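# Build passme.so (the LD_PRELOAD helper for the 101-crackme exercise) and
# run the crackme with it preloaded, optionally under gdb.
# Recipe lines must begin with a hard TAB.

SO_NAME := passme.so
BIN_DIR ?= .
GCC ?= gcc
SO_CFLAGS := -fPIC
SO_LDFLAGS := -fPIC -rdynamic -shared -ldl
CFLAGS := -g -O0
CRACK_ME := 101-crackme
# Argument the crackme is started with; must match PASSWORD in passme.c.
PASSWORD ?= 1234

# Single source of truth for the shared object's path: the build rule and the
# run targets must name the same file, otherwise a non-default BIN_DIR builds
# $(BIN_DIR)/passme.so while `run` looks for ./passme.so.
so_path := $(BIN_DIR)/$(SO_NAME)

.PHONY: all run run_gdb debug
# Drop a half-written object/library when its recipe fails.
.DELETE_ON_ERROR:

all: $(so_path)

$(so_path): $(BIN_DIR)/passme.o
	$(GCC) -o $@ $^ $(SO_LDFLAGS)

$(BIN_DIR)/passme.o: passme.c
	@mkdir -p $(@D)
	$(GCC) -o $@ -c $< $(CFLAGS) $(SO_CFLAGS)

# The crackme is not built here.  Fail explicitly instead of letting an
# echo-only recipe "succeed" without producing the file, which would only
# move the error to the run step.
$(CRACK_ME):
	@echo "$(CRACK_ME) missing. Download it from"
	@echo "https://github.com/holbertonschool/0x04.c/blob/master/101-crackme"
	@exit 1

run: $(so_path) $(CRACK_ME)
	LD_PRELOAD=$(so_path) ./$(CRACK_ME) $(PASSWORD)

run_gdb: $(so_path) $(CRACK_ME)
	gdb ./$(CRACK_ME) -ex "set env LD_PRELOAD = $(so_path)" -ex "set args $(PASSWORD)"

# Scripted variant: passme.py installs a gdb breakpoint instead of preloading,
# so it needs the script but not the shared object.
debug: $(CRACK_ME) passme.py
	gdb ./$(CRACK_ME) -ex "source passme.py" -ex "echo \nTODO:\nrun any_password\n"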
/*
 * passme.c — constructor for an LD_PRELOAD library used with 101-crackme.
 *
 * Loaded into the crackme via LD_PRELOAD, init() runs before the host's
 * main().  If the host looks like the crackme and the last argv entry is
 * PASSWORD, it makes the page holding CHECKSUM_CALL_ADDR writable and
 * copies OVERWRITE_LEN bytes of machine code — a `movl $CHECKSUM_RET_VAL`
 * into -0x8(%rbp) followed by nop padding — over the instructions there.
 *
 * Everything is tied to one specific binary and toolchain: the address,
 * the value and the byte length are constants measured for that build,
 * and the asm is x86-64 only (%rbp).  From a defensive point of view the
 * observable event is an mprotect() that adds PROT_WRITE to an executable
 * page — exactly what W^X policies, seccomp filters and mprotect audit
 * rules look for — and the page is never restored to read/execute.
 */
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* NOTE(review): __USE_GNU is a glibc-internal macro; the public feature
 * macro is _GNU_SOURCE and it has to be defined before the first include.
 * Nothing from <dlfcn.h> is used in this file anyway. */
#define __USE_GNU
#include <dlfcn.h>
#include <sys/mman.h>

/* Address in the target binary of the instructions to overwrite. */
#define CHECKSUM_CALL_ADDR 0x4005e0
/* Immediate stored to -0x8(%rbp) by the patch (0xad4; the gdb script
 * passme.py sets $rax to the same value). */
#define CHECKSUM_RET_VAL "0x000ad4"
/* Expected size in bytes of the code between the `here` and `there` labels. */
#define OVERWRITE_LEN 9
/* Last command-line argument required before any patching is attempted. */
#define PASSWORD "1234"

void init(int argc, char **argv, char **env) __attribute__((constructor));

/*
 * Constructor entry point; relies on glibc passing argc/argv/envp to
 * constructors.  Returns early — without touching the process — when the
 * host is not the crackme, when the password argument is missing or wrong,
 * when the generated code has an unexpected length, or when mprotect()
 * fails.
 */
void init(int argc, char **argv, char **env) {
    /* volatile keeps the compiler from proving `x == -1` false and
     * discarding the dead block below, whose only purpose is to emit the
     * machine code that gets copied. */
    volatile int x = 0;
    /* Only act on a two-argument invocation of a program whose argv[0]
     * contains "crackme". */
    if (argc != 2 || strstr(argv[0], "crackme") == NULL) {
        return;
    }
    if (strcmp(argv[argc - 1], PASSWORD) != 0) {
        printf("Wrong preload password\n");
        return;
    }
    if (x == -1) {
        // NEVER EXECUTED, just to get assembly code
        here:
        asm volatile("movl $"CHECKSUM_RET_VAL", -0x8(%%rbp)" : : );
        asm volatile("nop");asm volatile("nop");
        there:
        /*NOP*/ ; // a label must be followed by a statement, hence the empty one
    }
    /* GCC "labels as values": &&label is the code address of the label,
     * so the bytes in [here, there) are the template that gets copied. */
    void **mov_addr = &&here;
    /* NOTE(review): pointer difference stored in unsigned int (and printed
     * with %d below); harmless for a 9-byte span, but size_t with %zu would
     * be the honest type. */
    unsigned int len = &&there - &&here;
    if (len != OVERWRITE_LEN) {
        printf("ERROR: length of code to overwrite (%db) should be %db\n", len, OVERWRITE_LEN);
        return;
    }
    void **target = (void **)CHECKSUM_CALL_ADDR;
    unsigned int pagesize = getpagesize();
    int ret;
    go: /* unused label; nothing jumps here */
    // allow writing on target page
    /* NOTE(review): casting the pointer to unsigned int truncates it to
     * 32 bits on x86-64.  It only works because CHECKSUM_CALL_ADDR fits in
     * 32 bits; uintptr_t would be correct for any address. */
    ret = mprotect((void *)((unsigned int) target & ~(pagesize-1)), pagesize,
                   PROT_READ|PROT_EXEC|PROT_WRITE);
    if (ret) {
        perror("ERROR: mprotect failed");
        return;
    }
    /* Overwrite the target instructions with the template.  The page is
     * left read/write/execute afterwards. */
    memcpy((void *) CHECKSUM_CALL_ADDR, mov_addr, len);
}
import gdb
class checksumBP(gdb.Breakpoint):
    """Internal breakpoint on ``checksum`` that short-circuits the call.

    On every hit the callback pops the current frame with gdb's ``return``
    command and forces the return register to 0xad4 — the same value
    passme.c patches in — so the caller observes that checksum without the
    function body running.  The breakpoint is internal (hidden from the
    breakpoint list) and silent (no stop banner).
    """

    def __init__(self):
        super(checksumBP, self).__init__("checksum", internal=True)
        self.silent = True

    def stop(self):
        """Hit callback; returns False so the inferior is not stopped."""
        # Order matters: pop the frame first, then fix the return value.
        for command in ("return", "set $rax = 0xad4"):
            gdb.execute(command)
        return False
# Constructing the breakpoint is what installs it in the gdb session; the
# object is not kept because the breakpoint persists on its own.
checksumBP()