神刀安全网

DON’T HATE “THE HACKER”, HATE THE CODE.- PART 2

Let’s say we are again given an executable of a program written in C and compiled with gcc. When we run the executable with a password, it checks whether that password is valid.

What if we can’t figure it out with the traditional methods like strings or ltrace, because the password is not hardcoded in the executable? That alone is a clue that the password is being validated on the fly. As previously discussed, we can recover the password if it is hardcoded in the program and strcmp (or similar) is used, so the way to overcome that is to use a hash.

For the experiment: the executable crackme is available here.

Things to try when an executable is given:

Run the executable with and without input.

strings  -d ./crackme

ltrace ./crackme

No luck with strings, ltrace or strace. How about objdump? It is good, but radare2 gives a graphical representation of the control flow alongside the disassembly.

r2 ./crackme

We see a couple of calls such as printf and puts, and one that could be a checksum (explained later).

In general, any password checker takes an input and validates it against something. Let’s take the words “reverse engineering” seriously: how about writing a program equivalent to the one we are given? But one problem at a time.

The skeleton of the program:

What could the condition be, if we had some unknown function checksum?

First, what is a checksum?

Checksum (as per Wikipedia): a checksum or hash sum is a small-size datum from a block of digital data for the purpose of detecting errors which may have been introduced during its transmission or storage.

Let’s assume we had a checksum. The skeleton would now look like the following.

Now it’s time to figure out what the checksum value is being compared to.

It’s right there in the assembly: the compare happens against 0xdee, whose decimal equivalent is 3566.

By understanding and interpreting the assembly, we can recreate the checksum.

Our C program can be completed as below.

We have the program, and we know how to get the password 😉. We can try the program with inputs until the checksum value comes out as 3566.

Isn’t it tedious to run the program over and over to hit the exact checksum value?

How about creating a script that generates a random valid password for crackme? 😀
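As an added example (not part of the original post), here is such a generator in Python. The crackme’s real checksum routine is only visible in the screenshots, so a plain byte sum is assumed in its place; the target 0xdee is the constant from the disassembly above. The acceptance_rate helper shows why comparing against a small checksum is a weak check: many unrelated strings collide with the same value.

```python
import random

# Assumption: the crackme's actual checksum routine is only shown in the
# screenshots above; a plain byte sum stands in for it here. Any checksum
# that folds many inputs into one small integer shares the same weakness.
def checksum(password: str) -> int:
    return sum(password.encode("ascii"))

TARGET = 0xdee  # the constant the binary compares against: 3566 decimal

# Printable non-space ASCII is the contiguous byte range 33..126, so the
# final character can always be chosen to close the remaining gap exactly.
LO, HI = 33, 126


def verify(password: str) -> bool:
    """Mirror of the binary's condition: accept iff checksum == TARGET."""
    return checksum(password) == TARGET


def make_password(seed=None) -> str:
    """Generate a random printable string whose checksum is exactly TARGET."""
    rng = random.Random(seed)
    chars = []
    remaining = TARGET
    while remaining > HI:
        code = rng.randint(LO, HI)
        if remaining - code < LO:
            continue  # would leave too little for the closing character
        chars.append(chr(code))
        remaining -= code
    chars.append(chr(remaining))  # remaining now lies within [LO, HI]
    return "".join(chars)


def acceptance_rate(length: int, trials: int, seed=0) -> float:
    """Fraction of uniformly random strings of this length that pass verify()."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        candidate = "".join(chr(rng.randint(LO, HI)) for _ in range(length))
        hits += verify(candidate)
    return hits / trials


if __name__ == "__main__":
    pw = make_password(1)
    print(pw, checksum(pw), verify(pw))
    # around 45 characters, purely random strings hit TARGET noticeably often
    print(acceptance_rate(45, 20000))
```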

How about an infernum challenge: patch crackme so that any password will work. The change should touch the fewest possible bytes.

We cannot just edit the executable’s bytes blindly. If you still want to, the questions are: where exactly do you edit, and how do you edit without corrupting the file?

One answer would be gdb.

I found here a good document on the way to patch the executable using gdb.

Tada! Congrats!!!! The cracked file is available here.
