in the name of zero

August 22, 2006

qnix’s qcrk2

before anything else, my recent soundtrip. oldies songs, specifically everly brothers, gin blossoms and “yakap sa dilim” by APO hiking society

so i found time to solve another crackme -qnix’s qcrk2

This is a binary ELF crackme programmed in C for Linux
you should make the program print CRACKED.

Rules : NO PATCHING .
HINT : BOF

Difficulty: 2 - Needs a little brain (or luck)
Platform: Unix/linux etc.
Language: C/C++
(more…)

August 20, 2006

because humor in the philippines comes cheap

the kinds of pinoy programmer link

August 15, 2006

svcd in gentoo linux

the midterms are in full swing. and so far, i’ve finished taking exams in three subjects out of four in one day. i’m free this tuesday and wednesday which will give me more than enough time to brush up for my computer graphics class exam come thursday. as a special treat to myself and to my friend grainne, i plan to transfer some movie files i’m keeping in my hard disk so we can watch them the week after the midterms. they’re of good quality, but watching via computer isn’t particularly exciting as grainne told me. unless you have one of them 5.1 speaker systems and a 21 inch computer screen. but those are rare luxuries here in my city.

so the plan was to make a vcd out of those files. now, i’m one of those few (i guess) who don’t keep kde around. as such, i don’t have the necessary libs for k3b. heck, i don’t even have the full gnome suite installed. only the necessary libs like gtk and stuff. just for survival.

here’s what i did:

1) fetched some ebuilds and placed them in my overlay
2) emerged ffmpeg, vcdimager and cdrdao
3) converted the avis to mpeg (ffmpeg)
4) made a vcd image out of the mpeg (vcdimager)
5) lastly, burned the bin to the cd (cdrdao)

i’m presently enjoying disc 1 of rurouni kenshin oav on our cheap cd/dvd player. :p

August 14, 2006

Hello Planet Larry

Filed under: easter eggs

hi! i’m Niel A. from (far south) Zamboanga City, Philippines. sucks i know, and i wish i was in japan or seoul or in the states. i’m a gentoo linux user for many years now and i spend most of my time experimenting and playing with elf.

cheers,
- niel

Pleonasm

just my philosophy 104 paper…
(more…)

August 9, 2006

MoreBoredThanYou

my second submission at crackmes dot de. get it here.

you know the drill … no patching.

source code available upon request

i’ll post the listing here in my blog and some explanations when a solution has been submitted..

August 3, 2006

improvements

Filed under: hermetic studies

so i’ve improved this program here, “elf header corruption”, to not only zero out some header values but also nullify the section header table - making reconstruction a little harder. it’s version 0.2 and i’m contented with what it does so far.

note: as this tool removes section tables (and section information for that matter), BFD-based tools like “strip” must be run first.

future plan (for now)…
1) completely remove the nullified tables (blocks) to shrink the binary size, like what “strip” does. no idea how to do that as of now.
2) completely remove the actual blocks that the section table entries describe, e.g. .comment and .note. no idea either.

till next.

update
yeah, well, during the weekend, i was able to do actual distorting of section entries like .comment and .shstrtab.
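As an added example that is not the post's tool, here is the same idea in miniature in Python: a constructed ELF64 image with a three-entry section header table, the nullification step the post describes (zero e_shoff/e_shentsize/e_shnum/e_shstrndx, the table itself and the .shstrtab bytes it names sections through), a `section_names` reader standing in for what a BFD-based tool sees, and, for the "future plan", the easy case of shrinking the file: when the section header table is the last thing in the file (the usual linker layout) it can simply be truncated away. All struct layouts are ELF64 little-endian; the field names and sample bytes are assumptions for the demo, not taken from the post's program.

```python
import struct

# ELF64 little-endian layouts (assumed for the sample; the same fields sit at
# different offsets in ELF32).
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # sh_name .. sh_entsize, 64 bytes
EHDR_SIZE = struct.calcsize(EHDR_FMT)
SHDR_SIZE = struct.calcsize(SHDR_FMT)
SHOFF_AT, SHENTSIZE_AT = 40, 58  # e_shoff at 40; e_shentsize/e_shnum/e_shstrndx at 58/60/62


def parse_ehdr(data):
    f = struct.unpack_from(EHDR_FMT, data, 0)
    return {"shoff": f[6], "shentsize": f[11], "shnum": f[12], "shstrndx": f[13]}


def build_sample_elf():
    """Constructed ELF64 image (no program headers, so not loadable): header,
    a one-byte .text, a .shstrtab, and a 3-entry section header table last."""
    text = b"\xc3"                                  # ret
    shstrtab = b"\x00.text\x00.shstrtab\x00"        # names at offsets 1 and 7
    text_off = EHDR_SIZE
    shstr_off = text_off + len(text)
    shoff = shstr_off + len(shstrtab)
    shoff += (-shoff) % 8                           # 8-byte align the table
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9    # ELFCLASS64, LSB, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, 0, 0, shoff, 0,
                       EHDR_SIZE, 0, 0, SHDR_SIZE, 3, 2)
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                       # SHT_NULL
    shdrs += struct.pack(SHDR_FMT, 1, 1, 6, 0, text_off, len(text), 0, 0, 1, 0)       # .text
    shdrs += struct.pack(SHDR_FMT, 7, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)  # .shstrtab
    body = ehdr + text + shstrtab
    return body + b"\x00" * (shoff - len(body)) + shdrs


def section_names(data):
    """Section names via e_shstrndx, the way readelf -S lists them.
    Returns [] when the header carries no usable section information."""
    h = parse_ehdr(data)
    if h["shoff"] == 0 or h["shnum"] == 0 or h["shentsize"] != SHDR_SIZE:
        return []
    end = h["shoff"] + h["shnum"] * SHDR_SIZE
    if end > len(data) or h["shstrndx"] >= h["shnum"]:
        return []
    shdrs = [struct.unpack_from(SHDR_FMT, data, h["shoff"] + i * SHDR_SIZE)
             for i in range(h["shnum"])]
    st = shdrs[h["shstrndx"]]
    strtab = data[st[4]:st[4] + st[5]]              # sh_offset, sh_size of .shstrtab
    names = []
    for sh in shdrs:
        nul = strtab.find(b"\x00", sh[0])
        names.append(strtab[sh[0]:nul].decode("ascii", "replace"))
    return names


def nullify_section_info(data):
    """The post's corruption step in miniature: zero the .shstrtab bytes, the
    section header table, then the header fields that point at it. The file
    size is unchanged; the loader never needed any of this (it uses program
    headers), but readelf/objdump/strip lose the section view."""
    h = parse_ehdr(data)
    out = bytearray(data)
    if h["shoff"] and h["shnum"]:
        table_end = h["shoff"] + h["shnum"] * SHDR_SIZE
        if h["shstrndx"] < h["shnum"]:
            st = struct.unpack_from(SHDR_FMT, data, h["shoff"] + h["shstrndx"] * SHDR_SIZE)
            out[st[4]:st[4] + st[5]] = b"\x00" * st[5]
        out[h["shoff"]:table_end] = b"\x00" * (table_end - h["shoff"])
    struct.pack_into("<Q", out, SHOFF_AT, 0)
    struct.pack_into("<HHH", out, SHENTSIZE_AT, 0, 0, 0)
    return bytes(out)


def drop_trailing_section_table(data):
    """Shrinking variant: if the table is the very last thing in the file,
    truncate at e_shoff instead of leaving a block of zeros. Returns the input
    unchanged otherwise (the table would have to be relocated, not cut)."""
    h = parse_ehdr(data)
    end = h["shoff"] + h["shnum"] * SHDR_SIZE
    if h["shoff"] == 0 or end != len(data):
        return data
    out = bytearray(data[:h["shoff"]])
    struct.pack_into("<Q", out, SHOFF_AT, 0)
    struct.pack_into("<HHH", out, SHENTSIZE_AT, 0, 0, 0)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_elf()
    print("before:", section_names(sample))
    print("after: ", section_names(nullify_section_info(sample)))
    print("size with table:", len(sample), "truncated:", len(drop_trailing_section_table(sample)))
```

The same checks in `section_names` are a reasonable starting point for a triage script: a binary whose e_shoff is zero or whose table runs past the end of the file is either stripped by a tool like this or damaged, and either way the program header view (`readelf -l`) is the one to trust.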

my first encounter with a UPX enforced crackme

i could have saved myself lots of time if i had read some preliminaries regarding qnix’s qcrk1, especially if i’d read this line, “Some of Modefieded UPX Uses”. all the while, i was trying hard to rebuild the section headers and their corresponding section information. oh well, there’s an end to stupidity.

this isn’t really a solution to that crackme. it’s more of my encounter with the UPX implementation the author added to the crackme. i find that more interesting than the actual solving. it was also my first time handling a packed executable. before anything else, a brief introduction to UPX was necessary.

UPX, or “Ultimate Packer for eXecutables”, by Markus Oberhumer & Laszlo Molnar, is a portable, extendable, high-performance executable packer for several different executable formats. It achieves an excellent compression ratio and offers *very* fast decompression.

i emerged UPX and experimented a bit, read the manual[3] and a wikipedia[2] entry about UPX[1].

now, the ptrace approach later on is a bit of an overkill and really not necessary, as the author only modified a signature to disable unpacking. how i discovered the rotten signature is another story. it was simply a matter of studying some strace() logs of upx, and some brief analysis of packed executables against the corrupted signature from the crackme. (and some luck)

suffice it to say that normal UPX-packed executables will have the signature UPX! at a relative offset. in the crackme’s case, the author replaced the signature with ZXC!

misha@heaven ~/git/reverse/needs_a_little_brain/qnix-qcrk1 $ hexdump -s 3362 -n 4 -C qcrk
00000d22  5a 58 43 21                                       |ZXC!|

i replaced those bytes with the correct signature UPX! and was able to decompress/unpack the crackme via upx -d easily. boring. the only problem is, the author clearly stated in his rules “no patching”. so another way was necessary, one that does not involve modifying bytes in the binary.
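An added example (mine, not the author's or UPX's code) of why the rewritten magic matters to an analyst: `upx -d` bails as soon as the 4-byte magic is gone, but the packed program still unpacks itself at run time, so a triage script should not stop at the string check either. The block scans for every copy of the magic, then falls back to two indicators that a rewritten magic leaves behind: an ELF header with no section table (UPX writes its stub without one) and the stub's `$Info:` banner. The sample "packed" file is a constructed stand-in, not a real UPX stub: the `l_info` record layout (checksum, magic, lsize, version, format) is assumed from UPX's stub headers, and the placeholder offsets, program headers and filler are invented for the demo.

```python
import struct

UPX_MAGIC = b"UPX!"
# Banner every stock UPX stub carries; kept as a second, independent indicator.
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"


def section_header_fields(data):
    """(e_shoff, e_shnum) from an ELF32 or ELF64 header; (None, None) if not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None, None
    if data[4] == 1:   # EI_CLASS == ELFCLASS32: e_shoff at 32 (4 bytes), e_shnum at 48
        return struct.unpack_from("<I", data, 32)[0], struct.unpack_from("<H", data, 48)[0]
    if len(data) < 64:
        return None, None
    # ELFCLASS64: e_shoff at 40 (8 bytes), e_shnum at 60
    return struct.unpack_from("<Q", data, 40)[0], struct.unpack_from("<H", data, 60)[0]


def find_magic(data, magic=UPX_MAGIC):
    """Every offset of the 4-byte magic; this string is what 'upx -d' looks for first."""
    offsets, i = [], data.find(magic)
    while i != -1:
        offsets.append(i)
        i = data.find(magic, i + 1)
    return offsets


def packer_indicators(data):
    shoff, shnum = section_header_fields(data)
    return {
        "magic_offsets": find_magic(data),
        "no_section_headers": shoff == 0 and shnum == 0,   # UPX emits its stub without a section table
        "upx_banner": UPX_BANNER in data,
    }


def classify(data):
    ind = packer_indicators(data)
    if ind["magic_offsets"]:
        return "upx: magic intact, upx -d can unpack it"
    if ind["no_section_headers"] and ind["upx_banner"]:
        return "upx: magic rewritten, upx -d refuses but the stub still unpacks at run time"
    return "no upx indicators"


def build_sample_stub(magic=UPX_MAGIC):
    """Constructed stand-in for a packed ELF32 binary, not a real stub: a header
    with e_shoff = e_shnum = 0, two placeholder program headers, an l_info
    record carrying the magic (layout assumed from UPX's stub headers), the
    banner, filler, and a trailing copy of the magic."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9            # ELFCLASS32, LSB, version 1
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x8048000,
                       52, 0, 0, 52, 32, 2, 0, 0, 0)         # e_shoff = e_shnum = 0
    phdrs = b"\x00" * 64                                     # two zeroed placeholder phdrs
    l_info = struct.pack("<I4sHBB", 0, magic, 1700, 0, 0)    # checksum, magic, lsize, version, format
    body = b"\x90" * 200 + UPX_BANNER + b" http://upx.sf.net $" + b"\x90" * 200
    trailer = b"\x00" * 32 + magic + b"\x00" * 28
    return ehdr + phdrs + l_info + body + trailer


if __name__ == "__main__":
    for label, blob in (("stock", build_sample_stub()), ("modified", build_sample_stub(b"ZXC!"))):
        print(label, find_magic(blob), classify(blob))
```

Run against a real file with `classify(open(path, "rb").read())`; a result of "magic rewritten" is exactly the situation in the crackme, where `hexdump` shows the altered bytes at the spot the magic would normally occupy.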

quote from the UPX manual[3]:

A compressed executable consists of the UPX stub and an overlay
which contains the original program in a compressed form.

The UPX stub is a statically linked ELF executable and does
the following at program startup:

1) decompress the overlay to a temporary location in /tmp
2) open the temporary file for reading
3) try to delete the temporary file and start (execve)
the uncompressed program in /tmp using /proc/<pid>/fd/X as
attained by step 2)
4) if that fails, fork off a subprocess to clean up and
start the program in /tmp in the meantime

The UPX stub is about 1700 bytes long, partly written in assembler
and only uses kernel syscalls. It is not linked against any libc.

i verified those steps thru strace() and it does actually make a temporary image in /tmp (with a random filename) and execute the image from /proc. i didn’t reach number 4 though. my approach was to make a copy of the uncompressed file from “/proc” just before the call to execve() is made.
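The steps above are easy to pick out of a syscall trace, and that is the moment the post's approach exploits: once the stub has re-opened the decompressed image and unlinked it, `/proc/<pid>/fd/X` is the only name the file has left, and it is still readable until `execve()` replaces the process. As an added example (my code, not the post's dupx), here is a small parser that walks strace output and reports that unpack-then-exec pattern, which is also a useful detection for packed binaries observed in a sandbox. The trace it runs on is constructed in the shape strace prints (pid, filename and sizes are invented), not a capture of the crackme.

```python
import re

# Constructed trace in the shape strace prints (not a capture of the crackme):
# create-and-fill a file in /tmp, reopen it read-only, unlink it, then
# execve() the still-open inode through /proc/<pid>/fd/<fd>.
SAMPLE_TRACE = r"""
execve("./qcrk", ["./qcrk"], [/* 21 vars */]) = 0
open("/tmp/upxCONSTRUCTED", O_WRONLY|O_CREAT|O_EXCL, 0700) = 3
write(3, "\177ELF\1\1\1\0"..., 4096) = 4096
write(3, "\0\0\0\0"..., 1210) = 1210
close(3) = 0
open("/tmp/upxCONSTRUCTED", O_RDONLY) = 3
unlink("/tmp/upxCONSTRUCTED") = 0
execve("/proc/4242/fd/3", ["./qcrk"], [/* 21 vars */]) = 0
"""

LINE_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+)')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
PROC_FD_RE = re.compile(r'^/proc/(?:self|\d+)/fd/(\d+)$')


def parse_line(line):
    """One strace line -> (syscall, raw args, first string argument, return value)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, args, ret = m.groups()
    strings = STR_RE.findall(args)
    return name, args, (strings[0] if strings else None), int(ret)


def find_unpack_sequence(lines):
    """Return a summary of the stub's unpack-and-exec pattern, or None if absent."""
    tmp = None        # the /tmp file being written out
    read_fd = None    # fd from the read-only reopen (what /proc/<pid>/fd/X resolves to)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        name, args, path, ret = ev
        first_arg = args.split(",", 1)[0].strip()
        creating = name == "creat" or (name in ("open", "openat") and "O_CREAT" in args)
        if creating and path and path.startswith("/tmp/") and ret >= 0:
            tmp = {"path": path, "write_fd": ret, "bytes_written": 0, "unlinked": False}
            read_fd = None
        elif tmp is None:
            continue
        elif name == "write" and first_arg == str(tmp["write_fd"]) and ret > 0:
            tmp["bytes_written"] += ret
        elif name == "close" and first_arg == str(tmp["write_fd"]):
            tmp["write_fd"] = None                    # fd number may be reused below
        elif name in ("open", "openat") and path == tmp["path"] and "O_CREAT" not in args and ret >= 0:
            read_fd = ret
        elif name == "unlink" and path == tmp["path"] and ret == 0:
            tmp["unlinked"] = True
        elif name == "execve" and path:
            m = PROC_FD_RE.match(path)
            if m and read_fd is not None and int(m.group(1)) == read_fd:
                return {"tmp_path": tmp["path"], "bytes_written": tmp["bytes_written"],
                        "unlinked_before_exec": tmp["unlinked"], "image_fd": read_fd,
                        "exec_path": path}
    return None


if __name__ == "__main__":
    print(find_unpack_sequence(SAMPLE_TRACE.splitlines()))
```

With a live trace (`strace -f -o trace.log ./packed`), the `image_fd` in the result names the descriptor to copy from `/proc/<pid>/fd/` while the process is stopped before `execve()`, which is what the ptrace-based copy in the post does.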

i named my program “dupx”. here goes nothing.
(more…)
