in the name of zero

May 17, 2007

grainne

dedicated to the girl who showed me that university can be fun if you’re in love.

it’s written in pure assembler. i’ll post snippets and a few explanations as soon as a solution is posted. oh, and for what it’s worth, my testbed for it is linux 2.6.12-gentoo-sources.

errata and download link here. happy reversing.

[update]
lagalopex reported that the segfault is caused by two “jz” instructions somewhere. i wonder why the zero flag on my machine (that is linux 2.6.12) starts out ON. anyway, i’ve changed those two instructions and uploaded an updated (hopefully error free) version here.

6 Comments »


  1. Hi !
    I get a segfault too on kernel 2.6.18.8-0.3-default #1 SMP i686 athlon i386 GNU/Linux, openSUSE 10.2 (ASLR and Stack-Smashing Protector)

    Here’s some additional info, I hope it helps:
    $ file grainne
    grainne: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, corrupted section header size
    $ readelf -a grainne
    readelf: Error: Unable to read in 0xe800 bytes of section headers
    ELF Header:
    Magic: 7f 45 4c 46 01 01 01 00 73 74 65 66 74 21 74 7c
    Class: ELF32
    Data: 2’s complement, little endian
    Version: 1 (current)
    OS/ABI: UNIX - System V
    ABI Version: 115
    Type: EXEC (Executable file)
    Machine: Intel 80386
    Version: 0x1
    Entry point address: 0x804800c
    Start of program headers: 76 (bytes into file)
    Start of section headers: 76 (bytes into file)
    Flags: 0x0
    Size of this header: 52 (bytes)
    Size of program headers: 32 (bytes)
    Number of program headers: 2
    Size of section headers: 59392 (bytes)
    Number of section headers: 65498
    Section header string table index: 65535
    readelf: Error: Out of memory allocating 0xe7dd9000 bytes for section headers
    readelf: Error: Section headers are not available!
    Abandon

    My gdb and objdump don’t want to work on it, but I think I managed to get some pieces of code with ndisasm

    Comment by devloop — May 20, 2007 @ 11:51 pm
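The readelf output in the comment above already shows where the header was tampered with: e_shoff equals e_phoff, e_shentsize is 0xe800 instead of the 40 bytes of an Elf32_Shdr, e_shnum × e_shentsize comes to the 0xe7dd9000 readelf tried to allocate, and e_shstrndx is 65535. The following triage script is an added example, not code from the post or from any commenter: it rebuilds that 52-byte header from the quoted values and flags each inconsistency before a bfd-based tool is pointed at the file. The 4096-byte file size is an assumed placeholder, since the post does not state it.

```python
import struct

ELF32_EHDR_FMT = "<16sHHIIIIIHHHHHH"
ELF32_SHDR_SIZE = 40   # sizeof(Elf32_Shdr)

# Constructed 52-byte ELF32 header, rebuilt from the readelf output quoted above
# (not the real binary). Bytes 9-15 of e_ident are the "teft!t|" padding it shows.
GRAINNE_EHDR = bytes.fromhex("7f454c4601010100737465667421747c") + struct.pack(
    "<HHIIIIIHHHHHH",
    2, 3, 1, 0x804800C,   # e_type EXEC, e_machine 386, e_version, e_entry
    76, 76, 0,            # e_phoff, e_shoff, e_flags
    52, 32, 2,            # e_ehsize, e_phentsize, e_phnum
    59392, 65498, 65535,  # e_shentsize, e_shnum, e_shstrndx
)

def parse_ehdr(data):
    """Unpack the ELF32 header into a dict keyed by the Elf32_Ehdr field names."""
    names = ("e_ident e_type e_machine e_version e_entry e_phoff e_shoff e_flags "
             "e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx").split()
    return dict(zip(names, struct.unpack(ELF32_EHDR_FMT, data[:52])))

def triage_ehdr(data, file_size):
    """Return the header inconsistencies that make bfd-based tools choke.
    Each finding is a short string; an empty list means the header looks sane."""
    h = parse_ehdr(data)
    ident = h["e_ident"]
    if ident[:4] != b"\x7fELF" or ident[4] != 1:
        return ["not an ELF32 file"]
    findings = []
    if any(ident[9:16]):
        findings.append("non-zero bytes in e_ident padding")
    ph_end = h["e_phoff"] + h["e_phnum"] * h["e_phentsize"]
    if h["e_shoff"] and h["e_phoff"] <= h["e_shoff"] < ph_end:
        findings.append("section header table overlaps program header table")
    if h["e_shnum"] and h["e_shentsize"] != ELF32_SHDR_SIZE:
        findings.append(f"e_shentsize {h['e_shentsize']} != {ELF32_SHDR_SIZE}")
    sh_bytes = h["e_shnum"] * h["e_shentsize"]
    if h["e_shoff"] + sh_bytes > file_size:
        findings.append(f"section table needs {sh_bytes:#x} bytes, file is {file_size:#x}")
    if h["e_shnum"] and h["e_shstrndx"] >= h["e_shnum"]:
        findings.append(f"e_shstrndx {h['e_shstrndx']} out of range")
    return findings

if __name__ == "__main__":
    # 4096 is a constructed placeholder; the post does not state the file size.
    for f in triage_ehdr(GRAINNE_EHDR, 4096):
        print("-", f)
```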

  2. yes. other than the segfault, all of those are expected behavior. i played with the header so that gdb/ald/objdump (or any bfd based tool) isn’t supposed to work when people use them.

    i’m currently downloading 2.6.21, hopefully, i can make a more stable version by the end of the week.

    thanks for helping out! =) m

    Comment by sleepy jenkins — May 21, 2007 @ 10:03 am

  3. To be honest I didn’t understand everything but I managed to get the key :)
    I hope someone will post a solution so I can understand some tricks like the “push dword 0xbadc0de” followed by “ret”

    Comment by devloop — May 26, 2007 @ 11:42 pm

  4. gratz! i’m interested in how you solved it. e.g. did objdump, ald work? something like that… the crackmes.de page for it was temporarily suspended as the new version is still pending approval.

    the push dword 0xbadc0de is just something i threw in for no apparent reason. well, maybe as the hex value implies… “bad code”… just some garbage bytes… nothing more. i hope you enjoyed solving it. even if the algo is as simple as things can get.

    Comment by sleepy jenkins — May 27, 2007 @ 12:34 am

  5. I made it with ndisasm and hexdump :)
    I also used readelf/elfsh to get info on the binary

    I had difficulties finding the address of the code to give to ndisasm (-o 0xXXXXXXXX). After some time I used the hardcoded addresses of the strings (within mov instructions) to get the relation between virtual addresses and file offsets :p

    I understand the push dword 0xbadc0de is some garbage instruction but what about the ret just after?
    I didn’t manage to get it to run in gdb so I don’t know if the rets are executed or if the code “jumps” over them

    Yeah it was fun to solve it, I learned some new disassembly and anti-debug tricks ;-)

    I tried to use ald for the first time and it didn’t work on it. I usually use HT Editor and gdb, same problem :p

    Comment by devloop — May 27, 2007 @ 6:31 am

  6. the ret after the push 0xbadc0de is also a garbage instruction. come to think of it, since this issue is garbage instructions, i should have just gone overboard and stuffed all sorts of random “db” values… hahaha… i find that funny for some reason. :p

    Comment by sleepy jenkins — May 27, 2007 @ 8:40 am
