Reversing and Cracking first simple Program - bin 0x05

LiveOverflow · Beginner · 10y ago

Key Takeaways

The video demonstrates a simple reversing challenge for Linux, where the goal is to crack a C program that checks for a valid license key. The presenter uses GDB to disassemble the binary and analyze the control flow, and then steps through the program to understand the license check mechanism.

Full Transcript

I have written a small C program. It's supposed to be a simple license check, so you can execute it and supply a key as an argument, and it will be checked. Our goal is to crack this program so we don't have to use a valid license key. I've made this program available through a GitHub repository. You can download it from github.com/LiveOverflow, and the repository name is liveoverflow_youtube. Or you can install git with sudo apt-get install git and get the whole repository with git clone and the address you can see on GitHub. We will probably talk more about what git is later; for now it's enough to know that it's a way for developers to program together on a project, and I use it to share some stuff.

To have a look at the binary's assembly code, we can use a program called GDB, the GNU debugger. So type gdb and the path to the binary. Every C program has a main function, remember? So let's type in disassemble main, which will display all assembler instructions from the main function. But do you see how ugly that looks? That's horrible, horrible AT&T syntax. So type in set disassembly-flavor intel (remember that you can use tab completion here as well). Now disassemble main again, and now it's much more readable.

Okay, so it looks complicated, but you can ignore most of it. First of all, get a higher-level view of it; it doesn't make sense to start going through this instruction by instruction. This main function obviously calls other functions, so just draw a mental picture of the rough control flow. I will actually print out this assembler code and use a pen. That's how I did it in the beginning, and I still do it when I encounter more complex code. And remember to just ignore most of the stuff and concentrate on the actual flow.

So at the start it arrives at a compare with the number two, and afterwards a jump-not-equal. So something is checked, whether it is two. If that is the case, we proceed to a printf, which we know is a function to display text. Then comes a string compare. If you don't know that function, read the man page of it: man 3 strcmp. So this compares two strings and returns zero if both strings were the same. After that call we see another jump-not-equal, so if the zero flag is not set there will be a puts call. Use the man page to figure out what it does, but it just prints text, like printf. So if the original compare with the number two was not true, then it would jump to the address 4623. So in that case it prints some other text with puts and exits. I always add the address, or at least part of the address, of important locations so I know where I am. This will help you later when we step through the program. Now we have one branch missing, which also just prints text. Some jumps are still missing, but you can add them to get a nice control flow graph.

Now let's actually execute this and step through it. You can then draw which path through the graph you have taken on your paper. To do this, we first set a breakpoint at the start of main with break main. Breakpoint is set. Now use run to start the program. Starting the program, and we hit breakpoint one at this address. A breakpoint is a point where execution stops. Now look at the registers with info registers. Here you can see the RIP, the instruction pointer, points to the first address in main. Now use si to step one instruction. Now we are at the new address in main. info registers, and you see the changed instruction pointer. So now just step through it and follow the addresses in your control graph, but use ni instead of si, because si would step into function calls, but we only want to step through this main function and not follow stuff like puts.

Okay, did you notice, when we jumped, the jump was at 5d0 and then the next instruction was at 623? So we followed the jump, which means whatever was compared to two was not two, and then the program printed the usage information after 628, which was the last puts call. So we can write down that this puts prints the usage information. Now it's pretty clear that we didn't pass a key to this program, which means the check was looking at the arguments, whether we supplied a license key. So let's run the program again, but this time with a random license key. Yes, we want to start the program again. Now do the same: ni, ni, ni. Now we are at 5d0 again. Will we jump this time? No. Cool. So the next branch we expect is at 609. Let's ni and see what happens. Ah, another printed text, so that printf is the info that a license key will be checked. ni. Now comes the branch. Okay, we have arrived at 609. Let's see where we are afterwards: at 617. So we did jump, which means that the string compare failed, and when we continue with ni we see that it's wrong.

Okay, let's set a breakpoint just before the last compare and run the program again. Remember that you can easily copy and paste values in the terminal by simply marking something and pressing your mouse wheel. Now run again, breakpoint one, now continue. This will run the program normally again until we hit the next breakpoint. Now it stopped before we execute the test eax, eax. eax just refers to the first 32 bits of the 64-bit rax register, so its value is hex e. Let's set this to zero, which would indicate that the string compare was correct and returned zero: set $eax = 0. info registers, and you see that it's now zero. Now use ni again to step and follow your control path. Access granted! Yay, so we circumvented the license check.

You can always write your own little C program, trying to make it more secure, and then crack it yourself again. You will notice that it's impossible to make a program uncrackable. Those kinds of challenges are called crackmes: people create small programs that have to be cracked, or more often you have to create a valid key. Again, if you think something like this is fun, check out crackmes.de. Creating control graphs like we just did is pretty useful; that's why there are some programs that do that for us. Here are three different examples of this specific control graph. The first is from the Hopper disassembler, the second is from IDA, and the last one is from radare. See you hopefully next time, when we use some different tools to explore this license check binary a bit more.

Original Description

A very simple reversing challenge for Linux.
GitHub: https://github.com/LiveOverflow/liveoverflow_youtube/tree/master/0x05_simple_crackme_intro_assembler
crackmes: http://crackmes.de
Hopper: http://www.hopperapp.com/
IDA: https://www.hex-rays.com/products/ida/
radare2: https://github.com/radare/radare2
#ReverseEngineering


The video teaches how to reverse engineer a simple C program to crack a license check using GDB and control flow analysis. The presenter demonstrates how to disassemble the binary, analyze the control flow, and step through the program to understand the license check mechanism.

Key Takeaways
  1. Download the C program from GitHub
  2. Disassemble the binary using GDB
  3. Analyze the control flow
  4. Step through the program to understand the license check mechanism
  5. Use control flow graphs to visualize the program's flow
  6. Modify the program to circumvent the license check
💡 Creating control graphs is a useful technique for understanding the control flow of a program, and there are tools available that can automate this process.
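The walkthrough above reads the license check off the disassembly: a compare against 2 followed by a jne, a printf, a strcmp whose result is tested with test eax, eax, and two puts calls on the two branches. The C program below is an added example that reconstructs that control flow, so the steps listed in the takeaways can be reproduced end to end. It is not the source from the LiveOverflow repository: the key string, the messages, and the return codes are constructed placeholders, and the addresses in the comments are the partial ones quoted in the video, which will differ for your own build.

```c
/*
 * Reconstruction (added example, not the repository's source) of a
 * strcmp-based license check with the same control flow the video
 * walks through. Build with:   gcc -g -o license license.c
 *
 * Mapping of the C lines to the disassembly landmarks named in the
 * video (partial addresses as quoted there; yours will differ):
 *   argc != 2        -> cmp ..., 2 ; jne   (taken at 5d0 when no key is given)
 *   printf(...)      -> call printf        (the "license will be checked" text)
 *   strcmp(...)      -> call strcmp ; test eax, eax ; jne   (609 -> 617 on a miss)
 *   puts("WRONG!")   -> the puts on the failing branch
 *   puts("Access..") -> reached only when strcmp returned 0
 *
 * A gdb session reproducing the video, to type into "gdb ./license":
 *   set disassembly-flavor intel
 *   disassemble main
 *   break main
 *   run                      (no argument: the cmp-with-2 branch is taken)
 *   ni ... ni                (follow the addresses on your control graph)
 *   run some-random-key      (argument given: reaches strcmp)
 *   break *<address of the test eax, eax>
 *   continue
 *   set $eax = 0             (make the strcmp result look like "equal")
 *   ni ... ni                (now lands on the "Access granted" puts)
 *
 * Because the whole decision is one flag set by strcmp, flipping eax at that
 * single point changes the outcome: this is why a bare strcmp against a
 * constant is not a meaningful protection, only a reversing exercise.
 */
#include <stdio.h>
#include <string.h>

/* Constructed key for this example. With a strcmp check the key string
 * has to live in the binary's read-only data, which is part of why such a
 * check is easy to analyse. */
#define EXPECTED_KEY "AAAA-BBBB-CCCC"

/* Return codes so the decision is visible to a caller (and to a test),
 * not only printed. */
enum { LICENSE_OK = 0, LICENSE_USAGE = 1, LICENSE_WRONG = 2 };

int check_license(int argc, char **argv)
{
    /* "cmp ..., 2 ; jne": exactly one argument (the key) is required. */
    if (argc != 2) {
        puts("usage: ./license <license-key>");   /* the puts after the 5d0 jump */
        return LICENSE_USAGE;
    }

    /* "call printf": announce the check. */
    printf("Checking license: %s\n", argv[1]);

    /* "call strcmp ; test eax, eax ; jne": zero means the strings matched. */
    if (strcmp(argv[1], EXPECTED_KEY) != 0) {
        puts("WRONG!");                            /* branch taken at 609 -> 617 */
        return LICENSE_WRONG;
    }

    puts("Access granted.");                       /* fall-through branch */
    return LICENSE_OK;
}

int main(int argc, char **argv)
{
    return check_license(argc, argv);
}
```

Compile with -g so gdb can show source lines next to the disassembly, and compare the disassemble main output with the landmark list in the header comment; the three return codes make the path taken observable from the shell via the exit status as well as from the printed text.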
