macabre’s frogger crackme lvl 2
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Restrictions: NO patching. No Hijacking
Goal: Find User/Key pair to make it print ‘Cracked!!’
Notes: No anti-debugging code.
Jump Jump ..oo ribbet oo…
Difficulty: 2 - Needs a little brain (or luck)
Platform: Unix/linux etc.
Language: Assembler
/* 0x080483A0 - 0x080483D2 */
the crackme prompts for username and password and saves them respectively.
/* 0x080483D8 - 0x080483D0 */
before going further, let us inspect the two routines being called first.
see 0x0804844D - 0x08048479 @ functions.
see 0x08048496 - 0x08048506 @ functions.
/* 0x080483FC - 0x08048410 */
we see our "part1" variable being added to address 0x080483D8 to patch the value 0xe9. what's so relevant about this is that 0xe9 is the opcode for the "jmp" instruction. now, the question is, what offset? if we take a look further (0x08048416 exactly), we see a jmp to address 0x0804847a that prints "Bad User/Key Combo..." then does an exit(2);
let’s continue at 0x08048403. we see eax (the offset) being incremented by one. we can tell that the crackme now tries to patch the operand part of the jmp instruction. it xors our username checksum (see 0x0804844D) with part2 (see 0x08048496) and then patches the least significant byte of the address with the value it just got. and then finally, it jmps to 0x08048416.
after the jmp, we see the usage string being printed + exit(1); which is followed by the printing of "cracked...".
ok, so all we have to do is to feed a "username number1-number2" combo pair to the crackme that will change the instruction at 0x08048416 from jmp 0x0804847a to jmp 0x08048437, which is the start of the "cracked" state.
0x08048416 - 0x080483D8 = 0x3E (which is 62 in decimal). “62-” is a constant therefore.
0x08048437 - 0x0804841b = 0x1C
therefore, our formula goes… ((username_sum ^ checksum) & 0xff) = 0x1C
we can now construct a keygenerator for the crackme.
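the following is a keygen written for this write-up (it is not the author's getkey, nor code from the crackme) that models the check exactly as described above: the username byte sum, the subtracting checksum over the second serial part, the xor, and the byte written over the jmp's displacement. the addresses are the ones from the write-up; the one assumption is that the subtracting checksum starts from an accumulator of 0, which the write-up does not state (the author's own keys, e.g. 62-////Es, do not validate with that start value, so confirm the initial register value in the disassembly before trusting the constant).

```python
import string

# Addresses taken from the write-up; everything else is a model of the
# behaviour described there, not code from the crackme itself.
PATCH_BASE   = 0x080483D8          # address that "part1" is added to
CRACKED_ADDR = 0x08048437          # start of the "Cracked!!" path
PART1        = 62                  # 0x080483D8 + 62 = 0x08048416, the jmp
JMP_ADDR     = PATCH_BASE + PART1  # where the 0xE9 opcode is written
NEXT_INSN    = JMP_ADDR + 5        # a rel32 jmp (E9 xx xx xx xx) is 5 bytes
TARGET_LSB   = (CRACKED_ADDR - NEXT_INSN) & 0xFF   # 0x1C


def username_sum(user: str) -> int:
    """Routine at 0x0804844D: add the ASCII value of every username byte."""
    return sum(user.encode("ascii"))


def part2_checksum(part2: str, acc_init: int = 0) -> int:
    """Routine at 0x08048496: subtract the ASCII value of every byte of the
    second serial part. ASSUMPTION: the accumulator starts at acc_init = 0;
    the write-up does not state the initial value."""
    acc = acc_init
    for b in part2.encode("ascii"):
        acc = (acc - b) & 0xFFFFFFFF     # 32-bit register wrap-around
    return acc


def split_key(key: str):
    """Split 'number-suffix' at the first dash, as the crackme does."""
    part1, dash, part2 = key.partition("-")
    if not dash or not part1.isdigit():
        return None
    return int(part1), part2


def patched_lsb(user: str, part2: str) -> int:
    """Byte written over the least significant byte of the jmp displacement."""
    return (username_sum(user) ^ part2_checksum(part2)) & 0xFF


def jump_target(user: str, key: str):
    """Where the self-patched jmp lands for this user/key pair, or None if the
    input is rejected before the patch. The original target 0x0804847A has
    displacement 0x5F, so the upper displacement bytes are already zero."""
    parts = split_key(key)
    if parts is None:
        return None
    part1, part2 = parts
    if part1 != PART1 or len(part2) <= 5:    # length must be greater than 5
        return None
    return NEXT_INSN + patched_lsb(user, part2)


def is_cracked(user: str, key: str) -> bool:
    return jump_target(user, key) == CRACKED_ADDR


def keygen(user: str, prefix: str = "///") -> str:
    """Fix a printable prefix and search the last three characters so that
    (username_sum ^ part2_checksum) & 0xFF == TARGET_LSB. Only the byte sum
    of part2 matters (modulo 256), so the search is over a+b+c."""
    want = TARGET_LSB ^ (username_sum(user) & 0xFF)
    # acc = -(sum of bytes) mod 256, so the byte sum must be (-want) mod 256
    need_sum = (-want - sum(prefix.encode("ascii"))) & 0xFF
    printable = range(0x21, 0x7F)            # '!' .. '~', no spaces
    for a in printable:
        for b in printable:
            c = (need_sum - a - b) & 0xFF
            if 0x21 <= c <= 0x7E:
                return f"{PART1}-{prefix}{chr(a)}{chr(b)}{chr(c)}"
    raise ValueError("no printable triple found; try another prefix")


if __name__ == "__main__":
    user = "gentoo"
    key = keygen(user)
    print(f"{user} {key} -> jmp to {jump_target(user, key):#010x}")
```

running it with the username from the session above yields a key whose patched jmp lands on 0x08048437 under this model; if the real accumulator starts elsewhere, pass that value as acc_init and the rest of the derivation is unchanged.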
/* trying things out */
…
misha@heaven ~/macabre/frogger-crackme $ ./getkey gentoo
found! 62-////@x
found! 62-////Aw
found! 62-////Bv
found! 62-////Cu
found! 62-////Dt
found! 62-////Es
found! 62-////Fr
found! 62-////Gq
found! 62-////Hp
found! 62-////Io
found! 62-////Jn
found! 62-////Km
found! 62-////Ll
found! 62-////Mk
found! 62-////Nj
found! 62-////Oi
found! 62-////Ph
misha@heaven ~/macabre/frogger-crackme $ ./frogger gentoo 62-////Es
[[ macabre frogger crackme - lvl 2 ]]
^^^ Cracked!!! Congratz!! ^^^
…
.:: FUNCTIONS ::.
/* 0x0804844D - 0x08048479 */
a summation (checksum) is being computed for username input by adding the ascii value of all its characters.
/* 0x08048496 - 0x08048506 */
this function splits the password string at the first "dash" by overwriting it with a null. it converts the first part of the serial to its numeric counterpart via atoi(). it checks the length of the second part of the string (which must be greater than 5) and then does a checksum on the second part by subtracting the ascii value of the remaining bytes.
