Instructions and their corresponding machine code:
NOP: The NOP instruction is the "null instruction". When the CPU executes a NOP it does nothing; it simply passes over it and continues with the instruction that follows the NOP. (Machine code: 90)
JNE: Conditional transfer instruction; jumps if not equal. (Machine code: 75)
JE: Conditional transfer instruction; jumps if equal. (Machine code: 74)
JMP: Unconditional transfer instruction. Intra-segment direct short transfer, JMP short (machine code: EB); intra-segment direct near transfer, JMP near (machine code: E9); intra-segment indirect transfer, JMP word (machine code: FF); inter-segment direct (far) transfer, JMP far (machine code: EA).
CMP: Compare instruction. Its function is equivalent to the subtraction instruction, except that it only compares the operands and does not save the result. After CMP executes it affects the flag register, and the other relevant instructions (the conditional jumps above) read the affected flag bits to obtain the comparison result.
Practice content:
The code to be cracked is as follows:
The program reads a password and matches it against the pre-stored password; if they match it outputs right, otherwise it outputs wrong.
The executable built from this code is given the following three modifications:
1. Output right whether or not the input is correct.
Generate the executable file with the gcc command.
Disassemble it with objdump -d 1.
The code is very simple; note the marked jne instruction. It means that if the preceding CMP found its operands not equal, execution jumps. The values compared by the CMP are the original password and the input value: when they differ, the jump to 0x80484ee is taken and wrong is output; otherwise execution continues with the next instruction and right is output. To output right even when they differ, simply change the jump address to 8048400 so that the jump lands on the following instruction either way, that is, modify the instruction bytes to 7500 (a displacement of zero jumps to the very next instruction).
Open the executable file with vi and use the :%!xxd command to display it in hexadecimal.
Then use the /750e command to find the code; if nothing is found, the two bytes may straddle a space in xxd's grouping, so search with the space in the middle: /75 0e.
Change it to 7500, use the :%!xxd -r command to convert back to binary, and finally save with :wq.
The following is the result of disassembling the modified file.
The actual execution result is as expected.
2. Output wrong whether or not the input is correct.
Similarly, just modify 750e to eb0e, i.e. an unconditional jmp; the process is the same. The following is the disassembly of the modified file.
3. Output wrong when the correct password is entered, and right when a wrong password is entered.
Similarly, just change the opcode byte in 750e from 75 (JNE) to that of JE (74, see the list above); the process is the same. The following is the disassembly of the modified file.
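The following Python script is an added example and is not part of the original post. It decodes the two-byte short jumps from the instruction list above (opcode plus a signed 8-bit displacement), works through all three modifications on a constructed byte string, and lists which file offsets a patch changed, which is how you confirm an edit touched only the bytes you intended. The addresses are assumptions chosen so that the jne falls at 0x80484de and therefore targets the 0x80484ee quoted in the text; the code bytes are constructed, not read from the real binary.

```python
"""Decode x86 short jumps and work through the three 2-byte patches.

Added example; addresses and code bytes are constructed assumptions.
"""
import struct

# Opcodes from the instruction list: one opcode byte followed by a
# signed 8-bit displacement (rel8).
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}


def decode_short_jump(insn: bytes, addr: int):
    """Return (mnemonic, target) for the 2-byte short jump at address `addr`.

    The displacement is added to the address of the *next* instruction,
    which is why objdump shows '75 0e' at 0x80484de as 'jne 0x80484ee'.
    """
    if len(insn) != 2 or insn[0] not in SHORT_JUMPS:
        raise ValueError(f"not a 2-byte short jump: {insn.hex()}")
    rel8 = struct.unpack("b", insn[1:2])[0]  # 'b' is signed: 0xFE -> -2
    return SHORT_JUMPS[insn[0]], addr + 2 + rel8


def next_ip(insn: bytes, addr: int, zf: bool) -> int:
    """Address executed after the jump, given the zero flag left by CMP.

    zf=True means CMP found its two operands equal.
    """
    mnemonic, target = decode_short_jump(insn, addr)
    taken = {"jmp": True, "je": zf, "jne": not zf}[mnemonic]
    return target if taken else addr + 2


# Constructed layout mirroring the program in the text: the check jumps to
# the 'wrong' message on mismatch and falls through to the 'right' message.
JNE_ADDR = 0x80484DE    # assumption: 0x80484de + 2 + 0x0e == 0x80484ee
WRONG_ADDR = 0x80484EE  # jump target quoted in the text


def program_output(check_insn: bytes, password_matches: bool) -> str:
    """What the (patched) check prints for a matching / non-matching input."""
    ip = next_ip(check_insn, JNE_ADDR, zf=password_matches)
    return "wrong" if ip == WRONG_ADDR else "right"


def patch_once(data: bytes, old: bytes, new: bytes) -> bytes:
    """The byte-level edit done with vi + xxd in the text, as a function:
    replace the first occurrence of `old` with the equal-length `new`."""
    if len(old) != len(new):
        raise ValueError("patch must not change the file size")
    off = data.find(old)
    if off < 0:
        raise ValueError(f"pattern {old.hex()} not found")
    return data[:off] + new + data[off + len(old):]


def changed_offsets(original: bytes, patched: bytes):
    """Offsets whose byte differs: confirms a patch touched only what was intended."""
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]


if __name__ == "__main__":
    # Constructed stand-in for the code bytes around the check (not a real dump):
    # cmp DWORD PTR [ebp-0xc],0x0 ; jne +0x0e ; start of a mov DWORD PTR [esp],...
    ORIGINAL = bytes.fromhex("837df400750ec70424")
    for label, new in [("original", b"\x75\x0e"),
                       ("mod 1: always right", b"\x75\x00"),
                       ("mod 2: always wrong", b"\xeb\x0e"),
                       ("mod 3: inverted", b"\x74\x0e")]:
        patched = patch_once(ORIGINAL, b"\x75\x0e", new)
        print(f"{label:20} bytes={new.hex()} "
              f"changed={changed_offsets(ORIGINAL, patched)} "
              f"match->{program_output(new, True)} "
              f"mismatch->{program_output(new, False)}")
```

The second `decode_short_jump` case worth trying is a negative displacement such as `eb fe` (a jump to itself): `struct.unpack("b", ...)` sign-extends it, which a naive `insn[1]` would not, and that is exactly the mistake that makes a hand-computed target disagree with objdump.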
Program Cracking Practice