Simple crackme tutorial for beginners
In today’s post, we’ll walk through solving a basic crackme challenge using GDB. You can also solve this challenge on a Windows platform using IDA. I found a crackme collection on GitHub, and we'll be working with crackme01.c. You can get the source code from the repository and compile it on your machine.
Compiling the Crackme
First, let’s compile the crackme using GCC with the -mpreferred-stack-boundary=2 flag to simplify the assembly output.
user@protostar:~$ nano crackme01.c
user@protostar:~$ gcc crackme01.c -o crackme01 -mpreferred-stack-boundary=2Running the Crackme
Now, let’s run the crackme to see how it behaves:
user@protostar:~$ ./crackme01
Need exactly one argument.
user@protostar:~$ ./crackme01 hello
No, hello is not correct.We received an error indicating that exactly one argument is needed. After supplying a random argument, the program informs us that it’s incorrect. It seems like the program is checking the input against a hardcoded string. To understand how it works internally, we need to disassemble the program.
Disassembling with GDB
Let’s load the program in GDB and disassemble the main function:
(gdb) disass main
Dump of assembler code for function main:
0x08048464 <main+0>: push ebp
0x08048465 <main+1>: mov ebp,esp
0x08048467 <main+3>: sub esp,0x10
0x0804846a <main+6>: cmp DWORD PTR [ebp+0x8],0x2
0x0804846e <main+10>: je 0x8048483 <main+31>
0x08048470 <main+12>: mov DWORD PTR [esp],0x80485c0
0x08048477 <main+19>: call 0x8048388 <puts@plt>
0x0804847c <main+24>: mov eax,0xffffffff
0x08048481 <main+29>: jmp 0x80484f4 <main+144>
0x08048483 <main+31>: mov DWORD PTR [ebp-0x4],0x80485db
0x0804848a <main+38>: mov eax,DWORD PTR [ebp-0x4]
0x0804848d <main+41>: mov DWORD PTR [esp],eax
0x08048490 <main+44>: call 0x8048368 <strlen@plt>
0x08048495 <main+49>: mov edx,eax
0x08048497 <main+51>: mov eax,DWORD PTR [ebp+0xc]
0x0804849a <main+54>: add eax,0x4
0x0804849d <main+57>: mov eax,DWORD PTR [eax]
0x0804849f <main+59>: mov DWORD PTR [esp+0x8],edx
0x080484a3 <main+63>: mov edx,DWORD PTR [ebp-0x4]
0x080484a6 <main+66>: mov DWORD PTR [esp+0x4],edx
0x080484aa <main+70>: mov DWORD PTR [esp],eax
0x080484ad <main+73>: call 0x8048398 <strncmp@plt>
0x080484b2 <main+78>: test eax,eax
0x080484b4 <main+80>: je 0x80484d6 <main+114>
0x080484b6 <main+82>: mov eax,DWORD PTR [ebp+0xc]
0x080484b9 <main+85>: add eax,0x4
0x080484bc <main+88>: mov edx,DWORD PTR [eax]
0x080484be <main+90>: mov eax,0x80485e5
0x080484c3 <main+95>: mov DWORD PTR [esp+0x4],edx
0x080484c7 <main+99>: mov DWORD PTR [esp],eax
0x080484ca <main+102>: call 0x8048378 <printf@plt>
0x080484cf <main+107>: mov eax,0x1
0x080484d4 <main+112>: jmp 0x80484f4 <main+144>
0x080484d6 <main+114>: mov eax,DWORD PTR [ebp+0xc]
0x080484d9 <main+117>: add eax,0x4
0x080484dc <main+120>: mov edx,DWORD PTR [eax]
0x080484de <main+122>: mov eax,0x80485fd
0x080484e3 <main+127>: mov DWORD PTR [esp+0x4],edx
0x080484e7 <main+131>: mov DWORD PTR [esp],eax
0x080484ea <main+134>: call 0x8048378 <printf@plt>
0x080484ef <main+139>: mov eax,0x0
0x080484f4 <main+144>: leave
0x080484f5 <main+145>: retUnderstanding the Disassembly
At the top of the code, after the function prologue, we see a cmp instruction checking if the value at [ebp+0x8] is equal to 2. This location holds the argument count (argc). If argc is not 2, it prints an error message and exits.
When argc is 2, the program calculates the length of a hardcoded string and compares it with the user input using strncmp. We can extract the hardcoded string as follows:
(gdb) x/s 0x80485db
0x80485db: "password1"Conclusion
The correct password for this crackme is "password1". In the next article, we’ll tackle more advanced challenges. Thank you for reading!
Explorer the world of cyber security. Read some cool articles on System exploitation, Web application hacking, exploit development, malwara analysis, Cryptography etc.