ARTeam ezine 4th

Page 59


0x000003FD  83c004          eax += 0x4              ; 4
0x00000400  83ec0c          esp -= 0xc              ; 12
0x00000403  ff30            push dword [eax]
0x00000405  e8befeffff      call 0x2C8              ; 2 = sym_strlen
0x0000040A  83c410          esp += 0x10             ; 16
0x0000040D  83f80a          cmp eax, 0xa
0x00000410  741f            jz 0x431                ; 3 = sym_main+0x6d
0x00000412  83ec08          esp -= 0x8              ; 8
0x00000415  ff75fc          push dword [ebp-0x4]
0x00000418  680d870408      push dword 0x804870d    ; "GoodSerial!"+0
0x0000041D  e8c6feffff      call 0x2E8              ; 4 = sym_printf
0x00000422  83c410          esp += 0x10             ; 16
0x00000425  c745ec00000000  dword [ebp-0x14] = 0x0
0x0000042C  e9a8010000      goto 0x5D9              ; 5 = sym_main+0x215
0x00000431  90              nop

Listing 1
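The call, jz and goto targets shown in Listing 1 are not stored in the bytes; radare computes them from the signed displacement that follows the opcode, relative to the address of the next instruction. The following Python is an added example (not from the ezine or from radare) that performs that computation on the three control-flow instructions of the listing and maps a file offset to the virtual address used for the breakpoint later in this section; the image base 0x08048000 is an assumption inferred from offset 0x431 corresponding to 0x8048431, and all function names are hypothetical.

```python
import struct

# Assumption: the ELF is mapped at 0x08048000, which is why file offset 0x431
# becomes the breakpoint address 0x08048431 in the debugging session.
IMAGE_BASE = 0x08048000

# Constructed from Listing 1: (file offset, instruction bytes) of the three
# relative branches whose targets radare annotates as 0x2C8, 0x431 and 0x5D9.
LISTING = [
    (0x405, "e8befeffff"),  # call rel32  -> sym_strlen
    (0x410, "741f"),        # jz   rel8   -> sym_main+0x6d
    (0x42C, "e9a8010000"),  # jmp  rel32  -> sym_main+0x215
]


def branch_target(offset, hexbytes):
    """Resolve a relative call/jcc/jmp: target = offset + length + signed disp."""
    code = bytes.fromhex(hexbytes)
    op = code[0]
    if op in (0xE8, 0xE9):                                   # call / jmp rel32
        length, disp = 5, struct.unpack("<i", code[1:5])[0]
    elif 0x70 <= op <= 0x7F or op == 0xEB:                   # jcc / jmp short rel8
        length, disp = 2, struct.unpack("<b", code[1:2])[0]
    elif op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:  # jcc rel32
        length, disp = 6, struct.unpack("<i", code[2:6])[0]
    else:
        raise ValueError(f"not a relative branch: {hexbytes}")
    if len(code) != length:
        raise ValueError(f"unexpected instruction length for {hexbytes}")
    # The displacement is added to the address of the *next* instruction.
    return (offset + length + disp) & 0xFFFFFFFF


def to_va(offset):
    """File offset -> virtual address under the assumed image base."""
    return IMAGE_BASE + offset


def resolve_listing(listing=LISTING):
    """Map each branch offset in the listing to its resolved target offset."""
    return {off: branch_target(off, hb) for off, hb in listing}


if __name__ == "__main__":
    for off, tgt in resolve_listing().items():
        print(f"{off:#06x} -> {tgt:#06x}  (VA {to_va(tgt):#010x})")
    print(f"nop at {to_va(0x431):#010x}")
```

Running it reproduces the listing's annotations (0x2C8, 0x431, 0x5D9) and confirms that the nop at offset 0x431 is the 0x8048431 used for the breakpoint.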

From the above listing, we can roughly conclude that the serial MUST be of length 10, otherwise it will printf "BadSerial!". Now let's attach a debugger to it using the following command line and give the program a serial of length 10, abcdefghij:

[root@home Desktop]# radare dbg://"crkme1-linux32 abcdefghij"
argv = 'crkme1-linux32', 'abcdefghij', ]
Program 'crkme1-linux32 abcdefghij'
open debugger ro crkme1-linux32 abcdefghij
Message of the day:
Find hexpairs with '/x a0 cc 33'
Automagically flagging crkme1-linux32
15 symbols added.
17 strings added.
15 syscalls added.
flag 'entry' at 0x08048300 and size 00
[0x43169810]>

What we should do next is to set a breakpoint at the address where the nop starts; in this case it is 0x8048431.

[0x43169810]> !bp 0x08048431
new breakpoint at 0x8048431
[0x43169810]> !cont
cont: breakpoint stop (0x8048431)
[0x43169810]> V

Press 'V' without the quotes and you will get something like below.

Handy Primer on Linux Reversing by Gunther


