or some other byte then yes you miss two bytes in the sequence (not sure but my instinct said i could break on 0x*****95 and still pass your decryption unsca
    nope, i meant i wanted to load the decryption operand from the modified elf header, so if u restored it, in order to run it in gdb etc, it would decrypt wrong.

    regards, 0xf001

  7. #7
    well i dont run the latest and greatest
    gdb -v
    GNU gdb 5.3.92
    Code:
     objdump -x ./oxfoo1m3
    BFD: ./oxfoo1m3: invalid string offset 1482184787 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
    BFD: ./oxfoo1m3: invalid string offset 1482184777 >= 26 for section `v+0+,*,9:Xv,= ,Xv;755=6,X'
    
    ./oxfoo1m3:     file format elf32-i386
    ./oxfoo1m3
    architecture: i386, flags 0x00000102:
    EXEC_P, D_PAGED
    start address 0x08048080
    
    Program Header:
        LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
             filesz 0x00000c17 memsz 0x00000c17 flags rwx
    
    Sections:
    Idx Name          Size      VMA       LMA       File off  Algn
    SYMBOL TABLE:
    no symbols
    Code:
     readelf -l ./oxfoo1m3
    
    Elf file type is EXEC (Executable file)
    Entry point 0x8048080
    There are 1 program headers, starting at offset 52
    
    Program Headers:
      Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
      LOAD           0x000000 0x08048000 0x08048000 0x00c17 0x00c17 RWE 0x1000
    
     Section to Segment mapping:
      Segment Sections...
       00
    Code:
    readelf -a ./oxfoo1m3  | more
    ELF Header:
      Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
      Class:                             ELF32
      Data:                              2's complement, little endian
      Version:                           1 (current)
      OS/ABI:                            UNIX - System V
      ABI Version:                       0
      Type:                              EXEC (Executable file)
      Machine:                           Intel 80386
      Version:                           0x1
      Entry point address:               0x8048080
      Start of program headers:          52 (bytes into file)
      Start of section headers:          3152 (bytes into file)
      Flags:                             0x0
      Size of this header:               52 (bytes)
      Size of program headers:           32 (bytes)
      Number of program headers:         1
      Size of section headers:           40 (bytes)
      Number of section headers:         4
      Section header string table index: 3
    Section Headers:
      [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
      [ 0] <corrupt>         <unknown>: 5858 58585858 58585858 58585858 58585858 xMI
    xxxxop 1482184792 58585858 1482184792
      [ 1] <corrupt>         <unknown>: 5858 505cd8d8 585858d8 585853cf 58585858 AXx
    MIxxxxop 1482184792 58585858 1482184776
      [ 2] <corrupt>         <unknown>: 5858 00000000 000c17 00001f 00      0   0  1
      [ 3] v+0+,*,9:Xv,= ,Xv STRTAB          00000000 000c36 00001a 00      0   0  1
    Key to Flags:
      W (write), A (alloc), X (execute), M (merge), S (strings)
      I (info), L (link order), G (group), x (unknown)
      O (extra OS processing required) o (OS specific), p (processor specific)
    
    Program Headers:
      Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
      LOAD           0x000000 0x08048000 0x08048000 0x00c17 0x00c17 RWE 0x1000
    
     Section to Segment mapping:
      Segment Sections...
       00
    
    There is no dynamic segment in this file.
    
    There are no relocations in this file.
    
    There are no unwind sections in this file.
    
    No version information found in this file.
    Code:
     ndisasm -u  -e 0x80 ./oxfoo1m3 | more
    00000000  E801000000        call 0x6
    00000005  E95A81C20B        jmp 0xbc28164
    0000000A  0000              add [eax],al
    0000000C  0052C3            add [edx-0x3d],dl
    0000000F  E981C20E00        jmp 0xec295
    00000014  0000              add [eax],al
    00000016  52                push edx
    00000017  68C2800408        push dword 0x80480c2
    0000001C  C3                ret
    0000001D  E8E8010000        call 0x20a
    00000022  00E9              add cl,ch
    00000024  5A                pop edx
    00000025  81C20B000000      add edx,0xb
    0000002B  52                push edx
    0000002C  C3                ret
    0000002D  E981C20E00        jmp 0xec2b3
    00000032  0000              add [eax],al
    00000034  52                push edx
    00000035  6871860408        push dword 0x8048671
    0000003A  C3                ret
    0000003B  E8E9D60000        call 0xd729
    00000040  00E8              add al,ch
    --More--
    Code:
    ndisasm -u  -e 0x86 ./oxfoo1m3 | more
    00000000  5A                pop edx
    00000001  81C20B000000      add edx,0xb
    00000007  52                push edx
    00000008  C3                ret
    Last edited by blabberer; April 21st, 2007 at 10:45.
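    The readelf output above shows why the libbfd-based tools choke while the kernel, gdb 5.3.92 and ald do not: the section name offsets are 0x58585858 (1482184792), far past the 26-byte string table, but the single LOAD program header is intact. The following script is an added example, not code from the thread; it builds a constructed ELF32 image from the header values readelf reported (entry 0x8048080, e_shoff 3152, 4 section headers, .shstrtab of 26 bytes at 0xc36, one RWE LOAD segment of 0xc17 bytes), fills the first three section headers with 0x58 as a stand-in for the corrupted ones, and runs the loader-side check next to the libbfd-side check. Everything outside those header fields is filler.

```python
import struct

EHDR = "<16sHHIIIIIHHHHHH"  # Elf32_Ehdr
PHDR = "<IIIIIIII"          # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
SHDR = "<IIIIIIIIII"        # Elf32_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
PT_LOAD = 1

def build_sample() -> bytes:
    """Constructed image carrying the header values readelf reported above."""
    img = bytearray(3152 + 4 * 40)
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    # e_type EXEC, EM_386, entry 0x8048080, phoff 52, shoff 3152, 1 phdr, 4 shdrs, shstrndx 3
    struct.pack_into(EHDR, img, 0, ident, 2, 3, 1, 0x8048080, 52, 3152, 0, 52, 32, 1, 40, 4, 3)
    struct.pack_into(PHDR, img, 52, PT_LOAD, 0, 0x8048000, 0x8048000, 0xc17, 0xc17, 7, 0x1000)
    img[0xc36:0xc50] = b"v+0+,*,9:Xv,= ,Xv;755=6,X\0"  # the 26-byte .shstrtab
    for i in range(3):  # headers 0..2 overwritten with 'X' (0x58), the xor key byte
        img[3152 + i * 40:3152 + (i + 1) * 40] = b"X" * 40
    struct.pack_into(SHDR, img, 3152 + 3 * 40, 0, 3, 0, 0, 0xc36, 26, 0, 0, 1, 0)  # [3] STRTAB
    return bytes(img)

def segments(img: bytes):
    """What the kernel loader and a ptrace debugger need: program headers only."""
    e = struct.unpack_from(EHDR, img, 0)
    phoff, phentsize, phnum = e[5], e[9], e[10]
    return [struct.unpack_from(PHDR, img, phoff + i * phentsize) for i in range(phnum)]

def entry_is_mapped(img: bytes) -> bool:
    """Loader-level sanity check: the entry point must fall inside a LOAD segment."""
    entry = struct.unpack_from(EHDR, img, 0)[4]
    return any(p[0] == PT_LOAD and p[2] <= entry < p[2] + p[5] for p in segments(img))

def bad_section_names(img: bytes):
    """The check libbfd performs when it builds its section list: every sh_name
    must index into .shstrtab. Returns (index, sh_name, strtab_size) per failure."""
    e = struct.unpack_from(EHDR, img, 0)
    shoff, shentsize, shnum, shstrndx = e[6], e[11], e[12], e[13]
    strsz = struct.unpack_from(SHDR, img, shoff + shstrndx * shentsize)[5]
    bad = []
    for i in range(shnum):
        name = struct.unpack_from(SHDR, img, shoff + i * shentsize)[0]
        if name >= strsz:
            bad.append((i, name, strsz))
    return bad

if __name__ == "__main__":
    img = build_sample()
    print("entry mapped by a LOAD segment:", entry_is_mapped(img))
    for i, name, strsz in bad_section_names(img):
        print(f"BFD-style complaint: invalid string offset {name} >= {strsz} for section {i}")
```

    Triage tooling that keys on program headers (as the loader does) sees a valid single-segment binary here; tooling that insists on a sane section table rejects it, which is the whole split between objdump/newer gdb and ald in this thread.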

  8. #8
    holy shiiiit!

    oss software degrading in quality with higher versions .... i will spank that developers asses

    ok .... very good to know!

    i love this discussion, its so valuable input for my next crackme then, to look for your gdb version etc.

    thanks man

    please continue, how do u find to work with it in gdb after all .... ? is it as annoying as I think?

    thanx verry verry,

    0xf001

    ps: i think i should rephrase after all, ... "an attempt at a harder crackme" heheh. still, solve it, but wait for next one!

  9. #9
    and well i dont know if the bfd version matter
    gdb was not my first choice i switched to gdb only when i saw i have to memory modify eax after your ptrace detection

    ald loads it fine as well
    Code:
    ald ./oxfoo1m3
    Assembly Language Debugger 0.1.7
    Copyright (C) 2000-2004 Patrick Alken
    
    ./oxfoo1m3: ELF Intel 80386 (32 bit), LSB - little endian, Executable, Version 1 (Current)
    Loading debugging symbols...(no symbols found)
    ald> disassemble -n 3 0x8048080
    08048080                      E801000000           call near +0x1 (0x8048086)
    08048085                      E95A81C20B           jmp near +0xbc2815a (0x13c701e4)
    0804808A                      0000                 add byte [eax], al
    ald> s
    eax = 0x00000000 ebx = 0x00000000 ecx = 0x00000000 edx = 0x00000000
    esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
    ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
    ss  = 0x002B cs  = 0x0023 eip = 0x08048086 eflags = 0x00000346
    
    Flags: PF ZF TF IF
    
    
    08048086                      5A                   pop edx
    ald>
    ald> s
    eax = 0x00000000 ebx = 0x00000000 ecx = 0x00000000 edx = 0x08048085
    esp = 0xBFFFE540 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
    ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
    ss  = 0x002B cs  = 0x0023 eip = 0x08048087 eflags = 0x00000346
    
    Flags: PF ZF TF IF
    
    
    08048087                      81C20B000000         add edx, 0xb
    ald>
    and i meant this when i talked about your decryption

    Code:
    080480C2                      BE96810408           mov esi, 0x8048196
    
    ald> e esi
    Dumping 64 bytes of memory starting at 0x08048196 in hex
    08048196:  CC B0 59 58 58 58 B1 02 D9 9A 53 58 58 58 0A 9B    ..YXXX....SXXX..
    080481A6:  B1 D9 9A 56 58 58 58 0A 30 05 D3 5C 50 9B B0 D9    ...VXXX.0..\P...
    080481B6:  99 78 58 58 58 69 98 D1 9A 18 D1 9B 99 B8 5A 5A    .xXXXi........ZZ
    080481C6:  4D B2 D9 5C 50 B0 D2 5E 58 58 B1 4E 58 58 58 37    M..\P..^XX.NXXX7
    
    0804810D                      B9800A0000           mov ecx, 0xa80
    
    08048135                      AC                   lodsb
    ald>
    eax = 0x000000CC ebx = 0x00000000 ecx = 0x00000A80 edx = 0x08048130
    esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x08048197 edi = 0x08048196
    ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
    ss  = 0x002B cs  = 0x0023 eip = 0x08048136 eflags = 0x00000316
    
    Flags: PF AF TF IF
    
    
    08048136                      E801000000           call near +0x1 (0x804813c)
    
    08048154                      3458                 xor al, 0x58
    
    08048174                      AA                   stosb
    
    08048193                      E2A0                 loop +0xa0 (0x8048235)
    ald> disassemble -n 3 0x8048193
    08048193                      E2A0                 loop +0xa0 (0x8048235)
    08048195                      C3                   retn
    08048196                      94                   xchg eax, esp
    ald>
    
    ald> break 0x8048195
    Breakpoint 1 set for 0x08048195
    ald> c
    Breakpoint 1 encountered at 0x08048195
    eax = 0x00000080 ebx = 0x00000000 ecx = 0x00000000 edx = 0x08048193
    esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x08048C16 edi = 0x08048C16
    ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
    ss  = 0x002B cs  = 0x0023 eip = 0x08048195 eflags = 0x00000216
    
    Flags: PF AF IF
    
    
    08048195                      C3                   retn
    after this its a simple matter of keeping the finger pressed in enter key and notice

    Code:
    08048783                      D1E0                 shl eax, 1
    ald>
    eax = 0x0000001A ebx = 0x00000000 ecx = 0x00000001 edx = 0x00000000
    esp = 0xBFFFE53C ebp = 0x00000000 esi = 0x00000000 edi = 0x08048C16
    ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
    ss  = 0x002B cs  = 0x0023 eip = 0x08048785 eflags = 0x00000302
    
    Flags: TF IF
    
    
    08048785                      9C                   pushfd
    ald>
    eax = 0x0000001A ebx = 0x00000000 ecx = 0x00000001 edx = 0x00000000
    esp = 0xBFFFE538 ebp = 0x00000000 esi = 0x00000000 edi = 0x08048C16
    ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
    ss  = 0x002B cs  = 0x0023 eip = 0x08048786 eflags = 0x00000302
    
    Flags: TF IF
    
    
    08048786                      60                   pushad
    some thing happened there lets slow down and hit enter once each time
    Code:
    080489C4                      0F8489FCFFFF         je near +0xfffffc89 (0x8048653)
    ald> disassemble -n 3 0x8048653
    08048653                      E801000000           call near +0x1 (0x8048659)
    08048658                      E95A81C20B           jmp near +0xbc2815a (0x13c707b7)
    0804865D                      0000                 add byte [eax], al
    ald> disassemble -n 3 0x8048659
    08048659                      5A                   pop edx
    0804865A                      81C20B000000         add edx, 0xb
    08048660                      52                   push edx
    so disassembling further we know it return to foo1 we dont want to go here
    lets memory patch flags modify registers do whatever till we succeed
    Last edited by blabberer; April 21st, 2007 at 11:06.
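    The two things the ald session above exposes are the body decryption (lodsb / xor al,0x58 / stosb / loop over 0xa80 bytes from 0x8048196) and the call +1 / pop edx / add edx,imm / push edx / ret stubs that replace plain jumps and make the disassembly look like junk. The script below is an added example, not code from the thread: it applies the same xor to the 64 bytes ald dumped at 0x8048196, then statically evaluates the stubs to recover the real transfer target and the fake return address they leave behind, first on the entry-point bytes from the ndisasm listing and then on the decrypted dump. Only the bytes and addresses shown in the posts are assumed; the two stub forms are the ones visible in those listings.

```python
import struct

KEY = 0x58  # operand of the "xor al, 0x58" at 0x8048154

# Entry-point bytes as ndisasm -e 0x80 shows them above (this part is not encrypted).
ENTRY_VA = 0x8048080
ENTRY_CODE = bytes.fromhex(
    "E8 01 00 00 00 E9 5A 81 C2 0B 00 00 00 52 C3"   # call +1 / junk E9 / pop edx / add edx,0xb / push edx / ret
    "E9 81 C2 0E 00 00 00 52 68 C2 80 04 08 C3")     # junk E9 / add edx,0xe / push edx / push 0x80480c2 / ret

# The 64 bytes "e esi" dumped at 0x8048196 before the decryption loop ran.
BODY_VA = 0x8048196
BODY_ENC = bytes.fromhex(
    "CC B0 59 58 58 58 B1 02 D9 9A 53 58 58 58 0A 9B"
    "B1 D9 9A 56 58 58 58 0A 30 05 D3 5C 50 9B B0 D9"
    "99 78 58 58 58 69 98 D1 9A 18 D1 9B 99 B8 5A 5A"
    "4D B2 D9 5C 50 B0 D2 5E 58 58 B1 4E 58 58 58 37")

def decrypt(buf: bytes, key: int = KEY) -> bytes:
    """The lodsb / xor al,key / stosb / loop sequence, applied to a buffer."""
    return bytes(b ^ key for b in buf)

def resolve_stub(code: bytes, base: int, off: int, edx: int = 0):
    """Evaluate one obfuscation stub starting at code[off]; return the
    (eip, edx) state after its final ret, or None if no known stub is there."""
    va = base + off
    # Form 1: call +1 ; E9 ; pop edx ; add edx, imm32 ; push edx ; ret
    # The call pushes va+5, the E9 byte is skipped, so the ret lands at va+5+imm.
    if code[off:off + 9] == b"\xE8\x01\x00\x00\x00\xE9\x5A\x81\xC2" \
            and code[off + 13:off + 15] == b"\x52\xC3":
        imm = struct.unpack_from("<I", code, off + 9)[0]
        return va + 5 + imm, va + 5 + imm
    # Form 2: add edx, imm32 ; push edx ; push imm32 ; ret
    # The ret goes to the pushed immediate; edx+imm stays on the stack as the
    # return address the called code will come back to.
    if code[off:off + 2] == b"\x81\xC2" and code[off + 6:off + 8] == b"\x52\x68" \
            and code[off + 12:off + 13] == b"\xC3":
        imm = struct.unpack_from("<I", code, off + 2)[0]
        target = struct.unpack_from("<I", code, off + 8)[0]
        return target, edx + imm
    return None

def trace(code: bytes, base: int, off: int = 0):
    """Follow chained stubs while they stay inside `code`; the last state is
    the first transfer that leaves the buffer, i.e. the real destination."""
    states, edx = [], 0
    while 0 <= off < len(code):
        step = resolve_stub(code, base, off, edx)
        if step is None:
            break
        eip, edx = step
        states.append((eip, edx))
        off = eip - base
    return states

if __name__ == "__main__":
    print([f"{e:#x}/{d:#x}" for e, d in trace(ENTRY_CODE, ENTRY_VA)])
    # 0x8048196 decrypts to 0x94, which is not part of a stub; the first body stub starts at 0x8048197.
    print([f"{e:#x}/{d:#x}" for e, d in trace(decrypt(BODY_ENC), BODY_VA, off=1)])
```

    The entry chain resolves to a jump to 0x80480c2 (the mov esi, 0x8048196 that sets up the decryption) with 0x804809e left as the return address, which matches the eip gdb stopped at once the loop's retn at 0x8048195 executed.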

  10. #10
    and i meant this when i talked about your decryption
    oh, thats just fine

    EDIT: oh the libbfd, well .... its for objdump and alike tools, which in my case all fuck up. gdb doesnt use it, yes.

    regards, 0xf001
