Solving Your First CrackMe By Getting Your Hands Dirty — 0x1

Reverse Engineering Series 0x1

Siddharth Mishra
6 min read · Dec 11, 2020

Today we will start with our first crackme. A crackme is a small program with something in it that is meant to be cracked: a passphrase, a license key, a patch to apply, and so on.

This is my first crackme too! I solved it yesterday and now I am writing up the complete process of how I got there! I used Ghidra, which has a decompiler that can produce C-like decompiled code you can use to reverse engineer, but in this story I will use only the assembly to reverse engineer the binary ( as I said: getting hands dirty ). You can use this link to get the binary. Use the password crackmes.one to extract the binary from the zip file. Never execute the binary on your host OS: it may contain malicious code, and as soon as you execute it your host OS gets infected. Make sure that you run it in a virtual machine! You can use Qemu ( my favorite ), VBox, VMware or something similar. If you are too lazy to do that then at least check it on VirusTotal.

[Image: scanning for viruses in the executable file]

If you are on a desktop then you may use reverse engineering tools like IDA, Ghidra, Radare etc. If you are reading this post on Android then open your favorite browser, go to this link, upload your binary file and wait for it to disassemble the file!

I am using Linux and I won’t be using any standard reverse engineering tool for the binary. Linux usually ships with a tool called objdump. Run the command objdump -d [binary-name] > [binary-name].asm and you will get the assembly output of the program!

Now, I hope you are with me as we begin the climb! I executed the above command for the executable and got the crackMe.asm file, and I used Atom ( a hackable text editor ) to open the assembly file.

[Image: disassembled binary file]

What you are seeing above is a part of the disassembly of the whole binary file. The first line gives the name label and the file format of the assembly file ( in this case ELF64 ). There are different formats depending on the operating system: on Windows it is PE, on Mac OS it is MACH-O. You can look up their meanings as homework ( i.e. if you don’t know them already ).

You may see lines like Disassembly of section .init:, Disassembly of section .plt: or Disassembly of section .text: etc. These are the names ( init, plt, text, bss, data etc… ) of the various sections an assembly file is divided into. The .text section stores the functions executed by the program, in other words it contains the actual code. The .plt section contains functions that were added at link time and are not defined in the high-level source code itself!

As an example: the printf function of the C/C++ programming language.

[Image: not the complete printf function]

The format of an assembly statement in the ( disassembled ) file is: location: <machine-code> <assembly-code>. We want to pay attention to the location and the assembly code only.

According to the crackme we have to find the password for this file. It is also stated that the program is written in C/C++, and we can see that from the disassembly of the program too! Now, every C/C++ program must contain a main function, so jump to the 0000000000001155 <main>: function in the .text section.

[Image: disassembly of the main() function]

Now, let us start reversing the program!

Line 114 pushes the register RBP onto the stack. The BP in RBP stands for Base Pointer, and RBP is the 64-bit version of the BP register. Take a look at the image below for reference.

[Image: 1 byte = 8 bits => 8 bytes = 64 bits]

The base pointer register always points to the base of the stack frame, whose position never changes in memory. The RSP or stack pointer register points at the top of the stack frame. Since the position of the base pointer never changes, it can be used to find the location of a variable at a particular offset from the address held in the base pointer register. This is the reason why we push the base pointer onto the stack ( it is not strictly necessary; we do it to make our tasks easier ). The next line assigns the value stored by rbp ( the location of the base of the stack frame ) to rsp ( the top of the stack ), thus making the stack pointer and base pointer point to the same address initially!

To understand the next two lines, you must understand what endianness means ( google it )! Take a look at the first line of the disassembled file:

Okay, the first line is empty ( hehehe… ;-) so let’s focus on the second line… We can see that the format is for an x86 processor, and x86 processors are little endian, meaning the least significant byte is stored first! Why does this matter here? The endianness explains how the stack frame will grow! Note that in line 116 we have sub $0x10, %rsp, which means we are subtracting the hex value 0x10 ( in decimal: 16 ). Note that the dollar sign indicates an immediate in assembly. This means that we are allocating 16 bytes of storage on the stack ( equivalent to 2 bytes ). Note that rsp and rbp no longer hold the same address!

In the next statement ( line 117 ) we are moving the value 0x130104 ( decimal: 1245444 ) to the memory position with location value [rbp - 4*8]. In assembly <hex>(<register>) means the value stored in <register> + offset, which in this case is hex -0x4, equivalent to 4 bytes or 4*8 bits. Why are we subtracting the value, you ask? This is where the endianness comes into play; take a look at the image above and try to understand it! If you still have a problem then mention it in the comments section. So what the above code does in total is allocate 4 bytes of storage and store the value 0x130104 in it.
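As an added example ( my own illustration, not the post's code ), here is a small Python script that parses objdump lines in the location: <machine-code> <assembly-code> format described above, reads the 0x130104 immediate back out of the little-endian instruction bytes, and tracks rsp and rbp through the push / mov / sub / movl sequence. The <main> address is the one from the post; the per-instruction addresses, the objdump excerpt and the starting stack pointer are constructed values.

```python
import re
import struct

# Constructed objdump -d excerpt for the main() prologue discussed above: <main>
# is from the post, the bytes are the real x86-64 encodings of those instructions.
SAMPLE_OBJDUMP = """\
0000000000001155 <main>:
    1155:\t55                   \tpush   %rbp
    1156:\t48 89 e5             \tmov    %rsp,%rbp
    1159:\t48 83 ec 10          \tsub    $0x10,%rsp
    115d:\tc7 45 fc 04 01 13 00 \tmovl   $0x130104,-0x4(%rbp)
"""

# One instruction line: "location: <machine-code bytes> <assembly-code>"
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(.*)$")


def parse_objdump(text):
    """Return [(address, machine_code_bytes, asm_text)], skipping labels/blanks."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16),
                          bytes.fromhex(m.group(2)),
                          m.group(3).strip()))
    return insns


def decode_movl_rbp(code):
    """Decode 'movl $imm32, disp8(%rbp)' (opcode C7, ModRM 45) from its bytes:
    a signed 8-bit displacement, then a little-endian 32-bit immediate."""
    if code[:2] != b"\xc7\x45" or len(code) != 7:
        raise ValueError("not a movl $imm32,disp8(%rbp) encoding")
    disp = struct.unpack("<b", code[2:3])[0]
    imm = struct.unpack("<i", code[3:7])[0]   # bytes 04 01 13 00 -> 0x00130104
    return disp, imm


def simulate_prologue(insns, rsp0=0x7FFFFFFFE000):
    """Walk push/mov/sub/movl; rsp0 is a made-up initial stack pointer."""
    rsp, rbp, store = rsp0, 0, None
    for _, code, asm in insns:
        if asm.startswith("push"):
            rsp -= 8                        # push writes 8 bytes below the old top
        elif asm.startswith("mov ") and "%rsp,%rbp" in asm:
            rbp = rsp                       # AT&T syntax: source first, so rbp = rsp
        elif asm.startswith("sub"):
            rsp -= int(asm.split("$")[1].split(",")[0], 16)
        elif code[:2] == b"\xc7\x45":
            disp, imm = decode_movl_rbp(code)
            store = (rbp + disp, imm)       # -0x4(%rbp) lies inside the 16 bytes
    return rsp, rbp, store
```

Running simulate_prologue(parse_objdump(SAMPLE_OBJDUMP)) shows rbp - rsp == 16 and the 4-byte store landing at rbp - 4, between rsp and rbp.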

This is a lot of stuff to take in at once, so we will continue this in my next post! Till then try to understand everything you learned, and you can ping me on Telegram at @brightprogrammer or in the comments section. If you find any errors in the writeup then please inform me and I will edit it as soon as possible, as it will help me and others who read it ( I am a newbie in this field too! 😉 )

r00t3r signing off till next time…
