Crackme 6: ELF, no ptrace

Mar 15, 2018

Link: https://www.root-me.org/en/Challenges/Cracking/ELF-Ptrace (binary)

This program has some protections against debugging, and running it in a debugger fails immediately:

$ /re/crackme/6/ch3.bin
############################################################
##        Bienvennue dans ce challenge de cracking        ##
############################################################

Password : test

Wrong password.

$ gdb /re/crackme/6/ch3.bin
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
[...]
Reading symbols from /re/crackme/6/ch3.bin...(no debugging symbols found)...done.
(gdb) r
Starting program: /re/crackme/6/ch3.bin
Debugger detecté ... Exit
[Inferior 1 (process 534) exited with code 01]

Disassembling main in Hopper or gdb shows a copy of a string into the local variable at ebp - 0xc. Let’s call it secret.

mov        dword [ebp-0xc], aKsuiealohgy ; "ksuiealohgy"

Then we see that if a call to ptrace fails, we stop the program:

push       0x0
push       0x1
push       0x0
push       0x0          ; argument "__request" for method ptrace
call       ptrace       ; ptrace
add        esp, 0x10
test       eax, eax
jns        loc_8048436

An easy way to skip this would be to replace this code with NOPs (no-ops) and the jump from a conditional to an unconditional jump.

Once we’ve bypassed this step, the control flow heads to a block where a password is read using fgets and stored in a local variable at ebp - 0x16.

lea        eax, dword [ebp-0x16]
push       eax          ; argument #1 for method _IO_fgets
call       _IO_fgets    ; _IO_fgets

and we jump into some code right after a label named _notng:

lea        eax, dword [_notng] ; _notng
inc        eax
jmp        eax

The beginning of notng is kind of strange, and gets to a HLT instruction which will stop the program:

08048497         mov        eax, 0x8bea558a                                     ; DATA XREF=main+158
0804849c         inc        ebp
0804849d         hlt

But here we’re going to eax + 1, so we can re-write the first byte as a NOP and ask Hopper to re-interpret the rest. Much better! We now have something that makes much more sense. Here’s our first byte, skipped:

_notng:
08048497         nop                                                            ; DATA XREF=main+158

And the rest at 0x08048498 is now comparing the two local buffers. dl successively takes each byte of our input, and al the expected bytes. Here, if input[0] != secret[4] (‘e’), we fail:

08048498         mov        dl, byte [ebp-0x16]
0804849b         mov        eax, dword [ebp-0xc]
0804849e         add        eax, 0x4
080484a1         mov        al, byte [eax]
080484a3         cmp        dl, al
080484a5         jne        sub_80484e4                                         ; sub_80484e4

Then input[1] (ebp - 0x16 + 1) is compared to secret[5] (‘a’)

080484a7         mov        dl, byte [ebp-0x15]
080484aa         mov        eax, dword [ebp-0xc]
080484ad         add        eax, 0x5
080484b0         mov        al, byte [eax]
080484b2         cmp        dl, al
080484b4         jne        sub_80484e4                                         ; sub_80484e4

Then input[2] to secret[1] (’s’) (notice the inc eax):

080484b6         mov        dl, byte [ebp-0x14]
080484b9         mov        eax, dword [ebp-0xc]
080484bc         inc        eax
080484bd         mov        al, byte [eax]
080484bf         cmp        dl, al
080484c1         jne        sub_80484e4                                         ; sub_80484e4

And finally input[3] to secret[10] (‘y’):

080484c3         mov        dl, byte [ebp-0x13]
080484c6         mov        eax, dword [ebp-0xc]
080484c9         add        eax, 0xa
080484cc         mov        al, byte [eax]
080484ce         cmp        dl, al
080484d0         jne        sub_80484e4     

Let’s try it:

$ /re/crackme/6/ch3.bin
############################################################
##        Bienvennue dans ce challenge de cracking        ##
############################################################

Password : easy

Good password !!!