0x00pf
(pico)
May 24, 2016, 5:00pm
1
Hi Everybody!
Inspired by @TheDoctor, I started working on a small side project involving some crackmes, and I would appreciate your feedback/comments (if the binary works on your system, how easy/difficult you found the challenge, …)
The program is encoded at the end of this post. To get the binary, save the text below in a file named c1.bin and then run:
cat c1.bin | base64 -d | gunzip > c1
chmod +x c1
The objective is to get the success message not necessarily finding the password.
Looking forward to your feedback.
THE CODE
5 Likes
pry0cc
(Leader & Offsec Engineer & Forum Daddy)
May 24, 2016, 8:41pm
2
This runs on my machine. If it wasn’t you that posted it, I don’t think I would’ve run it. Running a random binary with no source is kind of scary xD
As for cracking it, I have no idea where to start.
3 Likes
0x00pf
(pico)
May 24, 2016, 8:44pm
3
A little help… A version without symbols stripped + a hint
Hint: Look for strncmp
NEW CODE
pry0cc
(Leader & Offsec Engineer & Forum Daddy)
May 24, 2016, 8:50pm
4
I’m sorry. I don’t know how I am supposed to do this? I am literally a total binary/debugging noob.
I ran strings on the generated binary from the base64, but that didn’t really help me. Any pointers? I need you to be really explicit. SORRY FOR THE N00BISHNESS.
0x00pf
(pico)
May 24, 2016, 8:51pm
5
Thanks, @pry0cc. I hadn’t realized that I could have used this to trojanize all your computers.
Let’s see if the second binary (this is also safe, just a bit bigger) and hint helps to crack it!
Thanks again for checking and trusting
0x00pf
(pico)
May 24, 2016, 9:09pm
6
OK, strings does not work on this one. I did it on purpose as I think everybody will know how to do that by now.
In this case, it is better to use the second dump (the one with symbols). This one contains the symbols, so you can see the libc functions called by the application. You can approach the crack in two main ways.
Open the binary in a debugger and start setting breakpoints to figure out where the key is used and how it is used.
Use objdump -d to get an assembler dump of the binary and do static analysis
In any case, when you find the relevant part of the program you will have to patch the binary. Actually finding the password is a bit tricky…
Hope this helps. I will be posting a solution tomorrow or the day after if nobody does it earlier.
Thanks for the feedback on the difficulty, this is very useful
1 Like
Reverse engineer it, lel
Though I suggest you start with the basics before going into Reverse Engineering.
dtm
May 25, 2016, 4:47am
10
Solution to the original code:
Binary patching:
After extracting the ELF binary, open it up in a disassembler
Perform a strings analysis and locate any obvious strings’ position(s) in the executable code
Find the conditional ‘jz’ instruction and patch it with an unconditional jmp, i.e. bytes 74 05 should become EB 05
???
Profit!
1 Like
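The byte-level step from the solution above (74 05 becomes EB 05), as an added example that is not part of the original thread: it locates a short jz, checks the opcode before changing it, and confirms that the branch target is unchanged. The function names and the SAMPLE byte sequence are constructed for illustration and are not taken from the crackme binary.

```python
# Added example: helper names and SAMPLE are constructed, not from the crackme.
JZ_REL8 = 0x74   # jz/je rel8
JMP_REL8 = 0xEB  # jmp rel8


def rel8_target(code: bytes, off: int) -> int:
    """Return the offset a 2-byte short jump at `off` transfers control to."""
    disp = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
    return off + 2 + disp  # rel8 is relative to the end of the instruction


def find_jz_rel8(code: bytes, disp: int) -> list[int]:
    """Offsets where the byte pair 74 <disp> occurs (candidates only:
    the same bytes can also appear inside other instructions or data)."""
    pat = bytes([JZ_REL8, disp & 0xFF])
    hits, i = [], code.find(pat)
    while i != -1:
        hits.append(i)
        i = code.find(pat, i + 1)
    return hits


def patch_jz_to_jmp(code: bytes, off: int) -> bytes:
    """Return a copy with the jz at `off` made unconditional; refuse if the
    byte there is not 0x74, so a wrong offset never corrupts the file."""
    if off < 0 or off + 2 > len(code):
        raise ValueError("offset outside buffer")
    if code[off] != JZ_REL8:
        raise ValueError(f"expected 0x74 at {off:#x}, found {code[off]:#04x}")
    out = bytearray(code)
    out[off] = JMP_REL8
    return bytes(out)


# Constructed sample (assumed shape: compare, test result, branch on zero).
SAMPLE = bytes.fromhex(
    "e800000000"    # call rel32 (placeholder displacement)
    "85c0"          # test eax, eax
    "7405"          # jz +5 -> skips the next 5 bytes
    "e900000000"    # jmp rel32 (failure path, placeholder)
    "90c3"          # nop; ret (stands in for the success path)
)

if __name__ == "__main__":
    (off,) = find_jz_rel8(SAMPLE, 5)
    patched = patch_jz_to_jmp(SAMPLE, off)
    print(hex(off), patched[off:off + 2].hex(), hex(rel8_target(patched, off)))
```

Only the opcode byte changes; the displacement byte stays 05, so the patched jump lands on the same instruction the original jz reached when the comparison succeeded.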
0x00pf
(pico)
May 25, 2016, 5:00am
11
You are the best @dtm !!!
How would you qualify the difficulty level?..
1 Like
dtm
May 25, 2016, 5:14am
12
I’m not that great, honestly. It was pretty easy for me because I had some prior experience with this sort of thing. I haven’t explored enough of RE to develop an understanding of the range of difficulty for challenges.
1 Like
xusheng
(xusheng)
July 20, 2020, 9:22am
13
Nice and enjoyable! Though not hard
1 Like
If you find it too easy (patching) then I’d suggest to turn on some good music from the Jackson 5 on auto-repeat and have a go at finding the password.
It’s fun!