--------------------------[Crackme1 by cyrex]---------------->

Author: evilcry
E-mail: evilcry @ virgilio . it
Other contacts: http://abcd6.interfree.it - #cryptorev on irc.azzurranet.org
Platform: Linux
Tools used: IDA

------------------[The Essay]-------->

This is a truly easy crackme, which can be solved in less than 5 minutes. The most interesting thing in it is an easy anti-debugging trick.

After disassembling our ELF, we can jump directly to the EntryPoint (Ctrl+E -> "start"). Here we find:

    08048457 push offset sub_8048520 ; Main proc
    0804845C call ___libc_start_main

Let's jump to the main proc (where the security routine is):

    08048529 push 0
    0804852B push 1
    0804852D push 0
    0804852F push 0
    08048531 call _ptrace
    08048536 add esp, 10h
    08048539 mov eax, eax
    0804853B test eax, eax
    0804853D jge short loc_8048560 ; If ptrace returned >= 0 (the crackme is NOT traced by a
                                   ; ptrace based dbg), jump to the next check, else shut off
                                   ; the execution
    0804853F add esp, 0FFFFFFF4h
    08048542 push offset aAreYouTryingTo ; "Are you trying to Debug me?\n"
    08048547 call _printf
    0804854C add esp, 10h
    0804854F mov eax, 1
    08048554 jmp locret_8048690

In this piece of code we can see the ptrace() function used for the anti-debugging trick. Here is a little explanation:

    if ( ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0 ) {
        /* we are being debugged */
    }

Specifically, ptrace checks the task struct of the caller and returns -1 if the caller is currently being ptrace()ed by another process. This check is done at kernel level, but it's truly easy to understand (/usr/src/linux/arch/i386/kernel/ptrace.c):

    if (request == PTRACE_TRACEME) {
        /* are we already being traced? */
        if (current->ptrace & PT_PTRACED)
            goto out;
        /* set the ptrace bit in the process flags. */
        current->ptrace |= PT_PTRACED;
        ret = 0;
        goto out;
    }

This trick can be overcome with a simple NOP on the jump, or a more elegant solution could be to write a LKM to wrap ptrace.
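The kernel logic quoted above can be observed from user space. The following C program is an added example, not part of the original tutorial: a forked child calls ptrace(PTRACE_TRACEME) twice, and the parent (which becomes the tracer as a side effect) checks what happened. It assumes a Linux host where ptrace is permitted; the function names are my own.

```c
/* Added example: exercises the "are we already being traced?" branch.
 * The first PTRACE_TRACEME sets PT_PTRACED and returns 0; the second one
 * finds the flag already set and fails with -1 / EPERM. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same call the crackme makes at 08048531 (hypothetical helper name). */
static int traceme_result(void)
{
    return (int)ptrace(PTRACE_TRACEME, 0, NULL, NULL);
}

/* Returns 1 if the observed behaviour matches the kernel snippet
 * (first call 0, second call -1/EPERM, child stops under the parent),
 * 0 if it does not, -1 if fork() itself failed. */
int traceme_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int first = traceme_result();          /* expect 0 */
        if (first != 0)
            _exit(1);                          /* ptrace not allowed here */
        int second = traceme_result();         /* expect -1, errno == EPERM */
        int ok = (second == -1 && errno == EPERM);
        raise(SIGSTOP);                        /* traced: stops under parent */
        _exit(ok ? 0 : 1);
    }
    int status;
    /* A ptraced child reports its stop even without WUNTRACED. */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return 0;
    /* The parent is now the tracer without ever having asked for it. */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0)
        return 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 0;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("PTRACE_TRACEME behaves as described: %s\n",
           traceme_demo() == 1 ? "yes" : "no");
    return 0;
}
```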
But in our case, we don't care about this trick, because IDA is enough to solve this crackme :)

    08048583 push offset aEnterPassword ; "-[ Enter Password: "
    08048588 call _printf
    0804858D add esp, 10h
    08048590 add esp, 0FFFFFFF8h
    08048593 lea eax, [ebp+var_400]
    08048599 push eax
    0804859A push offset aS ; "%s"
    0804859F call _scanf ; Our password is taken

This is the first "protection": our password is read, and next..

    080485D1 push offset a7gb5fjf8v4bg8f ; "7gb5fjf8v4bg8fb34f" ; Correct password
    080485D6 lea eax, [ebp-400h]
    080485DC push eax ; Our password
    080485DD call _strcmp
    080485E7 test eax, eax
    080485E9 jnz short loc_8048600 ; If the passwords are different, jump out
    080485EB add esp, 0FFFFFFF4h
    080485EE push offset aStage1Cleared ; "-[ Stage 1 Cleared\n"
    080485F3 call _printf

With a simple strcmp our password is compared with the correct one, which is: 7gb5fjf8v4bg8fb34f

Let's see the next protection:

    08048617 push offset aCheckingStage2 ; "-[ Checking Stage 2 Now....\n"
    0804861C call _printf
    08048627 push offset aR ; "r" -> open file in read mode
    0804862C push offset aTmpCrackme_89n ; "/tmp/crackme_89nfnjfiefheufeue"
    08048631 call _fopen
    08048636 add esp, 10h
    08048639 mov eax, eax
    0804863B mov [ebp-404h], eax
    08048641 cmp dword ptr [ebp-404h], 0
    08048648 jnz short loc_8048667 ; If fopen returned NULL (the file does not exist) fall
                                   ; through and fail, else jump: crackme solved!

So we have to create a file placed in /tmp/ ...

    bash# touch crackme_89nfnjfiefheufeue

Regards to all UIC people, especially: Quequero, AndreaGeddon, Ironspark, LonelyWolf, ZaiRoN, Littleluk, Ntoskrnl; and the reverse-engineering.net community.