atom.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>m00dy's place</title>
   <link href="/atom.xml" rel="self"/>
   <link href=""/>
   <updated>2014-12-19T12:50:44+00:00</updated>
   <id></id>
   <author>
      <name>John Doe</name>
      <email>john.doe@mail.sexy</email>
   </author>

   
   <entry>
      <title>An Analysis of ShellShock Malware</title>
      <link href="/An-Analysis-of-Shell-shock-malware"/>
      <updated>2014-10-03T17:00:41+00:00</updated>
      <id>/An-Analysis-of-Shell-shock-malware</id>
      <content type="html">&lt;p&gt;TL;DR
I had this malware from a gist which i dont really remember right now. I downloaded it and started to analyse what this is all about. As i analyzed so far, it&amp;#39;s somehow broken. May be i am late ?&lt;/p&gt;

&lt;p&gt;Ok lets start with file command.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;file nginx
nginx: ELF 32-bit LSB executable, Intel 80386, version &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;SYSV&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;, statically linked, &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; GNU/Linux 2.6.18, stripped
eren@lisa:~&lt;span class=&quot;err&quot;&gt;$&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;file program tells us that it&amp;#39;s statically linked and stripped. So, Most of its dependencies are inside the code and we will have difficulties while debugging it because the debug informations have been removed.&lt;/p&gt;

&lt;p&gt;We&amp;#39;ll fire up gdb and start to debug the malware from its starting point.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;gdb nginx 
GNU gdb &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;GDB&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; 7.4.1-debian
Copyright &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;C&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;2012&lt;/span&gt; Free Software Foundation, Inc.
License GPLv3+: GNU GPL version &lt;span class=&quot;m&quot;&gt;3&lt;/span&gt; or later &amp;lt;http://gnu.org/licenses/gpl.html&amp;gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type &lt;span class=&quot;s2&quot;&gt;&amp;quot;show copying&amp;quot;&lt;/span&gt;
and &lt;span class=&quot;s2&quot;&gt;&amp;quot;show warranty&amp;quot;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; details.
This GDB was configured as &lt;span class=&quot;s2&quot;&gt;&amp;quot;x86_64-linux-gnu&amp;quot;&lt;/span&gt;.
For bug reporting instructions, please see:
&amp;lt;http://www.gnu.org/software/gdb/bugs/&amp;gt;...
Reading symbols from /home/eren/nginx...&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;no debugging symbols found&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;...done.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; info file
Symbols from &lt;span class=&quot;s2&quot;&gt;&amp;quot;/home/eren/nginx&amp;quot;&lt;/span&gt;.
Local &lt;span class=&quot;nb&quot;&gt;exec &lt;/span&gt;file:
    &lt;span class=&quot;sb&quot;&gt;`&lt;/span&gt;/home/eren/nginx&lt;span class=&quot;err&quot;&gt;&amp;#39;&lt;/span&gt;, file &lt;span class=&quot;nb&quot;&gt;type &lt;/span&gt;elf32-i386.
    Entry point: 0x8048160&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;I&amp;#39;ll put a breakpoint to 0x8048160&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;b * 0x8048160&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;and then i&amp;#39;ll run the executable and it&amp;#39;ll will stop in its entry point.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; b * 0x8048160
Breakpoint &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; at 0x8048160
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; r
Starting program: /home/eren/nginx 

Breakpoint 1, 0x08048160 in ?? &lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x08048160:    &lt;span class=&quot;m&quot;&gt;31&lt;/span&gt; ed    xor    ebp,ebp
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/20i &lt;span class=&quot;nv&quot;&gt;$pc&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x8048160: xor    ebp,ebp
   0x8048162:   pop    esi
   0x8048163:   mov    ecx,esp
   0x8048165:   and    esp,0xfffffff0
   0x8048168:   push   eax
   0x8048169:   push   esp
   0x804816a:   push   edx
   0x804816b:   push   0x804be00
   0x8048170:   push   0x804be40
   0x8048175:   push   ecx
   0x8048176:   push   esi
   0x8048177:   push   0x804b2cc
   0x804817c:   call   0x804b7c0
   0x8048181:   hlt&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;From 0x8048160 to 0x8048181, the code blocks are standart way of glibc execution. Therefore, the malware programmer didnt modified the entry point. If you compile an empty helloworld program, you would see the same starting code like above. 
 Xoring ebp to ebp means nothing but this type of practices come from ABI (Application Binary Interface Specs). In the address of 0x804817c, the calls refers to &amp;lt;_&lt;em&gt;libc&lt;/em&gt;start_main@plt&amp;gt; function.&lt;/p&gt;

&lt;p&gt;You can look at the details &lt;a href=&quot;http://refspecs.linuxbase.org/LSB_3.1.1/LSB-Core-generic/LSB-Core-generic/baselib---libc-start-main-.html&quot;&gt;here&lt;/a&gt;
So, first paramether to libc&lt;em&gt;start&lt;/em&gt;main function is actually the last one pushed on the stack. Therefore, 0x804b2cc is our main function. Let&amp;#39;s put a breakpoint there and go on.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;b * 0x804b2cc&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;Breakpoint 2, 0x0804b2cc in ?? &lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x0804b2cc:    8d 4c &lt;span class=&quot;m&quot;&gt;24&lt;/span&gt; 04  lea    ecx,&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp+0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/30i &lt;span class=&quot;nv&quot;&gt;$pc&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x804b2cc: lea    ecx,&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp+0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x804b2d0:   and    esp,0xfffffff0
   0x804b2d3:   push   DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ecx-0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x804b2d6:   push   ebp
   0x804b2d7:   mov    ebp,esp
   0x804b2d9:   push   edi
   0x804b2da:   push   esi
   0x804b2db:   push   ebx
   0x804b2dc:   push   ecx
   0x804b2dd:   sub    esp,0x1464
   0x804b2e3:   push   0x0
   0x804b2e5:   call   0x8056ce0
   0x804b2ea:   mov    ebx,eax
   0x804b2ec:   call   0x8057430
   0x804b2f1:   xor    eax,ebx
   0x804b2f3:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,eax
   0x804b2f6:   call   0x804cb90
   0x804b2fb:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x0
   0x804b302:   call   0x8056ce0
   0x804b307:   mov    ebx,eax
   0x804b309:   call   0x8057430
   0x804b30e:   xor    eax,ebx
   0x804b310:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,eax
   0x804b313:   call   0x8048240
   0x804b318:   call   0x8048fd5
   0x804b31d:   movzx  eax,BYTE PTR ds:0x80cc2b5
   0x804b324:   add    esp,0xc
   0x804b327:   push   eax
   0x804b328:   movzx  eax,BYTE PTR ds:0x80cc2b4
   0x804b32f:   push   eax
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;As you may see, the main function has a lot of calls to other functions. I&amp;#39;ll not go into every call but cover most important aspects of its actions.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;0x8074fd0: mov    edx,ebx
   0x8074fd2:   mov    ebx,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp+0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8074fd6:   mov    eax,0x7a
   0x8074fdb:   call   DWORD PTR ds:0x80cbfd0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;In the forth line, i see a call to somewhere over a pointer. I need to deference it.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; p/x *0x80cbfd0
&lt;span class=&quot;nv&quot;&gt;$1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0xf7ffd420
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/10i 0xf7ffd420
   0xf7ffd420 &amp;lt;__kernel_vsyscall&amp;gt;:    push   ecx
   0xf7ffd421 &amp;lt;__kernel_vsyscall+1&amp;gt;:  push   edx
   0xf7ffd422 &amp;lt;__kernel_vsyscall+2&amp;gt;:  push   ebp
   0xf7ffd423 &amp;lt;__kernel_vsyscall+3&amp;gt;:  mov    ebp,esp
   0xf7ffd425 &amp;lt;__kernel_vsyscall+5&amp;gt;:  sysenter&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;After deferencing, It becomes our gate to the kernel. I wrote the address of 0x80cbfd0 somewhere to keep in my mind. We need to analyze the registers before it goes through syscall gate.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; info reg
eax            0x7a 122
ecx            0xffffffff   -1
edx            0x0  0
ebx            0xffffd5f6   -10762
esp            0xffffd5e0   0xffffd5e0
ebp            0xffffd7c8   0xffffd7c8
esi            0x0  0
edi            0x804be00    134528512
eip            0x8074fdb    0x8074fdb
eflags         0x286    &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt; PF SF IF &lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0  0
gs             0x0  0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;We need to look up syscall table for 0x7a (eax value). You can find syscall table &lt;a href=&quot;http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html&quot;&gt;here&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;122 belongs to uname syscall.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/20c &lt;span class=&quot;nv&quot;&gt;$ebx&lt;/span&gt;
0xffffd5f6: &lt;span class=&quot;m&quot;&gt;76&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;L&amp;#39;&lt;/span&gt;   &lt;span class=&quot;m&quot;&gt;105&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;i&amp;#39;&lt;/span&gt;  &lt;span class=&quot;m&quot;&gt;110&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;n&amp;#39;&lt;/span&gt;  &lt;span class=&quot;m&quot;&gt;117&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;u&amp;#39;&lt;/span&gt;  &lt;span class=&quot;m&quot;&gt;120&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;x&amp;#39;&lt;/span&gt;  &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt;
0xffffd5fe: &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt;
0xffffd606: &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;\000&amp;#39;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;So the malware got the information about my system.At least it knows which operating system im running :)&lt;/p&gt;

&lt;p&gt;It uses several times of brk syscall to allocate some space from the heap.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;0x8056ce6: push   ebx
   0x8056ce7:   xor    ebx,ebx
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x8056ce9: mov    eax,0xd
   0x8056cee:   call   DWORD PTR ds:0x80cbfd0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Another syscall for getting time and later it will get also pid number.I&amp;#39;ll skip these until socket things come up.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;0x805864f: nop
   0x8058650:   mov    edx,ebx
   0x8058652:   mov    eax,0x66
   0x8058657:   mov    ebx,0x1
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x805865c: lea    ecx,&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp+0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8058660:   call   DWORD PTR ds:0x80cbfd0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This is very important, the malware creates a socket with socket syscall.This time, eax is 102 and it is sys_socketcall in linux syscall table (i386).&lt;/p&gt;

&lt;p&gt;When we look at the parameters, &lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; info reg
eax            0x66 102
ecx            0xffffb2b0   -19792
edx            0x54302d33   1412443443
ebx            0x1  1
esp            0xffffb2ac   0xffffb2ac
ebp            0xffffc338   0xffffc338
esi            0x2e5fd200   778031616
edi            0x804be00    134528512
eip            0x8058660    0x8058660
eflags         0x282    &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt; SF IF &lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0  0
gs             0x63 99&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Ebx is really important, 0x1 tells us &lt;a href=&quot;http://lxr.free-electrons.com/source/include/uapi/linux/net.h#L26&quot;&gt;that&lt;/a&gt; it is a sys&lt;em&gt;socket and it will go down just &lt;a href=&quot;http://lxr.free-electrons.com/source/net/socket.c#L2509&quot;&gt;right&lt;/a&gt; there.
Ecx is our pointer which is being passed into sys&lt;/em&gt;socket function.&lt;/p&gt;

&lt;p&gt;And then, after syscall execution, the kernel should give us a file descriptor that we can write to or read from it.&lt;/p&gt;

&lt;p&gt;I go to my proc file system to see which file descriptor are mapped to my process adress space.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:/proc/30480/fd&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;ls -la
total 0
dr-x------ &lt;span class=&quot;m&quot;&gt;2&lt;/span&gt; eren eren  &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:03 .
dr-xr-xr-x &lt;span class=&quot;m&quot;&gt;8&lt;/span&gt; eren eren  &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 17:24 ..
lrwx------ &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; eren eren &lt;span class=&quot;m&quot;&gt;64&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:04 &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; -&amp;gt; /dev/pts/0
lrwx------ &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; eren eren &lt;span class=&quot;m&quot;&gt;64&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:04 &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; -&amp;gt; /dev/pts/0
lrwx------ &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; eren eren &lt;span class=&quot;m&quot;&gt;64&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:03 &lt;span class=&quot;m&quot;&gt;2&lt;/span&gt; -&amp;gt; /dev/pts/0
lrwx------ &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; eren eren &lt;span class=&quot;m&quot;&gt;64&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:04 &lt;span class=&quot;m&quot;&gt;3&lt;/span&gt; -&amp;gt; socket:&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;324793&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
lrwx------ &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; eren eren &lt;span class=&quot;m&quot;&gt;64&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:04 &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; -&amp;gt; socket:&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;324794&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
lr-x------ &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; eren eren &lt;span class=&quot;m&quot;&gt;64&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:04 &lt;span class=&quot;m&quot;&gt;5&lt;/span&gt; -&amp;gt; pipe:&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;324795&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
l-wx------ &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; eren eren &lt;span class=&quot;m&quot;&gt;64&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:04 &lt;span class=&quot;m&quot;&gt;6&lt;/span&gt; -&amp;gt; pipe:&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;324795&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
lrwx------ &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; eren eren &lt;span class=&quot;m&quot;&gt;64&lt;/span&gt; Oct  &lt;span class=&quot;m&quot;&gt;4&lt;/span&gt; 18:04 &lt;span class=&quot;m&quot;&gt;7&lt;/span&gt; -&amp;gt; socket:&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;327132&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Yeah there it is.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;0x805844c: mov    eax,0x66
   0x8058451:   mov    ebx,0x3
   0x8058456:   lea    ecx,&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp+0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x805845a: call   DWORD PTR ds:0x80cbfd0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This time, Ebx is 0x3 that means SYS&lt;em&gt;CONNECT. Ecx now points to paramethers that we pushed into sys&lt;/em&gt;connect. Let&amp;#39;s examine the parameter.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;m&quot;&gt;2515&lt;/span&gt;         &lt;span class=&quot;k&quot;&gt;case&lt;/span&gt; SYS_CONNECT:
&lt;span class=&quot;m&quot;&gt;2516&lt;/span&gt;                 &lt;span class=&quot;nv&quot;&gt;err&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; sys_connect&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;a0, &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;struct sockaddr __user *&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;a1, a&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;2&lt;span class=&quot;o&quot;&gt;])&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;m&quot;&gt;2517&lt;/span&gt;                 &lt;span class=&quot;nb&quot;&gt;break&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The code above is from kernel source.Paramethers are a0,a pointer and another a2. These are all 12 bytes. So ecx should point to 12 bytes.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/3wx &lt;span class=&quot;nv&quot;&gt;$ecx&lt;/span&gt;
0xffffb2b0: 0x00000007  0xffffc30c  0x00000010
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Now, a0 =&amp;gt; 0x07, sockaddr pointer is =&amp;gt; 0xffffc30c and last paramether is 0x00000010.&lt;/p&gt;

&lt;p&gt;We want to find where this malware connects. We know that sockaddr structure holds this information. Sockaddr structure is &lt;a href=&quot;http://www.softwarerevolution.com/jeneral/ipc/include/linux/socket.h/source/SOURCE-socket.h.html&quot;&gt;here&lt;/a&gt;&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;typedef unsigned short sa_family_t&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
struct sockaddr &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
    sa_family_t sa_family&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; /* address family, AF_xxx */
    char sa_data&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; /* &lt;span class=&quot;m&quot;&gt;14&lt;/span&gt; bytes of protocol address   */
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;We can do our estimation that 1 short + 14 char =&amp;gt; 16 bytes.
So i&amp;#39;ll skip the first 2 bytes and print the others.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/14bu 0xffffc30e
0xffffc30e: 0   80  108 162 197 26  0   0
0xffffc316: 0   0   0   0   0   0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;So, it&amp;#39;s clear that the malware wants to connect to 108.162.197.26 through 80 port.&lt;/p&gt;

&lt;p&gt;Malware then tries to get the ip of host machine by executing getsockname.&lt;/p&gt;

&lt;p&gt;It then reads &amp;quot;/proc/net/route&amp;quot; here to parse network interface and uses ioctl syscall to get its MAC address (SIOCGIFHWADDR).&lt;/p&gt;

&lt;p&gt;Later, It forks itself and quit.&lt;/p&gt;

&lt;p&gt;The forked process also tries to connect somewhere(89.238.150.154) but it cannot. I don&amp;#39;t know why.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;root@lisa:~/blog# tcpdump -v -X dst 89.238.150.154
tcpdump: listening on eth0, link-type EN10MB &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Ethernet&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;, capture size &lt;span class=&quot;m&quot;&gt;65535&lt;/span&gt; bytes
18:52:50.373950 IP &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;tos 0x0, ttl 64, id 46732, offset 0, flags &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;DF&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;, proto TCP &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;6&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;, length 60&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
    95.85.48.36.51746 &amp;gt; 89.238.150.154.5: Flags &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;S&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;, cksum 0x8030 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;incorrect -&amp;gt; 0x9be6&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;, seq 3399773995, win 14600, options &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;mss 1460,sackOK,TS val &lt;span class=&quot;m&quot;&gt;113698896&lt;/span&gt; ecr 0,nop,wscale 8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;, length 0
    0x0000:  &lt;span class=&quot;m&quot;&gt;4500&lt;/span&gt; 003c b68c &lt;span class=&quot;m&quot;&gt;4000&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;4006&lt;/span&gt; 042e 5f55 &lt;span class=&quot;m&quot;&gt;3024&lt;/span&gt;  E..&amp;lt;..@.@..._U0&lt;span class=&quot;err&quot;&gt;$&lt;/span&gt;
    0x0010:  59ee 969a ca22 &lt;span class=&quot;m&quot;&gt;0005&lt;/span&gt; caa4 6f2b &lt;span class=&quot;m&quot;&gt;0000&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0000&lt;/span&gt;  Y....&lt;span class=&quot;err&quot;&gt;&amp;quot;&lt;/span&gt;....o+....
    0x0020:  a002 &lt;span class=&quot;m&quot;&gt;3908&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;8030&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0000&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0204&lt;/span&gt; 05b4 &lt;span class=&quot;m&quot;&gt;0402&lt;/span&gt; 080a  ..9..0..........
    0x0030:  06c6 e850 &lt;span class=&quot;m&quot;&gt;0000&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0000&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0103&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;0308&lt;/span&gt;            ...P........&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Anyway, this malware looks harmless now :)&lt;/p&gt;
</content>
   </entry>
   
   <entry>
      <title>[Part2] I was asked to crack a program in a job interview !</title>
      <link href="/I-was-just-asked-to-crack-a-program-Part-2"/>
      <updated>2014-09-20T17:00:41+00:00</updated>
      <id>/I-was-just-asked-to-crack-a-program-Part-2</id>
      <content type="html">&lt;p&gt;Hello guys , 
(If you don&amp;#39;t know what part2 means , please go back and read part 1.)
First of all , i want to thank you all the people who read the &lt;a href=&quot;http://erenyagdiran.github.io/I-was-just-asked-to-crack-a-program-Part-1/&quot;&gt;part1&lt;/a&gt;.I got really good feedbacks after all.&lt;/p&gt;

&lt;p&gt;But I&amp;#39;m sorry , i would like to correct some misunderstandings.&lt;/p&gt;

&lt;p&gt;*My English is not that bad &lt;/p&gt;

&lt;p&gt;*I wasn&amp;#39;t expecting too much traffic from HN , Reddit and others.&lt;/p&gt;

&lt;p&gt;*I&amp;#39;m not working for that company now , I moved to Barcelona.&lt;/p&gt;

&lt;p&gt;*I passed the interviews almost 1 year ago.&lt;/p&gt;

&lt;p&gt;*I cracked the programs on the cloud.($5 plan , yes you know the company.)&lt;/p&gt;

&lt;p&gt;So , I don&amp;#39;t really think that root@ is problem.I can redeploy another droplet in seconds.&lt;/p&gt;

&lt;p&gt;I switched to eren@ user that&amp;#39;s because gdb didn&amp;#39;t accept root&amp;#39;s init file.&lt;/p&gt;

&lt;p&gt;*And finally , please read the end of the post.I&amp;#39;m sure you will like it.&lt;/p&gt;

&lt;p&gt;Now , this time it&amp;#39;s not about doors , we are going to crack the nuke.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;./CrackTheNuke 

        *** NUKE CONTROL SYSTEM  ***



PASSWORD: giveMeNuke

        *** ACCESS DENIED ***


PASSWORD: iwantanexplosion

        *** ACCESS DENIED ***


PASSWORD: knockknockitsme 

        *** ACCESS DENIED ***

        *** SYSTEM LOCKED ***

        *** SHUTTING DOWN ***

eren@lisa:~&lt;span class=&quot;err&quot;&gt;$&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;I&amp;#39;ll dump whole binary into intel asm syntax as reference.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;objdump -M intel -D CrackTheNuke &amp;gt; staticDis 
eren@lisa:~&lt;span class=&quot;err&quot;&gt;$&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;We&amp;#39;ll need this file later.If you look at the staticDis file , you can see whole dump in intel syntax.&lt;/p&gt;

&lt;p&gt;This time , we&amp;#39;ll try something different.I&amp;#39;ll execute the process first and later I&amp;#39;ll attach the debugger to the process.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;./CrackTheNuke 

        *** NUKE CONTROL SYSTEM  ***



PASSWORD:&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Therefore in this case , I&amp;#39;ll switch to another shell for debugging.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;ps aux &lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; grep Crack
eren      &lt;span class=&quot;m&quot;&gt;4741&lt;/span&gt;  0.0  0.0   &lt;span class=&quot;m&quot;&gt;1724&lt;/span&gt;   &lt;span class=&quot;m&quot;&gt;252&lt;/span&gt; pts/0    S+   14:54   0:00 ./CrackTheNuke
eren      &lt;span class=&quot;m&quot;&gt;4845&lt;/span&gt;  0.0  0.1   &lt;span class=&quot;m&quot;&gt;7832&lt;/span&gt;   &lt;span class=&quot;m&quot;&gt;832&lt;/span&gt; pts/1    S+   14:56   0:00 grep Crack
eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;gdb --pid 4741
GNU gdb &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;GDB&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; 7.4.1-debian
Copyright &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;C&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;2012&lt;/span&gt; Free Software Foundation, Inc.
License GPLv3+: GNU GPL version &lt;span class=&quot;m&quot;&gt;3&lt;/span&gt; or later &amp;lt;http://gnu.org/licenses/gpl.html&amp;gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type &lt;span class=&quot;s2&quot;&gt;&amp;quot;show copying&amp;quot;&lt;/span&gt;
and &lt;span class=&quot;s2&quot;&gt;&amp;quot;show warranty&amp;quot;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; details.
This GDB was configured as &lt;span class=&quot;s2&quot;&gt;&amp;quot;x86_64-linux-gnu&amp;quot;&lt;/span&gt;.
For bug reporting instructions, please see:
&amp;lt;http://www.gnu.org/software/gdb/bugs/&amp;gt;.
Catchpoint &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;syscall &lt;span class=&quot;s1&quot;&gt;&amp;#39;ptrace&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;26&lt;span class=&quot;o&quot;&gt;])&lt;/span&gt;
Attaching to process 4741
Reading symbols from /home/eren/CrackTheNuke...&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;no debugging symbols found&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;...done.
Reading symbols from /lib32/libc.so.6...&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;no debugging symbols found&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;...done.
Loaded symbols &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; /lib32/libc.so.6
Reading symbols from /lib/ld-linux.so.2...&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;no debugging symbols found&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;...done.
Loaded symbols &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; /lib/ld-linux.so.2
0xf7726430 in __kernel_vsyscall &lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0xf7726430 &amp;lt;__kernel_vsyscall+16&amp;gt;:   5d  pop    ebp
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Now type random 16 characters as input  to the previous shell , and comeback here.You are in the scanf function which comes from glibc.
(The crackme will call scanf 16 times.We save time here)&lt;/p&gt;

&lt;p&gt;In gdb , You can type &amp;quot;si&amp;quot; which is an abbreviation for &amp;quot;single step&amp;quot;.Type &amp;quot;si&amp;quot; once until you are here 0x80495ed&lt;/p&gt;

&lt;p&gt;Or you can type &amp;quot;b * 0x80495ed&amp;quot; and &amp;quot;c&amp;quot; to stop in that address.&lt;/p&gt;

&lt;p&gt;Anyway , we are now here&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;0x80495ed &amp;lt;main+195&amp;gt;:&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Ok here , we have a comparison &lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;0x80495ed &amp;lt;main+195&amp;gt;:    cmp    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp+0x1c&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;In gdb , You can type &lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;p/x &lt;span class=&quot;nv&quot;&gt;$esp&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;to examine what&amp;#39;s inside of $esp &lt;/p&gt;

&lt;p&gt;You can also do some calculations based on registers and addresses&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;p/x &lt;span class=&quot;nv&quot;&gt;$esp&lt;/span&gt;+0x1c&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;or show the contents of the address by dereferencing&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;p/x *0xff811bac&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;You can type &amp;quot;si&amp;quot; here , the crackme has consumed  the 16 chars that you have typed just before  and now It is looking for &amp;quot;\n&amp;quot; char to understand if we press the enter key or not.&lt;/p&gt;

&lt;p&gt;put another break point to 0x804962d &amp;quot;b * 0x804962d&amp;quot; if you don&amp;#39;t want to wait.&lt;/p&gt;

&lt;p&gt;Now this part is interesting.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x804962d &amp;lt;main+259&amp;gt;:   push   eax
   0x804962e &amp;lt;main+260&amp;gt;:  push   ebx
   0x804962f &amp;lt;main+261&amp;gt;:  rdtsc  
   0x8049631 &amp;lt;main+263&amp;gt;:  and    eax,0xfffff
   0x8049636 &amp;lt;main+268&amp;gt;:  &lt;span class=&quot;nb&quot;&gt;test   &lt;/span&gt;eax,eax
   0x8049638 &amp;lt;main+270&amp;gt;:  je     0x8049646 &amp;lt;g99&amp;gt;
   0x804963a &amp;lt;main+272&amp;gt;:  xor    ebx,0xe
   0x804963d &amp;lt;main+275&amp;gt;:  add    ebx,0xe
   0x8049640 &amp;lt;main+278&amp;gt;:  sub    ebx,0xe
   0x8049643 &amp;lt;main+281&amp;gt;:  dec    eax&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Have you heard about &lt;a href=&quot;http://en.wikipedia.org/wiki/Time_Stamp_Counter&quot;&gt;rdtsc&lt;/a&gt; instruction ? &lt;/p&gt;

&lt;p&gt;It keeps cpu cycles.After calling rdtsc instruction ,The stamp counter will be stored in edx and eax.
After rdtsc , we keep rightmost 20bits of the eax into eax.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;0x8049636 &amp;lt;main+268&amp;gt;:        &lt;span class=&quot;nb&quot;&gt;test   &lt;/span&gt;eax,eax
   0x8049638 &amp;lt;main+270&amp;gt;:        je     0x8049646 &amp;lt;g99&amp;gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Above asm lines were written in C , codes  would be like below.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;eax&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
    goto 0x8049646
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Since eax is not 0 , we will continue to investigate more.
As you may see , below codes are kindda trash :).We add 0xe to ebx and later subtract it.Those are put there to get us away from the code :) It&amp;#39;s typical psychological test :)&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;xor ebx,0xe
add ebx,0xe
sub ebx,0xe
dec eax 
&lt;span class=&quot;k&quot;&gt;until&lt;/span&gt; eax is &lt;span class=&quot;m&quot;&gt;0&lt;/span&gt; , &lt;span class=&quot;k&quot;&gt;continue&lt;/span&gt; this loop :&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;put a breakpoint &amp;quot;b * 0x8049646&amp;quot; there , and press &amp;quot;c&amp;quot;&lt;/p&gt;

&lt;p&gt;Ok not so much info here , put another step into or continue until &lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x80494db &amp;lt;nkc1qpE2L6f6AyqaendA&amp;gt;:   push   ebp
   0x80494dc &amp;lt;nkc1qpE2L6f6AyqaendA+1&amp;gt;:    mov    ebp,esp
   0x80494de &amp;lt;nkc1qpE2L6f6AyqaendA+3&amp;gt;:    sub    esp,0x14
   0x80494e1 &amp;lt;nkc1qpE2L6f6AyqaendA+6&amp;gt;:    mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x0
   0x80494e8 &amp;lt;nkc1qpE2L6f6AyqaendA+13&amp;gt;:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x0
   0x80494ef &amp;lt;nkc1qpE2L6f6AyqaendA+20&amp;gt;:   call   0x804944b &amp;lt;qEWL8Jl0zdpmTbwhziDv&amp;gt;
   0x80494f4 &amp;lt;nkc1qpE2L6f6AyqaendA+25&amp;gt;:   mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80494f7 &amp;lt;nkc1qpE2L6f6AyqaendA+28&amp;gt;:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,eax
   0x80494fa &amp;lt;nkc1qpE2L6f6AyqaendA+31&amp;gt;:   call   0x8048604 &amp;lt;fjDKIzPtGuE8ZdfSL8vq&amp;gt;
   0x80494ff &amp;lt;nkc1qpE2L6f6AyqaendA+36&amp;gt;:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x2
   0x8049506 &amp;lt;nkc1qpE2L6f6AyqaendA+43&amp;gt;:   call   0x804944b &amp;lt;qEWL8Jl0zdpmTbwhziDv&amp;gt;
   0x804950b &amp;lt;nkc1qpE2L6f6AyqaendA+48&amp;gt;:   mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x804950e &amp;lt;nkc1qpE2L6f6AyqaendA+51&amp;gt;:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,eax
   0x8049511 &amp;lt;nkc1qpE2L6f6AyqaendA+54&amp;gt;:   call   0x8048ab1 &amp;lt;W0ElBw5Smo9TPiWOeK8c&amp;gt;
   0x8049516 &amp;lt;nkc1qpE2L6f6AyqaendA+59&amp;gt;:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,eax
   0x8049519 &amp;lt;nkc1qpE2L6f6AyqaendA+62&amp;gt;:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;esp&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x1
   0x8049520 &amp;lt;nkc1qpE2L6f6AyqaendA+69&amp;gt;:   call   0x804944b &amp;lt;qEWL8Jl0zdpmTbwhziDv&amp;gt;
   0x8049525 &amp;lt;nkc1qpE2L6f6AyqaendA+74&amp;gt;:   mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8049528 &amp;lt;nkc1qpE2L6f6AyqaendA+77&amp;gt;:   leave  
   0x8049529 &amp;lt;nkc1qpE2L6f6AyqaendA+78&amp;gt;:   ret&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;nkc1qpE2L6f6AyqaendA this function is the main workflow for the whole process.&lt;/p&gt;

&lt;p&gt;Let&amp;#39;s first investigate each function , we have 5 function call in nkc1qpE2L6f6AyqaendA.Those 3 functions are qEWL8Jl0zdpmTbwhziDv , fjDKIzPtGuE8ZdfSL8vq and W0ElBw5Smo9TPiWOeK8c.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/10i qEWL8Jl0zdpmTbwhziDv
   0x804944b &amp;lt;qEWL8Jl0zdpmTbwhziDv&amp;gt;:  push   ebp
   0x804944c &amp;lt;qEWL8Jl0zdpmTbwhziDv+1&amp;gt;:    mov    ebp,esp
   0x804944e &amp;lt;qEWL8Jl0zdpmTbwhziDv+3&amp;gt;:    mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8049451 &amp;lt;qEWL8Jl0zdpmTbwhziDv+6&amp;gt;:    cmp    eax,0x0
   0x8049454 &amp;lt;qEWL8Jl0zdpmTbwhziDv+9&amp;gt;:    je     0x80494b9 &amp;lt;hzdhp&amp;gt;
   0x8049456 &amp;lt;qEWL8Jl0zdpmTbwhziDv+11&amp;gt;:   cmp    eax,0x1
   0x8049459 &amp;lt;qEWL8Jl0zdpmTbwhziDv+14&amp;gt;:   je     0x8049499 &amp;lt;qEWL8Jl0zdpmTbwhziDv+78&amp;gt;
   0x804945b &amp;lt;qEWL8Jl0zdpmTbwhziDv+16&amp;gt;:   call   0x8047b71
   0x8049460 &amp;lt;qEWL8Jl0zdpmTbwhziDv+21&amp;gt;:   add    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax+0x48604bf&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x5eb9008
   0x804946a &amp;lt;qEWL8Jl0zdpmTbwhziDv+31&amp;gt;:   add    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax-0x4608ea13&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x8048ab1&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/10i fjDKIzPtGuE8ZdfSL8vq
   0x8048604 &amp;lt;fjDKIzPtGuE8ZdfSL8vq&amp;gt;:  call   0xb027:0xaf72c78c
   0x804860b &amp;lt;fjDKIzPtGuE8ZdfSL8vq+7&amp;gt;:    cmp    esi,DWORD PTR ds:0xe4dfbbf1
   0x8048611 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+13&amp;gt;:   &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;bad&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;  
   0x8048612 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+14&amp;gt;:   and    al,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+edi*2-0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048616 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+18&amp;gt;:   push   ebx
   0x8048617 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+19&amp;gt;:   push   esi
   0x8048618 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+20&amp;gt;:   inc    edx
   0x8048619 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+21&amp;gt;:   mov    WORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x76&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,ss
   0x804861c &amp;lt;fjDKIzPtGuE8ZdfSL8vq+24&amp;gt;:   xchg   edx,eax
   0x804861d &amp;lt;fjDKIzPtGuE8ZdfSL8vq+25&amp;gt;:   mov    al,ds:0x45fd3fbb
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gd&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/10i W0ElBw5Smo9TPiWOeK8c
   0x8048ab1 &amp;lt;W0ElBw5Smo9TPiWOeK8c&amp;gt;:  call   0xb023:0x1c72c78c
   0x8048ab8 &amp;lt;W0ElBw5Smo9TPiWOeK8c+7&amp;gt;:    cmp    esi,DWORD PTR ds:0xe4dfbbf1
   0x8048abe &amp;lt;W0ElBw5Smo9TPiWOeK8c+13&amp;gt;:   jmp    0xf86e358
   0x8048ac3 &amp;lt;W0ElBw5Smo9TPiWOeK8c+18&amp;gt;:   xchg   ax,ax
   0x8048ac5 &amp;lt;W0ElBw5Smo9TPiWOeK8c+20&amp;gt;:   out    dx,eax
   0x8048ac6 &amp;lt;W0ElBw5Smo9TPiWOeK8c+21&amp;gt;:   dec    ebp
   0x8048ac7 &amp;lt;W0ElBw5Smo9TPiWOeK8c+22&amp;gt;:   xchg   edi,eax
   0x8048ac8 &amp;lt;W0ElBw5Smo9TPiWOeK8c+23&amp;gt;:   popa   
   0x8048ac9 &amp;lt;W0ElBw5Smo9TPiWOeK8c+24&amp;gt;:   &lt;span class=&quot;nb&quot;&gt;test   &lt;/span&gt;DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ecx-0x7e&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,esp
   0x8048acc &amp;lt;W0ElBw5Smo9TPiWOeK8c+27&amp;gt;:   &lt;span class=&quot;nb&quot;&gt;test   &lt;/span&gt;DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;edi&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,esi&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;So the workflow is in function nkc1qpE2L6f6AyqaendA ,&lt;/p&gt;

&lt;p&gt;we call qEWL8Jl0zdpmTbwhziDv -&amp;gt; fjDKIzPtGuE8ZdfSL8vq -&amp;gt; qEWL8Jl0zdpmTbwhziDv -&amp;gt; W0ElBw5Smo9TPiWOeK8c -&amp;gt; qEWL8Jl0zdpmTbwhziDv.&lt;/p&gt;

&lt;p&gt;As we examined the first 10 lines of each function.Have you felt something unusual ? &lt;/p&gt;

&lt;p&gt;Especially , If you look at the first lines of each function , you may figure out that first lines of fjDKIzPtGuE8ZdfSL8vq and W0ElBw5Smo9TPiWOeK8c are quite stupid :)&lt;/p&gt;

&lt;p&gt;I havent seen such a code &amp;quot;call   0xb023:0x1c72c78c&amp;quot; in my entire life :).It&amp;#39;s because those 2 functions are totally encrypted and gdb tried to disassemble those encrypted bytes :)&lt;/p&gt;

&lt;p&gt;So qEWL8Jl0zdpmTbwhziDv actually decrypts the functions.Therefore , it is called before them.&lt;/p&gt;

&lt;p&gt;I am going to change whole workflow ,i will swap encrypted functions with plain ones and remove qEWL8Jl0zdpmTbwhziDv function from the workflow.&lt;/p&gt;

&lt;p&gt;Therefore , new workflow will be fjDKIzPtGuE8ZdfSL8vq -&amp;gt; W0ElBw5Smo9TPiWOeK8c and that&amp;#39;s it.&lt;/p&gt;

&lt;h2&gt; DeadEnd 1 Starts&lt;/h2&gt;

&lt;p&gt;But before doing all these stuff , i would like tell you my another dead-end.It&amp;#39;s quite important for me.
While i was working on this crackme , I looked for a way to disable TimeStampCounter or somehow controll it.Because crackme calls &amp;quot;rdtsc&amp;quot; instruction 2 times , substract from each other and calculate the time between instructions that have been executed.
If you run the program under gdb , the time between instructions take much more time than it is executed by just itself.Therefore , I first searched a way to controll tsc counter.Tsc counter gets its value through CPU.It&amp;#39;s out of my ability to change its state with OS.But i wrote a kernel module to update it to 0.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;#include &amp;lt;linux/module.h&amp;gt;    // included for all kernel modules&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;#include &amp;lt;linux/kernel.h&amp;gt;    // included for KERN_INFO&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;#include &amp;lt;linux/init.h&amp;gt;      // included for __init and __exit macros&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;#include &amp;lt;linux/kthread.h&amp;gt;  // for threads&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;#include &amp;lt;linux/sched.h&amp;gt;  // for task_struct&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;#include &amp;lt;linux/time.h&amp;gt;   // for using jiffies &lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;#include &amp;lt;linux/timer.h&amp;gt;&lt;/span&gt;

MODULE_LICENSE&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;GPL&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
MODULE_AUTHOR&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;m00dy&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
MODULE_DESCRIPTION&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;A Fake rdtsc emulation&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

static struct task_struct *thread1&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

int thread_fn&lt;span class=&quot;o&quot;&gt;(){&lt;/span&gt;

uint32_t hi,lo&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
unsigned long j0,j1&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
int &lt;span class=&quot;nv&quot;&gt;delay&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; HZ / 250&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;hi&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;lo&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0xb&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
printk&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;KERN_INFO &lt;span class=&quot;s2&quot;&gt;&amp;quot;In thread1&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;j0&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; jiffies&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;j1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; j0 + delay&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;


asm volatile&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;wrmsr&amp;quot;&lt;/span&gt;::&lt;span class=&quot;s2&quot;&gt;&amp;quot;c&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0x10&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;,&lt;span class=&quot;s2&quot;&gt;&amp;quot;a&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;lo&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;,&lt;span class=&quot;s2&quot;&gt;&amp;quot;d&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;hi&lt;span class=&quot;o&quot;&gt;))&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;1&lt;span class=&quot;o&quot;&gt;){&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;time_before&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;jiffies,j1&lt;span class=&quot;o&quot;&gt;))&lt;/span&gt;
        schedule&lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;else&lt;/span&gt;
    &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;j1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; jiffies + delay&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      asm volatile&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;wrmsr&amp;quot;&lt;/span&gt;::&lt;span class=&quot;s2&quot;&gt;&amp;quot;c&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0x10&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;,&lt;span class=&quot;s2&quot;&gt;&amp;quot;a&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;lo&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;,&lt;span class=&quot;s2&quot;&gt;&amp;quot;d&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;hi&lt;span class=&quot;o&quot;&gt;))&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

static int __init hello_init&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;void&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;

    char  our_thread&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;8&lt;span class=&quot;o&quot;&gt;]=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;thread1&amp;quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    printk&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;KERN_INFO &lt;span class=&quot;s2&quot;&gt;&amp;quot;in init&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;thread1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; kthread_create&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;thread_fn,NULL,our_thread&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;((&lt;/span&gt;thread1&lt;span class=&quot;o&quot;&gt;))&lt;/span&gt;
        &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
        printk&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;KERN_INFO &lt;span class=&quot;s2&quot;&gt;&amp;quot;in if&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        wake_up_process&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;thread1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; 0&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

static void __exit hello_cleanup&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;void&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
    printk&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;KERN_INFO &lt;span class=&quot;s2&quot;&gt;&amp;quot;Fake RDTSC end \n&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

module_init&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;hello_init&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
module_exit&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;hello_cleanup&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;I lost the makefile but if you want to compile it , you can use helloworld makefile template for kernel module.You can easily find it on google.&lt;/p&gt;

&lt;p&gt;Anyway , that code didnt work as i expected.So i tried something else.&lt;/p&gt;

&lt;h2&gt;DeadEnd 1 Ends&lt;/h2&gt;

&lt;p&gt;My strategy will be to stop program where those 2 encrypted functions are in plain state.&lt;/p&gt;

&lt;p&gt;For example , 0x8048ab0  is in quite good position.Because it&amp;#39;s end of the fjDKIzPtGuE8ZdfSL8vq.&lt;/p&gt;

&lt;p&gt;Now open .gdbinit file again.And put these things.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;disassembly-flavor intel
&lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;disassemble-next-line on
handle SIGTRAP noprint pass nostop
b * 0x8048ab0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Re open the crackme , attach the gdb again.Put 16chars and type &amp;quot;c&amp;quot;.
The program should stop &lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0xf7706430 &amp;lt;__kernel_vsyscall+16&amp;gt;:  5d  pop    ebp
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x08048ab1 in W0ElBw5Smo9TPiWOeK8c &lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x08048ab1 &amp;lt;W0ElBw5Smo9TPiWOeK8c+0&amp;gt;: 9a 8c c7 &lt;span class=&quot;m&quot;&gt;72&lt;/span&gt; 1c &lt;span class=&quot;m&quot;&gt;23&lt;/span&gt; b0  call   0xb023:0x1c72c78c
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/10i fjDKIzPtGuE8ZdfSL8vq
   0x8048604 &amp;lt;fjDKIzPtGuE8ZdfSL8vq&amp;gt;:  push   ebp
   0x8048605 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+1&amp;gt;:    mov    ebp,esp
   0x8048607 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+3&amp;gt;:    call   0x8047b08
   0x804860c &amp;lt;fjDKIzPtGuE8ZdfSL8vq+8&amp;gt;:    xor    eax,0x20ec8390
   0x8048611 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+13&amp;gt;:   call   0x8047b08
   0x8048616 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+18&amp;gt;:   xor    eax,0x32ff45c6
   0x804861b &amp;lt;fjDKIzPtGuE8ZdfSL8vq+23&amp;gt;:   call   0x8047b08
   0x8048620 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+28&amp;gt;:   xor    eax,0xdafe45c6
   0x8048625 &amp;lt;fjDKIzPtGuE8ZdfSL8vq+33&amp;gt;:   call   0x8047b08
   0x804862a &amp;lt;fjDKIzPtGuE8ZdfSL8vq+38&amp;gt;:   xor    eax,0xdbfd45c6
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Ok we have at least plain form of the function fjDKIzPtGuE8ZdfSL8vq :) There&amp;#39;s still a trick there.Gdb still have problems.This technique called false assembly.Please read &lt;a href=&quot;http://www.stonedcoder.org/%7Ekd/lib/14-61-1-PB.pdf&quot;&gt;this&lt;/a&gt; for more info.&lt;/p&gt;

&lt;p&gt;Now we need to dump the plain function to a file.Paramethers are filename startAddr and endAddr.&lt;/p&gt;

&lt;p&gt;in this case , i typed &lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;dump ihex memory fjDKIzPtGuE8ZdfSL8vq_dump 0x8048604 0x8048ab0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;We dumped the entire function into fjDKIzPtGuE8ZdfSL8vq_dump file as plain.&lt;/p&gt;

&lt;p&gt;Now , we need to do this for another encrypted function.&lt;/p&gt;

&lt;p&gt;put a breakpoint 0x08048e14  here , wait until program crashes and then type &lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;dump ihex memory W0ElBw5Smo9TPiWOeK8c_dump W0ElBw5Smo9TPiWOeK8c g999+3&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Let&amp;#39;s get back to the surgery.&lt;/h2&gt;

&lt;p&gt;We now have plain forms of both encrypted functions.We can now change the workflow.&lt;/p&gt;

&lt;p&gt;Ok now , clean the .gdbinit file and put a breakpoint in 0x80494db&lt;/p&gt;

&lt;p&gt;(If you struggle here , please look at nkc1qpE2L6f6AyqaendA function.)&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;disassembly-flavor intel
&lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;disassemble-next-line on

&lt;span class=&quot;nb&quot;&gt;break&lt;/span&gt; * 0x80494ef
commands
&lt;span class=&quot;nb&quot;&gt;set&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$eip&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0x80494f4
&lt;span class=&quot;k&quot;&gt;continue&lt;/span&gt;
end

&lt;span class=&quot;nb&quot;&gt;break&lt;/span&gt; * 0x80494fa
commands
restore fjDKIzPtGuE8ZdfSL8vq_dump
restore W0ElBw5Smo9TPiWOeK8c_dump
&lt;span class=&quot;k&quot;&gt;continue&lt;/span&gt;
end

&lt;span class=&quot;nb&quot;&gt;break&lt;/span&gt; * 0x08049506
commands
&lt;span class=&quot;nb&quot;&gt;set&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$eip&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0x804950b
&lt;span class=&quot;k&quot;&gt;continue&lt;/span&gt;
end

&lt;span class=&quot;nb&quot;&gt;break&lt;/span&gt; * 0x8049520
commands
&lt;span class=&quot;nb&quot;&gt;set&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$eip&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0x8049525
&lt;span class=&quot;k&quot;&gt;continue&lt;/span&gt;
end&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;We changed the workflow , replaced the encrypted functions with plain ones.Now this part is easy.The main algorithm is same as part 1.&lt;/p&gt;

&lt;p&gt;Inputs are xored with other constants and we compare the outputs with other constants&lt;/p&gt;

&lt;p&gt;Inputs ^ FirstConstants == SecondConstants&lt;/p&gt;

&lt;p&gt;Therefore , Inputs = SecondConstants ^ FirstConstants&lt;/p&gt;

&lt;p&gt;Here is the our key generator.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;#!/usr/bin/python&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;firstConst&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;0x32,0xda,0xdb,0x1,0xf3,0x77,0x4c,0x57,0xbe,0x49,0xec,0x5f,0xab,0x7f,0xed,0x9f&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;secondConst&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;0x0d,0xef,0xf1,0x4d,0xb6,0x4c,0x69,0x20,0xf9,0x20,0xdd,0x7c,0xda,0x3b,0xc9,0xaf&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;ret&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;&amp;quot;&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; x in range&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;16&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;:
        ret+&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;chr&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;firstConst&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;x&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt; ^ secondConst&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;x&lt;span class=&quot;o&quot;&gt;])&lt;/span&gt;
print ret&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Here we go.&lt;/h2&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;./CrackTheNuke 

        *** NUKE CONTROL SYSTEM  ***



PASSWORD: ?5*LE&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;%wGi1#qD&lt;span class=&quot;nv&quot;&gt;$0&lt;/span&gt;

        ***  ACCESS GRANTED  ***

        *** THE NUKE STOPPED ***


eren@lisa:~&lt;span class=&quot;err&quot;&gt;$&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;I&amp;#39;ll tell you what happened after i signed the contract&lt;/h2&gt;

&lt;p&gt;In my first day of the new job , They changed my department.(I still dont know why and the company still markets itself like best of bests in Turkey.)&lt;/p&gt;

&lt;p&gt;I became J2ee developer.I was using eclipse , committing svn , using a operating system called &amp;quot;Windows *&amp;quot;.They even asked me to write some css.&lt;/p&gt;

&lt;p&gt;Now , i live in Barcelona and have a great life.&lt;/p&gt;

&lt;p&gt;bb &lt;/p&gt;

&lt;p&gt;(If you want to have the crackme , shoot me an email.)&lt;/p&gt;

&lt;p&gt;(I can also give you the plain dumps of the encrypted functions in ihex format.)&lt;/p&gt;

&lt;p&gt;(Typos &amp;amp; comments are always welcome.)&lt;/p&gt;
</content>
   </entry>
   
   <entry>
      <title>I was just asked to crack a program in a job interview !</title>
      <link href="/I-was-just-asked-to-crack-a-program-Part-1"/>
      <updated>2014-09-17T17:00:41+00:00</updated>
      <id>/I-was-just-asked-to-crack-a-program-Part-1</id>
      <content type="html">&lt;p&gt;TL;DR&lt;/p&gt;

&lt;p&gt;I was just asked to crack a program in a job interview.
and got the job.&lt;/p&gt;

&lt;p&gt;Hello everyone,&lt;/p&gt;

&lt;p&gt;I am quite excited about my new blog here. I am planning to write couple of blog posts every week.&lt;/p&gt;

&lt;p&gt;Since the title gives you a brief information about a general concept, i would like to tell you my story about a job interview that was held in Ankara, TR.&lt;/p&gt;

&lt;p&gt;I applied a &amp;quot;Software Security Engineer&amp;quot; position  and in the interview, they asked me really low level stuff some of which I knew, some of which I did not.&lt;/p&gt;

&lt;p&gt;Then they sent me an email which includes an attachment for a protected and encrypted binary (&amp;quot;CRACK MEEE!&amp;quot;).&lt;/p&gt;

&lt;p&gt;When i got home, I downloaded it and it only asked me a password to unlock it. They wanted me to find that password :)&lt;/p&gt;

&lt;p&gt;At first, it looks pretty hard but I will try to introduce the general concept that I had followed :)&lt;/p&gt;

&lt;p&gt;Here is the first thing I typed in the terminal&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;root@lisa:~# ./CrackTheDoor 

        *** DOOR CONTROL SYSTEM  ***



PASSWORD:&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;I typed something stupid keyword 3 times and it quited. :)&lt;/p&gt;

&lt;p&gt;I have more tools to analyze. Lets get more info about the file.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;root@lisa:~# file CrackTheDoor 
CrackTheDoor: ELF 32-bit LSB executable, Intel 80386, version &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;SYSV&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;, dynamically linked &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;uses shared libs&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;, &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; GNU/Linux 2.6.15, BuildID&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;sha1&lt;span class=&quot;o&quot;&gt;]=&lt;/span&gt;0x9927be2fe310bea01d412164103b9c8b2d7567ea, not stripped
root@lisa:~#&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Ok. Now we have a little bit more info about the binary :)&lt;/p&gt;

&lt;p&gt;Let&amp;#39;s do this.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;root@lisa:~# ldd CrackTheDoor 
    linux-gate.so.1 &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt;  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf777b000&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
    libc.so.6 &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; /lib32/libc.so.6 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf760c000&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
    /lib/ld-linux.so.2 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf777c000&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
root@lisa:~#&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Oh! just standard stuff. I will explain a bit.&lt;/p&gt;

&lt;p&gt;linux-gate.so is something like you cant find in your filesystem. But ldd shows that it&amp;#39;s a shared library right ? Yes, Have you heard about Virtual DSO (Virtual Dynamic Shared Object)&lt;/p&gt;

&lt;p&gt;I suggest you to read about &lt;a href=&quot;http://www.trilithium.com/johan/2005/08/linux-gate/&quot;&gt;linux-gate.so&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;libc.so.6 is general C library for GNU system as you probably know.&lt;/p&gt;

&lt;p&gt;ld-linux.so is linux&amp;#39;s dynamic loader.&lt;/p&gt;

&lt;p&gt;Anyway till here everything is fine. We need to run the program under the debugger and see what happens.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;root@lisa:~# gdb CrackTheDoor 
GNU gdb &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;GDB&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; 7.4.1-debian
Copyright &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;C&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;2012&lt;/span&gt; Free Software Foundation, Inc.
License GPLv3+: GNU GPL version &lt;span class=&quot;m&quot;&gt;3&lt;/span&gt; or later &amp;lt;http://gnu.org/licenses/gpl.html&amp;gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type &lt;span class=&quot;s2&quot;&gt;&amp;quot;show copying&amp;quot;&lt;/span&gt;
and &lt;span class=&quot;s2&quot;&gt;&amp;quot;show warranty&amp;quot;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; details.
This GDB was configured as &lt;span class=&quot;s2&quot;&gt;&amp;quot;x86_64-linux-gnu&amp;quot;&lt;/span&gt;.
For bug reporting instructions, please see:
&amp;lt;http://www.gnu.org/software/gdb/bugs/&amp;gt;...
Reading symbols from /root/CrackTheDoor...&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;no debugging symbols found&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;...done.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; r
Starting program: /root/CrackTheDoor 

Program received signal SIGSEGV, Segmentation fault.
0x080484fb in __do_global_dtors_aux &lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;So, the program crashed itself. It figured out that we run it in a debugger. Therefore, there should be some anti-debugging tricks embedded inside the program. Ok...&lt;/p&gt;

&lt;p&gt;Lets reloadd the program and get the starting point of the program.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;root@lisa:~# gdb CrackTheDoor 
GNU gdb &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;GDB&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; 7.4.1-debian
Copyright &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;C&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;2012&lt;/span&gt; Free Software Foundation, Inc.
License GPLv3+: GNU GPL version &lt;span class=&quot;m&quot;&gt;3&lt;/span&gt; or later &amp;lt;http://gnu.org/licenses/gpl.html&amp;gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type &lt;span class=&quot;s2&quot;&gt;&amp;quot;show copying&amp;quot;&lt;/span&gt;
and &lt;span class=&quot;s2&quot;&gt;&amp;quot;show warranty&amp;quot;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; details.
This GDB was configured as &lt;span class=&quot;s2&quot;&gt;&amp;quot;x86_64-linux-gnu&amp;quot;&lt;/span&gt;.
For bug reporting instructions, please see:
&amp;lt;http://www.gnu.org/software/gdb/bugs/&amp;gt;...
Reading symbols from /root/CrackTheDoor...&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;no debugging symbols found&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;...done.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; info file
Symbols from &lt;span class=&quot;s2&quot;&gt;&amp;quot;/root/CrackTheDoor&amp;quot;&lt;/span&gt;.
Local &lt;span class=&quot;nb&quot;&gt;exec &lt;/span&gt;file:
    &lt;span class=&quot;sb&quot;&gt;`&lt;/span&gt;/root/CrackTheDoor&lt;span class=&quot;err&quot;&gt;&amp;#39;&lt;/span&gt;, file &lt;span class=&quot;nb&quot;&gt;type &lt;/span&gt;elf32-i386.
    Entry point: 0x804762c
...
...&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Now we got the Entry point for the program. Let&amp;#39;s put a breakpoint there and start to debug the program through its entry point&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;b * 0x804762c&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Then press type &amp;quot;r&amp;quot; to run the program. You should be stopped at the first line of entry point&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/30i &lt;span class=&quot;nv&quot;&gt;$pc&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x804762c: pusha  
   0x804762d:   mov    &lt;span class=&quot;nv&quot;&gt;$0xaa&lt;/span&gt;,%dl
   0x804762f:   mov    &lt;span class=&quot;nv&quot;&gt;$0x8048480&lt;/span&gt;,%edi
   0x8047634:   mov    &lt;span class=&quot;nv&quot;&gt;$0x8048cbc&lt;/span&gt;,%ecx
   0x8047639:   mov    %edi,0x80476f3
   0x804763f:   mov    %ecx,0x80476f7
   0x8047645:   sub    %edi,%ecx
   0x8047647:   mov    &lt;span class=&quot;nv&quot;&gt;$0x804762f&lt;/span&gt;,%esi
   0x804764c:   push   &lt;span class=&quot;nv&quot;&gt;$0x80476c1&lt;/span&gt;
   0x8047651:   pusha  
   0x8047652:   mov    &lt;span class=&quot;nv&quot;&gt;$0x55&lt;/span&gt;,%al
   0x8047654:   xor    &lt;span class=&quot;nv&quot;&gt;$0x99&lt;/span&gt;,%al
   0x8047656:   mov    &lt;span class=&quot;nv&quot;&gt;$0x8047656&lt;/span&gt;,%edi
   0x804765b:   mov    &lt;span class=&quot;nv&quot;&gt;$0x80476e5&lt;/span&gt;,%ecx
   0x8047660:   sub    &lt;span class=&quot;nv&quot;&gt;$0x8047656&lt;/span&gt;,%ecx
   0x8047666:   repnz scas %es:&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;%edi&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;,%al
   0x8047668:   je     0x804770a
   0x804766e:   mov    %edi,0x80476eb
   0x8047674:   popa   
   0x8047675:   add    0x80476eb,%edx
   0x804767b:   ret&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;It should be look like this.This syntax mode belongs to AT&amp;amp;T and you can switch to Intel mode.In my opinion, Intel Syntax is a bit better&lt;/p&gt;

&lt;p&gt;0x8047654 in this address, we first put 0x55 to al register then xor it via 0x99 which produces 0xCC&lt;/p&gt;

&lt;p&gt;0xCC is very important because it means it stops your process or like peter said in comments it is break-to-debugger in x86 architecture. When your debugger wants to stop your program, it swaps the bytes to 0xCC in where it wants to stop.&lt;/p&gt;

&lt;p&gt;0x8047666 , here we see repnz scas =&amp;gt; this will search the memory region bounded by es to edi for the value inside al ( 0xCC ).&lt;/p&gt;

&lt;p&gt;So, those lines will basically scan the memory, if there is a 0xCC, it will crash your program and such...&lt;/p&gt;

&lt;p&gt;Ok, I dont want to spend too much time here. Let&amp;#39;s try strace.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;root@lisa:~# strace ./CrackTheDoor 
execve&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;./CrackTheDoor&amp;quot;&lt;/span&gt;, &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;./CrackTheDoor&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;, &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;/* &lt;span class=&quot;m&quot;&gt;17&lt;/span&gt; vars */&lt;span class=&quot;o&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt; Process &lt;span class=&quot;nv&quot;&gt;PID&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;31085&lt;/span&gt; runs in &lt;span class=&quot;m&quot;&gt;32&lt;/span&gt; bit mode. &lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
brk&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;                                  &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0x9972000
access&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;/etc/ld.so.nohwcap&amp;quot;&lt;/span&gt;, F_OK&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;      &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; -1 ENOENT &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;No such file or directory&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
mmap2&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;NULL, 4096, PROT_READ&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;PROT_WRITE, MAP_PRIVATE&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;MAP_ANONYMOUS, -1, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0xfffffffff7715000
access&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;/etc/ld.so.preload&amp;quot;&lt;/span&gt;, R_OK&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;      &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; -1 ENOENT &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;No such file or directory&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
open&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;/etc/ld.so.cache&amp;quot;&lt;/span&gt;, O_RDONLY&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;      &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 3
fstat64&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;3, &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;st_mode&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;S_IFREG&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;0644, &lt;span class=&quot;nv&quot;&gt;st_size&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;35597, ...&lt;span class=&quot;o&quot;&gt;})&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
mmap2&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;NULL, 35597, PROT_READ, MAP_PRIVATE, 3, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0xfffffffff770c000
close&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;3&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;                                &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
access&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;/etc/ld.so.nohwcap&amp;quot;&lt;/span&gt;, F_OK&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;      &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; -1 ENOENT &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;No such file or directory&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
open&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;/lib32/libc.so.6&amp;quot;&lt;/span&gt;, O_RDONLY&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;      &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 3
&lt;span class=&quot;nb&quot;&gt;read&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;3, &lt;span class=&quot;s2&quot;&gt;&amp;quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300o\1\0004\0\0\0&amp;quot;&lt;/span&gt;..., 512&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 512
fstat64&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;3, &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;st_mode&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;S_IFREG&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;0755, &lt;span class=&quot;nv&quot;&gt;st_size&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1441884, ...&lt;span class=&quot;o&quot;&gt;})&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
mmap2&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;NULL, 4096, PROT_READ&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;PROT_WRITE, MAP_PRIVATE&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;MAP_ANONYMOUS, -1, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0xfffffffff770b000
mmap2&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;NULL, 1456504, PROT_READ&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;PROT_EXEC, MAP_PRIVATE&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;MAP_DENYWRITE, 3, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0xfffffffff75a7000
mprotect&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf7704000, 4096, PROT_NONE&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;   &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
mmap2&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf7705000, 12288, PROT_READ&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;PROT_WRITE, MAP_PRIVATE&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;MAP_FIXED&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;MAP_DENYWRITE, 3, 0x15d&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0xfffffffff7705000
mmap2&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf7708000, 10616, PROT_READ&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;PROT_WRITE, MAP_PRIVATE&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;MAP_FIXED&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;MAP_ANONYMOUS, -1, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0xfffffffff7708000
close&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;3&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;                                &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
mmap2&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;NULL, 4096, PROT_READ&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;PROT_WRITE, MAP_PRIVATE&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;MAP_ANONYMOUS, -1, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0xfffffffff75a6000
set_thread_area&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xffe4d864&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;             &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
mprotect&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf7705000, 8192, PROT_READ&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;   &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
mprotect&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0x8049000, 4096, PROT_READ&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;    &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
mprotect&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf7733000, 4096, PROT_READ&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;   &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
munmap&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0xf770c000, 35597&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;               &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
ptrace&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;PTRACE_TRACEME, 0, 0x1, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;       &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; -1 EPERM &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Operation not permitted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
ptrace&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;PTRACE_TRACEME, 0, 0x1, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;       &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; -1 EPERM &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Operation not permitted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;If you look at the last lines, the program crashed itself again. That&amp;#39;s because ptrace syscall.&lt;/p&gt;

&lt;p&gt;In linux, ptrace is an abbreviation for &amp;quot;Process Trace&amp;quot;. With ptrace, you can control another process, changing its internal state like debuggers.&lt;/p&gt;

&lt;p&gt;Debuggers use ptrace a lot :) it&amp;#39;s their job.&lt;/p&gt;

&lt;p&gt;If we imagine code, it should look like this.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;int main&lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;ptrace&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;PTRACE_TRACEME, 0, 1, 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &amp;lt; 0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;DEBUGGING... Bye\n&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; 1&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;Hello\n&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; 0&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;By the way, you can only do once ptrace[PTRACE_TRACEMe], so debugger ptraced the program before, there our call will return false so we figured out there is something out there controlling our program&lt;/p&gt;

&lt;p&gt;We need to bypass this ptrace protection so that program shall never understand even it is running under a debugger.&lt;/p&gt;

&lt;p&gt;So, Our strategy will be changing result of the syscall.&lt;/p&gt;

&lt;p&gt;Syscalls are gateways from userspace to kernelspace. We are sure that ptrace is also using some syscalls to do process controlling thing.&lt;/p&gt;

&lt;p&gt;We will detect when the program uses ptrace and we will set its result to 0 :) here it is&lt;/p&gt;

&lt;p&gt;In my home folder, I create a new .gdbinit file. Therefore, everytime i run gdb, those configurations will be loaded automatically.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;~/.gdbinit
&lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;disassembly-flavor intel &lt;span class=&quot;c&quot;&gt;# Intel syntax is better&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;disassemble-next-line on
catch syscall ptrace &lt;span class=&quot;c&quot;&gt;#Catch the syscall.&lt;/span&gt;
commands 1
&lt;span class=&quot;nb&quot;&gt;set&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$eax&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 0
&lt;span class=&quot;k&quot;&gt;continue&lt;/span&gt;
end&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Eax will hold the result of the syscall. And it&amp;#39;s ia always 0 or let me say TRUE&lt;/p&gt;

&lt;p&gt;this way, we bypass the ptrace protection and now we need to switch back to gdb&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;gdb ./CrackTheDoor 
GNU gdb &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;GDB&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; 7.4.1-debian
Copyright &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;C&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;2012&lt;/span&gt; Free Software Foundation, Inc.
License GPLv3+: GNU GPL version &lt;span class=&quot;m&quot;&gt;3&lt;/span&gt; or later &amp;lt;http://gnu.org/licenses/gpl.html&amp;gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type &lt;span class=&quot;s2&quot;&gt;&amp;quot;show copying&amp;quot;&lt;/span&gt;
and &lt;span class=&quot;s2&quot;&gt;&amp;quot;show warranty&amp;quot;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; details.
This GDB was configured as &lt;span class=&quot;s2&quot;&gt;&amp;quot;x86_64-linux-gnu&amp;quot;&lt;/span&gt;.
For bug reporting instructions, please see:
&amp;lt;http://www.gnu.org/software/gdb/bugs/&amp;gt;...
Catchpoint &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;syscall &lt;span class=&quot;s1&quot;&gt;&amp;#39;ptrace&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;26&lt;span class=&quot;o&quot;&gt;])&lt;/span&gt;
Reading symbols from /home/eren/CrackTheDoor...&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;no debugging symbols found&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;...done.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; r
Starting program: /home/eren/CrackTheDoor 

Catchpoint &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;call to syscall ptrace&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;, 0x08047698 in ?? &lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x08047698:    3d &lt;span class=&quot;m&quot;&gt;00&lt;/span&gt; f0 ff ff   cmp    eax,0xfffff000

Catchpoint &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;returned from syscall ptrace&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;, 0x08047698 in ?? &lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x08047698:    3d &lt;span class=&quot;m&quot;&gt;00&lt;/span&gt; f0 ff ff   cmp    eax,0xfffff000

        *** DOOR CONTROL SYSTEM  ***



PASSWORD:&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Ok, at least we can use our debugger as we want :)&lt;/p&gt;

&lt;p&gt;I put another breakpoint here PJeGPC4TIVaKFmmy53DJ&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;Breakpoint 2, 0x08048534 in PJeGPC4TIVaKFmmy53DJ &lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x08048534 &amp;lt;PJeGPC4TIVaKFmmy53DJ+0&amp;gt;: 1e  push   ds
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/40i &lt;span class=&quot;nv&quot;&gt;$pc&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;gt; 0x8048534 &amp;lt;PJeGPC4TIVaKFmmy53DJ&amp;gt;:    push   ds
   0x8048535 &amp;lt;PJeGPC4TIVaKFmmy53DJ+1&amp;gt;:    mov    ebp,esp
   0x8048537 &amp;lt;PJeGPC4TIVaKFmmy53DJ+3&amp;gt;:    sub    esp,0x20
   0x804853a &amp;lt;PJeGPC4TIVaKFmmy53DJ+6&amp;gt;:    mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x1&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xe4
   0x804853e &amp;lt;PJeGPC4TIVaKFmmy53DJ+10&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x2&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x87
   0x8048542 &amp;lt;PJeGPC4TIVaKFmmy53DJ+14&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x3&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xfb
   0x8048546 &amp;lt;PJeGPC4TIVaKFmmy53DJ+18&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xbe
   0x804854a &amp;lt;PJeGPC4TIVaKFmmy53DJ+22&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x5&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xc9
   0x804854e &amp;lt;PJeGPC4TIVaKFmmy53DJ+26&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x6&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x93
   0x8048552 &amp;lt;PJeGPC4TIVaKFmmy53DJ+30&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x7&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x84
   0x8048556 &amp;lt;PJeGPC4TIVaKFmmy53DJ+34&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xfc
   0x804855a &amp;lt;PJeGPC4TIVaKFmmy53DJ+38&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x9&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x8d
   0x804855e &amp;lt;PJeGPC4TIVaKFmmy53DJ+42&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xa&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xe5
   0x8048562 &amp;lt;PJeGPC4TIVaKFmmy53DJ+46&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xb&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xbf
   0x8048566 &amp;lt;PJeGPC4TIVaKFmmy53DJ+50&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xc&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x5c
   0x804856a &amp;lt;PJeGPC4TIVaKFmmy53DJ+54&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xd&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xe2
   0x804856e &amp;lt;PJeGPC4TIVaKFmmy53DJ+58&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xe&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x76
   0x8048572 &amp;lt;PJeGPC4TIVaKFmmy53DJ+62&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xf&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x21
   0x8048576 &amp;lt;PJeGPC4TIVaKFmmy53DJ+66&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x10&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xb8
   0x804857a &amp;lt;PJeGPC4TIVaKFmmy53DJ+70&amp;gt;:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x0
   0x8048581 &amp;lt;PJeGPC4TIVaKFmmy53DJ+77&amp;gt;:   mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048584 &amp;lt;PJeGPC4TIVaKFmmy53DJ+80&amp;gt;:   add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048587 &amp;lt;PJeGPC4TIVaKFmmy53DJ+83&amp;gt;:   movzx  eax,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x804858a &amp;lt;PJeGPC4TIVaKFmmy53DJ+86&amp;gt;:   &lt;span class=&quot;nb&quot;&gt;test   &lt;/span&gt;al,al
   0x804858c &amp;lt;PJeGPC4TIVaKFmmy53DJ+88&amp;gt;:   je     0x8048808 &amp;lt;PJeGPC4TIVaKFmmy53DJ+724&amp;gt;
   0x8048592 &amp;lt;PJeGPC4TIVaKFmmy53DJ+94&amp;gt;:   mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048595 &amp;lt;PJeGPC4TIVaKFmmy53DJ+97&amp;gt;:   add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048598 &amp;lt;PJeGPC4TIVaKFmmy53DJ+100&amp;gt;:  mov    edx,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x804859b &amp;lt;PJeGPC4TIVaKFmmy53DJ+103&amp;gt;:  add    edx,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x804859e &amp;lt;PJeGPC4TIVaKFmmy53DJ+106&amp;gt;:  movzx  edx,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;edx&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485a1 &amp;lt;PJeGPC4TIVaKFmmy53DJ+109&amp;gt;:  xor    dl,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x1&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485a4 &amp;lt;PJeGPC4TIVaKFmmy53DJ+112&amp;gt;:  mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,dl
   0x80485a6 &amp;lt;PJeGPC4TIVaKFmmy53DJ+114&amp;gt;:  add    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x1
   0x80485aa &amp;lt;PJeGPC4TIVaKFmmy53DJ+118&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485ad &amp;lt;PJeGPC4TIVaKFmmy53DJ+121&amp;gt;:  add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485b0 &amp;lt;PJeGPC4TIVaKFmmy53DJ+124&amp;gt;:  movzx  eax,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485b3 &amp;lt;PJeGPC4TIVaKFmmy53DJ+127&amp;gt;:  &lt;span class=&quot;nb&quot;&gt;test   &lt;/span&gt;al,al
   0x80485b5 &amp;lt;PJeGPC4TIVaKFmmy53DJ+129&amp;gt;:  je     0x804880b &amp;lt;PJeGPC4TIVaKFmmy53DJ+727&amp;gt;
   0x80485bb &amp;lt;PJeGPC4TIVaKFmmy53DJ+135&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485be &amp;lt;PJeGPC4TIVaKFmmy53DJ+138&amp;gt;:  add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485c1 &amp;lt;PJeGPC4TIVaKFmmy53DJ+141&amp;gt;:  mov    edx,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485c4 &amp;lt;PJeGPC4TIVaKFmmy53DJ+144&amp;gt;:  add    edx,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485c7 &amp;lt;PJeGPC4TIVaKFmmy53DJ+147&amp;gt;:  movzx  edx,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;edx&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80485ca &amp;lt;PJeGPC4TIVaKFmmy53DJ+150&amp;gt;:  xor    dl,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x2&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Now this part is interesting&lt;/p&gt;

&lt;p&gt;I see some constants moving somewhere and the inputs I gave to program xored with those constants &lt;/p&gt;

&lt;p&gt;I continued to investigate more...&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;gdb&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; x/30i X1bdrhN8Yk9NZ59Vb7P2
   0x8048838 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2&amp;gt;:  sbb    ecx,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ecx+0x20ec83e5&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x804883e &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+6&amp;gt;:    mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x18&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x0
   0x8048845 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+13&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x1&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xd9
   0x8048849 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+17&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x2&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xcd
   0x804884d &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+21&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x3&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xc9
   0x8048851 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+25&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xe5
   0x8048855 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+29&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x5&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x9e
   0x8048859 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+33&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x6&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xd0
   0x804885d &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+37&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x7&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xe8
   0x8048861 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+41&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xa5
   0x8048865 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+45&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x9&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xaf
   0x8048869 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+49&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xa&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x87
   0x804886d &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+53&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xb&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xd2
   0x8048871 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+57&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xc&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x79
   0x8048875 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+61&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xd&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0xa9
   0x8048879 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+65&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xe&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x5d
   0x804887d &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+69&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0xf&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x7
   0x8048881 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+73&amp;gt;:   mov    BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x10&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x81
   0x8048885 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+77&amp;gt;:   mov    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x0
   0x804888c &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+84&amp;gt;:   mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x804888f &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+87&amp;gt;:   add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048892 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+90&amp;gt;:   movzx  eax,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048895 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+93&amp;gt;:   cmp    al,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x1&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048898 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+96&amp;gt;:   je     0x80488a2 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+106&amp;gt;
   0x804889a &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+98&amp;gt;:   mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x18&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This is also similar :) Now we pushing another bunch of constants...&lt;/p&gt;

&lt;p&gt;Ok here&amp;#39;s the remaining part of the function:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;0x804889d &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+101&amp;gt;:    jmp    0x8048a20 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+488&amp;gt;
   0x80488a2 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+106&amp;gt;:  add    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x1
   0x80488a6 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+110&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488a9 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+113&amp;gt;:  add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488ac &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+116&amp;gt;:  movzx  eax,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488af &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+119&amp;gt;:  cmp    al,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x2&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488b2 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+122&amp;gt;:  je     0x80488bc &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+132&amp;gt;
   0x80488b4 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+124&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x18&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488b7 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+127&amp;gt;:  jmp    0x8048a20 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+488&amp;gt;
   0x80488bc &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+132&amp;gt;:  add    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x1
   0x80488c0 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+136&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488c3 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+139&amp;gt;:  add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488c6 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+142&amp;gt;:  movzx  eax,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488c9 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+145&amp;gt;:  cmp    al,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x3&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488cc &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+148&amp;gt;:  je     0x80488d6 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+158&amp;gt;
   0x80488ce &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+150&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x18&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488d1 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+153&amp;gt;:  jmp    0x8048a20 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+488&amp;gt;
   0x80488d6 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+158&amp;gt;:  add    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x1
   0x80488da &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+162&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488dd &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+165&amp;gt;:  add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
---Type &amp;lt;&lt;span class=&quot;k&quot;&gt;return&lt;/span&gt;&amp;gt; to &lt;span class=&quot;k&quot;&gt;continue&lt;/span&gt;, or q &amp;lt;&lt;span class=&quot;k&quot;&gt;return&lt;/span&gt;&amp;gt; to quit---
   0x80488e0 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+168&amp;gt;:  movzx  eax,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488e3 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+171&amp;gt;:  cmp    al,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x4&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488e6 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+174&amp;gt;:  je     0x80488f0 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+184&amp;gt;
   0x80488e8 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+176&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x18&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488eb &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+179&amp;gt;:  jmp    0x8048a20 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+488&amp;gt;
   0x80488f0 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+184&amp;gt;:  add    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x1
   0x80488f4 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+188&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488f7 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+191&amp;gt;:  add    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp+0x8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488fa &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+194&amp;gt;:  movzx  eax,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;eax&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x80488fd &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+197&amp;gt;:  cmp    al,BYTE PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x5&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048900 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+200&amp;gt;:  je     0x804890a &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+210&amp;gt;
   0x8048902 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+202&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x18&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
   0x8048905 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+205&amp;gt;:  jmp    0x8048a20 &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+488&amp;gt;
   0x804890a &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+210&amp;gt;:  add    DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;,0x1
   0x804890e &amp;lt;X1bdrhN8Yk9NZ59Vb7P2+214&amp;gt;:  mov    eax,DWORD PTR &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;ebp-0x14&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Do you see the pattern that I see here ? If you don&amp;#39;t, no problem...&lt;/p&gt;

&lt;p&gt;Here, the program compares the my xored inputs with the constants again.&lt;/p&gt;

&lt;p&gt;Now, we look at the inputs again, first inputs were xored with some constants and outputs compared with other constants&lt;/p&gt;

&lt;p&gt;So last 2 functions should be like this:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;void PJeGPC4TIVaKFmmy53DJ &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;int * p&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
  int array&lt;span class=&quot;o&quot;&gt;[]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;0xe4,0x87,0xfb,0xbe,0xc9,0x93,0x84,0xfc,0x8d,0xe5,0xbf,0x5c,0xe2,0x76,0x21,0xb8&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;
  &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;i&amp;lt;16&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;i++&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
 &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
    p&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;i&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; p&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;i&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt; ^ array&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;i&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
 &lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;int X1bdrhN8Yk9NZ59Vb7P2&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;int * p&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
   int &lt;span class=&quot;nv&quot;&gt;array&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;0xd9,0xcd,0xc9,0xe5,0x9e,0xd0,0xe8,0xa5,0xaf,0x87,0xd2,0x79,0xa9,0x5d,0x7,0x81&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;
   &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;i&amp;lt;16&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;i++&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
 &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;p&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;i&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt; !&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; array&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;i&lt;span class=&quot;o&quot;&gt;])&lt;/span&gt;
         &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;false&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; // fail..
 &lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;
  &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;true&lt;/span&gt; 
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;So write up a simple python script to xor those two constants to find the key:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;#!/usr/bin/python&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;firstConst&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;0xe4,0x87,0xfb,0xbe,0xc9,0x93,0x84,0xfc,0x8d,0xe5,0xbf,0x5c,0xe2,0x76,0x21,0xb8&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;secondConst&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;0xd9,0xcd,0xc9,0xe5,0x9e,0xd0,0xe8,0xa5,0xaf,0x87,0xd2,0x79,0xa9,0x5d,0x7,0x81&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;ret&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;&amp;quot;&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; x in range&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;16&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;:
        ret+&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;chr&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;firstConst&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;x&lt;span class=&quot;o&quot;&gt;]&lt;/span&gt; ^ secondConst&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;x&lt;span class=&quot;o&quot;&gt;])&lt;/span&gt;
print ret&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;eren@lisa:~&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;./CrackTheDoor 

        *** DOOR CONTROL SYSTEM  ***



PASSWORD: &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;J2&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;WClY&lt;span class=&quot;err&quot;&gt;&amp;quot;&lt;/span&gt;bm%K+&lt;span class=&quot;p&quot;&gt;&amp;amp;&lt;/span&gt;9

        ***  ACCESS GRANTED  ***

        ***  THE DOOR OPENED ***&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Et voilà!&lt;/p&gt;

&lt;p&gt;I&amp;#39;ll write another to post to cover Part 2 :)&lt;/p&gt;

&lt;p&gt;The company sent me another crack me for round 2 :) That&amp;#39;s also interesting...&lt;/p&gt;

&lt;p&gt;(BTW i got the job :) ).&lt;/p&gt;

&lt;p&gt;If you want to try it yourself, send me an email for binary.&lt;/p&gt;

&lt;p&gt;(You can also poke me for typos.)&lt;/p&gt;
</content>
   </entry>
   
</feed>