The ELF header is completely mangled: it points to a section header table somewhere out in the middle of nowhere, which doesn't exist, and that makes the programs that read ELF files choke:
$ chmod +x crackme.03.32; ./!$
chmod +x crackme.03.32; ./crackme.03.32
Try to find the string of success and make me print it.
$ readelf -h crackme.03.32
readelf: Error: Unable to read in 0x140c bytes of section headers
ELF Header:
Magic: 7f 45 4c 46 01 00 00 00 00 00 00 00 00 00 01 00
Class: ELF32
Data: none
Version: 0
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x10020
Entry point address: 0x10020
Start of program headers: 4 (bytes into file)
Start of section headers: 3224447667 (bytes into file)
Flags: 0x12eb40
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 5132 (bytes)
Number of section headers: 31888
Section header string table index: 44439 <corrupt: out of range>
readelf: Error: Unable to read in 0x9c116c0 bytes of section headers
$ gdb -q ./crackme.03.32
"/home/fernando/downloads/crackme.03.32": not in executable format: File format
not recognized
(gdb)
$ objdump -dM intel ./crackme.03.32
objdump: ./crackme.03.32: File format not recognized
I chose to disassemble without interpreting the file format, using udcli. readelf already gave the hint that the ELF header is 52 bytes, so the code starts at 0x34:
$ udcli crackme.03.32
0000000000000000 7f45 jg 0x47
0000000000000002 4c dec esp
0000000000000003 46 inc esi
0000000000000004 0100 add [eax], eax
0000000000000006 0000 add [eax], al
0000000000000008 0000 add [eax], al
000000000000000a 0000 add [eax], al
000000000000000c 0000 add [eax], al
000000000000000e 0100 add [eax], eax
0000000000000010 0200 add al, [eax]
0000000000000012 0300 add eax, [eax]
0000000000000014 2000 and [eax], al
0000000000000016 0100 add [eax], eax
0000000000000018 2000 and [eax], al
000000000000001a 0100 add [eax], eax
000000000000001c 0400 add al, 0x0
000000000000001e 0000 add [eax], al
0000000000000020 b32a mov bl, 0x2a
0000000000000022 31c0 xor eax, eax
0000000000000024 40 inc eax
0000000000000025 eb12 jmp 0x39
0000000000000027 003400 add [eax+eax], dh
000000000000002a 2000 and [eax], al
000000000000002c 0100 add [eax], eax
000000000000002e 0c14 or al, 0x14
0000000000000030 90 nop
0000000000000031 7c97 jl 0xffffffffffffffca
0000000000000033 ad lodsd
0000000000000034 b6b6 mov dh, 0xb6
0000000000000036 c6c0bf mov al, 0xbf
0000000000000039 29c9 sub ecx, ecx
000000000000003b b900000100 mov ecx, 0x10000
0000000000000040 31d2 xor edx, edx
0000000000000042 31db xor ebx, ebx
0000000000000044 8a19 mov bl, [ecx]
0000000000000046 01da add edx, ebx
0000000000000048 41 inc ecx
0000000000000049 81f92e000100 cmp ecx, 0x1002e
000000000000004f 75f3 jnz 0x44
0000000000000051 c1e202 shl edx, 0x2
0000000000000054 663b152e000100 cmp dx, [0x1002e]
000000000000005b 7529 jnz 0x86
000000000000005d 31ed xor ebp, ebp
000000000000005f 89d7 mov edi, edx
0000000000000061 45 inc ebp
0000000000000062 b810800000 mov eax, 0x8010
0000000000000067 45 inc ebp
0000000000000068 f7e5 mul ebp
000000000000006a 96 xchg esi, eax
000000000000006b 89f0 mov eax, esi
000000000000006d 662b0514000100 sub ax, [0x10014]
0000000000000074 7510 jnz 0x86
0000000000000076 29fe sub esi, edi
0000000000000078 6681f614ec xor si, 0xec14
000000000000007d 7507 jnz 0x86
000000000000007f eb01 jmp 0x82
0000000000000081 d431 aam 0x31
0000000000000083 c0755e29 shl byte [ebp+0x5e], 0x29
0000000000000087 d2743854 shl [eax+edi+0x54], cl
000000000000008b 7279 jb 0x106
000000000000008d 20746f20 and [edi+ebp*2+0x20], dh
0000000000000091 66696e642074 imul bp, [esi+0x64], 0x7420
0000000000000097 6865207374 push dword 0x74732065
000000000000009c 7269 jb 0x107
000000000000009e 6e outsb
000000000000009f 67206f66 and [bx+0x66], ch
00000000000000a3 207375 and [ebx+0x75], dh
00000000000000a6 636365 arpl [ebx+0x65], sp
00000000000000a9 7373 jae 0x11e
00000000000000ab 20616e and [ecx+0x6e], ah
00000000000000ae 64206d61 and [fs:ebp+0x61], ch
00000000000000b2 6b65206d imul esp, [ebp+0x20], 0x6d
00000000000000b6 65207072 and [gs:eax+0x72], dh
00000000000000ba 696e742069742e imul ebp, [esi+0x74], 0x2e746920
00000000000000c1 0ab804000000 or bh, [eax+0x4]
00000000000000c7 bb01000000 mov ebx, 0x1
00000000000000cc b98a000100 mov ecx, 0x1008a
00000000000000d1 ba38000000 mov edx, 0x38
00000000000000d6 cd80 int 0x80
00000000000000d8 b801000000 mov eax, 0x1
00000000000000dd bb00000000 mov ebx, 0x0
00000000000000e2 cd80 int 0x80
00000000000000e4 31d2 xor edx, edx
00000000000000e6 6839000100 push dword 0x10039
00000000000000eb 66832c240b sub word [esp], 0xb
00000000000000f0 5e pop esi
00000000000000f1 8d7601 lea esi, [esi+0x1]
00000000000000f4 29c9 sub ecx, ecx
00000000000000f6 75ec jnz 0xe4
00000000000000f8 46 inc esi
00000000000000f9 eb01 jmp 0xfc
00000000000000fb c3 ret
00000000000000fc 8a16 mov dl, [esi]
00000000000000fe 88140c mov [esp+ecx], dl
0000000000000101 41 inc ecx
0000000000000102 83f909 cmp ecx, 0x9
0000000000000105 75f1 jnz 0xf8
0000000000000107 29d2 sub edx, edx
0000000000000109 31c9 xor ecx, ecx
000000000000010b 41 inc ecx
000000000000010c 8a140c mov dl, [esp+ecx]
000000000000010f 80ea09 sub dl, 0x9
0000000000000112 80f2ac xor dl, 0xac
0000000000000115 eb02 jmp 0x119
0000000000000117 e84132540c call 0xc54335d
000000000000011c ff88140c83f9 dec dword [eax+0xf9830c14]
0000000000000122 0875e6 or [ebp-0x1a], dh
0000000000000125 41 inc ecx
0000000000000126 c6040c0a mov byte [esp+ecx], 0xa
000000000000012a 49 dec ecx
000000000000012b 87d1 xchg ecx, edx
000000000000012d 42 inc edx
000000000000012e 44 inc esp
000000000000012f eb01 jmp 0x132
0000000000000131 e8b8040000 call 0x5ee
0000000000000136 00bb01000000 add [ebx+0x1], bh
000000000000013c 89e1 mov ecx, esp
000000000000013e 60 pushad
000000000000013f 31c9 xor ecx, ecx
0000000000000141 51 push ecx
0000000000000142 b900000100 mov ecx, 0x10000
0000000000000147 5a pop edx
0000000000000148 89d3 mov ebx, edx
000000000000014a 8a19 mov bl, [ecx]
000000000000014c 01da add edx, ebx
000000000000014e 41 inc ecx
000000000000014f 81f972010100 cmp ecx, 0x10172
0000000000000155 75f3 jnz 0x14a
0000000000000157 eb01 jmp 0x15a
0000000000000159 cd66 int 0x66
000000000000015b 3b1572010100 cmp edx, [0x10172]
0000000000000161 0f851fffffff jnz dword 0x86
0000000000000167 61 popad
0000000000000168 eb01 jmp 0x16b
000000000000016a c9 leave
000000000000016b cd80 int 0x80
000000000000016d e966ffffff jmp 0xd8
0000000000000172 6d insd
0000000000000173 7f invalid
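readelf's complaints above all trace back to a handful of header fields, and the loop at 0x39-0x5b in the listing shows why they look the way they do: the binary sums the first 0x2e bytes of its own header, shifts the sum left by 2 and compares the low word with the word at 0x1002e, i.e. with e_shentsize. As an added example (not the crackme author's code), this Python parses the header transcribed from the udcli dump, lists what a tool would object to, reproduces that self-check and builds a copy with the section-header fields zeroed; the function names and the 0x174 file size (the end of the udcli listing) are my assumptions.

```python
import struct

# The 52-byte ELF32 header of crackme.03.32, transcribed from the udcli byte
# dump above (file offsets 0x00-0x33); constructed here as the example input.
HEADER = bytes.fromhex(
    "7f454c46" "01000000" "00000000" "00000100"     # e_ident
    "0200" "0300" "20000100" "20000100" "04000000"  # e_type .. e_phoff
    "b32a31c0" "40eb1200"                           # e_shoff, e_flags
    "3400" "2000" "0100" "0c14" "907c" "97ad")      # e_ehsize .. e_shstrndx
FILE_SIZE = 0x174  # assumption: the udcli listing ends at offset 0x173
FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
          "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
          "e_shnum", "e_shstrndx")

def parse_elf32_header(data):
    """Decode the little-endian ELF32 header into a dict of named fields."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not an ELF32 file")
    return dict(zip(FIELDS, struct.unpack_from("<HHIIIIIHHHHHH", data, 16)))

def header_findings(hdr, file_size):
    """List the inconsistencies that make readelf, objdump and gdb give up."""
    found = []
    if hdr["e_phoff"] < hdr["e_ehsize"]:
        found.append("program header table overlaps the ELF header")
    if hdr["e_shnum"] and hdr["e_shoff"] + hdr["e_shentsize"] * hdr["e_shnum"] > file_size:
        found.append("section header table lies outside the file")
    if hdr["e_shentsize"] not in (0, 40):  # sizeof(Elf32_Shdr) == 40
        found.append("e_shentsize is not sizeof(Elf32_Shdr)")
    if hdr["e_shnum"] and hdr["e_shstrndx"] >= hdr["e_shnum"]:
        found.append("e_shstrndx out of range")
    return found

def header_checksum(data):
    """The check in the loop at 0x39-0x5b: sum bytes 0x00..0x2d, shift left by 2
    and keep the low word (the code compares dx with the word at 0x1002e)."""
    return (sum(data[:0x2e]) << 2) & 0xFFFF

def stored_checksum(data):
    """The word at 0x2e: nominally e_shentsize, really the expected checksum."""
    return struct.unpack_from("<H", data, 0x2e)[0]

def sanitize(data):
    """Zero e_shoff, e_shentsize, e_shnum and e_shstrndx, which the kernel loader
    never reads, so readelf stops failing on the section table. Static analysis
    only: the copy no longer passes the self-check above."""
    return data[:0x20] + bytes(4) + data[0x24:0x2e] + bytes(6)
```

Because e_phoff is 4, bytes 0x04-0x23 double as the program header, so "fixing" e_ident (EI_DATA and EI_VERSION are both 0 here) would also change p_type and stop the kernel from loading the segment. The three patches at the end of the write-up (0xd6, 0xd7, 0x158) all lie outside the 0x00-0x2d range, which is why this first self-check still passes on the patched file.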
At the end of the first loop there is a jump to 0x86, but the disassembly obfuscation keeps us from reading what is actually at that address:
0000000000000083 c0755e29 shl byte [ebp+0x5e], 0x29
0000000000000087 d2743854 shl [eax+edi+0x54], cl
If we NOP out bytes 0x84 and 0x85, the disassembler can then show the instruction that starts at 0x86 (I used hte for this):
00000084 90 nop
00000085 90 nop
00000086 29d2 sub edx, edx
00000088 7438 jz 0xc2
Next comes a jump to 0xc2, which will always be taken because the sub set the zero flag. At 0xc2, more obfuscation. NOPing 0xc1:
000000c2 b804000000 mov eax, 0x4
000000c7 bb01000000 mov ebx, 0x1
000000cc b98a000100 mov ecx, 0001008a
000000d1 ba38000000 mov edx, 0x38
000000d6 cd80 int 0x80
000000d8 b801000000 mov eax, 0x1
000000dd bb00000000 mov ebx, 0x0
000000e2 cd80 int 0x80
The sys_write of 56 characters becomes visible there; that is the string the program normally prints. And a sys_exit right after it. Since I didn't want it to print the initial string or exit, at 0xd6 I put a jump to just past the sys_exit:
000000d6 eb0c jmp 0xe4
000000d8 b801000000 mov eax, 0x1
000000dd bb00000000 mov ebx, 0x0
000000e2 cd80 int 0x80
000000e4 31d2 xor edx, edx
And now:
$ ./crackme.03.32
Segmentation fault
Heh. Following the program flow, we see at the end:
0000013e 60 pushad
0000013f 31c9 xor ecx, ecx
00000141 51 push ecx
00000142 b900000100 mov ecx, 00010000
00000147 5a pop edx
00000148 89d3 mov ebx, edx
0000014a 8a19 mov bl, [ecx]
0000014c 01da add edx, ebx
0000014e 41 inc ecx
0000014f 81f972010100 cmp ecx, 00010172
00000155 75f3 jnz 0x14a
00000157 eb01 jmp 0x15a
00000159 cd66 int 0x66
0000015b 3b1572010100 cmp edx, [00010172]
00000161 0f851fffffff jnz 0x86
00000167 61 popad
00000168 eb01 jmp 0x16b
0000016a c9 leave
0000016b cd80 int 0x80
0000016d e966ffffff jmp 0xd8
00000172 6d insd
00000173 7f db 0x7f
The pushad saves the values of all the registers on the stack and must be followed by a popad (at least that is what you would expect). After it comes the algorithm that dynamically generates another string, and at 0x16b we have an int 0x80, which will result in some syscall. The segfault happens when the loop finishes, at 0x155. If we deobfuscate 0x15a, we see a comparison of dx with what is at 0x10172, which is invalid, hence the segfault. The trick is to jump straight to the popad, so that the pushed values go back into the registers and the sys_write setup is ready for the int 0x80. So I took advantage of the jmp 0x15a at 0x157 to jump to the popad:
00000157 eb0e jmp 0x167
00000159 cd66 int 0x66
0000015b 3b1572010100 cmp edx, [00010172]
00000161 0f851fffffff jnz 0x86
00000167 61 popad
And there it is...
$ ./crackme.03.32
Omedetou
3 bytes changed in total:
0xd6 cd -> eb
0xd7 80 -> 0c
0x158 01 -> 0e
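The loop at 0xe4-0x12e in the listing is what builds the string the patched binary prints: it copies the nine bytes at file offsets 0x30-0x38 (the tail of the corrupted ELF header) onto the stack and decodes them in place before the sys_write at 0x132. The following is an added example, not part of the original write-up, that re-implements that loop in Python over the bytes transcribed from the udcli dump; the name decode_success_string is mine, and the xor with the previous byte comes from decoding the bytes 32 54 0c ff at 0x119, which udcli mis-synchronised as part of a call.

```python
# Bytes 0x00-0x38 of crackme.03.32, transcribed from the udcli listing above;
# the nine bytes at 0x30-0x38 are the encoded success string. Constructed here.
IMAGE = bytes.fromhex(
    "7f454c46" "01000000" "00000000" "00000100"
    "02000300" "20000100" "20000100" "04000000"
    "b32a31c0" "40eb1200" "34002000" "01000c14"
    "907c97ad" "b6b6c6c0" "bf")

def decode_success_string(image, src=0x30, count=9):
    """Emulate 0xe4-0x12e: copy `count` bytes from `src` to a stack buffer, then
    for i = 1..count-1 set buf[i] = ((buf[i] - 9) ^ 0xac) ^ buf[i-1] (the xor
    with buf[i-1] is the 'xor dl, [esp+ecx-1]' hidden at 0x119), append the
    newline stored at 0x126, and return what the sys_write at 0x132 emits:
    `count` bytes starting at buf[1] (the 'inc esp' at 0x12e skips buf[0])."""
    buf = bytearray(image[src:src + count])
    for i in range(1, count):                 # ecx runs 1..8; loop ends at cmp ecx, 8
        buf[i] = ((buf[i] - 9) & 0xFF) ^ 0xAC ^ buf[i - 1]
    buf.append(0x0A)                          # mov byte [esp+ecx], 0xa with ecx == 9
    return bytes(buf[1:1 + count])            # edx = 9 bytes, starting at buf[1]
```

Each decoded byte depends on the previous one, so a single flipped byte in 0x30-0x38 corrupts the rest of the output; that is also why the author had to leave the header bytes alone and redirect control flow instead.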