How to write a keygen (registration machine) for 64-bit Linux software

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article introduces how to write a keygen (registration machine) for 64-bit Linux software. Many people run into this kind of problem in practice, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

Preparatory work

We will use the following tools:

1. Linux machine (64-bit Mint box)
2. EDB debugger
3. IDA disassembler
4. A C compiler
5. The files for this article (link: http://pan.baidu.com/s/1hqti6LA password: djnt)

Run the file command to detect the file type:

    file r5

It returns the following:

    r5: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=86bf854ce620288567d153883d4609163485d34d, not stripped

From this we learn the build details and that the file is dynamically linked and not stripped, so nm can list its symbols:

    ~/Desktop $ nm r5
    0000000000601109 B __bss_start
    00000000006010e0 D buf
    000000000040069d T check_password
    0000000000601109 b completed.6972
    0000000000601060 D __data_start
    0000000000601060 W data_start
    00000000006010a0 D delta
    00000000004005e0 t deregister_tm_clones
    0000000000400650 t __do_global_dtors_aux
    0000000000600e18 t __do_global_dtors_aux_fini_array_entry
    0000000000601068 D __dso_handle
    0000000000600e28 d _DYNAMIC
    0000000000601109 D _edata
    0000000000601110 B _end
    0000000000400894 T _fini
    0000000000400670 t frame_dummy
    0000000000600e10 t __frame_dummy_init_array_entry
    0000000000400a80 r __FRAME_END__
    0000000000601000 d _GLOBAL_OFFSET_TABLE_
                     w __gmon_start__
    0000000000400500 T _init
    0000000000600e18 t __init_array_end
    0000000000600e10 t __init_array_start
    00000000004008a0 R _IO_stdin_used
                     w _ITM_deregisterTMCloneTable
                     w _ITM_registerTMCloneTable
    0000000000600e20 d __JCR_END__
    0000000000600e20 d __JCR_LIST__
                     w _Jv_RegisterClasses
    0000000000400890 T __libc_csu_fini
    0000000000400820 T __libc_csu_init
                     U __libc_start_main@@GLIBC_2.2.5
    00000000004007b6 T main
    0000000000601080 D master
                     U printf@@GLIBC_2.2.5
                     U puts@@GLIBC_2.2.5
                     U random@@GLIBC_2.2.5
    0000000000400610 t register_tm_clones
    00000000004005b0 T _start
                     U strcmp@@GLIBC_2.2.5
                     U strcpy@@GLIBC_2.2.5
                     U strlen@@GLIBC_2.2.5
    0000000000601110 D __TMC_END__

64-bit Assembly Foundation

Compared to the X86 architecture, the X64 architecture adds extension register settings and some additional instructions.

The following registers were added in x64:

    r8, r9, r10, r11, r12, r13, r14, r15

You can access the low 32 bits of R8 as R8D, the low 16 bits as R8W, and the low 8 bits as R8B.

RIP (the instruction pointer) can also be used directly as a base for addressing (RIP-relative addressing).

All general-purpose registers in the x64 architecture are 64 bits wide, as is RIP, but current implementations only support 48-bit linear addresses (the linear address is the intermediate layer between the logical address and the physical address translation).

In addition to ordinary registers, it also adds SSE registers, named xmm8~xmm15.

If you write to the EAX register, the high 32 bits of RAX are cleared to 0 (the 32-bit result is zero-extended).

To debug the program we will use the EDB debugger, which is similar to OllyDbg on the Windows platform and very easy to get started with. Here is the default EDB window.

Parameter passing under the x64 architecture is completely different from x86.

The first six integer arguments are passed in RDI, RSI, RDX, RCX, R8 and R9 rather than on the stack (x86-64 System V ABI).

The menu bar is as simple as OllyDbg's.

The crack begins.

Run our r5 file; it returns the following output:

    ~/Desktop $ ./r5
    Usage: ./r5 password

The message itself is not very informative, but it gives us a hint: the program expects a password. So what happens when we open it in a disassembler? main obviously reads an argument and passes it to a function.

You can clearly see that argv[1] is passed as the argument to the check_password() function.

First of all, there is a check on the length of the input string: it must equal the length of the string "this_is_not_even_interesting_its_garbage".

    .data:00000000006010E0 ; char buf[]
    .data:00000000006010E0 buf db 'this_is_not_even_interesting_its_garbage',0
    .data:00000000006010E0                ; DATA XREF: check_password+1C↑o
    .data:00000000006010E0                ; check_password+3C↑o ...
    .data:00000000006010E0 _data ends
    .bss:0000000000601109 ; =

Here is the check:

    call    _strlen          ; Call Procedure
    mov     rbx, rax
    mov     edi, offset buf  ; "this_is_not_even_interesting_its_garbag"...
    call    _strlen          ; Call Procedure
    cmp     rbx, rax         ; Compare Two Operands
    jz      short Go         ; Jump if Zero (ZF=1)

After that, the contents of buf are overwritten with the string we entered:

    mov     rax, [rbp+passcode]
    mov     rsi, rax         ; src
    mov     edi, offset buf  ; "this_is_not_even_interesting_its_garbag"...
    call    _strcpy          ; Call Procedure
    mov     [rbp+VarCheck], 1
    jmp     loc_400791       ; Jump

After this the program enters a loop. If delta[index] is 0, the loop body is skipped:

    movzx   eax, delta[rax]

If not, some arithmetic is performed on the input string using the value of delta[index] and a random number.

Expressed in C:

    x = (random() % delta[index]) + 1;
    delta[index] = delta[index] - x;
    var_check = var_check ^ (unsigned int)delta[index];

random() is never seeded with srand(), so its output sequence is deterministic and we can reproduce it.

Finally, after 40 iterations, if the transformed string equals "this_aint_that_simple_but_good_luck_", then "password OK" is displayed.

We can use the following C code to calculate the password string:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* delta[] as listed on the page has 39 values; declaring 40 slots keeps the
       loop below (index < 40) inside the array, with the last slot being 0 */
    unsigned char delta[40] = {3,253,3,249,0,3,6,0,241,0,250,7,22,235,8,252,246,2,254,243,244,242,19,1,234,237,15,253,240,242,12,243,241,7,0,5,14,10,4,};
    unsigned char buff[48];

    int main(int argc, char **argv)
    {
        int index = 0;
        int var_check = 1;
        unsigned char x = '\x00';

        strcpy((char *)buff, "this_aint_that_simple_but_good_luck_");
        while (var_check) {
            index = 0;
            var_check = 0;
            while (index < 40) {
                if (delta[index]) {
                    x = (random() % delta[index]) + 1;
                    delta[index] = delta[index] - x;
                    var_check = var_check ^ (unsigned int)delta[index];
                    buff[index] = buff[index] + x;  /* accumulate x into the candidate */
                } /* if zero, this position is finished */
                index++;
            }
        }
        printf("%s\n", (char *)buff);
        return 0;
    }

Compiling and running this program gives the following output:

    well_done_now_go_on_irc_and_ask_for_more
    ~/Desktop $ ./r5 "well_done_now_go_on_irc_and_ask_for_more"

The password was successfully cracked.
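The following is an added example, not the article's own code: the page's keygen rewritten as two functions to show that random() plays no role in the result. DELTA[] and TARGET are copied from the page as transcribed there (the table has 39 values, so the 40th slot stays 0); the function names and the prng_seed parameter are this example's own.

```c
/* Added example, not the article's own code: the page's keygen as two
 * functions.  DELTA[] and TARGET are copied from the page (39 values,
 * so slot 40 stays 0); the function names are this example's own. */
#include <stdlib.h>
#include <string.h>

#define NCHARS 40
static const unsigned char DELTA[NCHARS] = {
    3,253,3,249,0,3,6,0,241,0,250,7,22,235,8,252,246,2,254,243,
    244,242,19,1,234,237,15,253,240,242,12,243,241,7,0,5,14,10,4 };
static const char TARGET[] = "this_aint_that_simple_but_good_luck_";

/* Loop form, as in the article's keygen: for each index keep drawing
 * x in [1, remaining delta] and adding it to the byte until the delta
 * is used up.  prng_seed is added here only to show the seed does not
 * matter; the binary never seeds random() at all. */
void keygen_loop(unsigned int prng_seed, char out[NCHARS + 1])
{
    unsigned char buf[NCHARS] = {0}, left[NCHARS];
    memcpy(buf, TARGET, strlen(TARGET));
    memcpy(left, DELTA, NCHARS);
    srandom(prng_seed);
    int pending = 1;
    while (pending) {
        pending = 0;
        for (int i = 0; i < NCHARS; i++) {
            if (!left[i])
                continue;
            unsigned char x = (unsigned char)(random() % left[i] + 1);
            left[i] -= x;
            buf[i] = (unsigned char)(buf[i] + x);
            pending |= left[i];
        }
    }
    memcpy(out, buf, NCHARS);
    out[NCHARS] = '\0';
}

/* Closed form: the draws for index i always sum to exactly DELTA[i], so
 * random() contributes nothing and the password is TARGET[i] + DELTA[i]
 * mod 256.  The whole check is just a per-byte offset table. */
void keygen_closed_form(char out[NCHARS + 1])
{
    unsigned char buf[NCHARS] = {0};
    memcpy(buf, TARGET, strlen(TARGET));
    for (int i = 0; i < NCHARS; i++)
        out[i] = (char)(unsigned char)(buf[i] + DELTA[i]);
    out[NCHARS] = '\0';
}
```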

This is the end of "how to write a keygen (registration machine) for 64-bit Linux software". Thank you for reading. If you want to learn more about the industry, follow the website; the editor will keep publishing high-quality practical articles for you!
