in the name of zero

June 29, 2006

e_entry hijacking

[ out of the blue personal project ]
school work is slowly getting the better of me. that’s bad news. anyway, yesterday, i ditched class to start working on an idea that popped into my head (mainly because i found a new inspiration) for my very own crackme. it will be a very easily crackable crackme. no challenge whatsoever. in a nutshell, i’ll mainly be implementing a simple encrypted binary (hopefully with lots of pitfalls) thru the use of a polymorphic elf virii engine attached at a defined place where i fancy. i still haven’t gotten to the encryption and polymorphic engine part but at least i’ve made some progress with e_entry hijacking.

some rough ideas for the crackme:
a fully working elf binary has its entry point defined in the e_entry field of its header. i’ll manually infect a program to attach the code fragment somewhere, distort every byte of the executable section and then update the entry point to the start of the decryption loop i inserted.

so onto the subject matter at hand - e_entry hijacking.
(more…)
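Turning the scheme above around into a check, here is an added example of my own, not code from the post: a small C routine that parses an ELF64 header and its program headers and reports which executable PT_LOAD segment, if any, contains e_entry. An entry point that lands in a non-executable segment, or outside every segment, is the first thing to look for when a binary is suspected of having its e_entry rewritten. The image it scans is constructed in build_image() with made-up addresses; the struct layouts are spelled out so the file builds without <elf.h>, and their field names mirror the real ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 layout, defined here so the example builds without <elf.h>. */
#define PT_LOAD 1u
#define PF_X    1u

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr_t;                       /* sizeof == 64 */

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr_t;                       /* sizeof == 56 */

/* Return the index of the executable PT_LOAD segment whose virtual address
 * range covers e_entry, -1 if no such segment exists, -2 if the header is
 * not a well-formed ELF64 image. Every offset is bounds-checked against the
 * buffer first: a corrupted header must not make the checker read past it. */
int entry_segment(const unsigned char *img, size_t len)
{
    ehdr_t eh;
    if (len < sizeof eh) return -2;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return -2;
    if (eh.e_phentsize != sizeof(phdr_t) || eh.e_phoff > len) return -2;

    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof(phdr_t);
        if (len - off < sizeof(phdr_t)) return -2;   /* truncated table */
        phdr_t ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_LOAD || !(ph.p_flags & PF_X)) continue;
        if (eh.e_entry >= ph.p_vaddr && eh.e_entry < ph.p_vaddr + ph.p_memsz)
            return i;
    }
    return -1;                  /* e_entry points into no executable segment */
}

/* Constructed sample image (synthetic test data, not a real binary): a header
 * followed by two PT_LOAD segments, a 4 KiB R+X text segment at 0x400000 and
 * a small R+W data segment at 0x600000, with e_entry chosen by the caller. */
size_t build_image(unsigned char *buf, uint64_t entry)
{
    ehdr_t eh = {0};
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;          /* ELFCLASS64 */
    eh.e_ident[5] = 1;          /* little-endian */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;
    eh.e_entry = entry;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(phdr_t);
    eh.e_phnum = 2;

    phdr_t text = { PT_LOAD, PF_X | 4u, 0,      0x400000, 0x400000, 0x1000, 0x1000, 0x1000 };
    phdr_t data = { PT_LOAD, 4u | 2u,   0x1000, 0x600000, 0x600000, 0x100,  0x100,  0x1000 };

    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &text, sizeof text);
    memcpy(buf + sizeof eh + sizeof text, &data, sizeof data);
    return sizeof eh + 2 * sizeof(phdr_t);
}

/* Build the sample with the given entry point and classify it. */
int classify_entry(uint64_t entry)
{
    unsigned char img[64 + 2 * 56];
    size_t n = build_image(img, entry);
    return entry_segment(img, n);
}

int main(void)
{
    printf("entry 0x400500 -> segment %d\n", classify_entry(0x400500)); /* 0: inside text */
    printf("entry 0x600080 -> segment %d\n", classify_entry(0x600080)); /* -1: data is not executable */
    printf("entry 0x700000 -> segment %d\n", classify_entry(0x700000)); /* -1: maps to nothing */
    return 0;
}
```

A fuller checker would go on to compare e_entry against the .text section from the section headers and to look at the byte distribution of the segment it lands in, since a decryption stub placed in a freshly appended executable segment passes this test while its encrypted payload shows up as near-uniform bytes.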

June 25, 2006

mal’akh

Filed under: life and school

mal’akh n. (hebrew) angel. messenger.

i don’t know why, but i suddenly became interested in angels.

[ new desktop ]
blue moon theme, because i’m in love.

also, i’m slowly removing every trace of “steph” i can find in my box. i have a new love now. we recently had a little misunderstanding though, but everything is fine now.

June 24, 2006

anti-anti-ptrace via shared library function overriding in c

Filed under: hermetic studies

i was reading the manpage of ld.so (man 8 ld.so) when i chanced upon the environment variable LD_PRELOAD.

LD_PRELOAD
A whitespace-separated list of additional, user-specified, ELF
shared libraries to be loaded before all others. This can be
used to selectively override functions in other shared
libraries. For setuid/setgid ELF binaries, only libraries in
the standard search directories that are also setuid will be
loaded.

wanting to give function overriding a shot, i decided to make a program that has anti-ptrace to see if i can bypass that without resorting to manual patching. a program would call ptrace() with the PTRACE_TRACEME request, indicating that it wants to be traced by its parent. since only one tracer per process is allowed, this technique works against ptrace()-based applications like strace and gdb.
(more…)
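What the post sets out to do, as an added example that is my own code and not the post's: the anti-ptrace check and the LD_PRELOAD override in one C file, with preprocessor defines selecting which half gets built. The file name antiptrace.c and the library name noptrace.so used in the comments are placeholders.

```c
/* antiptrace.c: one source file, three builds.
 *
 *   cc -DTARGET -o antiptrace antiptrace.c               # the protected program
 *   cc -DSHIM -shared -fPIC -o noptrace.so antiptrace.c  # the LD_PRELOAD shim
 *   cc -o demo antiptrace.c                              # both in one binary (self-test)
 *
 * The protected program calls ptrace(PTRACE_TRACEME); under gdb or strace the
 * kernel refuses a second tracer and the call returns -1, which the program
 * treats as "debugger present". The shim replaces libc's ptrace() so that
 * PTRACE_TRACEME always reports success while every other request is passed
 * to the kernel untouched. Scope the variable to the inferior only, e.g. in
 * gdb: "set environment LD_PRELOAD ./noptrace.so" then "run"; exporting it for
 * the whole session would also fake gdb's own PTRACE_TRACEME when it spawns
 * the inferior. In the combined build the replacement is linked into the
 * executable itself, so it wins over libc's symbol by the same resolution
 * rule a preloaded library relies on. */
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifdef TARGET
#include <sys/ptrace.h>          /* real libc prototype and PTRACE_TRACEME */
#else
#define PTRACE_TRACEME 0
long ptrace(int request, int pid, void *addr, void *data);
#endif

#ifndef TARGET
/* The override. Signature follows the kernel's four-argument form; glibc's
 * wrapper is variadic but passes the same four arguments on x86-64. */
long ptrace(int request, int pid, void *addr, void *data)
{
    if (request == PTRACE_TRACEME)
        return 0;                /* pretend no tracer is attached */
    /* Forward everything else straight to the kernel. This gives raw syscall
     * semantics: PTRACE_PEEK* requests store their result through `data`
     * instead of returning it the way glibc's wrapper does. */
    return syscall(SYS_ptrace, request, pid, addr, data);
}
#endif

#ifndef SHIM
/* The "protection": 1 when ptrace(PTRACE_TRACEME) fails, meaning a tracer
 * already owns this process, 0 otherwise. */
int debugger_detected(void)
{
    return ptrace(PTRACE_TRACEME, 0, 0, 0) == -1;
}

int main(void)
{
    if (debugger_detected()) {
        fprintf(stderr, "tracer detected (errno %d), bailing out\n", errno);
        return 1;
    }
    puts("no tracer seen, running normally");
    return 0;
}
#endif
```

The override only catches calls that the dynamic linker resolves: a statically linked program, or one that issues the request through syscall(SYS_ptrace, ...) itself, never reaches the shim, and, as the man page excerpt above says, the loader ignores LD_PRELOAD for setuid binaries. That is also why the combined build is a fair self-test: the executable's own ptrace definition preempts libc's, so debugger_detected() returns 0 with no tracer involved at all.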

June 23, 2006

Cheers And Tears

all’s well that ends well.

June 21, 2006

lyntut

happy birthday my dear. i hope you’ll like my present for you.

[ birthday easter egg asm message ]
just something i whipped up for a special someone…

; 21 is the magic number that will unlock the message
%define	lynkey	21
	
	global lynlyn			; entry symbol, e.g. ld -e lynlyn
section .text
lynlyn
	mov edx, (egreeter-greeter)	; edx = length of the encoded message, kept for the write below
	lea ecx, [edx-2]		; ecx = bytes to decode, leaving the trailing newline and NUL untouched
	lea edi, [greeter]		; edi -> first encoded byte
dmorph
	mov al, [edi]
	xor al, lynkey			; decode one byte in place
	mov [edi], al
	inc edi
loop	dmorph				; repeat until ecx reaches zero
	
	mov eax, 4			; sys_write
	mov ebx, 1			; fd 1, stdout
	mov ecx, greeter		; buffer; edx still holds the length
	int 0x80
	
	xor eax, eax
	inc eax				; sys_exit
	xor ebx, ebx			; exit status 0
	int 0x80
	
section .data
	greeter	\
	db	0x78,0x6c,0x35,0x71,0x70,0x74,0x67,0x35,0x73,0x67,0x7c,0x70
	db	0x7b,0x71,0x35,0x79,0x6c,0x7b,0x79,0x6c,0x7b,0x39,0x1f,0x1f
	db	0x6c,0x7a,0x60,0x32,0x63,0x70,0x35,0x74,0x79,0x62,0x74,0x6c
	db	0x66,0x35,0x77,0x70,0x70,0x7b,0x35,0x61,0x7d,0x70,0x67,0x70
	db	0x35,0x73,0x7a,0x67,0x35,0x78,0x70,0x35,0x70,0x66,0x65,0x70
	db	0x76,0x7c,0x74,0x79,0x79,0x6c,0x1f,0x71,0x60,0x67,0x7c,0x7b
	db	0x72,0x35,0x78,0x6c,0x35,0x79,0x7a,0x62,0x70,0x66,0x61,0x35
	db	0x78,0x7a,0x78,0x70,0x7b,0x61,0x66,0x3b,0x1f,0x7c,0x35,0x76
	db	0x7a,0x60,0x79,0x71,0x35,0x7b,0x7a,0x61,0x35,0x74,0x66,0x7e
	db	0x35,0x73,0x7a,0x67,0x35,0x74,0x35,0x77,0x70,0x61,0x61,0x70
	db	0x67,0x35,0x73,0x70,0x78,0x74,0x79,0x70,0x35,0x73,0x67,0x7c
	db	0x70,0x7b,0x71,0x3b,0x1f,0x6c,0x7a,0x60,0x35,0x78,0x74,0x6c
	db	0x35,0x7b,0x70,0x63,0x70,0x67,0x35,0x72,0x70,0x61,0x35,0x61
	db	0x7a,0x35,0x67,0x70,0x74,0x71,0x35,0x61,0x7d,0x7c,0x66,0x39
	db	0x35,0x77,0x60,0x61,0x35,0x7c,0x7b,0x76,0x74,0x66,0x70,0x35
	db	0x6c,0x7a,0x60,0x35,0x71,0x7a,0x3b,0x3b,0x3b,0x1f,0x7c,0x35
	db	0x7f,0x60,0x66,0x61,0x35,0x62,0x74,0x7b,0x7b,0x74,0x35,0x66
	db	0x74,0x6c,0x35,0x61,0x7d,0x74,0x7b,0x7e,0x35,0x6c,0x7a,0x60
	db	0x35,0x73,0x7a,0x67,0x35,0x77,0x70,0x7c,0x7b,0x72,0x35,0x78
	db	0x6c,0x35,0x77,0x70,0x66,0x61,0x35,0x73,0x67,0x7c,0x70,0x7b
	db	0x71,0x3b,0x1f,0x65,0x79,0x70,0x74,0x66,0x70,0x35,0x71,0x7a
	db	0x7b,0x32,0x61,0x35,0x70,0x63,0x70,0x67,0x35,0x76,0x7d,0x74
	db	0x7b,0x72,0x70,0x3b,0x35,0x74,0x7b,0x71,0x35,0x7c,0x73,0x35
	db	0x61,0x7d,0x70,0x35,0x71,0x74,0x6c,0x35,0x76,0x7a,0x78,0x70
	db	0x66,0x35,0x62,0x7d,0x70,0x7b,0x1f,0x6c,0x7a,0x60,0x32,0x79
	db	0x79,0x35,0x73,0x7c,0x7b,0x74,0x79,0x79,0x6c,0x35,0x62,0x74
	db	0x79,0x7e,0x35,0x71,0x7a,0x62,0x7b,0x35,0x61,0x7d,0x70,0x35
	db	0x7c,0x66,0x79,0x70,0x35,0x62,0x7c,0x61,0x7d,0x35,0x74,0x7b
	db	0x7a,0x61,0x7d,0x70,0x67,0x35,0x72,0x60,0x6c,0x39,0x1f,0x7c
	db	0x35,0x66,0x62,0x70,0x74,0x67,0x35,0x7c,0x32,0x79,0x79,0x35
	db	0x76,0x67,0x6c,0x3b,0x35,0x7d,0x70,0x32,0x66,0x35,0x61,0x7d
	db	0x70,0x35,0x79,0x60,0x76,0x7e,0x7c,0x70,0x66,0x61,0x35,0x72
	db	0x60,0x6c,0x35,0x7a,0x7b,0x35,0x70,0x74,0x67,0x61,0x7d,0x35
	db	0x77,0x70,0x76,0x74,0x60,0x66,0x70,0x35,0x7a,0x73,0x35,0x6c
	db	0x7a,0x60,0x3b,0x1f,0x1f,0x7d,0x74,0x65,0x65,0x6c,0x35,0x27
	db	0x24,0x35,0x61,0x7d,0x7a,0x60,0x72,0x7d,0x61,0x73,0x60,0x79
	db	0x35,0x6c,0x70,0x74,0x67,0x66,0x35,0x72,0x7a,0x79,0x71,0x7c
	db	0x79,0x7a,0x76,0x7e,0x66,0x3b,0x3b,0x35,0x70,0x66,0x61,0x70
	db	0x35,0x79,0x6c,0x7b,0x61,0x60,0x61,0x34,0x1f,0x1f,0x7c,0x32
	db	0x79,0x79,0x35,0x7e,0x70,0x70,0x65,0x35,0x6c,0x7a,0x60,0x35
	db	0x76,0x79,0x7a,0x66,0x70,0x35,0x61,0x7a,0x35,0x78,0x6c,0x35
	db	0x7d,0x70,0x74,0x67,0x61,0x35,0x61,0x7c,0x79,0x79,0x35,0x61
	db	0x7d,0x70,0x35,0x71,0x74,0x6c,0x35,0x7c,0x35,0x71,0x7c,0x70
	db	0x3b,0x1f,0x1f,0x66,0x7c,0x72,0x7b,0x70,0x71,0x2f,0x1f,0x35
	db	0x38,0x35,0x7b,0x7c,0x70,0x79,0x35,0x74,0x7b,0x61,0x7d,0x7a
	db	0x7b,0x6c,0x35,0x70,0x35,0x74,0x76,0x60,0x7b,0x74,0x3b,0x35
	db	0x25,0x23,0x3a,0x27,0x24,0x3a,0x25,0x23,0x0a,0x00
	egreeter

June 20, 2006

eSn-mIn’s Jandepora

here.

An open source crackme for Linux

oohh, an opensource crackme. this one was rather interesting. i spent the major part of the time commenting the source code and trying out values just to trace program behavior.

the program’s protection algorithm can be divided into three steps. after a vector hash is created out of the user’s name:

a) the serial input is being checked for illegal characters, that is, any character that is not ‘a’, ‘b’ or ‘c’ (small letters).
b) the numbers of a, b and c characters are tested against values corresponding to how many of each the serial must have.
c) check for the right order of a,b and c characters.

before moving further, please open a separate window for my commented jandepora crackme now.

the first two steps were easy to follow in the source code. the last step consisted of opening eight (8) child processes and some pipes to implement the order of characters. a correct-serial or wrong-serial condition is signalled by issuing SIGUSR1 or SIGUSR2 respectively, and only the last fork (fork 7) issues the wrong-serial condition SIGUSR2. this line in particular:

launch(serial, &count, 8, 8, 8, SIGUSR2);

i compiled and ran the program under strace to keep track of the pipes it uses for communication and then modified the launch() function so that it’ll print the fork id of the process that called it. i figured, as long as fork 7 won’t be called when t == _NUM_CHARS_, things will be ok. see the commented jandepora crackme to understand the flow of the forks.

fork 0 - ‘c’
fork 1 - ‘a’
fork 2 - ‘b’
fork 3 - ‘c’
fork 5 - repeat characters.

this would translate to “for every two letter c’s, there is at least one a and one b.”

now, the whole of step three would be an endless loop if it weren’t for _NUM_CHARS_ after all. that arrangement provided a way for me to recycle characters and create a circular loop between the forks too, at least until _NUM_CHARS_. i really didn’t care which fork it would stop on because, after all, they all issue SIGUSR1! perhaps there are other steps, but this one was the most obvious solution to take. in my example, i used the single letter ‘a’ as my name. after the second check, i had already constructed a serial that still had to be checked for correct order.

name: a
serial: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbcccccc

there were 43 ‘a’, 3 ‘b’ and 6 ‘c’

for the second part of the serial, i had ‘cabccabccabc’. subtracting the number of ‘a’ characters used from the total number of ‘a’ (34-3 = 31) and the number of ‘b’ characters used from the total number of ‘b’ (3-3 = 0), i constructed the first part of the serial and arrived at the string ‘aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaacabccabccabc’

i tried it out and here’s what happened:

steph@heaven ~/git/reverse/jandepora $ ./crackme4
eSn-mIn's crackme #4
--------------------
	
[*] Input your user name: a
[*] Input serial number: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaacabccabccabc
[*] Verifying serial number..
[!] Registered x)

success! it worked.. somehow. now i had to construct the keygen. (just had to put the logic i just discovered into working order)
(more…)

June 19, 2006

turning out bad… mostly

everyone (family) is mad at me because i was the one who cooked rice tonight and i overcooked it, so much that the whole thing turned brown (perhaps even crispy; it smelled horrible too). (yes, we have a rice cooker.)

even earlier than that, i bought the wrong signpen. i normally use a g-tec point 3 for writing, but i discovered this morning that the sales lady at the department store gave me the wrong point size. i also bought a big notebook, which turned out to be unnecessary, because i only have four subjects and i don’t write down notes that much.

i bought prepaid so i can go unlimited texting but it turns out, globe’s system isn’t responding to requests since this morning.

the only good thing that happened today, i guess, was when i went to metro bank to deposit. i’ve been keeping this for a long time. (at least until i knew the name of the cute teller) her arms were white. and for sure, her hands, clean, soft. she wears a golden bracelet on her right wrist. a watch on her left. golden necklace around her white neck. no traces of pimples on her face. totally flawless. i guess she never experienced doing any house chores. her nails, neatly polished! and based on how she types on the keyboard (teller keyboard or whatever) and how she counts money and how she sits, she definitely has high class! luckily, i was able to glance at her id while she was not looking and i got her name! i hurried back to school, tried searching at friendster, and immediately got a hit on the first try! bankers suck. and i hate to sit around waiting for the counter to reach the number i’m holding, but i’m not really in any hurry to leave because of that cute (chinese) teller. her uniform makes me wanna whistle too! i wonder if she digs linux? nah.. maybe she doesn’t even know what linux is. any self-respecting (accountancy) cutie will make it a point to not learn anything more than how to use microsoft word, excel, yahoo messenger and internet explorer. i’m not saying they’re stupid. i’m saying that learning beyond those stuff will have an impact on their cool-cute-clueless-accountancy-feminine aura that we schoolboys adore so much. maybe good, maybe bad. depends really.

weee, it’s been accepted!

groovy! my solution to qcrk5 by qnix was accepted. i’m itching to solve and submit more crackme solutions now! (also working out an algorithm for my own crackme atm) :D thanks to the moderators who reviewed my solution.

June 16, 2006

first day high

so i went to school today to attend classes for the first time because my classmates gave me the impression that our philosophy 104 (philo of religion) teacher was a “business is business” jackass. by far, my only real reason for going to school. the color of the day was pink. and the campus was brimming with freshies. i’ll try keeping my thoughts organized today by outlining things from the most significant-important to the least.

[ chicks ]
xandra l was wearing pink. for the first time, i saw her hair untied. was speechless (shocked) so i ended up just pinching her arm. i gave her a second glance though as she walked away. she’s my new love interest.

chris e l was also wearing pink. her cheeks were soo pink too! still small, still cute. and i’m quite happy that my philo classroom is close to her philo classroom! i guess i’ll be seeing more of her this semester-philo time. not to mention, she has cute-sexy classmates as well…but i guess that goes with being a female accounting student anyway. along with that, they’re also the type who’d ace exams and the like. i’ll be glad to see a cute-sexy female accounting student who doesn’t capitalize on getting high grades while being cute-sexy at the same time.

unknown girl at the back canteen who was also wearing pink.

[ subjects and teachers ]
so they’re still teaching assembly in ateneo de zamboanga till now. luckily, the teacher was absent. the other cs teacher was also absent. another plus. i was not in the mood for any lessons after all. and lastly, our philo teacher turns out to be your average strict professor jerk. i’ll try staying on his good side.

[ no more middle schoolers ]
high school has transferred to the new ateneo site at tumaga. no more younglings. there goes another way of life. how are we supposed to celebrate ateneo fiesta from now on? separately? suddenly, the campus felt so spacious.

[ weather ]
rain. for one thing, it wets the clothes of girls and makes them even sexier. besides, after two months of sunshine and blackout, i’m in for some cold weather flirting.

[ archmage ]
i’m playing the-reincarnation dot com. apprentice server.

[ other stuff ]
holy fuck! have you seen the new close up commercial? where a girl was auditioning and sam milby was there? don’t get me wrong though, i could care less if sam was there or not. the background song rocks!!! i wonder who the artist is and what the title is?

June 15, 2006

elf magic: elf header corruption (section information)

[ nonsense ]
steph already has a boyfriend and xiao long nu is about to marry another man. *sigh* my heart will explode anytime soon.

[ back to topic ]
solved two crackmes.
cli3nt’s mycrk
intsig’s Easy_Math
(more…)
