Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Rootme ELF - No software breakpoints Cracking Challenge
%if 0
* Title: Rootme ELF - No software breakpoints Cracking Challenge
* Author: Osanda Malith (@OsandaMalith)
* Website: http://osandamalith.wordpress.com
%endif
extern printf
extern exit
global main
section .bss
password resb 26
section .data
fmt_checksum db "[+] Checksum: %x",0xa,0xa,0
fmt_serial db "[+] Serial is: %s",0xa,0xa,0
banner:
db 0x9,"------------------------------------------------------------",0xa
db 0x9,"[~] Rootme No software breakpoints Cracking Challenge",0xa
db 0x9,"[~] Author: Osanda Malith (@OsandaMalith)",0xa
db 0x9,"[~] Website: http://osandamalith.wordpress.com",0xa
db 0x9,"------------------------------------------------------------",0xa,0xa,0
shellcode:
db 0xb8,0x04,0x00,0x00,0x00,0xbb,0x01,0x00,0x00,0x00
db 0xb9,0xa1,0x91,0x04,0x08,0xba,0x26,0x00,0x00,0x00
db 0xcd,0x80,0xb8,0x03,0x00,0x00,0x00,0x31,0xdb,0xb9
db 0x88,0x91,0x04,0x08,0xba,0x33,0x00,0x00,0x00,0xcd
db 0x80,0x31,0xc9,0xb8,0x80,0x80,0x04,0x08,0xbb,0x23
db 0x81,0x04,0x08,0xe8,0x5b,0x00,0x00,0x00,0x89,0xca
db 0xb9,0x19,0x00,0x00,0x00,0xb8,0x55,0x91,0x04,0x08
db 0xbb,0x88,0x91,0x04,0x08,0xd1,0xca,0x8a,0x44,0x08
db 0xff,0x8a,0x5c,0x0b,0xff,0x30,0xd8,0x30,0xd0,0x75
db 0x1b,0x49,0x75,0xe3,0xb8,0x04,0x00,0x00,0x00,0xbb
db 0x01,0x00,0x00,0x00,0xb9,0x24,0x91,0x04,0x08,0xba
db 0x26,0x00,0x00,0x00,0xcd,0x80,0xeb,0x16,0xb8,0x04
db 0x00,0x00,0x00,0xbb,0x01,0x00,0x00,0x00,0xb9,0x4a
db 0x91,0x04,0x08,0xba,0x0b,0x00,0x00,0x00,0xcd,0x80
db 0xb8,0x01,0x00,0x00,0x00,0x31,0xdb,0xcd,0x80,0x29
db 0xc3,0x31,0xc9,0x02,0x08,0xc1,0xc1,0x03,0x40,0x4b
db 0x75,0xf7,0xc3
shellcode_len equ $-shellcode
key_bytes:
db 0x1e, 0xcd, 0x2a, 0xd5, 0x34, 0x87, 0xfc, 0x78
db 0x64, 0x35, 0x9d, 0xec, 0xde, 0x15, 0xac, 0x97
db 0x99, 0xaf, 0x96, 0xda, 0x79, 0x26, 0x4f, 0x32
db 0xe0
keybytes_len equ $-key_bytes
section .text
main:
push banner ; push the banner label
call printf ; display banner
add esp, 0x4 ; realign the stack
lea esi, [shellcode] ; load offset of shellcode
mov ebx, shellcode_len ; mov the len of shellcode
xor ecx, ecx ; Zero out ecx
;--------------------------------------------------------
; Calculate the Checksum
;--------------------------------------------------------
_loop:
add cl, [esi] ; add opcode to cl
rol ecx, 0x3 ; Rotate left ecx by 3
inc esi ; incremenet esi
dec ebx ; decrement ebx
jnz _loop ; if ebx != 0 loop
push ecx ; push the result to stack
push fmt_checksum ; push the format string
call printf ; print it
mov ebx, [esp+4] ; mov the result from stack to ebx
add esp, 0x8 ; Clear the stack
;--------------------------------------------------------
; Serial Routine
;--------------------------------------------------------
xor eax, eax ; Zero out eax
mov ecx, keybytes_len ; len of key bytes
__loop:
ror ebx, 1 ; rotate right by 1 the checksum
mov al, [key_bytes+ecx*1-0x1] ; mov byte by byte from keybyte to al in descending order
xor al, bl ; XOR al by bl and store in al
mov [password+ecx*1-0x1], al ; mov the result into our password array in descending order
dec ecx ; decrement ecx
jnz __Loop ; if (ecx != 0) loop
push password ; push serial to stack
push fmt_serial ; push the format string
call printf ; Display serial
add esp, 0x8 ; clear stack
;--------------------------------------------------------
; Exit gracefully
;--------------------------------------------------------
push 1 ; Push 1
call exit ; Exit returning 1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment