Showing posts with label reverse-engineering. Show all posts

Friday, September 5, 2008

Reverse engineering on Linux :: CrackMe (1)

The CrackMe is here :: http://www.crackmes.de/users/libertyordeath/libertyordeaths_keygenme_3/

0x8048a18 --> anti-debug
0x80489b0 --> serial can be sniffed from EAX.

name hash is generated here ::

=========================================
0x80488b6 : shl DWORD PTR [ebp-0x220],1 <----- shift.left
0x80488bc : add esi,0x1
0x80488bf : movzx eax,BYTE PTR [esi+ebp*1-0x10f]
0x80488c7 : test al,al
0x80488c9 : je 0x80488de
0x80488cb : test esi,0x1
0x80488d1 : je 0x80488b6
0x80488d3 : movsx eax,al
0x80488d6 : mov DWORD PTR [ebp-0x220],eax
0x80488dc : jmp 0x80488b6
=========================================


hostname hash is generated here ::

=================================================================
0x80488e0 : mov DWORD PTR [ebp-0x224],0x0
0x80488ea : jmp 0x8048904
0x80488ec : lea esi,[esi+eiz*1+0x0]
0x80488f0 : test bl,0x1
0x80488f3 : jne 0x8048901
0x80488f5 : imul eax,ebx <------------
0x80488f8 : imul eax,esi <------------
0x80488fb : mov DWORD PTR [ebp-0x224],eax
0x8048901 : add ebx,0x1
0x8048904 : mov eax,ds:0x80494e4
0x8048909 : mov DWORD PTR [esp],eax
0x804890c : call 0x8048574 <_io_getc@plt>
0x8048911 : cmp eax,0xa
0x8048914 : jne 0x80488f0
===================================================================

Keygen ::


#include <stdio.h>
#include <string.h>

int main ()
{
 char name[30];
 char hostname[30];

 int  i;
 int name_hash = 0;   /* both start at 0; the loops below overwrite, they do not accumulate */
 int host_hash = 0;

 printf("\n[?] Input name : ");
 if (scanf("%29s",name) != 1)          /* width limit keeps the input inside the 30-byte buffer */
  return 1;

 printf("[?] Input hostname : ");
 if (scanf("%29s",hostname) != 1)
  return 1;

 /* even-indexed name characters; only the last one survives, as in the binary */
 for (i=0;i<(int)strlen(name);i+=2)
 {
  name_hash = name[i] * i * (int)strlen(hostname);
 }

 /* odd-indexed hostname characters; again only the last one survives */
 for (i=1;i<(int)strlen(hostname);i+=2)
 {
  host_hash = hostname[i] << 2;
 }

 printf("\n>>> serial = %d-",name_hash+host_hash);

 /* second half of the serial: the even-indexed hostname characters */
 for (i=0;i<(int)strlen(hostname);i+=2)
 {
  putchar(hostname[i]);
 }

 printf("\n\n");
 return 0;
}
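
As an added example (not code from the original post), here are the two loops from the disassembly above translated literally into C, with the serial assembled the way the keygen prints it. It assumes, as the keygen does, that [ebp-0x220] is zero before the shift loop, that ebx starts at 0 and that esi holds strlen(hostname); because the shift is applied once per byte, the emulation also shows how the result depends on the string length's parity, which the keygen's fixed `<< 2` covers for odd-length hostnames.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Loop at 0x80488b6: each pass does shl [ebp-0x220],1, then add esi,1 and fetches
 * the next byte; NUL exits (test al,al / je). On odd esi the byte is sign-extended
 * (movsx) and replaces the running value; on even esi only the shift happens, so the
 * result is the last odd-indexed byte shifted once or twice depending on length parity. */
uint32_t shift_hash(const char *s)
{
    uint32_t h = 0;   /* [ebp-0x220]; assumed zero before the loop */
    int i = -1;       /* esi; incremented before the first fetch */
    for (;;) {
        h <<= 1;
        i++;
        unsigned char c = (unsigned char)s[i];
        if (c == 0) break;
        if (i & 1) h = (uint32_t)(int32_t)(signed char)c;
    }
    return h;
}

/* Loop at 0x80488e0: [ebp-0x224] starts at 0, ebx counts bytes read by _IO_getc until a
 * newline (cmp eax,0xa); for even bl the value becomes char * ebx * esi (two imuls). This
 * reads a string (also stopping at NUL) and assumes ebx = 0 and esi = strlen(hostname). */
uint32_t product_hash(const char *line, uint32_t esi)
{
    uint32_t h = 0, ebx = 0;
    for (const char *p = line; *p != '\n' && *p != '\0'; p++, ebx++)
        if ((ebx & 1) == 0)
            h = (uint32_t)(unsigned char)*p * ebx * esi;  /* getc(): no sign extension */
    return h;
}

/* Builds the serial in the keygen's format: hashes summed and printed as signed
 * decimal, a dash, then the even-indexed hostname bytes. Returns length or -1. */
int make_serial(const char *name, const char *hostname, char *out, size_t outlen)
{
    size_t hlen = strlen(hostname);
    uint32_t sum = product_hash(name, (uint32_t)hlen) + shift_hash(hostname);
    int n = snprintf(out, outlen, "%d-", (int32_t)sum);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t pos = (size_t)n;
    for (size_t i = 0; i < hlen; i += 2) {
        if (pos + 1 >= outlen) return -1;
        out[pos++] = hostname[i];
    }
    out[pos] = '\0';
    return (int)pos;
}
```

For the constructed inputs name "babil" and hostname "abc" both this emulation and the keygen above produce `1688-ac`.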

Writing a tutorial is very boring, but if anyone wants to know any detail, drop me a line and I'll try to explain. The CrackMe was not very difficult anyway.

Thursday, August 7, 2008

"RE" On Linux :: Debugging stripped binaries with GDB


gdb$ info file
This will print the entry point of the file.

Symbols from "/home/babil/Desktop/Keygenme_v3/Keygenme_v3.p2".
Local exec file:
`/home/babil/Desktop/Keygenme_v3/Keygenme_v3.p2', file type elf32-i386.
Entry point: 0x8048610
0x08048114 - 0x08048127 is .interp
0x08048128 - 0x08048148 is .note.ABI-tag
0x08048148 - 0x080481dc is .hash
0x080481dc - 0x08048200 is .gnu.hash
0x08048200 - 0x08048320 is .dynsym
0x08048320 - 0x0804840e is .dynstr
0x0804840e - 0x08048432 is .gnu.version
0x08048434 - 0x08048464 is .gnu.version_r
0x08048464 - 0x08048474 is .rel.dyn
0x08048474 - 0x080484e4 is .rel.plt
0x080484e4 - 0x08048514 is .init
0x08048514 - 0x08048604 is .plt
0x08048610 - 0x08048c0c is .text
0x08048c0c - 0x08048c28 is .fini
0x08048c28 - 0x08048d76 is .rodata
0x08048d78 - 0x08048d7c is .eh_frame
0x08049000 - 0x08049008 is .ctors
0x08049008 - 0x08049010 is .dtors
0x08049010 - 0x08049014 is .jcr
0x08049014 - 0x080490fc is .dynamic
0x080490fc - 0x08049100 is .got
0x08049100 - 0x08049144 is .got.plt
0x08049160 - 0x080494e4 is .data
0x080494e4 - 0x080494f0 is .bss


Now set a temporary breakpoint on that address (don't miss the star before 0x8048610: it tells gdb to break at the address itself rather than at a symbol of that name).
gdb$ tbreak *0x8048610


"RE" On Linux :: Enable core dump


$ ulimit -c 1024
This will enable a maximum core size of 1GB.

$ gdb ./app ./core
Should get you started ;-)