Some days ago after many more days of research and reversing I managed to solve a crackme that a friend of mine (CT) passed to me. This crackme was supposed to be used in a security conference held in Spain called NoConName and was conceived to be presented as the II level of a crackme contest.
Contents
Where to find the crackme?
During the days I was trying to solve the crackme I found a really interesting web portal devoted to crackers (in the good/bad sense 
) that is basically a repository of crackmes, solutions, forums ... everything I would ask for a place like this to be.
) that is basically a repository of crackmes, solutions, forums ... everything I would ask for a place like this to be.
Thus I have uploaded the crackme there under the name ncn: http://www.crackmes.de/users/eslimasec/ncn/ enjoy it as I did!
Some tips
- If you are a beginner as I was/am in the reversing field your best friends for this crackme can be:
- GDB
- Objdump
- But I heard that some people haven't even needed to disassemble, in this post I cover a reversing view of solving the crackme.
- I have worked quite a lot with the output taken from Objdump, but then I saw It would be easier to use the GDB output (set logging file FILE) because of the relative memory addresses that it uses (main+243) that match more precisely with the output you get when debugging with GDB.
- Use breakpoints to see how the program executes
- Use watchpoints to check the values that the variables hold over the time
- As for every crack there is something that allows you to find the solution and this is ranked as an easy crack
- Maybe in certain moments you don't know that the code does but you can anticipate the ranges in the result you will get
My dirty solution
If you are really really fed up and want to see my solution (haven't uploaded to crackmes.de yet as I want people to be interested in solving it as, well) here you have my friend! Sorry that it's an [javascript:void(0);/*1247300948733*/ spanglish] code
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#define MAX_STR 1000
//many variables, some of them are written in spanish
int len,newpos,salto,i,j,increase=5,ciphered_index,seed_value,procesed=0;
//cifred = encrypted ;) it will hold the ciphered string
int cifred[MAX_STR];
//reversed= decyphered string
char reversed[MAX_STR], str[MAX_STR];
//array taken from original crackme executable that is used to do the translations between numbers and letters
char alphabet[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'};
//function reversed/regenerated from crackme binary that is used to tell which position of the array we are decrypting.
//i think CT (the author) just used it so that ncn binary encrypted strings in a non sequential way
int vacia(int len,int pivote){
//printf("(%d,%d)",len,pivote);
if(len >= pivote){
if( cifred[pivote] == 0 ){
newpos=pivote;
}
else{
newpos=vacia(len, pivote+1);
}
}
else{
pivote = pivote - len;
pivote = pivote - 1;
if (cifred[pivote]==0){
newpos=pivote;
}
else{
newpos=vacia(len, pivote+1);
}
}
return newpos;
}
//a study of the binary will reveal that the "encrypting engine" puts the seed used in the second position of the ciphered array
//this is cifred[1], thus this function gets that char placed in that position and returns its seed value translated using the
//alphabet array
int get_seed(char single_char){
int result=61;
for(i=0;i<62;i++){
if(single_char==alphabet[i]){
result=i;
}
}
return result;
}
//main funcion of the ncn decrypter
int main(int argc,char *argv[]) {
if (argc != 2){
printf("Error, provide ciphered text as the unique argument\n");
exit(1);
}
len = strlen(argv[1]);
if ( len > MAX_STR) {
printf("Error, ciphered text too long, it must be < %d \n",MAX_STR);
exit(1);
}
//trying avoiding buffer overflows
strncpy(str,argv[1],len);
//this variable holds always the same value
salto = 3;
//newpos is the position of the array we are working on, it will be changed according to "vacia" function output
newpos = 1;
//we get the original seed used from the encrypted text passed
seed_value = get_seed(str[1]);
//oops debug code, you can remove when compiling
printf("seed=%d",seed_value);
//cifred array is just an array to simulate the original ncn code, it holds which positions of the encrypted text
//have been processed, cifred[i]=0 means not processed, cifred[i]=1 means processed
for(i=0;i<len;i++) {
cifred[i]=0;
}
//as I mentioned position 1 of the encrypted text always holds the seed so we marked it as already processed
cifred[1]=1;
//the main processing loop
for(i=0;i<len-1;i++){
//check which position of the encrypted string we are processing
newpos = vacia(len-1,salto+newpos);
//update that possition as processed
cifred[newpos]=1;
//the greatest nonsense I managed to achieve (at least it worked and can be useful for other similar situations):
//when I was analyzing assembly code I could not find what the heck where some really weird instructions at the beginning
//and at the end of the code, what did a do? take them as a black box and pass this code the possible used and
//then match the ouput with the encrypted position we are dealing with each time
for (j=0;j<62;j++){
//yeah its inline assembler, very useful though, %N, where n is a number is the Nth variable you have passed (seed_value in this case)
asm ( "mov %3,%%eax;"
"add %1,%%eax;"
"mov %%eax,%%ecx;"
"add %2,%%ecx;"
"mov $0x84210843,%%eax;"
"imul %%ecx;"
"lea (%%edx,%%ecx,1),%%eax;"
"mov %%eax,%%edx;"
"sar $0x5,%%edx;"
"mov %%ecx,%%eax;"
"sar $0x1f,%%eax;"
"sub %%eax,%%edx;"
"mov %%edx,%%eax;"
"shl $0x5,%%eax;"
"sub %%edx,%%eax;"
"add %%eax,%%eax;"
"sub %%eax,%%ecx;"
"mov %%ecx,%0;"
: "=m" (ciphered_index)
: "m" (j), "m" (increase), "m" (seed_value)
);
//you might be wondering what this "blackbox" of code does?? ok don't laugh, it generates the integer remainder of a division!!
//and it's damn clear that somewhere the binary needed this instruction as the seed taken from "rand" function is too long
//and the seed must be a number between 0 and 61! therefore in c code all this lines in assembly mean "seed=rand()%62"
if ( alphabet[ciphered_index] == str[newpos] ){
reversed[procesed]=alphabet[j];
}
//fprintf("j=%d,crypt=%d,newpos=%c,str[newpos]=%calphabet=\n",j,ciphered_index,newpos,(char *) str[newpos],(char *)alphabet[ciphered_index]);
}
// some computations to mimic the reversed binary behaviour
increase=increase+5;
procesed++;
}
reversed[procesed]=0;
//here it is!
printf("String reversed is %s\n",reversed);
return 0;
}
Solution code attachment:un_ncner.c
My even more dirty debugging files
- Objdump file
ncn: file format elf32-i386
Disassembly of section .init:
08048320 <_init>:
8048320: 55 push %ebp
8048321: 89 e5 mov %esp,%ebp
8048323: 83 ec 08 sub $0x8,%esp
8048326: e8 b9 00 00 00 call 80483e4 <call_gmon_start>
804832b: e8 20 01 00 00 call 8048450 <frame_dummy>
8048330: e8 eb 04 00 00 call 8048820 <__do_global_ctors_aux>
8048335: c9 leave
8048336: c3 ret
Disassembly of section .plt:
08048338 <time@plt-0x10>:
8048338: ff 35 f4 99 04 08 pushl 0x80499f4
804833e: ff 25 f8 99 04 08 jmp *0x80499f8
8048344: 00 00 add %al,(%eax)
...
08048348 <time@plt>:
8048348: ff 25 fc 99 04 08 jmp *0x80499fc
804834e: 68 00 00 00 00 push $0x0
8048353: e9 e0 ff ff ff jmp 8048338 <_init+0x18>
08048358 <strlen@plt>:
8048358: ff 25 00 9a 04 08 jmp *0x8049a00
804835e: 68 08 00 00 00 push $0x8
8048363: e9 d0 ff ff ff jmp 8048338 <_init+0x18>
08048368 <__libc_start_main@plt>:
8048368: ff 25 04 9a 04 08 jmp *0x8049a04
804836e: 68 10 00 00 00 push $0x10
8048373: e9 c0 ff ff ff jmp 8048338 <_init+0x18>
08048378 <printf@plt>:
8048378: ff 25 08 9a 04 08 jmp *0x8049a08
804837e: 68 18 00 00 00 push $0x18
8048383: e9 b0 ff ff ff jmp 8048338 <_init+0x18>
08048388 <srand@plt>:
8048388: ff 25 0c 9a 04 08 jmp *0x8049a0c
804838e: 68 20 00 00 00 push $0x20
8048393: e9 a0 ff ff ff jmp 8048338 <_init+0x18>
08048398 <strncpy@plt>:
8048398: ff 25 10 9a 04 08 jmp *0x8049a10
804839e: 68 28 00 00 00 push $0x28
80483a3: e9 90 ff ff ff jmp 8048338 <_init+0x18>
080483a8 <rand@plt>:
80483a8: ff 25 14 9a 04 08 jmp *0x8049a14
80483ae: 68 30 00 00 00 push $0x30
80483b3: e9 80 ff ff ff jmp 8048338 <_init+0x18>
Disassembly of section .text:
080483c0 <_start>:
80483c0: 31 ed xor %ebp,%ebp
80483c2: 5e pop %esi
80483c3: 89 e1 mov %esp,%ecx
80483c5: 83 e4 f0 and $0xfffffff0,%esp
80483c8: 50 push %eax
80483c9: 54 push %esp
80483ca: 52 push %edx
80483cb: 68 15 88 04 08 push $0x8048815
80483d0: 68 b0 87 04 08 push $0x80487b0
80483d5: 51 push %ecx
80483d6: 56 push %esi
80483d7: 68 d4 84 04 08 push $0x80484d4
80483dc: e8 87 ff ff ff call 8048368 <__libc_start_main@plt>
80483e1: f4 hlt
80483e2: 90 nop
08048484 <vacia>:
8048484: 55 push %ebp
8048485: 89 e5 mov %esp,%ebp
8048487: 83 ec 0c sub $0xc,%esp; subimos el esp 11 bytes
804848a: 8b 45 08 mov 0x8(%ebp),%eax;metemos salto+newpos en eax
804848d: 3b 45 0c cmp 0xc(%ebp),%eax; comparamos longitud con salto+newpos
8048490: 7e 0c jle 804849e <vacia+0x1a>;si longitud<salto+newpos vamos a salto1
8048492: 8b 55 0c mov 0xc(%ebp),%edx;mettemos longitud en edx
8048495: 8b 45 08 mov 0x8(%ebp),%eax; metemos salto+newpos en eax
8048498: 29 d0 sub %edx,%eax; restamos ambos registros
804849a: 48 dec %eax ; decrementamos en 1
804849b: 89 45 08 mov %eax,0x8(%ebp);guardamos el resultado como posible valor de retorno
salto1
804849e: 8b 45 08 mov 0x8(%ebp),%eax;
80484a1: 05 20 9b 04 08 add $0x8049b20,%eax;indice cifred(eax)
80484a6: 80 38 30 cmpb $0x30,(%eax); cifred(eax) ==48
80484a9: 75 08 jne 80484b3 <vacia+0x2f>; llamamos recursivamente a vacia
80484ab: 8b 45 08 mov 0x8(%ebp),%eax; hacemos los preparativos para salir de la funcion
80484ae: 89 45 fc mov %eax,-0x4(%ebp)
80484b1: eb 1c jmp 80484cf <vacia+0x4b>; salimos de la funcion
80484b3: 8b 45 0c mov 0xc(%ebp),%eax;preparacion para llamaa recursiva
de vacia(param1,param2)
80484b6: 89 44 24 04 mov %eax,0x4(%esp)
80484ba: 8b 45 08 mov 0x8(%ebp),%eax
80484bd: 40 inc %eax
80484be: 89 04 24 mov %eax,(%esp)
80484c1: e8 be ff ff ff call 8048484 <vacia>
80484c6: 89 45 08 mov %eax,0x8(%ebp); gilipolleces? antes de salir de la funcion
80484c9: 8b 45 08 mov 0x8(%ebp),%eax
80484cc: 89 45 fc mov %eax,-0x4(%ebp)
80484cf: 8b 45 fc mov -0x4(%ebp),%eax
80484d2: c9 leave
80484d3: c3 ret
080484d4 <main>:
80484d4: 55 push %ebp
80484d5: 89 e5 mov %esp,%ebp
80484d7: 53 push %ebx
80484d8: 83 ec 14 sub $0x14,%esp
80484db: 83 e4 f0 and $0xfffffff0,%esp;alineamiento del esp???
80484de: b8 00 00 00 00 mov $0x0,%eax;movemos 0 a eax
80484e3: 29 c4 sub %eax,%esp; restamos 0 a esp??
80484e5: c7 45 f8 40 9a 04 08 movl $0x8049a40,-0x8(%ebp);en la posición -8 en relacion al ebp ubicamos un alfabeto alfanumerico (array min(90))
80484ec: c7 05 a8 9a 04 08 02 movl $0x2,0x8049aa8; simbolo semilla
80484f3: 00 00 00
80484f6: c7 05 b4 9a 04 08 03 movl $0x3,0x8049ab4; simbolo salto no varia en tol programa
80484fd: 00 00 00
8048500: c7 05 a0 9a 04 08 01 movl $0x1,0x8049aa0; simbolo newpos
8048507: 00 00 00
804850a: c7 05 74 9b 04 08 00 movl $0x0,0x8049b74; simbolo procesadas
8048511: 00 00 00
8048514: c7 04 24 00 00 00 00 movl $0x0,(%esp)
804851b: e8 28 fe ff ff call 8048348 <time@plt> ; time devuelve los ticks del programa=1242518429, los 6 ultimos digitos varian
8048520: 89 04 24 mov %eax,(%esp);movemos el resultado a la pila
8048523: e8 60 fe ff ff call 8048388 <srand@plt>; con lo que tenemos en la pila llamamos a generar semilla
8048528: c7 05 70 9b 04 08 05 movl $0x5,0x8049b70; variable increase=5
804852f: 00 00 00
8048532: e8 71 fe ff ff call 80483a8 <rand@plt>
8048537: 89 c1 mov %eax,%ecx ; pasamos el resutlado de rand al registro ecx el número es totalmente aleatorio
8048539: b8 43 08 21 84 mov $0x84210843,%eax; movemos este valor fijo a eax
804853e: f7 e9 imul %ecx; multiplicamos la salida de rand por el valor fijo y guardamos el resultado en eax
8048540: 8d 04 0a lea (%edx,%ecx,1),%eax; movemos edx+ecx->eax
8048543: 89 c2 mov %eax,%edx;
8048545: c1 fa 05 sar $0x5,%edx;dividimos edx=eax por 32 y lo guardamos en edx
8048548: 89 c8 mov %ecx,%eax; lo dejamos en eax
804854a: c1 f8 1f sar $0x1f,%eax;multiplicamos eax por 2^31
804854d: 29 c2 sub %eax,%edx;edx=edx-eax
804854f: 89 d0 mov %edx,%eax
8048551: a3 a8 9a 04 08 mov %eax,0x8049aa8; movemos el eax en el simbolo semilla
8048556: 8b 15 a8 9a 04 08 mov 0x8049aa8,%edx;sacamos el simbolo semilla al edx
804855c: 89 d0 mov %edx,%eax
804855e: c1 e0 05 shl $0x5,%eax
8048561: 29 d0 sub %edx,%eax
8048563: 01 c0 add %eax,%eax
8048565: 29 c1 sub %eax,%ecx
8048567: 89 c8 mov %ecx,%eax
8048569: a3 a8 9a 04 08 mov %eax,0x8049aa8; volvemos a mover eax a la variable semilla suele ser un valor entre 0-60??
804856e: 83 7d 08 02 cmpl $0x2,0x8(%ebp); como podemos comprobar esto solo se trata de la tipica comprobacion de if $#=2 then ok else wrong parameters
8048572: 74 1a je 804858e <main+0xba>; si es igual vamos a salto858e
8048574: 8b 45 0c mov 0xc(%ebp),%eax
8048577: 8b 00 mov (%eax),%eax
8048579: 89 44 24 04 mov %eax,0x4(%esp)
804857d: c7 04 24 a0 88 04 08 movl $0x80488a0,(%esp) ; sintaxis incorrecta
8048584: e8 ef fd ff ff call 8048378 <printf@plt>
8048589: e9 18 02 00 00 jmp 80487a6 <main+0x2d2>; sale del programa
salto858e:
804858e: c7 04 24 c9 88 04 08 movl $0x80488c9,(%esp)
8048595: e8 de fd ff ff call 8048378 <printf@plt>; sintaxis OK
804859a: 8b 45 0c mov 0xc(%ebp),%eax; metemos la direccion de la cadena pasada ...posteriormente le sumamos 4?? no seria mejor lea 0xc+4(%ebp),eax
804859d: 83 c0 04 add $0x4,%eax
80485a0: 8b 00 mov (%eax),%eax
80485a2: 89 04 24 mov %eax,(%esp);lo dejamos en esp
80485a5: e8 ae fd ff ff call 8048358 <strlen@plt>
80485aa: 83 f8 03 cmp $0x3,%eax; si la longitud es mayor que 3 saltamos
80485ad: 77 19 ja 80485c8 <main+0xf4>
80485af: c7 44 24 04 04 00 00 movl $0x4,0x4(%esp); mostramos que la longitud debe ser mayuor que 3 y salimos
80485b6: 00
80485b7: c7 04 24 d6 88 04 08 movl $0x80488d6,(%esp)
80485be: e8 b5 fd ff ff call 8048378 <printf@plt>
80485c3: e9 d5 01 00 00 jmp 804879d <main+0x2c9>
80485c8: 8b 45 0c mov 0xc(%ebp),%eax; metemos en esp la direccion de la cadena a cifrar para comprobar su longitud
80485cb: 83 c0 04 add $0x4,%eax
80485ce: 8b 00 mov (%eax),%eax
80485d0: 89 04 24 mov %eax,(%esp)
80485d3: e8 80 fd ff ff call 8048358 <strlen@plt>
80485d8: 83 f8 4f cmp $0x4f,%eax
80485db: 76 2c jbe 8048609 <main+0x135>; si la cadena es menor que 0x4f=79 (quizas la longitud de los arrays para cifrado) saltamos a la tag linea 309 sino continuamos
80485dd: c7 05 ac 9a 04 08 50 movl $0x50,0x8049aac
80485e4: 00 00 00
80485e7: c7 44 24 08 50 00 00 movl $0x50,0x8(%esp)
80485ee: 00
80485ef: 8b 45 0c mov 0xc(%ebp),%eax
80485f2: 83 c0 04 add $0x4,%eax
80485f5: 8b 00 mov (%eax),%eax
80485f7: 89 44 24 04 mov %eax,0x4(%esp)
80485fb: c7 04 24 c0 9a 04 08 movl $0x8049ac0,(%esp)
8048602: e8 91 fd ff ff call 8048398 <strncpy@plt>
8048607: eb 35 jmp 804863e <main+0x16a>
linea 309:
8048609: 8b 45 0c mov 0xc(%ebp),%eax;sacamos la cadena introducida para pasarla a strlen
804860c: 83 c0 04 add $0x4,%eax
804860f: 8b 00 mov (%eax),%eax
8048611: 89 04 24 mov %eax,(%esp)
8048614: e8 3f fd ff ff call 8048358 <strlen@plt>
8048619: a3 ac 9a 04 08 mov %eax,0x8049aac; la longitud la guardamos en esta posición que concuerda con el simbolo length
804861e: c7 44 24 08 50 00 00 movl $0x50,0x8(%esp); metemos en la pila el numero 80...cifred?
8048625: 00
8048626: 8b 45 0c mov 0xc(%ebp),%eax
8048629: 83 c0 04 add $0x4,%eax
804862c: 8b 00 mov (%eax),%eax
804862e: 89 44 24 04 mov %eax,0x4(%esp)
8048632: c7 04 24 c0 9a 04 08 movl $0x8049ac0,(%esp)
8048639: e8 5a fd ff ff call 8048398 <strncpy@plt>; llamamos a strncpy para que copie 80 caracteres de la cadena pasada a clear
804863e: c7 05 10 9b 04 08 00 movl $0x0,0x8049b10; ponemos el contador "i" a 0
salto 3:
8048645: 00 00 00
8048648: a1 10 9b 04 08 mov 0x8049b10,%eax; eax="i"
804864d: 3b 05 ac 9a 04 08 cmp 0x8049aac,%eax; comparamos i con length
8048653: 7e 02 jle 8048657 <main+0x183>;si "i" < "length" saltamos detras del siguiente jmp
8048655: eb 15 jmp 804866c <main+0x198>;sino vamos a salto2
8048657: a1 10 9b 04 08 mov 0x8049b10,%eax; metemos en eax el contador "i"
804865c: 05 20 9b 04 08 add $0x8049b20,%eax; sumamos el valor de i con cifred[0]= esto es para indexar en el array cifred!!
8048661: c6 00 30 movb $0x30,(%eax); metemos 48d en esa posici0n
8048664: ff 05 10 9b 04 08 incl 0x8049b10; incrementamos i
804866a: eb dc jmp 8048648 <main+0x174>: tiramos patras a donde se pone "i" a 0 (salto3)
salto2:
804866c: a1 ac 9a 04 08 mov 0x8049aac,%eax; metemos la longitud en eax
8048671: 05 21 9b 04 08 add $0x8049b21,%eax ;preparamos el indice para apuntar a cifred+length+1
8048676: c6 00 00 movb $0x0,(%eax); ponemos a cifred[length+1] a 0
8048679: c7 05 10 9b 04 08 00 movl $0x0,0x8049b10; le asignamos a i el valor 0
8048680: 00 00 00
8048683: a1 a8 9a 04 08 mov 0x8049aa8,%eax; se guarda el valor semilla en eax
8048688: 05 40 9a 04 08 add $0x8049a40,%eax; se indexa min(semilla)
804868d: 0f b6 00 movzbl (%eax),%eax;guarda en eax el contenido de la posición de memoria min(semilla) y ademas como es un byte se rellena el destino con 0s a la izquierda
8048690: a2 21 9b 04 08 mov %al,0x8049b21; mueve un byte, supuestamente min(semilla)-> a cifred(1)
8048695: c7 05 10 9b 04 08 00 movl $0x0,0x8049b10; i=0;
804869c: 00 00 00
salto869f:
804869f: a1 10 9b 04 08 mov 0x8049b10,%eax; movemos i al eax
80486a4: 3b 05 ac 9a 04 08 cmp 0x8049aac,%eax; comparamos i con la longitud
80486aa: 7c 05 jl 80486b1 <main+0x1dd>; si es menor vamos a la linea de despues del jmp
80486ac: e9 cb 00 00 00 jmp 804877c <main+0x2a8>; si i>=length vamos al final para mostrar la cadena cifrada
80486b1: a1 ac 9a 04 08 mov 0x8049aac,%eax ; ponemos la longitud de la caden en eax
80486b6: 89 44 24 04 mov %eax,0x4(%esp); de eax la pasamos a la pila en esp+4
80486ba: a1 b4 9a 04 08 mov 0x8049ab4,%eax;movemos la variable salto que vale 3 al eax
80486bf: 03 05 a0 9a 04 08 add 0x8049aa0,%eax;sumamos salto+newpos donde newpos vale 1
80486c5: 89 04 24 mov %eax,(%esp); movemos salto+newpos a la pila
80486c8: e8 b7 fd ff ff call 8048484 <vacia>
80486cd: a3 a0 9a 04 08 mov %eax,0x8049aa0; vacia nos devuelvve una un nuevo newpos que guardamos en su posicion de mem asignada
80486d2: c7 05 a4 9a 04 08 00 movl $0x0,0x8049aa4; ponemos a la variable j
80486d9: 00 00 00
salto86dc:
80486dc: c7 04 24 40 9a 04 08 movl $0x8049a40,(%esp); se mete (min) en el la pila
80486e3: e8 70 fc ff ff call 8048358 <strlen@plt>; esto siempre deberia valer 90
80486e8: 39 05 a4 9a 04 08 cmp %eax,0x8049aa4; comparamos con j
80486ee: 72 02 jb 80486f2 <main+0x21e>; si j es mayor vamos a la posicion siguiente al jmp
80486f0: eb 27 jmp 8048719 <main+0x245>; sino vamos a salto 8719
80486f2: a1 a4 9a 04 08 mov 0x8049aa4,%eax; movemos j a eax
80486f7: 05 40 9a 04 08 add $0x8049a40,%eax; creamos el indice min(j)
80486fc: 8b 15 74 9b 04 08 mov 0x8049b74,%edx; metemos la variable procesadas en edx
8048702: 81 c2 c0 9a 04 08 add $0x8049ac0,%edx; creamos el indice clear(procesadas)
8048708: 0f b6 00 movzbl (%eax),%eax; metemos el byte min(j)->eax
804870b: 3a 02 cmp (%edx),%al; comparamos los bytes min(j),clear(procesadas)
804870d: 75 02 jne 8048711 <main+0x23d>;si no fuesen iguales saltamos despues de jmp siguiente
804870f: eb 08 jmp 8048719 <main+0x245>; saltamos al tag salto8719
8048711: ff 05 a4 9a 04 08 incl 0x8049aa4; incrementeamos "j"
8048717: eb c3 jmp 80486dc <main+0x208>; volvemos al tag donde se mete min en la pila para hacer un strlen
salto8719:
8048719: 8b 1d a0 9a 04 08 mov 0x8049aa0,%ebx; metemos newpos (deberia haberse actualizado tras vacia) en ebx
804871f: 81 c3 20 9b 04 08 add $0x8049b20,%ebx; indice cifred(newpos)
8048725: a1 a8 9a 04 08 mov 0x8049aa8,%eax; movemos la variable semilla en el eax
804872a: 03 05 a4 9a 04 08 add 0x8049aa4,%eax; sumamos semilla+j
8048730: 89 c1 mov %eax,%ecx; el resultado lo guardamos en ecx
8048732: 03 0d 70 9b 04 08 add 0x8049b70,%ecx;sumamos increase+semilla+j
8048738: b8 43 08 21 84 mov $0x84210843,%eax; movemos un valor hardcodeado en eax
804873d: f7 e9 imul %ecx; lo multiplicamos por la suma increase+j+semilla
804873f: 8d 04 0a lea (%edx,%ecx,1),%eax; metemos en eax la direccion generada de edx=clear(procesadas+ecx)
8048742: 89 c2 mov %eax,%edx; de ahi a edx pq eax sera sobre escrito por la siguiente instruccion??o no??
8048744: c1 fa 05 sar $0x5,%edx;dividimos por 32 pq es un shift right ademas de forma aritmetica para conservar el signo
8048747: 89 c8 mov %ecx,%eax; metemos en eax el vallor de la operacion imul con ecx anterior
8048749: c1 f8 1f sar $0x1f,%eax; dividimos por 2^31=2147483648
804874c: 29 c2 sub %eax,%edx; le restamos edx
804874e: 89 d0 mov %edx,%eax; el resultado va a eax
8048750: c1 e0 05 shl $0x5,%eax; ahora multiplicamos eax por 32
8048753: 29 d0 sub %edx,%eax; restamos eax
8048755: 01 c0 add %eax,%eax
8048757: 29 c1 sub %eax,%ecx
8048759: 89 c8 mov %ecx,%eax
804875b: 0f b6 80 40 9a 04 08 movzbl 0x8049a40(%eax),%eax
8048762: 88 03 mov %al,(%ebx); guardamos el resultado de al en cifred(newpos)
8048764: ff 05 74 9b 04 08 incl 0x8049b74; incrementamos procesadas
804876a: 83 05 70 9b 04 08 05 addl $0x5,0x8049b70; increase+5
8048771: ff 05 10 9b 04 08 incl 0x8049b10;incrementamos "i"
8048777: e9 23 ff ff ff jmp 804869f <main+0x1cb>; volvemos a salto869f
804877c: a1 ac 9a 04 08 mov 0x8049aac,%eax ; terminar la cadena en 0??
8048781: 05 21 9b 04 08 add $0x8049b21,%eax
8048786: c6 00 00 movb $0x0,(%eax)
8048789: c7 44 24 04 20 9b 04 movl $0x8049b20,0x4(%esp)
8048790: 08
8048791: c7 04 24 ee 88 04 08 movl $0x80488ee,(%esp)
8048798: e8 db fb ff ff call 8048378 <printf@plt>; se muestra la cdena encriptada es y el valor del array cifred
804879d: c7 45 f4 00 00 00 00 movl $0x0,-0xc(%ebp); se pone a cero una word de la pila
80487a4: eb 00 jmp 80487a6 <main+0x2d2>; se salta a la sigiuente linea?
80487a6: 8b 45 f4 mov -0xc(%ebp),%eax; se mueve a eax un valor, sugpongo que el codigo de salida del programa??
80487a9: 8b 5d fc mov -0x4(%ebp),%ebx
80487ac: c9 leave
80487ad: c3 ret
80487ae: 90 nop
80487af: 90 nop
- GDB dump
Dump of assembler code for function main: 0x080484d4 <main+0>: push %ebp 0x080484d5 <main+1>: mov %esp,%ebp 0x080484d7 <main+3>: push %ebx 0x080484d8 <main+4>: sub $0x14,%esp 0x080484db <main+7>: and $0xfffffff0,%esp 0x080484de <main+10>: mov $0x0,%eax 0x080484e3 <main+15>: sub %eax,%esp 0x080484e5 <main+17>: movl $0x8049a40,0xfffffff8(%ebp) 0x080484ec <main+24>: movl $0x2,0x8049aa8 0x080484f6 <main+34>: movl $0x3,0x8049ab4 0x08048500 <main+44>: movl $0x1,0x8049aa0 0x0804850a <main+54>: movl $0x0,0x8049b74 0x08048514 <main+64>: movl $0x0,(%esp) 0x0804851b <main+71>: call 0x8048348 <time@plt> 0x08048520 <main+76>: mov %eax,(%esp) 0x08048523 <main+79>: call 0x8048388 <srand@plt> 0x08048528 <main+84>: movl $0x5,0x8049b70 0x08048532 <main+94>: call 0x80483a8 <rand@plt> 0x08048537 <main+99>: mov %eax,%ecx 0x08048539 <main+101>: mov $0x84210843,%eax 0x0804853e <main+106>: imul %ecx 0x08048540 <main+108>: lea (%edx,%ecx,1),%eax 0x08048543 <main+111>: mov %eax,%edx 0x08048545 <main+113>: sar $0x5,%edx 0x08048548 <main+116>: mov %ecx,%eax 0x0804854a <main+118>: sar $0x1f,%eax 0x0804854d <main+121>: sub %eax,%edx 0x0804854f <main+123>: mov %edx,%eax 0x08048551 <main+125>: mov %eax,0x8049aa8 0x08048556 <main+130>: mov 0x8049aa8,%edx 0x0804855c <main+136>: mov %edx,%eax 0x0804855e <main+138>: shl $0x5,%eax 0x08048561 <main+141>: sub %edx,%eax 0x08048563 <main+143>: add %eax,%eax 0x08048565 <main+145>: sub %eax,%ecx 0x08048567 <main+147>: mov %ecx,%eax 0x08048569 <main+149>: mov %eax,0x8049aa8 0x0804856e <main+154>: cmpl $0x2,0x8(%ebp) 0x08048572 <main+158>: je 0x804858e <main+186> 0x08048574 <main+160>: mov 0xc(%ebp),%eax 0x08048577 <main+163>: mov (%eax),%eax 0x08048579 <main+165>: mov %eax,0x4(%esp) 0x0804857d <main+169>: movl $0x80488a0,(%esp) 0x08048584 <main+176>: call 0x8048378 <printf@plt> 0x08048589 <main+181>: jmp 0x80487a6 <main+722> 0x0804858e <main+186>: movl $0x80488c9,(%esp) 0x08048595 <main+193>: call 0x8048378 <printf@plt> 0x0804859a <main+198>: mov 0xc(%ebp),%eax 0x0804859d <main+201>: add $0x4,%eax 0x080485a0 <main+204>: mov (%eax),%eax 0x080485a2 <main+206>: mov %eax,(%esp) 0x080485a5 <main+209>: call 0x8048358 <strlen@plt> 0x080485aa <main+214>: cmp $0x3,%eax 0x080485ad <main+217>: ja 0x80485c8 <main+244> 0x080485af <main+219>: movl $0x4,0x4(%esp) 0x080485b7 <main+227>: movl $0x80488d6,(%esp) 0x080485be <main+234>: call 0x8048378 <printf@plt> 0x080485c3 <main+239>: jmp 0x804879d <main+713> 0x080485c8 <main+244>: mov 0xc(%ebp),%eax 0x080485cb <main+247>: add $0x4,%eax 0x080485ce <main+250>: mov (%eax),%eax 0x080485d0 <main+252>: mov %eax,(%esp) 0x080485d3 <main+255>: call 0x8048358 <strlen@plt> 0x080485d8 <main+260>: cmp $0x4f,%eax 0x080485db <main+263>: jbe 0x8048609 <main+309> 0x080485dd <main+265>: movl $0x50,0x8049aac 0x080485e7 <main+275>: movl $0x50,0x8(%esp) 0x080485ef <main+283>: mov 0xc(%ebp),%eax 0x080485f2 <main+286>: add $0x4,%eax 0x080485f5 <main+289>: mov (%eax),%eax 0x080485f7 <main+291>: mov %eax,0x4(%esp) 0x080485fb <main+295>: movl $0x8049ac0,(%esp) 0x08048602 <main+302>: call 0x8048398 <strncpy@plt> 0x08048607 <main+307>: jmp 0x804863e <main+362> 0x08048609 <main+309>: mov 0xc(%ebp),%eax 0x0804860c <main+312>: add $0x4,%eax 0x0804860f <main+315>: mov (%eax),%eax 0x08048611 <main+317>: mov %eax,(%esp) 0x08048614 <main+320>: call 0x8048358 <strlen@plt> 0x08048619 <main+325>: mov %eax,0x8049aac 0x0804861e <main+330>: movl $0x50,0x8(%esp) 0x08048626 <main+338>: mov 0xc(%ebp),%eax 0x08048629 <main+341>: add $0x4,%eax 0x0804862c <main+344>: mov (%eax),%eax 0x0804862e <main+346>: mov %eax,0x4(%esp) 0x08048632 <main+350>: movl $0x8049ac0,(%esp) 0x08048639 <main+357>: call 0x8048398 <strncpy@plt> 0x0804863e <main+362>: movl $0x0,0x8049b10 0x08048648 <main+372>: mov 0x8049b10,%eax 0x0804864d <main+377>: cmp 0x8049aac,%eax 0x08048653 <main+383>: jle 0x8048657 <main+387> 0x08048655 <main+385>: jmp 0x804866c <main+408> 0x08048657 <main+387>: mov 0x8049b10,%eax 0x0804865c <main+392>: add $0x8049b20,%eax 0x08048661 <main+397>: movb $0x30,(%eax) 0x08048664 <main+400>: incl 0x8049b10 0x0804866a <main+406>: jmp 0x8048648 <main+372> 0x0804866c <main+408>: mov 0x8049aac,%eax 0x08048671 <main+413>: add $0x8049b21,%eax 0x08048676 <main+418>: movb $0x0,(%eax) 0x08048679 <main+421>: movl $0x0,0x8049b10 0x08048683 <main+431>: mov 0x8049aa8,%eax 0x08048688 <main+436>: add $0x8049a40,%eax 0x0804868d <main+441>: movzbl (%eax),%eax 0x08048690 <main+444>: mov %al,0x8049b21 0x08048695 <main+449>: movl $0x0,0x8049b10 0x0804869f <main+459>: mov 0x8049b10,%eax 0x080486a4 <main+464>: cmp 0x8049aac,%eax 0x080486aa <main+470>: jl 0x80486b1 <main+477> 0x080486ac <main+472>: jmp 0x804877c <main+680> 0x080486b1 <main+477>: mov 0x8049aac,%eax 0x080486b6 <main+482>: mov %eax,0x4(%esp) 0x080486ba <main+486>: mov 0x8049ab4,%eax 0x080486bf <main+491>: add 0x8049aa0,%eax 0x080486c5 <main+497>: mov %eax,(%esp) 0x080486c8 <main+500>: call 0x8048484 <vacia> 0x080486cd <main+505>: mov %eax,0x8049aa0 0x080486d2 <main+510>: movl $0x0,0x8049aa4 0x080486dc <main+520>: movl $0x8049a40,(%esp) 0x080486e3 <main+527>: call 0x8048358 <strlen@plt> 0x080486e8 <main+532>: cmp %eax,0x8049aa4 0x080486ee <main+538>: jb 0x80486f2 <main+542> 0x080486f0 <main+540>: jmp 0x8048719 <main+581> 0x080486f2 <main+542>: mov 0x8049aa4,%eax 0x080486f7 <main+547>: add $0x8049a40,%eax 0x080486fc <main+552>: mov 0x8049b74,%edx 0x08048702 <main+558>: add $0x8049ac0,%edx 0x08048708 <main+564>: movzbl (%eax),%eax 0x0804870b <main+567>: cmp (%edx),%al 0x0804870d <main+569>: jne 0x8048711 <main+573> 0x0804870f <main+571>: jmp 0x8048719 <main+581> 0x08048711 <main+573>: incl 0x8049aa4 0x08048717 <main+579>: jmp 0x80486dc <main+520> 0x08048719 <main+581>: mov 0x8049aa0,%ebx 0x0804871f <main+587>: add $0x8049b20,%ebx 0x08048725 <main+593>: mov 0x8049aa8,%eax 0x0804872a <main+598>: add 0x8049aa4,%eax 0x08048730 <main+604>: mov %eax,%ecx 0x08048732 <main+606>: add 0x8049b70,%ecx 0x08048738 <main+612>: mov $0x84210843,%eax 0x0804873d <main+617>: imul %ecx 0x0804873f <main+619>: lea (%edx,%ecx,1),%eax 0x08048742 <main+622>: mov %eax,%edx 0x08048744 <main+624>: sar $0x5,%edx 0x08048747 <main+627>: mov %ecx,%eax 0x08048749 <main+629>: sar $0x1f,%eax 0x0804874c <main+632>: sub %eax,%edx 0x0804874e <main+634>: mov %edx,%eax 0x08048750 <main+636>: shl $0x5,%eax 0x08048753 <main+639>: sub %edx,%eax 0x08048755 <main+641>: add %eax,%eax 0x08048757 <main+643>: sub %eax,%ecx 0x08048759 <main+645>: mov %ecx,%eax 0x0804875b <main+647>: movzbl 0x8049a40(%eax),%eax 0x08048762 <main+654>: mov %al,(%ebx) 0x08048764 <main+656>: incl 0x8049b74 0x0804876a <main+662>: addl $0x5,0x8049b70 0x08048771 <main+669>: incl 0x8049b10 0x08048777 <main+675>: jmp 0x804869f <main+459> 0x0804877c <main+680>: mov 0x8049aac,%eax 0x08048781 <main+685>: add $0x8049b21,%eax 0x08048786 <main+690>: movb $0x0,(%eax) 0x08048789 <main+693>: movl $0x8049b20,0x4(%esp) 0x08048791 <main+701>: movl $0x80488ee,(%esp) 0x08048798 <main+708>: call 0x8048378 <printf@plt> 0x0804879d <main+713>: movl $0x0,0xfffffff4(%ebp) 0x080487a4 <main+720>: jmp 0x80487a6 <main+722> 0x080487a6 <main+722>: mov 0xfffffff4(%ebp),%eax 0x080487a9 <main+725>: mov 0xfffffffc(%ebp),%ebx 0x080487ac <main+728>: leave 0x080487ad <main+729>: ret End of assembler dump. Dump of assembler code for function vacia: 0x08048484 <vacia+0>: push %ebp 0x08048485 <vacia+1>: mov %esp,%ebp 0x08048487 <vacia+3>: sub $0xc,%esp 0x0804848a <vacia+6>: mov 0x8(%ebp),%eax 0x0804848d <vacia+9>: cmp 0xc(%ebp),%eax 0x08048490 <vacia+12>: jle 0x804849e <vacia+26> 0x08048492 <vacia+14>: mov 0xc(%ebp),%edx 0x08048495 <vacia+17>: mov 0x8(%ebp),%eax 0x08048498 <vacia+20>: sub %edx,%eax 0x0804849a <vacia+22>: dec %eax 0x0804849b <vacia+23>: mov %eax,0x8(%ebp) 0x0804849e <vacia+26>: mov 0x8(%ebp),%eax 0x080484a1 <vacia+29>: add $0x8049b20,%eax 0x080484a6 <vacia+34>: cmpb $0x30,(%eax) 0x080484a9 <vacia+37>: jne 0x80484b3 <vacia+47> 0x080484ab <vacia+39>: mov 0x8(%ebp),%eax 0x080484ae <vacia+42>: mov %eax,0xfffffffc(%ebp) 0x080484b1 <vacia+45>: jmp 0x80484cf <vacia+75> 0x080484b3 <vacia+47>: mov 0xc(%ebp),%eax 0x080484b6 <vacia+50>: mov %eax,0x4(%esp) 0x080484ba <vacia+54>: mov 0x8(%ebp),%eax 0x080484bd <vacia+57>: inc %eax 0x080484be <vacia+58>: mov %eax,(%esp) 0x080484c1 <vacia+61>: call 0x8048484 <vacia> 0x080484c6 <vacia+66>: mov %eax,0x8(%ebp) 0x080484c9 <vacia+69>: mov 0x8(%ebp),%eax 0x080484cc <vacia+72>: mov %eax,0xfffffffc(%ebp) 0x080484cf <vacia+75>: mov 0xfffffffc(%ebp),%eax 0x080484d2 <vacia+78>: leave 0x080484d3 <vacia+79>: ret End of assembler dump.
No comments:
Post a Comment