Making Medusa : My First CrackMe - Part 0x01

Table Of Contents#

MAIN.C
PSEUDO-C
DISASSEMBLY
LAYERING
PROBLEMO
WHAT WE LEARNT

I had just started learning C and after completing few basics, I was looking for my first project to make. After thinking around, I landed on making a CrackMe challenge in C. Goal would be to start small, compile the binary, view the disassembly, view the pseudo-C code in IDA-Free and co-relate everything and move to adding more complexities.

GGs, that sounds fun! Lets code, shall we?

MAIN.C#

First I wrote a simple main.c program—

1
#include  <stdint.h>
2
#include  <sys/mman.h>
3
#include  <string.h>
4

5
int  main()
6
{
7
  uint8_t  code  []  =  {0xB8,  0x42,  0x00,  0x00, 0x00,  0xC3}; // mov eax, 0x42; ret
8

9
  void  *mem  =  mmap(NULL,  1024,  PROT_READ  |  PROT_WRITE  |  PROT_EXEC,  MAP_ANON  |  MAP_PRIVATE,  -1,  0); // create a protected executable anonymous private memory region
10

11
  memcpy(mem,  code,  sizeof(code)); // copy the code to that region
12

13
  int  (*func)()  =  mem; // cast a function pointer and point it to mem
14

15
  int  result  =  func(); // execute the func() function and store the result in result variable
16

17
  return  result; // return the result which should be 66
18
}

Lets compile the program and view its pseudo-C code

1
gcc -m32 -fno-stack-protector -z execstack -no-pie -fno-pic main.c -o main

-m32 : Produces a 32-bit binary
-fno-stack-protector : Disables canary-based stack protection
-z execstack : Marks the stack as executable
-no-pie : Generates a binary with a fixed base address instead of randomized addresses (ASLR for PIE)
-fno-pic : Disables generation of position-independent code. Relevant mostly for shared libraries or PIEs.
main.c : Source file to compile.
-o main : Names the output binary main.

PSEUDO-C#

1
int __cdecl main(int argc, const char **argv, const char **envp)
2
{
3
  int (*v3)(void); // function pointer that takes no argument
4

5
  v3 = (int (*)(void))mmap(0, 1024u, 7, 0x22, -1, 0); // calls mmap to allocate 1024 bytes of memory with read, write, and execute permissions
6
  *(_DWORD *)v3 = 0x42B8; // store 0x42B8 in memory
7
  *((_WORD *)v3 + 2) = 0xC300; // store next bytes (0xC300) with offset of 4 (2 WORDs)
8
  return v3(); // calls the function executing the code
9
}

DISASSEMBLY#

and now its disassembly

1
; int __cdecl main(int argc, const char **argv, const char **envp)
2
public main
3
main proc near
4

5
; variables
6
var_1A= dword ptr -1Ah
7
var_16= word ptr -16h
8
var_14= dword ptr -14h
9
var_10= dword ptr -10h
10
var_C= dword ptr -0Ch
11
var_4= dword ptr -4
12
argc= dword ptr  8
13
argv= dword ptr  0Ch
14
envp= dword ptr  10h
15

16
; __unwind {
17
; stack frame setup
18
lea     ecx, [esp+4]
19
and     esp, 0FFFFFFF0h
20
push    dword ptr [ecx-4]
21
push    ebp
22
mov     ebp, esp
23
push    ecx
24
sub     esp, 24h
25

26
; call mmap to allocate executable memory and storing return pointer in var_C
27
mov     [ebp+var_1A], 42B8h
28
mov     [ebp+var_16], 0C300h
29
sub     esp, 8
30
push    0               ; offset
31
push    0FFFFFFFFh      ; fd
32
push    22h ; '"'       ; flags
33
push    7               ; prot
34
push    400h            ; len
35
push    0               ; addr
36
call    _mmap
37
add     esp, 20h
38
mov     [ebp+var_C], eax
39

40
; copy machine code to allocated memory
41
mov     eax, [ebp+var_C]
42
mov     edx, [ebp+var_1A]
43
mov     [eax], edx
44
movzx   edx, [ebp+var_16]
45
mov     [eax+4], dx
46

47
; prepare and call the function
48
mov     eax, [ebp+var_C]
49
mov     [ebp+var_10], eax
50
mov     eax, [ebp+var_10]
51
call    eax
52

53
; return the result and clean the stack
54
mov     [ebp+var_14], eax
55
mov     eax, [ebp+var_14]
56
mov     ecx, [ebp+var_4]
57
leave
58
lea     esp, [ecx-4]
59
retn
60
; } // starts at 8049166
61
main endp
62

63
_text ends

LAYERING#

Now that we have seen code in all three forms, let’s add some layers. I wrote another file validate.c—

1
#include  <stdio.h>
2
#include  <string.h>
3
int  validate(const  char  *input);
4
int  main()
5
{
6
  char  input[64];
7
  scanf("%63s",  input);
8
  if  (validate(input))
9
  {
10
  printf("Correct!\n");
11
  }
12
  else
13
  {
14
  printf("Wrong!\n");
15
  }
16
  return  0;
17
}
18

19
int  validate(const  char  *input)
20
{
21
  const  char  *flag  =  "pwning-since-1337";
22
  int  i  =  0;
23
  for  ( ; ;  i++)
24
  {
25
    unsigned  char  a  =  (unsigned  char)input[i];
26
    unsigned  char  b  =  (unsigned  char)flag[i];
27
    if  (a  !=  b)
28
    {
29
      return  0;
30
    }
31
    if  (a  ==  0)
32
    {
33
      return  1;
34
    }
35
  }
36
}

I compiled it again and this time we extract just the raw instruction bytes of validate part of the code

1
objdump -M intel -d validate | awk '/<validate>:/,/^$/' | awk '/^[[:space:]]*[0-9a-f]+:/ {for(i=2;i<=10;i++) if($i ~ /^[0-9a-f][0-9a-f]$/) printf "0x%s, ", $i} END {print ""}'

(thanks chatGPT).

which now we will be XORing with a key (0x1337) using python—

1
def  xor_encrypt(buf:  bytearray,  key:  int)  ->  None:
2
  key_bytes =  [key &  0xFF,  (key >>  8)  &  0xFF]
3
  for i in  range(len(buf)):
4
  buf[i]  ^=  key_bytes[i %  2]
5

6
validate_bytes =  [
7
0x55,  0x89,  0xe5,  0x83,  0xec,  0x10,  0xc7,  0x45,  0xf8,  0x1d,  0xa0,  0x04,
8
0x08,  0xc7,  0x45,  0xfc,  0x00,  0x00,  0x00,  0x00,  0x8b,  0x55,  0xfc,  0x8b,
9
0x45,  0x08,  0x01,  0xd0,  0x0f,  0xb6,  0x00,  0x88,  0x45,  0xf7,  0x8b,  0x55,
10
0xfc,  0x8b,  0x45,  0xf8,  0x01,  0xd0,  0x0f,  0xb6,  0x00,  0x88,  0x45,  0xf6,
11
0x0f,  0xb6,  0x45,  0xf7,  0x3a,  0x45,  0xf6,  0x74,  0x07,  0xb8,  0x00,  0x00,
12
0x00,  0x00,  0xeb,  0x13,  0x80,  0x7d,  0xf7,  0x00,  0x75,  0x07,  0xb8,  0x01,
13
0x00,  0x00,  0x00,  0xeb,  0x06,  0x83,  0x45,  0xfc,  0x01,  0xeb,  0xc1, 0xc9,
14
0xc3
15

16
]
17

18
data =  bytearray(validate_bytes)
19

20
xor_encrypt(data,  0x1337)
21

22
print("Encrypted:",  ', '.join(f'0x{b:02x}'  for b in data))

Now we update our C code to look something like this—

1
#include  <stdint.h>
2
#include  <sys/mman.h>
3
#include  <string.h>
4
#include  <stdio.h>
5

6
void  xor_decrypt(uint8_t  *buf,  size_t  len,  uint16_t  key);
7

8
int  main()
9
{
10
  char  input[64];
11
  printf("WELCOME TRAVELLER, SPEAK THY SHAN'T BE STONED: ");
12
  fflush(stdout);
13
  if  (scanf("%63s",  input)  !=  1)
14
  {
15
    return  1;
16
  }
17

18
  uint8_t  code[]  =  {0x62,  0x9a,  0xd2,  0x90,  0xdb,  0x03,  0xf0,  0x56,  0xcf,  0x0e,  0x97,  0x17,  0x3f,  0xd4,  0x72,  0xef,  0x37,  0x13,  0x37,  0x13,  0xbc,  0x46,  0xcb,  0x98,  0x72,  0x1b,  0x36,  0xc3,  0x38,  0xa5,  0x37,  0x9b,  0x72,  0xe4,  0xbc,  0x46,  0xcb,  0x98,  0x72,  0xeb,  0x36,  0xc3,  0x38,  0xa5,  0x37,  0x9b,  0x72,  0xe5,  0x38,  0xa5,  0x72,  0xe4,  0x0d,  0x56,  0xc1,  0x67,  0x30,  0xab,  0x37,  0x13,  0x37,  0x13,  0xdc,  0x00,  0xb7,  0x6e,  0xc0,  0x13,  0x42,  0x14,  0x8f,  0x12,  0x37,  0x13,  0x37,  0xf8,  0x31,  0x90,  0x72,  0xef,  0x36,  0xf8,  0xf6,  0xda,  0xf4}; // encrypted xor
19

20
  void  *mem  =  mmap(NULL,  1024,  PROT_READ  |  PROT_WRITE  |  PROT_EXEC,  MAP_ANON  |  MAP_PRIVATE,  -1,  0); // create a protected executable anonymous private memory region
21

22
  memcpy(mem,  code,  sizeof(code)); // copy the code to that region
23

24
  xor_decrypt((uint8_t  *)mem,  sizeof(code),  0x1337); // decrypt mem in runtime (use sizeof code as we only need to decrypt that many bytes)
25
  int  (*validate_func)(const  char  *)  =  mem; // cast a function pointer and point it to mem
26

27
  int  ok  =  validate_func(input);
28

29
  puts(ok  ?  "YOU ARE SAVED TRAVELLER, YOU MAY PROCEED!"  :  "YOU GOT STONED BY THE MEDUSA!");
30
}
31

32
void  xor_decrypt(uint8_t  *buf,  size_t  len,  uint16_t  key)
33
{
34
  uint8_t  key_bytes[2];
35
  key_bytes[0]  =  key  &  0xFF; // lower byte
36
  key_bytes[1]  =  (key  >>  8)  &  0xFF; // upper byte
37
  for  (size_t  i  =  0;  i  <  len;  i++)
38
  {
39
    buf[i]  ^=  key_bytes[i  %  2]; // alternate between lower and upper byte
40
  }
41
}

PROBLEMO#

But there comes a problem, no matter what I entered, wrong flag or right flag, It would always give me "YOU GOT STONED BY THE MEDUSA!" What went wrong, after pondering and tinkering I realised that the flag pwning-since-1337 would be stored in .rodata and there would be no way to access it in validate’s function.

We need to write self contained function which has the pwning-since-1337 itself. So we just make an local array, easy-peasy-lemon-squeezy!

Here is our updated validate-self-contained.c—

1
#include  <stdio.h>
2
#include  <string.h>
3

4
int  validate(const  char  *input);
5

6
int  main()
7
{
8
  char  input[64];
9
  scanf("%63s",  input);
10

11
  if  (validate(input))
12
  {
13
    printf("Correct!\n");
14
  }
15
  else
16
  {
17
    printf("Wrong!\n");
18
  }
19

20
  return  0;
21
}
22

23
int  validate(const  char  *input)
24
{
25
// Store the flag as a local array, not as a pointer to a string literal
26
const  unsigned  char  flag[]  =  {
27
'p',  'w',  'n',  'i',  'n',  'g',  '-',  's',  'i',  'n',  'c',  'e',  '-',  '1',  '3',  '3',  '7',  0};
28

29
int  i  =  0;
30
while  (1)
31
{
32
  unsigned  char  a  =  (unsigned  char)input[i];
33
  unsigned  char  b  =  flag[i];
34
  if  (a  !=  b)
35
  {
36
    return  0;
37
  }
38

39
  if  (a  ==  0)
40
  {
41
    return  1;
42
  }
43
  i++;
44
}
45
}

Compile. Extract. XOR. Same yadda yadda process and lets hit run! working-image yipeee, it is working!

We now have a simple working CrackMe.

WHAT WE LEARNT#

we can create a executable region in memory from which we can execute code
how to alternatively use key’s both bytes to XOR
the data or our flag was stored in .rodata hence we needed to make it local

In next post, we will be adding more layers to this, see you soon pwners : D