Fix crackme
cyberfined committed Oct 14, 2023
1 parent 25676bb commit 1c62437
Showing 3 changed files with 42 additions and 47 deletions.
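--- a/crackme.c
+++ b/crackme.c
@@ -201,9 +201,34 @@ static inline void int3() {
 __asm__ __volatile__ ("int3");
 }
 
+typedef struct {
+int offset;
+uint16_t key;
+} pass_info_t;
+
+static bool check_password(pass_info_t *pass_info, size_t count) {
+uint16_t password[8] = {42824,42175,27030,55028,31997,4578,9264};
+
+if(pass_info->offset == 7) {
+struct timespec tv;
+nano_clock_gettime(CLOCK_REALTIME, &tv);
+password[7] = (tv.tv_sec / (24 * 3600) % 229) ^ 40704;
+}
+
+if(pass_info->offset < 8) {
+if((password[pass_info->offset] ^ pass_info->key) == count) {
+pass_info->key *= (pass_info->offset + 10) * 5;
+pass_info->offset++;
+return true;
+}
+} else {
+return true;
+}
+return false;
+}
+
 int main(int argc, char **argv) {
 // killer256
-uint16_t password[8] = {42824,42175,27030,55028,31997,4578,9264};
 char greetings[] = "Crackme v0.1.666 by cyberfined\nReading from stdin\n";
 char success_msg[] = "Congratulations, dear hacker!\n";
 char fail_msg[] = "Password is wrong!\n";
@@ -256,12 +281,11 @@ int main(int argc, char **argv) {
 }
 }
 
-struct timespec tv;
-nano_clock_gettime(CLOCK_REALTIME, &tv);
-password[7] = (tv.tv_sec / (24 * 3600) % 229) ^ 40704;
+pass_info_t pass_info = {
+.key = 42787,
+.offset = 0,
+};
 
-uint16_t key = 42787;
-int pass_offset = 0;
 bool is_auth = true;
 size_t count = 0;
 for(;;) {
@@ -275,15 +299,7 @@ int main(int argc, char **argv) {
 }
 
 write_all(1, prev_line, strlen(prev_line));
-
-if(pass_offset < sizeof(password) / sizeof(*password)) {
-if(is_auth && (password[pass_offset] ^ key) == count) {
-key *= (pass_offset + 10) * 5;
-pass_offset++;
-} else {
-is_auth = false;
-}
-}
+is_auth = is_auth && check_password(&pass_info, count);
 }
 
 if(!is_eof)
@@ -296,7 +312,7 @@ int main(int argc, char **argv) {
 count++;
 }
 
-if(is_auth && pass_offset == sizeof(password) / sizeof(*password)) {
+if(is_auth && pass_info.offset == 8) {
 nano_write(1, success_msg, sizeof(success_msg) - 1);
 } else {
 nano_write(1, fail_msg, sizeof(fail_msg) - 1);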
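Review bot: The password length is now written as bare literals in four places (`password[8]`, `offset == 7` and `offset < 8` in check_password, and `pass_info.offset == 8` in main's final test), where the removed code derived it from `sizeof(password) / sizeof(*password)`; resizing the array would leave the success check silently out of step. A single `#define PASSWORD_LEN 8` used for the array size, the `< PASSWORD_LEN` bound, the `PASSWORD_LEN - 1` slot and main's comparison would keep them together. In the same function the result of `nano_clock_gettime` is not checked before `tv.tv_sec` is read, so a failed call would feed an indeterminate value into `password[7]` (the helper's failure contract is not visible here). `offset` is an `int` that is only bounded from above before it indexes `password`; declaring it unsigned or also testing `pass_info->offset >= 0` would rule out a negative index if the struct is ever filled elsewhere. main's body continues outside the hunks shown.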
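--- a/utils/gen-add-round-key/src/Generator.hs
+++ b/utils/gen-add-round-key/src/Generator.hs
@@ -298,20 +298,13 @@ randomExprForXor rnd withRound destWord = do
 numOps <- randomR (2, 5)
 ops <- replicateM (numOps - 1) (randomChoice [Add, Mul, Rotl, Rotr, Xor])
 partialExpr <- randomPartialExpr ops
-partialResult <- runExpr32 Nothing Nothing (Just rnd) partialExpr
+partialResult <- runExpr32 rnd partialExpr
 (lastOp, lastOperand) <- randomLastOperand partialResult [Add, Mul, Xor]
 pure (Binop lastOp partialExpr lastOperand)
 where randomPartialExpr :: [Binop] -> GenM Expr
-randomPartialExpr (op : ops@(_:_)) = do
+randomPartialExpr ops@(op : _) = do
 (lOperand, isRoundUsed) <- randomOperand op (not withRound)
-(rOperand, isRoundUsed') <- randomOperand op isRoundUsed
-randomPartialExpr' ops isRoundUsed' (Binop op lOperand rOperand)
-randomPartialExpr [op] = do
-(fstOperand, isRoundUsed) <- randomOperand op (not withRound)
-sndOperand <- if isRoundUsed
-then fst <$> randomOperand op True
-else pure (Var VarRound)
-pure (Binop op fstOperand sndOperand)
+randomPartialExpr' ops isRoundUsed lOperand
 randomPartialExpr _ = error "Never executed"
 
 randomPartialExpr' :: [Binop] -> Bool -> Expr -> GenM Expr
@@ -385,12 +378,12 @@ lookupVariable var state = case Interpreter.lookupVariable var state of
 Left err -> lift $ throwE err
 Right val -> pure val
 
-runExpr32 :: Maybe AesState -> Maybe Address -> Maybe Round -> Expr -> GenM Word32
-runExpr32 aesState addr rnd expr = runExpr aesState addr rnd expr >>= \case
+runExpr32 :: Round -> Expr -> GenM Word32
+runExpr32 rnd expr = runExpr rnd expr >>= \case
 Val32 w32 -> pure w32
 Val64 w64 -> pure (fromIntegral w64)
 
-runExpr :: Maybe AesState -> Maybe Address -> Maybe Round -> Expr -> GenM Value
-runExpr aesState addr rnd expr = case runInterpreterExpr aesState addr rnd expr of
+runExpr :: Round -> Expr -> GenM Value
+runExpr rnd expr = case runInterpreterExpr rnd expr of
 Left err -> lift $ throwE err
 Right res -> pure res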
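Review bot: Dropping the `randomPartialExpr [op]` equation removes the only visible place that forced `Var VarRound` into the expression when `isRoundUsed` came back false. The single new equation passes the whole operator list, `isRoundUsed` and just the left operand to `randomPartialExpr'`, whose body lies outside the hunk, so it is worth confirming that the helper still inserts the round variable on the last operator. A short comment on the new equation, such as `-- ops still includes op; lOperand is only its left operand`, would make that contract explicit. The fallback `error "Never executed"` now covers only the empty list, and a message naming the function, e.g. `error "randomPartialExpr: empty operator list"`, would make a violated invariant easier to trace.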
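--- a/utils/gen-add-round-key/src/Interpreter.hs
+++ b/utils/gen-add-round-key/src/Interpreter.hs
@@ -62,24 +62,10 @@ runInterpreter (AesState w1 w2 w3 w4) (Address addr) (Round rnd) stmts = result
 runInterpreterM :: Traversable t => t Stmt -> InterpretM ()
 runInterpreterM = mapM_ runStmt
 
-runInterpreterExpr :: Maybe AesState
--> Maybe Address
--> Maybe Round
--> Expr
--> Either InterpretError Value
-runInterpreterExpr mAesState mAddr mRnd expr =
-runExcept (evalStateT (runExpr expr) initState)
+runInterpreterExpr :: Round -> Expr -> Either InterpretError Value
+runInterpreterExpr (Round rnd) expr = runExcept (evalStateT (runExpr expr) initState)
 where initState = State initVariables
-initVariables = HashMap.fromList $ aesStateVariables
-++ addrVariable
-++ roundVariable
-aesStateVariables = case mAesState of
-Nothing -> []
-Just (AesState w1 w2 w3 w4) ->
-let f idx w = (VarState idx, Val32 w)
-in zipWith f [0..] [w1, w2, w3, w4]
-addrVariable = maybe [] (\(Address addr) -> [(VarAddress, Val64 addr)]) mAddr
-roundVariable = maybe [] (\(Round rnd) -> [(VarRound, Val32 rnd)]) mRnd
+initVariables = HashMap.fromList [(VarRound, Val32 rnd)]
 
 runStmt :: Stmt -> InterpretM ()
 runStmt = \case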
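Review bot: `runInterpreterExpr` now binds only `VarRound` in its initial state, so an expression that mentions `VarState` or `VarAddress` can no longer be evaluated through this entry point; presumably it fails with an `InterpretError` from the variable lookup, which is not shown here. That narrowing deserves a Haddock line on the new signature, for example `-- | Evaluate an expression with only 'VarRound' bound; any other variable is unbound.` The definition line is also long enough to be worth breaking after the `=`.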
