Title: Defeating lincrackme2
Date: 2012-08-22 13:43

You can get the crackme here. The readme says:

> This is a linux crackme (32 and 64 bit). The goal is to obtain the
> correct key (there's just one valid key).
>
> The crackme implements simple anti-debugging/anti-disassembling tricks
> you'll have to bypass to get the key. Thus, the purpose is to learn
> these tricks and how to bypass them to achieve your goal.
>
> This crackme is part of a series of crackmes I'll be publishing with
> different tricks, so people can learn more about these techniques in
> Linux.
>
> Patching is allowed as last resource only.
> The key generation method is not complicated, because it's not the
> goal of the crackme.
>
> Have fun!
>
> My own solution (and maybe some of yours) will be published here:
> http://securityetalii.es

    :::bash
    $ file lincrackme2
    lincrackme2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x326adbcd600fd137f96f5b359d842759481c659d, stripped

Shared libs? Nice. What can ltrace tell us about it?

    :::bash
    $ ltrace ./lincrackme2
    __libc_start_main(0x804860a, 1, 0xff9cf3c4, 0x8048790, 0x8048780
    close(3) = -1
    malloc(9) = 0x08624008
    printf("You can enter the key now: ") = 27
    close(3) = -1
    getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20You can enter the key now: 1234
    ) = 49
    getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20) = 50
    getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20) = 51
    getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20) = 52
    getchar(3, 0, 0xff9cf328, 0xf7585c2f, 0xf76dca20) = 10
    puts("Wrong Key. Looks like you suck a"...Wrong Key. Looks like you suck at this.
    ) = 40
    +++ exited (status 1) +++

Wrong key; we suck at guessing, ok. But we can see a *malloc(9)*: maybe the key is 8 characters long (plus the terminating '\0').
    :::bash
    $ ltrace ./lincrackme2
    __libc_start_main(0x804860a, 1, 0xffcd3214, 0x8048790, 0x8048780
    close(3) = -1
    malloc(9) = 0x091ae008
    printf("You can enter the key now: ") = 27
    close(3) = -1
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20You can enter the key now: 12345678
    ) = 49
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 50
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 51
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 52
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 53
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 54
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 55
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 56
    getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 10
    strncmp("IEEAAEEI", "12345678", 9) = 1
    puts("Wrong Key. Looks like you suck a"...Wrong Key. Looks like you suck at this.
    ) = 40
    +++ exited (status 1) +++

Oh, a strncmp between **IEEAAEEI** and our key, over 9 chars.

    :::bash
    $ ./lincrackme2
    You can enter the key now: IEEAAEEI
    OK. You passed! Next crackme will be released soon ^_^

Easy.
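The whole solve comes down to reading two facts out of the ltrace log: the size passed to malloc and the string that a libc comparison routine checked our input against. As an added example (not code from the original post), here is a small Python script that pulls exactly those two facts out of ltrace output. The sample log is constructed to mirror the session above, and the function names (`parse_ltrace`, `heap_sizes`, `compared_against`, `analyse`) are my own.

```python
import re

# Constructed sample: the relevant lines of an ltrace session, in the
# same shape as the output shown above (program output interleaving removed).
SAMPLE_LTRACE = """\
__libc_start_main(0x804860a, 1, 0xffcd3214, 0x8048790, 0x8048780
close(3) = -1
malloc(9) = 0x091ae008
printf("You can enter the key now: ") = 27
close(3) = -1
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 49
getchar(3, 0, 0xffcd3178, 0xf75fec2f, 0xf7755a20) = 10
strncmp("IEEAAEEI", "12345678", 9) = 1
puts("Wrong Key. Looks like you suck a"...) = 40
+++ exited (status 1) +++
"""

# One completed library call per line: name(args) = return value.
CALL_RE = re.compile(r'^(?P<func>[A-Za-z_]\w*)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$')
# A C string literal as ltrace prints it, escaped characters allowed.
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# libc routines that compare the user's input against something else.
COMPARE_FUNCS = ('strcmp', 'strncmp', 'strcasecmp', 'strncasecmp', 'memcmp')


def parse_ltrace(text):
    """Return a list of (function, raw_args, return_value) for each completed call."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append((m.group('func'), m.group('args'), m.group('ret')))
    return calls


def heap_sizes(calls):
    """Sizes requested from malloc; the 9 is what hinted at an 8-char key here."""
    return [int(args) for func, args, _ in calls
            if func == 'malloc' and args.strip().isdigit()]


def compared_against(calls, user_input):
    """Strings that a libc comparison checked our input against.

    Each entry is (function, other_string, declared_length_or_None).
    """
    hits = []
    for func, args, _ in calls:
        if func not in COMPARE_FUNCS:
            continue
        strings = STR_RE.findall(args)
        if user_input not in strings:
            continue
        # Trailing length argument, if the call had one (strncmp / memcmp).
        tail = args.rsplit(',', 1)[-1].strip()
        length = int(tail) if tail.isdigit() else None
        for s in strings:
            if s != user_input:
                hits.append((func, s, length))
    return hits


def analyse(text, user_input):
    """Summarise what one run leaked: candidate key lengths and compared-against strings."""
    calls = parse_ltrace(text)
    return {
        # Subtract the NUL terminator from each allocation size.
        'key_lengths': [n - 1 for n in heap_sizes(calls)],
        'compared': compared_against(calls, user_input),
    }


if __name__ == '__main__':
    print(analyse(SAMPLE_LTRACE, '12345678'))
```

Run it against a captured `ltrace` log with the input you typed (`analyse(open('trace.log').read(), '12345678')`). The same script also makes the lesson for anyone writing a check like this one explicit: any program that hands a secret to a dynamically linked libc comparison in cleartext shows it to ltrace, so comparing a digest of the input, or at least not routing the comparison through an imported symbol, is what denies this shortcut.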