I wrote a really simple crackme (a la crackmes.de) for a team presentation I gave on software piracy. I’m usually interested in the low-level details of any computer topic and piracy is no exception. My portion of the presentation is focused on ‘real-world’ demos of cracking applications to divert program execution in an effort to illustrate how a software pirate may attempt to bypass copyright controls. It was a good excuse to learn some more about GDB – something I’d been meaning to do for a while.
The code is written in C and tested on Windows XP and OS 10.5.7. There’s really no input validation, so don’t be suprised if it breaks with fringe cases.
Stop reading here if you wish to figure out for yourself how to use GDB to make it print “you entered the correct serial number!” without actually entering the correct serial number. If you want to know how I did it, keep reading.
1. Because this demo was just supposed to illustrate the ideas behind altering program flow, I built the crackme with debugging symbols (plus I’m not good enough with gdb to do it without the symbols…please comment if you know of any good tuts):
gcc -g crackme.c -o crackme
2. Then I ran the program and found its PID (two Terminal windows):
3. Next, I launched gdb and attached to the process:
gdb attach (PID of crackme)
4. If I wasn’t familiar with my code, I would probably run bt (backtrace) to see where I am frame-wise:
5. Then I listed the variables in the scope of ‘main’ (because the other frames look pretty internal and uninteresting):
info scope main
6. I explained if I were a cracker, I’d probably jump at the chance to modify a variable named ‘correctSerialEntered‘. Because crackme was built with symbols, GDB knows its a signed int and will set it correctly if instructed:
7. Finally, I set ‘correctSerialEntered‘ to 1:
8. …and detached from the process:
Back at my crackme Terminal window, I can enter almost anything I like into both the username prompt and the serial prompt and get the “you entered the correct serial number!” response.