Thursday, 26 September 2013

Crackmes [Reverse] - TRVCrackme v1.0 (MIPS) [Very easy level]

In this task we are given a binary compiled for MIPS architecture. Therefore to execute it you have to find workstation that have MIPS architecture or emulate its behavior. Of course you can produce keygen without even executing it, because the logic is quite straighforward. By the time I managed to execute it I have already understood what it does.



In my post you can read how to execute this binary under amd64 Windows and probably other ones. For now I will assume that you can execute this binary. Let's run it. This binary greets us, prompts for username and serial and then terminates if given username,serial pair is wrong.
Let's look at assembly. Binary contains strings that are printed, and one of them is a congratulation message "[+] Congrats. Write a keygen & tutorial.". By finding it's usage we may detect our goal execution route. The puts function is called with the congratulation string if two calculated values are equal. We will see later that the first value is a function result from the username and the second one is result of another function from the serial code. So we have to make those values equal.
Let's take a look at places where something is read from standard input. There are two calls to the fgets function each of which is followed by call to the functions. Those functions will check input and then produce  value that will  be used later in test for equality. Function after the username fgets checks that each character is between ("A" and "{")  and if it is lowercase letter it converts it to the uppercase letter by subtracting 0x20 verifies that it is a byte by bitwise-anding it with 0xFF and sign-extends by performing two shifts: one is logical which places zero and the second one is ariphmetical which places sign bit as shifted-in bit.

Then all character codes are summed and the sum is xored with 0x3421. This is how we get the first compared value.
Let's look at the serial number parsing function. Firstly it makes sure that serial number consists of digits letters. Then it simply calls atoi function and xors the result with 0x5786. And that is the second compared value.
So all we have to do is sum up all our username letters converted to uppercase and xor the sum value with (0x3421 xored with 0x5786), and that will be the serial code.
Keygen code:
puts "Enter your name:"
username = gets()
sum = 0
username.scan(/./).each do |c|
  sum += c.upcase.ord
end

puts "Your serial:"
puts (sum ^ 0x3421 ^ 0x5786)
Proof:

No comments:

Post a Comment