in the name of zero

December 5, 2006

gtk thru a lens

here’s the scenario.

i encountered a linux crackme today that employs a gui. my first time. the most obvious difference, of course, between a console and a gui program is that one of them has a gui and the other doesn’t. a gui program has the added workload of “constructing” its gui alongside the actual processing of data. in the same manner, when we look at a gui program’s disassembly, we must isolate the “data processing” parts from the parts that take care of the guifications.

running the crackme, it displayed a window with the text “Kill this window (patch file)…”. there was no button other than the standard title bar buttons (minimize, restore and quit), so i pressed quit. a new window appeared this time, with text entries and a button. i filled the text entries with some letters and pressed the “CrackMe” button, only to be greeted by “BAD KEY :p BAD cracker BAD :p”

now, although i _could_ deduce the toolkit used for the gui from the look and feel alone, i had to make sure…

misha@heaven ~/veneta $ file cm2
cm2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5,
dynamically linked (uses shared libs), stripped

dyn-linked, but stripped. i wonder what libs it was using….

misha@heaven ~/veneta $ readelf -d cm2 | grep -i .so
 0x00000001 (NEEDED)                     Shared library: [libgtk-1.2.so.0]
 0x00000001 (NEEDED)                     Shared library: [libgdk-1.2.so.0]
 0x00000001 (NEEDED)                     Shared library: [libglib-1.2.so.0]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]

libgtk, libgdk and libglib gave things away, so i’m definitely looking at a gtk-1.2 crackme. at address 0x0404898D, things started becoming interesting: it copied the address of a string to esi, then called a function which i later discovered was the nagscreen. following the call to the function in question, i saw the typical frame setup, then this:

 8048dfc:       68 01 00 00 00          push   0x1				; GTK_WINDOW_DIALOG
 8048e01:       e8 ba f9 ff ff          call   80487c0 <gtk_window_new@plt>	; gtk_window_new()
 8048e06:       a3 a0 a3 04 08          mov    ds:0x804a3a0,eax			; nag_screen_window GtkWidget *
	
gtk-1.2/gtk/gtkwindow.h :: GtkWidget* gtk_window_new(GtkWindowType type);
gtk-1.2/gtk/gtkwindow.h :: typedef enum { } GtkWindowType;

then it sets the window title like so:

 8048e0b:       68 2c a0 04 08          push   0x804a02c			; address of title string
 8048e10:       ff 35 a0 a3 04 08       push   ds:0x804a3a0			; nag screen window GtkWidget *
 8048e16:       e8 c5 f9 ff ff          call   80487e0 <gtk_window_set_title@plt>	; gtk_window_set_title()
	
gtk-1.2/gtk/gtkwindow.h :: void gtk_window_set_title(GtkWindow *window, const gchar *title);

then it creates a label widget using the string whose address was loaded into esi before….

 8048e1b:       56                      push   esi				; "Kill this window (patch file)..."
 8048e1c:       e8 8f f9 ff ff          call   80487b0 <gtk_label_new@plt>
	
gtk-1.2/gtk/gtklabel.h :: GtkWidget* gtk_label_new (const gchar *str); 

and adds the newly created label widget to the nag screen window.

 8048e21:       50                      push   eax				; label GtkWidget *
 8048e22:       ff 35 a0 a3 04 08       push   ds:0x804a3a0			; nag screen window GtkWidget *
 8048e28:       e8 63 f9 ff ff          call   8048790 <gtk_container_add@plt>	; gtk_container_add();
	
gtk-1.2/gtk/gtkcontainer.h :: void gtk_container_add(GtkContainer *container, GtkWidget *widget);

the nagscreen window is being cast to a GtkContainer structure (consult the GTK widget hierarchy), which is how GTK implements classes and inheritance in C. it roughly goes…

GtkObject <- GtkWidget <- GtkContainer <- GtkBin <- GtkWindow

finally, the nag screen window is given a default size via gtk_window_set_default_size() and is then displayed via a call to gtk_widget_show_all().

the function returns, and then a handler is set up for the destroy signal, with the callback being the function that draws the new “main window”. this is why, when i pressed the “x” button on the nagscreen, a new window popped up holding the user input entries and buttons.

 8048997:       68 00 00 00 00          push   0x0			; NULL
 804899c:       68 bd 89 04 08          push   0x80489bd		; crackme_main_screen()
 80489a1:       68 28 a2 04 08          push   0x804a228		; "destroy"
 80489a6:       ff 35 a0 a3 04 08       push   ds:0x804a3a0		; crackme_nagscreen
 80489ac:       e8 cf fe ff ff          call   8048880 <gtk_signal_connect@plt>
	
gtk-1.2/gtk/gtksignal.h :: guint gtk_signal_connect(GtkObject *object,
						const gchar *name,
						GtkSignalFunc func,
						gpointer func_data);
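the push-reading done above, written out as a small script (an added example, not part of the original post or the crackme): it parses objdump-style lines and, for each call, pairs the pushes with the parameter names of the gtk-1.2 prototype, last push first, since cdecl pushes arguments right to left. the listing inside it is reconstructed from the lines quoted above with my comments dropped, the parameter names come from the prototypes quoted, and the function name map_call_args is my own.

```python
import re

# Constructed sample: the objdump lines quoted in the post, author's comments dropped.
LISTING = """\
 8048e0b:       68 2c a0 04 08          push   0x804a02c
 8048e10:       ff 35 a0 a3 04 08       push   ds:0x804a3a0
 8048e16:       e8 c5 f9 ff ff          call   80487e0 <gtk_window_set_title@plt>
 8048e1b:       56                      push   esi
 8048e1c:       e8 8f f9 ff ff          call   80487b0 <gtk_label_new@plt>
 8048e21:       50                      push   eax
 8048e22:       ff 35 a0 a3 04 08       push   ds:0x804a3a0
 8048e28:       e8 63 f9 ff ff          call   8048790 <gtk_container_add@plt>
 8048997:       68 00 00 00 00          push   0x0
 804899c:       68 bd 89 04 08          push   0x80489bd
 80489a1:       68 28 a2 04 08          push   0x804a228
 80489a6:       ff 35 a0 a3 04 08       push   ds:0x804a3a0
 80489ac:       e8 cf fe ff ff          call   8048880 <gtk_signal_connect@plt>
"""
# Parameter names, in order, from the gtk-1.2 prototypes quoted in the post.
PROTOTYPES = {
    "gtk_window_set_title": ["window", "title"],
    "gtk_label_new": ["str"],
    "gtk_container_add": ["container", "widget"],
    "gtk_signal_connect": ["object", "name", "func", "func_data"],
}
# objdump -d layout: address, raw bytes, mnemonic, operands
INSN = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+([a-z]+)\s*(.*?)\s*$")
PLT = re.compile(r"<(\w+)@plt>")

def map_call_args(listing, prototypes):
    """Pair each call's pushes with parameter names: cdecl pushes right to left,
    so the push nearest the call is the first parameter."""
    pending, calls = [], []
    for line in listing.splitlines():
        m = INSN.match(line)
        if not m:
            continue
        addr, mnem, ops = m.groups()
        if mnem == "push":
            pending.append(ops)
        elif mnem == "call":
            t = PLT.search(ops)
            name = t.group(1) if t else ops
            params = prototypes.get(name, [])
            recent = pending[-len(params):] if params else []  # ignore unrelated earlier pushes
            calls.append({"addr": addr, "func": name,
                          "args": dict(zip(params, reversed(recent))),
                          "complete": len(pending) >= len(params)})
            pending = []  # the callee consumed them
    return calls
```

note that register operands stay symbolic: the eax passed to gtk_container_add is the return value of the gtk_label_new call just before it, which the script does not track.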

well, that’s it. my first few fun-filled moments studying the gtk crackme.

1 Comment »

  1. These comments have been invaluable to me as is this whole site. I thank you for your comment.

    Comment by Rosie — April 29, 2007 @ 3:27 am
