Security_RNRF
0x05. Body
5. Reversing and Cracking first simple Program - bin.0x05
: Content
-> gdb(GNU Debugger)
-> Control-Flow
-> changing behaviour - cracking the program
: git install
-> sudo apt-get install git
: Download “license_1”
-> git clone https://github.com/LiveOverflow/liveoverflow_youtube.git
: gdb ./license
-> set disassembly-flavor intel
-> disassemble main
-> 0x00000000004005bd <+0>: push rbp
0x00000000004005be <+1>: mov rbp,rsp
0x00000000004005c1 <+4>: sub rsp,0x10
0x00000000004005c5 <+8>: mov DWORD PTR [rbp-0x4],edi
0x00000000004005c8 <+11>: mov QWORD PTR [rbp-0x10],rsi
0x00000000004005cc <+15>: cmp DWORD PTR [rbp-0x4],0x2
0x00000000004005d0 <+19>: jne 0x400623 <main+102>
0x00000000004005d2 <+21>: mov rax,QWORD PTR [rbp-0x10]
0x00000000004005d6 <+25>: add rax,0x8
0x00000000004005da <+29>: mov rax,QWORD PTR [rax]
0x00000000004005dd <+32>: mov rsi,rax
0x00000000004005e0 <+35>: mov edi,0x4006c4
0x00000000004005e5 <+40>: mov eax,0x0
0x00000000004005ea <+45>: call 0x400490 <printf@plt>
0x00000000004005ef <+50>: mov rax,QWORD PTR [rbp-0x10]
0x00000000004005f3 <+54>: add rax,0x8
0x00000000004005f7 <+58>: mov rax,QWORD PTR [rax]
0x00000000004005fa <+61>: mov esi,0x4006da
0x00000000004005ff <+66>: mov rdi,rax
0x0000000000400602 <+69>: call 0x4004b0 <strcmp@plt>
0x0000000000400607 <+74>: test eax,eax
0x0000000000400609 <+76>: jne 0x400617 <main+90>
0x000000000040060b <+78>: mov edi,0x4006ea
0x0000000000400610 <+83>: call 0x400480 <puts@plt>
0x0000000000400615 <+88>: jmp 0x40062d <main+112>
0x0000000000400617 <+90>: mov edi,0x4006fa
0x000000000040061c <+95>: call 0x400480 <puts@plt>
0x0000000000400621 <+100>: jmp 0x40062d <main+112>
0x0000000000400623 <+102>: mov edi,0x400701
0x0000000000400628 <+107>: call 0x400480 <puts@plt>
0x000000000040062d <+112>: mov eax,0x0
0x0000000000400632 <+117>: leave
0x0000000000400633 <+118>: ret
-> info registers
rax 0x4005bd 4195773
rbx 0x0 0
rcx 0x400640 4195904
rdx 0x7fffffffe008 140737488347144
rsi 0x7fffffffdff8 140737488347128
rdi 0x1 1
rbp 0x400640 0x400640 <__libc_csu_init>
rsp 0x7fffffffdf18 0x7fffffffdf18
r8 0x7ffff7dd0d80 140737351847296
r9 0x7ffff7dd0d80 140737351847296
r10 0x3 3
r11 0x7ffff7a05ab0 140737347869360
r12 0x4004d0 4195536
r13 0x7fffffffdff0 140737488347120
r14 0x0 0
r15 0x0 0
rip 0x4005bd 0x4005bd <main>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
-> si
-> 0x00000000004005be in main ()
-> info registers
rax 0x4005bd 4195773
rbx 0x0 0
rcx 0x400640 4195904
rdx 0x7fffffffe008 140737488347144
rsi 0x7fffffffdff8 140737488347128
rdi 0x1 1
rbp 0x400640 0x400640 <__libc_csu_init>
rsp 0x7fffffffdf10 0x7fffffffdf10
r8 0x7ffff7dd0d80 140737351847296
r9 0x7ffff7dd0d80 140737351847296
r10 0x3 3
r11 0x7ffff7a05ab0 140737347869360
r12 0x4004d0 4195536
r13 0x7fffffffdff0 140737488347120
r14 0x0 0
r15 0x0 0
rip 0x4005be 0x4005be <main+1>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
-> ni
-> 0x00000000004005c1 in main ()
-> (Enter Key)
-> 0x00000000004005c5 in main ()
-> (Enter Key)
-> 0x00000000004005c8 in main ()
-> (Enter Key)
-> 0x00000000004005cc in main ()
-> (Enter Key)
-> 0x00000000004005d0 in main () # Did you notice when we jumped?
-> (Enter Key)
-> 0x0000000000400623 in main ()
-> (Enter Key)
-> 0x0000000000400628 in main ()
-> (Enter Key)
-> Usage: <key>
0x000000000040062d in main ()
-> (Enter Key)
-> 0x0000000000400632 in main ()
-> (Enter Key)
-> 0x0000000000400633 in main ()
-> (Enter Key)
-> __libc_start_main (main=0x4005bd <main>, argc=1, argv=0x7fffffffdff8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffdfe8) at ../csu/libc-start.c:344
344 ../csu/libc-start.c: 그런 파일이나 디렉터리가 없습니다.
: Let’s run the program again, but this time with a random license key.
-> run AAAA-KEY-1234
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/rnrf/liveoverflow_youtube/0x05_simple_crackme_intro_assembler/license_1 AAAA-KEY-1234
Breakpoint 1, 0x00000000004005bd in main ()
-> ni
-> 0x00000000004005be in main ()
-> (Enter Key)
-> 0x00000000004005c1 in main ()
-> (Enter Key)
-> 0x00000000004005c5 in main ()
-> (Enter Key)
-> 0x00000000004005c8 in main ()
-> (Enter Key)
-> 0x00000000004005cc in main ()
-> (Enter Key)
-> 0x00000000004005d0 in main () # Now we are at “5d0” again, will we jump this time?
-> (Enter Key)
-> 0x00000000004005d2 in main () # No! Cool! So the next branch we expect is at “609”.
-> (Enter Key)
-> 0x00000000004005d6 in main ()
-> (Enter Key)
-> 0x00000000004005da in main ()
-> (Enter Key)
-> 0x00000000004005dd in main ()
-> (Enter Key)
-> 0x00000000004005e0 in main ()
-> (Enter Key)
-> 0x00000000004005e5 in main ()
-> (Enter Key)
-> 0x00000000004005ea in main ()
-> (Enter Key)
-> Checking License: AAAA-KEY-1234
0x00000000004005ef in main () # So that “printf” is the info that a license key will be checked.
-> (Enter Key)
-> 0x00000000004005f3 in main ()
-> (Enter Key)
-> 0x00000000004005f7 in main ()
-> (Enter Key)
-> 0x00000000004005fa in main ()
-> (Enter Key)
-> 0x00000000004005ff in main ()
-> (Enter Key)
-> 0x0000000000400602 in main ()
-> (Enter Key)
-> 0x0000000000400607 in main ()
-> (Enter Key)
-> 0x0000000000400609 in main () # We arrived at “609”. Let’s see where we are afterwards.
-> (Enter Key)
-> 0x0000000000400617 in main () # At “617”. So we did jump, which means that the “strcmp” failed.
-> (Enter Key)
-> 0x000000000040061c in main ()
-> (Enter Key)
-> WRONG! # And when we continue with “ni”, we see that it’s “WRONG!”.
0x0000000000400621 in main ()
: Let’s set a breakpoint just before the last compare and run the program again.
-> break *0x0000000000400607
-> Breakpoint 2 at 0x400607
-> run OVER-FLOW-KEY-1234
-> The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/rnrf/liveoverflow_youtube/0x05_simple_crackme_intro_assembler/license_1 OVER-FLOW-KEY-1234
Breakpoint 1, 0x00000000004005bd in main ()
-> continue
-> Continuing.
Checking License: OVER-FLOW-KEY-1234
Breakpoint 2, 0x0000000000400607 in main () # Now stopped before we execute the “test eax, eax”.
-> “EAX” just refers to the lower 32 bits of the 64-bit “RAX” register.
-> info registers
rax 0xe 14 # Its value is hex “0xe”.
rbx 0x0 0
rcx 0x0 0
rdx 0x41 65
rsi 0x4006da 4196058
rdi 0x7fffffffe35f 140737488347999
rbp 0x7fffffffdef0 0x7fffffffdef0
rsp 0x7fffffffdee0 0x7fffffffdee0
r8 0x0 0
r9 0x12 18
r10 0x3 3
r11 0x7ffff7a8de70 140737348427376
r12 0x4004d0 4195536
r13 0x7fffffffdfd0 140737488347088
r14 0x0 0
r15 0x0 0
rip 0x400607 0x400607 <main+74>
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
: Let's set this to 0, which would indicate that the "strcmp" was correct and returned a "0".
-> set $eax=0
-> info registers
rax 0x0 0 # It is now “0”.
rbx 0x0 0
rcx 0x0 0
rdx 0x41 65
rsi 0x4006da 4196058
rdi 0x7fffffffe35f 140737488347999
rbp 0x7fffffffdef0 0x7fffffffdef0
rsp 0x7fffffffdee0 0x7fffffffdee0
r8 0x0 0
r9 0x12 18
r10 0x3 3
r11 0x7ffff7a8de70 140737348427376
r12 0x4004d0 4195536
r13 0x7fffffffdfd0 140737488347088
r14 0x0 0
r15 0x0 0
rip 0x400607 0x400607 <main+74>
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
-> ni
-> 0x0000000000400609 in main ()
-> (Enter Key)
-> 0x000000000040060b in main ()
-> (Enter Key)
-> 0x0000000000400610 in main ()
-> (Enter Key)
-> Access Granted!
0x0000000000400615 in main ()
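The control flow traced by hand above can also be checked without a debugger. The following Python script is an added example, not code from the page or from the LiveOverflow repository: it parses the `disassemble main` listing shown earlier, collects the branch targets inside main, and follows the flow for the three cases seen in the session (no key, a wrong key where strcmp returned 0xe, the correct key) plus the patched run where `set $eax=0` is applied at 0x400607 before `test eax,eax`. Only the instructions that decide the flow in this particular listing are modelled (the argc compare, `test eax,eax`, `jne`, `jmp`, `call`, `ret`); the string each `puts` prints is labelled from the output observed in the session. The license key itself is not on the page and is not needed here: the walker takes strcmp's return value as an input.

```python
import re

# gdb `disassemble main` output (Intel syntax) for license_1, copied from the session above.
DISASSEMBLY = """
0x00000000004005bd <+0>: push rbp
0x00000000004005be <+1>: mov rbp,rsp
0x00000000004005c1 <+4>: sub rsp,0x10
0x00000000004005c5 <+8>: mov DWORD PTR [rbp-0x4],edi
0x00000000004005c8 <+11>: mov QWORD PTR [rbp-0x10],rsi
0x00000000004005cc <+15>: cmp DWORD PTR [rbp-0x4],0x2
0x00000000004005d0 <+19>: jne 0x400623 <main+102>
0x00000000004005d2 <+21>: mov rax,QWORD PTR [rbp-0x10]
0x00000000004005d6 <+25>: add rax,0x8
0x00000000004005da <+29>: mov rax,QWORD PTR [rax]
0x00000000004005dd <+32>: mov rsi,rax
0x00000000004005e0 <+35>: mov edi,0x4006c4
0x00000000004005e5 <+40>: mov eax,0x0
0x00000000004005ea <+45>: call 0x400490 <printf@plt>
0x00000000004005ef <+50>: mov rax,QWORD PTR [rbp-0x10]
0x00000000004005f3 <+54>: add rax,0x8
0x00000000004005f7 <+58>: mov rax,QWORD PTR [rax]
0x00000000004005fa <+61>: mov esi,0x4006da
0x00000000004005ff <+66>: mov rdi,rax
0x0000000000400602 <+69>: call 0x4004b0 <strcmp@plt>
0x0000000000400607 <+74>: test eax,eax
0x0000000000400609 <+76>: jne 0x400617 <main+90>
0x000000000040060b <+78>: mov edi,0x4006ea
0x0000000000400610 <+83>: call 0x400480 <puts@plt>
0x0000000000400615 <+88>: jmp 0x40062d <main+112>
0x0000000000400617 <+90>: mov edi,0x4006fa
0x000000000040061c <+95>: call 0x400480 <puts@plt>
0x0000000000400621 <+100>: jmp 0x40062d <main+112>
0x0000000000400623 <+102>: mov edi,0x400701
0x0000000000400628 <+107>: call 0x400480 <puts@plt>
0x000000000040062d <+112>: mov eax,0x0
0x0000000000400632 <+117>: leave
0x0000000000400633 <+118>: ret
"""

# What each puts() address printed in the gdb session on the page (labels, not the binary's data).
STRINGS = {0x4006ea: "Access Granted!", 0x4006fa: "WRONG!", 0x400701: "Usage: <key>"}

LINE_RE = re.compile(r"^\s*0x([0-9a-f]+)\s+<\+\d+>:\s+(\S+)(?:\s+(.*?))?\s*$")


def parse(listing):
    # addr -> (mnemonic, operand string), in listing order
    insns = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns[int(m.group(1), 16)] = (m.group(2), m.group(3) or "")
    return insns


def target_of(ops):
    # first hex address in an operand string: '0x400623 <main+102>' -> 0x400623
    return int(re.search(r"0x[0-9a-f]+", ops).group(0), 16)


def branch_targets(insns):
    # addresses reached by a jump: the points where the flow can change
    return {target_of(ops) for mnem, ops in insns.values() if mnem.startswith("j")}


def walk(insns, argc, strcmp_result, patch_eax_at=None):
    # Follow main for a given argc and strcmp() return value; patch_eax_at mimics
    # gdb's `set $eax=0` when the walk reaches that address. Returns (messages, path).
    addrs = sorted(insns)
    pc, eax, edi, zf = addrs[0], 0, 0, False
    printed, path = [], []
    while True:
        if pc == patch_eax_at:
            eax = 0
        path.append(pc)
        mnem, ops = insns[pc]
        nxt = addrs[addrs.index(pc) + 1] if pc != addrs[-1] else None
        if mnem == "cmp" and ops.startswith("DWORD PTR [rbp-0x4]"):   # argc check
            zf = argc == int(ops.rsplit(",", 1)[1], 16)
        elif mnem == "test" and ops == "eax,eax":                     # strcmp result check
            zf = eax == 0
        elif mnem == "mov" and ops.startswith("edi,0x"):             # string passed to puts
            edi = int(ops.split(",")[1], 16)
        elif mnem == "mov" and ops.startswith("eax,0x"):
            eax = int(ops.split(",")[1], 16)
        elif mnem == "call":
            if "strcmp" in ops:
                eax = strcmp_result
            elif "puts" in ops:
                printed.append(STRINGS.get(edi, hex(edi)))
        elif mnem == "jne":
            nxt = nxt if zf else target_of(ops)
        elif mnem == "jmp":
            nxt = target_of(ops)
        elif mnem == "ret":
            return printed, path
        pc = nxt


if __name__ == "__main__":
    insns = parse(DISASSEMBLY)
    print("branch targets:", [hex(a) for a in sorted(branch_targets(insns))])
    cases = [("no key (argc=1)", dict(argc=1, strcmp_result=0)),
             ("wrong key (strcmp=0xe)", dict(argc=2, strcmp_result=0xe)),
             ("right key (strcmp=0)", dict(argc=2, strcmp_result=0)),
             ("wrong key, $eax=0 at 0x400607", dict(argc=2, strcmp_result=0xe, patch_eax_at=0x400607))]
    for label, kw in cases:
        printed, path = walk(insns, **kw)
        print(f"{label}: {printed}, {len(path)} instructions executed")
```

Running it reproduces the session: argc=1 lands at 0x400623 and prints the usage line, a non-zero strcmp result takes the `jne` at 0x400609 to the WRONG! block, and forcing eax to 0 just before `test eax,eax` makes the same run end in the Access Granted! block, which is exactly what `set $eax=0` did in gdb.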
Tips. Disassembly (GDB) - print it out and use a pen
-> Don't forget to ignore most things and focus on the actual flow.
: Other disassembler / debugger programs
-> hopperapp(www.hopperapp.com/)
-> IDA(www.hex-rays.com/products/ida/)
-> radare2(github.com/radare/radare2)