10-25-16
Will says:
I solved this little crackme and learned some radare2 (much more intuitive than gdb and objdumps),
basic_logic
It was a fun little crackme. It jumps through a bunch of system calls querying for different things, loops through them, stores them in various registers, then checks if user input matches what it expects. For a more detailed explanation, check out my attachments ("solution" and the two screenshots)
Will says to Dylan:
I believe there is a way to check if a debugger (or whatever else) is using the program:
mov eax, 0x1a
int 0x80
or something. I don't know exactly what point a debugger might initially step into, but if possible, try to set a breakpoint where that code is and set eax to something less harmful
Dylan says:
So this isn't a very thorough write-up on my part, and it may just turn out to be a dump of my code for talking points; however, I want to cover what I've been exploring: Modifying a Program's Execution.
Different ways to do this:
- Recreate the program by listening and repeating API or RESTful service calls
- DLL injection w/ LD_PRELOAD
- Attaching as a debugger w/ PTRACE
- Reading and writing to process memory
DLL injection via LD_PRELOAD
LD_PRELOAD: A list of additional, user-specified, ELF shared objects to be loaded before all others. The items of the list can be separated by spaces or colons. This can be used to selectively override functions in other shared objects. It will not affect statically linked functions.
file: dummy_loop.c
Prints a random number to the console every two seconds. It is an example program -- meant to be modified via DLL injection or other means.
Running:
$ gcc dummy_loop.c -o dummy_loop
$ ./dummy_loop
Random number: 83
Random number: 86
file: notsorandom.c
Contains a definition of the rand() function to use in overriding via LD_PRELOAD. Compile as a shared library and run:
$ gcc -Wall -fPIC -shared -o notsorandom.so notsorandom.c
$ LD_PRELOAD=./notsorandom.so ./dummy_loop
Random number: 42
Random number: 42
Reading and writing to process memory
file: structloop.c
$ gcc -Og -o structloop structloop.c
$ ./structloop
Integer: 80085
Integer: 80085
file: hack.c
First, find the offset of the struct in the heap via a debugger (flow graph attached)
Find PID of process
$ pgrep structloop
10675
Find entry point of process
$ sudo head -n 1 /proc/10675/maps
5565d15ea000-5565d15eb000 r-xp 00000000 08:02 14028202 /home/frosty/Desktop/structloop
Just to show you the address ends up on the heap later
$ sudo cat /proc/10675/maps | grep "heap"
5565d32ca000-5565d32eb000 rw-p 00000000 00:00 0 [heap]
Enter in the PID and offset in hack.c and run with:
$ gcc hack.c -o hack && sudo ./hack
4 bytes read
39 5 0 0
4 bytes written to 0x5593f75a6014
39 5 0 0
Integer: 1337
Integer: 1337
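A self-contained version of the read-then-write step, added here as an example and not the thread's hack.c: it goes through /proc/PID/mem with pread/pwrite (an assumption about the mechanism; hack.c may well do it differently) and, so that it runs without a second process or sudo, patches an int in its own address space using getpid(). target_value, access_mem, hack_int and patch_self are names chosen for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed stand-in for the struct member that structloop prints. */
static volatile int target_value = 80085;

/* Read (write == 0) or overwrite (write != 0) len bytes at addr inside process pid
 * through /proc/PID/mem; returns the byte count or -1. The kernel applies the same
 * ptrace access check as a debugger attach, so a process you do not own (or, with
 * Yama ptrace_scope=1, any non-child) needs root, which is why the thread uses sudo. */
static ssize_t access_mem(pid_t pid, uintptr_t addr, void *buf, size_t len, int write)
{
    char path[32];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, write ? O_RDWR : O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = write ? pwrite(fd, buf, len, (off_t)addr) : pread(fd, buf, len, (off_t)addr);
    close(fd);
    return n;
}

/* Read the current 4-byte int at addr, then replace it with new_value. Returns 0
 * on success with the previous value in *old_value ("4 bytes read" / "4 bytes written"). */
int hack_int(pid_t pid, uintptr_t addr, int new_value, int *old_value)
{
    int old;
    if (access_mem(pid, addr, &old, sizeof old, 0) != (ssize_t)sizeof old) return -1;
    if (access_mem(pid, addr, &new_value, sizeof new_value, 1) != (ssize_t)sizeof new_value) return -1;
    *old_value = old;
    return 0;
}

/* Patch this process's own target_value to 1337; returns what it holds afterwards, or -1. */
int patch_self(void)
{
    int old = 0;
    if (hack_int(getpid(), (uintptr_t)&target_value, 1337, &old) != 0) return -1;
    return target_value;
}

int main(void)
{
    printf("Integer: %d\n", target_value);   /* 80085 before the write */
    int now = patch_self();
    printf("Integer: %d\n", now);            /* 1337 once the write lands */
    return now == 1337 ? 0 : 1;
}
```

For a real target, replace getpid() with the PID from pgrep and the address with the heap offset found in the debugger; the /proc file must be opened by a user allowed to ptrace that process.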