Rootme ELF - No software breakpoints Cracking Challenge
%if 0
* Title: Rootme ELF - No software breakpoints Cracking Challenge
* Author: Osanda Malith (@OsandaMalith)
* Website: http://osandamalith.wordpress.com
%endif
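; Syntax: NASM (Intel operand order). Target: 32-bit x86 Linux ELF, linked
; against libc for printf/exit. Build sketch (adjust to your toolchain):
;   nasm -f elf32 <file>.asm && gcc -m32 -no-pie <file>.o
extern  printf
extern  exit
global  main

section .bss
; Output buffer for the derived serial: keybytes_len (25) characters plus one
; spare byte. .bss is zero-filled at load, so the spare byte acts as the NUL
; terminator that the "%s" print of this buffer relies on.
password        resb    26

; Everything below is only ever read, so it lives in .rodata rather than the
; writable .data section.
section .rodata
fmt_checksum    db "[+] Checksum: %x",0xa,0xa,0
fmt_serial      db "[+] Serial is: %s",0xa,0xa,0

banner:
        db 0x9,"------------------------------------------------------------",0xa
        db 0x9,"[~] Rootme No software breakpoints Cracking Challenge",0xa
        db 0x9,"[~] Author: Osanda Malith (@OsandaMalith)",0xa
        db 0x9,"[~] Website: http://osandamalith.wordpress.com",0xa
        db 0x9,"------------------------------------------------------------",0xa,0xa,0

;-----------------------------------------------------------------------
; shellcode: 163 bytes (0xa3) of 32-bit x86 machine code, kept as DATA.
; It is never executed here; main only checksums it. Despite the label
; name, it decodes as the challenge binary's own code: the range
; 0x08048080..0x08048123 that the code passes to its checksum routine is
; exactly 0xa3 bytes long, the same length as this array.
;
; Why the challenge is called "no software breakpoints": the serial check
; is keyed on a checksum of the program's own instructions. A debugger's
; software breakpoint patches a 0xCC byte into that range, which changes
; the checksum and therefore every expected serial byte. Computing the
; checksum over a clean copy of the bytes (as done in main) avoids that.
;
; The disassembly in the comments was decoded by hand from the bytes;
; confirm with a disassembler (e.g. ndisasm -b 32) before relying on it.
; The left column is the offset of each instruction within the array.
;-----------------------------------------------------------------------
shellcode:
        db 0xb8,0x04,0x00,0x00,0x00     ; 00: mov  eax, 4           ; sys_write
        db 0xbb,0x01,0x00,0x00,0x00     ; 05: mov  ebx, 1           ; fd 1
        db 0xb9,0xa1,0x91,0x04,0x08     ; 0a: mov  ecx, 0x080491a1  ; prompt text
        db 0xba,0x26,0x00,0x00,0x00     ; 0f: mov  edx, 0x26
        db 0xcd,0x80                    ; 14: int  0x80
        db 0xb8,0x03,0x00,0x00,0x00     ; 16: mov  eax, 3           ; sys_read
        db 0x31,0xdb                    ; 1b: xor  ebx, ebx         ; fd 0
        db 0xb9,0x88,0x91,0x04,0x08     ; 1d: mov  ecx, 0x08049188  ; input buffer
        db 0xba,0x33,0x00,0x00,0x00     ; 22: mov  edx, 0x33
        db 0xcd,0x80                    ; 27: int  0x80
        db 0x31,0xc9                    ; 29: xor  ecx, ecx
        db 0xb8,0x80,0x80,0x04,0x08     ; 2b: mov  eax, 0x08048080  ; start of checked code
        db 0xbb,0x23,0x81,0x04,0x08     ; 30: mov  ebx, 0x08048123  ; end of checked code
        db 0xe8,0x5b,0x00,0x00,0x00     ; 35: call 0x95             ; checksum routine
        db 0x89,0xca                    ; 3a: mov  edx, ecx         ; edx = checksum
        db 0xb9,0x19,0x00,0x00,0x00     ; 3c: mov  ecx, 0x19        ; 25 bytes to compare
        db 0xb8,0x55,0x91,0x04,0x08     ; 41: mov  eax, 0x08049155  ; stored key table
        db 0xbb,0x88,0x91,0x04,0x08     ; 46: mov  ebx, 0x08049188  ; input buffer
        db 0xd1,0xca                    ; 4b: ror  edx, 1
        db 0x8a,0x44,0x08,0xff          ; 4d: mov  al, [eax+ecx-1]
        db 0x8a,0x5c,0x0b,0xff          ; 51: mov  bl, [ebx+ecx-1]
        db 0x30,0xd8                    ; 55: xor  al, bl
        db 0x30,0xd0                    ; 57: xor  al, dl
        db 0x75,0x1b                    ; 59: jnz  0x76             ; mismatch
        db 0x49                         ; 5b: dec  ecx
        db 0x75,0xe3                    ; 5c: jnz  0x41             ; next byte
        db 0xb8,0x04,0x00,0x00,0x00     ; 5e: mov  eax, 4           ; sys_write
        db 0xbb,0x01,0x00,0x00,0x00     ; 63: mov  ebx, 1
        db 0xb9,0x24,0x91,0x04,0x08     ; 68: mov  ecx, 0x08049124  ; message when all bytes match
        db 0xba,0x26,0x00,0x00,0x00     ; 6d: mov  edx, 0x26
        db 0xcd,0x80                    ; 72: int  0x80
        db 0xeb,0x16                    ; 74: jmp  0x8c
        db 0xb8,0x04,0x00,0x00,0x00     ; 76: mov  eax, 4           ; sys_write
        db 0xbb,0x01,0x00,0x00,0x00     ; 7b: mov  ebx, 1
        db 0xb9,0x4a,0x91,0x04,0x08     ; 80: mov  ecx, 0x0804914a  ; message on mismatch
        db 0xba,0x0b,0x00,0x00,0x00     ; 85: mov  edx, 0x0b
        db 0xcd,0x80                    ; 8a: int  0x80
        db 0xb8,0x01,0x00,0x00,0x00     ; 8c: mov  eax, 1           ; sys_exit
        db 0x31,0xdb                    ; 91: xor  ebx, ebx
        db 0xcd,0x80                    ; 93: int  0x80
        db 0x29,0xc3                    ; 95: sub  ebx, eax         ; ebx = byte count
        db 0x31,0xc9                    ; 97: xor  ecx, ecx
        db 0x02,0x08                    ; 99: add  cl, [eax]
        db 0xc1,0xc1,0x03               ; 9b: rol  ecx, 3
        db 0x40                         ; 9e: inc  eax
        db 0x4b                         ; 9f: dec  ebx
        db 0x75,0xf7                    ; a0: jnz  0x99
        db 0xc3                         ; a2: ret
shellcode_len   equ $-shellcode

; 25 key bytes. main XORs each one with the low byte of the rotating checksum
; to produce the serial. Presumably this is a copy of the table the target
; code reads at 0x08049155 -- verify against the challenge binary.
key_bytes:
        db 0x1e, 0xcd, 0x2a, 0xd5, 0x34, 0x87, 0xfc, 0x78
        db 0x64, 0x35, 0x9d, 0xec, 0xde, 0x15, 0xac, 0x97
        db 0x99, 0xaf, 0x96, 0xda, 0x79, 0x26, 0x4f, 0x32
        db 0xe0
keybytes_len    equ $-key_bytes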
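section .text

;-----------------------------------------------------------------------
; int main(void)  -- never returns; terminates through exit()
; ABI:   32-bit x86 cdecl (arguments pushed right-to-left, caller pops)
; Uses:  shellcode/shellcode_len, key_bytes/keybytes_len, password,
;        banner, fmt_checksum, fmt_serial (defined in the data sections)
; Regs:  esi = read cursor into shellcode
;        ebx = bytes remaining, later the rotating checksum
;        ecx = checksum accumulator, later the serial index (25..1)
;        al  = serial byte being built
; Note:  ebx and esi are callee-saved under cdecl and are not restored;
;        that is harmless only because control leaves through exit().
;        The call sites do not keep esp 16-byte aligned -- NOTE(review):
;        confirm your libc's printf tolerates that on i386.
;-----------------------------------------------------------------------
main:
        ; banner is passed as the printf FORMAT string. That is safe only
        ; because it is a constant containing no '%' conversions.
        push    banner
        call    printf
        add     esp, 4                  ; caller pops its one argument

        ;-- Checksum -----------------------------------------------------
        ; For each byte b of the code copy: cl += b; ecx = rol(ecx, 3).
        ; Same add/rol-by-3 recurrence as the routine at the end of the
        ; shellcode bytes, so the result matches the target's self-check
        ; of unmodified code.
        mov     esi, shellcode
        mov     ebx, shellcode_len      ; 163 bytes, always > 0
        xor     ecx, ecx
.checksum:
        add     cl, [esi]               ; 8-bit add: carry out of cl is dropped
        rol     ecx, 3
        inc     esi
        dec     ebx
        jnz     .checksum

        ; Keep the checksum in callee-saved ebx across printf. printf may
        ; clobber ecx, and the argument slots on the stack belong to the
        ; callee, so reading the value back from [esp+4] is not guaranteed.
        mov     ebx, ecx
        push    ecx
        push    fmt_checksum
        call    printf
        add     esp, 8

        ;-- Serial -------------------------------------------------------
        ; Walk the key from its last byte to its first. Each step rotates
        ; the checksum right by one bit and XORs its low byte into the key
        ; byte: password[i] = key_bytes[i] ^ low8(checksum).
        xor     eax, eax
        mov     ecx, keybytes_len       ; 25; index i = ecx - 1
.serial:
        ror     ebx, 1
        mov     al, [key_bytes + ecx - 1]
        xor     al, bl
        mov     [password + ecx - 1], al
        dec     ecx
        jnz     .serial                 ; original jumped to "__Loop", which does not
                                        ; match the "__loop" label (NASM is case-sensitive)

        ; password[25] is never written and stays zero (.bss), so "%s"
        ; stops after the 25 serial characters.
        push    password
        push    fmt_serial
        call    printf
        add     esp, 8

        ;-- Exit ---------------------------------------------------------
        ; Status 1 is kept from the original. NOTE(review): 0 is the
        ; conventional success status; change it if scripts check it.
        push    1
        call    exit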