EvilZone


: Crackme 03
: daxda December 28, 2013, 04:21:12 PM
Welcome to crackme No. 03!
This time the reverser has to solve the challenge without modifying the binary itself (no patching).
As always, please do not post the plain solution key to solve it. Write a little tutorial on how you solved it so that everyone who isn't as experienced or is stuck has a chance to learn from you!

Good luck and have fun.

Download Crackme03 (http://upload.evilzone.org/download.php?id=5113090&type=rar)
(Compiled on Linux 64-bit, available for Linux 32-bit and 64-bit)

PS: If you experience any issues or find bugs let me know asap.
: Re: Crackme 03
: s3my0n December 30, 2013, 06:02:04 PM
Ok, I couldn't be bothered reversing all the nested if's, so I hacked cracked it :P
I used the Linux LD_PRELOAD hooking mechanism to put a single '0' inside the tmp key file.
This way "if(buffer == '0')" will be true so then "if(i == 1 || i == 7)" will get executed and evaluate to false, thus going to the beginning/end of the loop that increments the counter by 1.
Since strlen(buffer) is 1 and counter is 1, it will break out of the loop and execute the "bad" function, which is the success function ;D
: Re: Crackme 03
: dz_ruyk January 04, 2014, 01:15:24 AM
Hi.
Another option is to hook the fgets function like this:


: (c)
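#include <stdio.h>

/* Replacement fgets(): ignores the stream and always hands the
 * caller an empty string. */
char *
fgets(char *s, int size, FILE *stream)
{
    (void)size;      /* unused */
    (void)stream;    /* unused */
    *s = '\0';       /* empty string */
    return s;
}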

Then the first comparison of string length and counter drops us into the call to the bad() function.