Reverseme – Trivial Linux

This one is pretty darn easy. It’s written in assembly, it’s very small.

You can download the executable at this link:  crackme2

The tricky part on this one was all the weird assembly instruction which I’m not used to. For example, there’s no printf, it’s done with system calls. Anyway, witha debugger it was really easy to figure out what the password is, because it loads it into memory right before it compares it to what you entered. I basically used the same tools as in this one.

Anyway, here’s a disassembly with notes:

Disassembly of section .text:

08048080 <.text>:
8048080: b8 04 00 00 00 mov $0x4,%eax
8048085: bb 01 00 00 00 mov $0x1,%ebx
804808a: b9 f8 90 04 08 mov $0x80490f8,%ecx ; password
804808f: ba 0d 00 00 00 mov $0xd,%edx
8048094: cd 80 int $0x80 ;print it out probably
8048096: ba 00 01 00 00 mov $0x100,%edx
804809b: b9 1b 91 04 08 mov $0x804911b,%ecx
80480a0: bb 00 00 00 00 mov $0x0,%ebx
80480a5: b8 03 00 00 00 mov $0x3,%eax
80480aa: cd 80 int $0x80 ;input the junk probably
80480ac: be 26 91 04 08 mov $0x8049126,%esi ;”QTBXCTU”
80480b1: 89 f7 mov %esi,%edi
80480b3: 31 db xor %ebx,%ebx
80480b5: fc cld ;clear the direction flag
#break
80480b6: ac lods %ds:(%esi),%al ;load string, 81 to al
80480b7: 34 21 xor $0x21,%al
80480b9: aa stos %al,%es:(%edi) ; string store
80480ba: 43 inc %ebx
80480bb: 81 fb 07 00 00 00 cmp $0x7,%ebx
#while ebx!=7
80480c1: 74 02 je 0x80480c5
80480c3: e2 f1 loop 0x80480b6
#break 7
80480c5: be 1b 91 04 08 mov $0x804911b,%esi ;user pass
80480ca: bf 26 91 04 08 mov $0x8049126,%edi ;pucybut
80480cf: b9 07 00 00 00 mov $0x7,%ecx
80480d4: fc cld
80480d5: f3 a6 repz cmpsb %es:(%edi),%ds:(%esi)
#break 8
80480d7: 75 16 jne 0x80480ef
80480d9: b8 04 00 00 00 mov $0x4,%eax
80480de: bb 01 00 00 00 mov $0x1,%ebx
80480e3: b9 05 91 04 08 mov $0x8049105,%ecx
80480e8: ba 16 00 00 00 mov $0x16,%edx
80480ed: cd 80 int $0x80
80480ef: b8 01 00 00 00 mov $0x1,%eax
80480f4: cd 80 int $0x80

I didn’t read through most of this very carefully. The important stuff is here:
80480c5: be 1b 91 04 08 mov $0x804911b,%esi ;user pass
80480ca: bf 26 91 04 08 mov $0x8049126,%edi ;pucybut
80480cf: b9 07 00 00 00 mov $0x7,%ecx
80480d4: fc cld
80480d5: f3 a6 repz cmpsb %es:(%edi),%ds:(%esi)

In gdb, you can see this by going x 0x8049126, which contains pucybut.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s