Hi there!
This post shows a simple example of how to crack a binary file. We compile a C file that when compiled will ask for a password. We dissasemble the file, change the assembly instruction that validates the password so any password is considered valid.
On my last post I wrote a simple crack to bypass a binary file. Today I’m gonna give you another example but at this time instead of using a simple unique number as a password, we’re going to change our binary in order of that every password-key entered will validade as true.
Our source file is: cracking-tutorial-2.c
#include <stdio.h>
#include <string.h>
int main (int argc, char *argv[]) {
int i=0;
if (argc < 2){
printf("Error, please type the password key \n");
return 0;
}
if (strcmp(argv[1], "my-secret-key") == 0) {
printf("Congratulations \n");
} else {
printf("Try again \n");
}
return 0;
}
Now, let’s compile and then run the objdump tool to inspect the internal functions and behavior.
objdump -d cracking-tutorial-2 > /tmp/dump.txt
cat /tmp/dump.txt
cracking-tutorial-2: file format elf64-x86-64
Disassembly of section .init:
0000000000400418 <_init>:
400418: 48 83 ec 08 sub $0x8,%rsp
40041c: 48 8b 05 d5 0b 20 00 mov 0x200bd5(%rip),%rax # 600ff8 <_DYNAMIC+0x1d0>
400423: 48 85 c0 test %rax,%rax
400426: 74 05 je 40042d <_init+0x15>
400428: e8 53 00 00 00 callq 400480 <__gmon_start__@plt>
40042d: 48 83 c4 08 add $0x8,%rsp
400431: c3 retq
Disassembly of section .plt:
0000000000400440 <puts@plt-0x10>:
400440: ff 35 c2 0b 20 00 pushq 0x200bc2(%rip) # 601008 <_GLOBAL_OFFSET_TABLE_+0x8>
400446: ff 25 c4 0b 20 00 jmpq *0x200bc4(%rip) # 601010 <_GLOBAL_OFFSET_TABLE_+0x10>
40044c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400450 <puts@plt>:
400450: ff 25 c2 0b 20 00 jmpq *0x200bc2(%rip) # 601018 <_GLOBAL_OFFSET_TABLE_+0x18>
400456: 68 00 00 00 00 pushq $0x0
40045b: e9 e0 ff ff ff jmpq 400440 <_init+0x28>
0000000000400460 <__libc_start_main@plt>:
400460: ff 25 ba 0b 20 00 jmpq *0x200bba(%rip) # 601020 <_GLOBAL_OFFSET_TABLE_+0x20>
400466: 68 01 00 00 00 pushq $0x1
40046b: e9 d0 ff ff ff jmpq 400440 <_init+0x28>
0000000000400470 <strcmp@plt>:
400470: ff 25 b2 0b 20 00 jmpq *0x200bb2(%rip) # 601028 <_GLOBAL_OFFSET_TABLE_+0x28>
400476: 68 02 00 00 00 pushq $0x2
40047b: e9 c0 ff ff ff jmpq 400440 <_init+0x28>
0000000000400480 <__gmon_start__@plt>:
400480: ff 25 aa 0b 20 00 jmpq *0x200baa(%rip) # 601030 <_GLOBAL_OFFSET_TABLE_+0x30>
400486: 68 03 00 00 00 pushq $0x3
40048b: e9 b0 ff ff ff jmpq 400440 <_init+0x28>
Disassembly of section .text:
0000000000400490 <_start>:
400490: 31 ed xor %ebp,%ebp
400492: 49 89 d1 mov %rdx,%r9
400495: 5e pop %rsi
400496: 48 89 e2 mov %rsp,%rdx
400499: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
40049d: 50 push %rax
40049e: 54 push %rsp
40049f: 49 c7 c0 60 06 40 00 mov $0x400660,%r8
4004a6: 48 c7 c1 f0 05 40 00 mov $0x4005f0,%rcx
4004ad: 48 c7 c7 7d 05 40 00 mov $0x40057d,%rdi
4004b4: e8 a7 ff ff ff callq 400460 <__libc_start_main@plt>
4004b9: f4 hlt
4004ba: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
00000000004004c0 <deregister_tm_clones>:
4004c0: b8 4f 10 60 00 mov $0x60104f,%eax
4004c5: 55 push %rbp
4004c6: 48 2d 48 10 60 00 sub $0x601048,%rax
4004cc: 48 83 f8 0e cmp $0xe,%rax
4004d0: 48 89 e5 mov %rsp,%rbp
4004d3: 77 02 ja 4004d7 <deregister_tm_clones+0x17>
4004d5: 5d pop %rbp
4004d6: c3 retq
4004d7: b8 00 00 00 00 mov $0x0,%eax
4004dc: 48 85 c0 test %rax,%rax
4004df: 74 f4 je 4004d5 <deregister_tm_clones+0x15>
4004e1: 5d pop %rbp
4004e2: bf 48 10 60 00 mov $0x601048,%edi
4004e7: ff e0 jmpq *%rax
4004e9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
00000000004004f0 <register_tm_clones>:
4004f0: b8 48 10 60 00 mov $0x601048,%eax
4004f5: 55 push %rbp
4004f6: 48 2d 48 10 60 00 sub $0x601048,%rax
4004fc: 48 c1 f8 03 sar $0x3,%rax
400500: 48 89 e5 mov %rsp,%rbp
400503: 48 89 c2 mov %rax,%rdx
400506: 48 c1 ea 3f shr $0x3f,%rdx
40050a: 48 01 d0 add %rdx,%rax
40050d: 48 d1 f8 sar %rax
400510: 75 02 jne 400514 <register_tm_clones+0x24>
400512: 5d pop %rbp
400513: c3 retq
400514: ba 00 00 00 00 mov $0x0,%edx
400519: 48 85 d2 test %rdx,%rdx
40051c: 74 f4 je 400512 <register_tm_clones+0x22>
40051e: 5d pop %rbp
40051f: 48 89 c6 mov %rax,%rsi
400522: bf 48 10 60 00 mov $0x601048,%edi
400527: ff e2 jmpq *%rdx
400529: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
0000000000400530 <__do_global_dtors_aux>:
400530: 80 3d 11 0b 20 00 00 cmpb $0x0,0x200b11(%rip) # 601048 <__TMC_END__>
400537: 75 11 jne 40054a <__do_global_dtors_aux+0x1a>
400539: 55 push %rbp
40053a: 48 89 e5 mov %rsp,%rbp
40053d: e8 7e ff ff ff callq 4004c0 <deregister_tm_clones>
400542: 5d pop %rbp
400543: c6 05 fe 0a 20 00 01 movb $0x1,0x200afe(%rip) # 601048 <__TMC_END__>
40054a: f3 c3 repz retq
40054c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400550 <frame_dummy>:
400550: 48 83 3d c8 08 20 00 cmpq $0x0,0x2008c8(%rip) # 600e20 <__JCR_END__>
400557: 00
400558: 74 1e je 400578 <frame_dummy+0x28>
40055a: b8 00 00 00 00 mov $0x0,%eax
40055f: 48 85 c0 test %rax,%rax
400562: 74 14 je 400578 <frame_dummy+0x28>
400564: 55 push %rbp
400565: bf 20 0e 60 00 mov $0x600e20,%edi
40056a: 48 89 e5 mov %rsp,%rbp
40056d: ff d0 callq *%rax
40056f: 5d pop %rbp
400570: e9 7b ff ff ff jmpq 4004f0 <register_tm_clones>
400575: 0f 1f 00 nopl (%rax)
400578: e9 73 ff ff ff jmpq 4004f0 <register_tm_clones>
000000000040057d <main>:
40057d: 55 push %rbp
40057e: 48 89 e5 mov %rsp,%rbp
400581: 48 83 ec 20 sub $0x20,%rsp
400585: 89 7d ec mov %edi,-0x14(%rbp)
400588: 48 89 75 e0 mov %rsi,-0x20(%rbp)
40058c: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)
400593: 83 7d ec 01 cmpl $0x1,-0x14(%rbp)
400597: 7f 11 jg 4005aa <main+0x2d>
400599: bf 78 06 40 00 mov $0x400678,%edi
40059e: e8 ad fe ff ff callq 400450 <puts@plt>
4005a3: b8 00 00 00 00 mov $0x0,%eax
4005a8: eb 37 jmp 4005e1 <main+0x64>
4005aa: 48 8b 45 e0 mov -0x20(%rbp),%rax
4005ae: 48 83 c0 08 add $0x8,%rax
4005b2: 48 8b 00 mov (%rax),%rax
4005b5: be 9d 06 40 00 mov $0x40069d,%esi
4005ba: 48 89 c7 mov %rax,%rdi
4005bd: e8 ae fe ff ff callq 400470 <strcmp@plt>
4005c2: 85 c0 test %eax,%eax
4005c4: 75 0c jne 4005d2 <main+0x55>
4005c6: bf ab 06 40 00 mov $0x4006ab,%edi
4005cb: e8 80 fe ff ff callq 400450 <puts@plt>
4005d0: eb 0a jmp 4005dc <main+0x5f>
4005d2: bf bc 06 40 00 mov $0x4006bc,%edi
4005d7: e8 74 fe ff ff callq 400450 <puts@plt>
4005dc: b8 00 00 00 00 mov $0x0,%eax
4005e1: c9 leaveq
4005e2: c3 retq
4005e3: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
4005ea: 00 00 00
4005ed: 0f 1f 00 nopl (%rax)
00000000004005f0 <__libc_csu_init>:
4005f0: 41 57 push %r15
4005f2: 41 89 ff mov %edi,%r15d
4005f5: 41 56 push %r14
4005f7: 49 89 f6 mov %rsi,%r14
4005fa: 41 55 push %r13
4005fc: 49 89 d5 mov %rdx,%r13
4005ff: 41 54 push %r12
400601: 4c 8d 25 08 08 20 00 lea 0x200808(%rip),%r12 # 600e10 <__frame_dummy_init_array_entry>
400608: 55 push %rbp
400609: 48 8d 2d 08 08 20 00 lea 0x200808(%rip),%rbp # 600e18 <__init_array_end>
400610: 53 push %rbx
400611: 4c 29 e5 sub %r12,%rbp
400614: 31 db xor %ebx,%ebx
400616: 48 c1 fd 03 sar $0x3,%rbp
40061a: 48 83 ec 08 sub $0x8,%rsp
40061e: e8 f5 fd ff ff callq 400418 <_init>
400623: 48 85 ed test %rbp,%rbp
400626: 74 1e je 400646 <__libc_csu_init+0x56>
400628: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
40062f: 00
400630: 4c 89 ea mov %r13,%rdx
400633: 4c 89 f6 mov %r14,%rsi
400636: 44 89 ff mov %r15d,%edi
400639: 41 ff 14 dc callq *(%r12,%rbx,8)
40063d: 48 83 c3 01 add $0x1,%rbx
400641: 48 39 eb cmp %rbp,%rbx
400644: 75 ea jne 400630 <__libc_csu_init+0x40>
400646: 48 83 c4 08 add $0x8,%rsp
40064a: 5b pop %rbx
40064b: 5d pop %rbp
40064c: 41 5c pop %r12
40064e: 41 5d pop %r13
400650: 41 5e pop %r14
400652: 41 5f pop %r15
400654: c3 retq
400655: 66 66 2e 0f 1f 84 00 data32 nopw %cs:0x0(%rax,%rax,1)
40065c: 00 00 00 00
0000000000400660 <__libc_csu_fini>:
400660: f3 c3 repz retq
Disassembly of section .fini:
0000000000400664 <_fini>:
400664: 48 83 ec 08 sub $0x8,%rsp
400668: 48 83 c4 08 add $0x8,%rsp
40066c: c3 retq
Memory address, hexadecimal and assembly. Let’s zoom in on the part the really is important to us:
4005bd: e8 ae fe ff ff callq 400470 <strcmp@plt> *** THIS LINE have the strcmp()
4005c2: 85 c0 test %eax,%eax ***
4005c4: 75 0c jne 4005d2 <main+0x55> *** JNE = Jump on Inequality
4005c6: bf ab 06 40 00 mov $0x4006ab,%edi
4005cb: e8 80 fe ff ff callq 400450 <puts@plt>
4005d0: eb 0a jmp 4005dc <main+0x5f>
4005d2: bf bc 06 40 00 mov $0x4006bc,%edi
4005d7: e8 74 fe ff ff callq 400450 <puts@plt>
Ok, let’s invert the logic on JNE:
4005c4: 75 0c jne 4005d2 <main+0x55>
Before we do the trick let’s test the program:
./cracking-tutorial-2 I-do-not-know-the-password
Try again
Now, let’s open the binary using vim:
vim cracking-tutorial-2
And then execute:
ESC + :%!xxd + ENTER
You will see VIM change to HEX mode.
Next, search by the hexadecimal codes we want to replace:
ESC + /750c + ENTER
The coursor will stop exactly on the point we need to replace 75 to 74
that means je instead of jne
After changing you need to exit HEX MODE BEFORE SAVING..
ESC + :%!xxd -r + ENTER
ESC + :x
to save and exit
Now final test:
./cracking-tutorial-2 rodolfo
Congratulations
Hope you enjoyed.
Rodolfo
<< All Posts
Cracking binary files using PHP and some Linux tools