
Thursday, September 1, 2011

Detailed Analysis of My Brainfuck Crackme

The Code:

Aodrulez's Brainfuck Crackme V1
# -------------------------------------------------
# (Its very Easy)
>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.>,>,>,>,>,>,<[>-<-]#>[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

Let's split it into its interesting parts.

As we know, in Brainfuck input is read with the ',' character
and output is written with the '.' character. If you've compiled
and tried the crackme, it simply asks for a "Serial : ". Based on
what you enter, it decides whether the serial is correct or not.
Great, so let's locate the part where it accepts our serial. :)

Analysis

In the 4th line of the code, we can see that it takes
6 bytes of input.

>,>,>,>,>,>,

Prior to that, the code is:

>.>.>.>.>.>.>.>.>.

Which obviously prints "Serial : ", exactly 9 bytes.

Let's see what happens after the input.

<[>-<-]

Remember that the memory pointer is still pointing to the last
character of the input, so a "<" makes it point to the second-last
character. After that, "[]" is a while loop; the value it tests is
the one in the cell the memory pointer is currently on, in this
case the ASCII value of the second-last char.

Let's analyse the while loop.

[>-<-]

> == point to the next memory location. (last char)
- == decrement the value at that location
< == point to the previous mem location (second last char)
- == decrement the value at that location.

The last part inside the while loop, "<-", is the important one,
because the loop keeps running as long as the value at that memory
location (the second-last char) is not 0.

Phew! So in short, the crackme takes the input and subtracts the
ASCII code of the second-last character from the ASCII code of the
last character.

Then what?
Now, let's see... do you like patterns? :) When was the last time
you found matching ones? ;) Let's analyze the first part of the
code, the part where it prints "Serial : ".

This is the code that does that:

>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.

Don't believe me? No worries, try running it in an online
Brainfuck interpreter, right here:

http://www.iamcal.com/misc/bf_debug/

I'm sure the above code prints "Serial : ". Now let's analyse
the code above.

> = move the memory pointer one cell to the right.
++++++++++ = put 10 in that cell.
[] = run this loop ten times.
Each pass of the loop adds a fixed number of "+" to each of the
following cells, so after ten passes those consecutive memory
locations hold (roughly) the ASCII codes of the characters you
want to print.

>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<

Fine-tuning the values there and pointing back to the start of
the buffer.

>.>.>.>.>.>.>.>.>.

Print the string.

Now let's look at the last part of the crackme's code, where it
obviously has to print a good-boy string.

Starting from the end of the code:

>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

Print the good-boy string.

>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<

Fine-tuning the characters of the string and pointing back to its
beginning.

[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]

A while loop that puts the ASCII codes into the right memory
locations.

But wait... something is missing, isn't it? The memory
location of the variable that controls the while loop.

Because prior to this, the only code that exists is this "#>"
and then the part that subtracts the ASCII codes of the last
two characters. So what exactly is happening?

The ">" instruction moves the pointer back to the last
character's cell, which now holds the result of that subtraction.
Thus the number of iterations of the while loop that prints
the good-boy message depends on the ASCII value of the last
character, as modified by that subtraction.


If you remember, the first while loop (the one that builds
"Serial : ") ran with a counter of 10, so the correct value here
is most likely 10 as well. Let's check whether our assumption is
right.

[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

This is the original code. Let's run it in the online
interpreter and see the output: you do get output, but it's
gibberish. Now add this to the beginning and see what happens:
>++++++++++ (move to the next memory location and put a value of
10 there, exactly what the first part of the crackme's code does
before printing "Serial : ").

When you run that, you get this string:

" :) Congratulations. " So that's perfect! The algorithm is
pretty simple, and a valid serial should be:

1. 6 chars long
2. The last character's ASCII code should be 10 more than the
second-last character's.

For example:
aaaaak
bbbbbl
cccccm
abcdeo
ABCDEO
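The whole analysis above, from the two string-building loops to the "[>-<-]" subtraction and the final rule, can be checked offline. What follows is an added example written for this page, not the crackme author's code: a minimal Brainfuck interpreter, a runner that feeds a candidate serial to the crackme listed at the top, the derived rule written out as a plain Python check, and a generator for the "counter of 10, multiply loop, then fine-tune" idiom the crackme uses to build "Serial : " and the good-boy string. It assumes 8-bit wrapping cells, a tape unbounded to the right, that ',' stores 0 once input is exhausted, and that '#' is a no-op; the names CRACKME, run_bf, run_crackme, crackme_accepts, is_valid_serial and bf_print are mine.

```python
"""Added example, not code from the original post: a small Brainfuck
interpreter that runs the crackme offline, a checker for the serial rule the
write-up derives, and a generator for the page's string-printing idiom.
Assumptions: 8-bit wrapping cells, a tape unbounded to the right, ',' stores
0 at end of input, and '#' (a breakpoint in some debuggers) is a no-op."""

# The crackme exactly as listed on the page.  Only + - < > . , [ ] are commands;
# the dashes in the header decrement cell 0, which the program never revisits.
CRACKME = """\
Aodrulez's Brainfuck Crackme V1
# -------------------------------------------------
# (Its very Easy)
>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.>,>,>,>,>,>,<[>-<-]#>[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.
"""
PROMPT = b"Serial : "
GOOD_BOY = b" :) Congratulations. "


def match_brackets(code):
    """Map every '[' to its ']' and back; reject unbalanced programs."""
    stack, jumps = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_bf(code, stdin=b"", max_steps=1_000_000):
    """Execute Brainfuck `code` with `stdin` as its input; return the bytes printed."""
    jumps = match_brackets(code)
    tape, ptr, pc, inp, out, steps = [0] * 64, 0, 0, 0, bytearray(), 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:  # guard against a runaway loop
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.extend([0] * len(tape))  # grow the tape on demand
        elif ch == "<":
            if ptr == 0:
                raise IndexError("pointer moved left of cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # 8-bit wrap
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return bytes(out)


def run_crackme(serial):
    """Feed a candidate serial to the crackme and return everything it prints."""
    return run_bf(CRACKME, serial)


def crackme_accepts(serial):
    """True when the crackme prints its good-boy string for this serial."""
    return run_crackme(serial) == PROMPT + GOOD_BOY


def is_valid_serial(serial):
    """The derived rule stated directly: six bytes, last byte == second-last + 10.
    [>-<-] subtracts inside an 8-bit cell, so the difference wraps modulo 256."""
    return len(serial) == 6 and (serial[5] - serial[4]) % 256 == 10


def bf_print(text):
    """Generate the page's string-printing idiom for any byte string: a counter
    of 10, a loop adding the nearest tenth of each byte to its own cell, a
    fine-tune of -5..+4 per cell, then '>.' per cell to print."""
    n = len(text)
    tens = [(c + 5) // 10 for c in text]              # nearest multiple of 10
    rest = [c - 10 * t for c, t in zip(text, tens)]  # what the loop left off
    loop = "".join(">" + "+" * t for t in tens) + "<" * n
    tune = "".join(">" + ("+" * r if r > 0 else "-" * -r) for r in rest) + "<" * n
    return ">" + "+" * 10 + "[" + loop + "-]" + tune + ">." * n
```

run_crackme(b"aaaaak") returns the prompt followed by " :) Congratulations. ", while run_crackme(b"aaaaaa") returns the prompt followed by 21 bytes of gibberish, exactly as the write-up describes. One caveat the plain "10 more" wording hides: because the subtraction wraps in an 8-bit cell, a pair such as 0xFB followed by 0x05 also passes the check, and is_valid_serial mirrors that with the modulo. bf_print reproduces the crackme's own construction (for 105 it emits eleven pluses in the loop and five minuses in the fine-tune, just like the "i" of "Serial : "), which is a convenient way to confirm the two loops were read correctly.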

That's all. :)

(c) Aodrulez.

2 comments:

mayjune said...

Wow! You explained the code so well!! And not just some code, brainfuck code!! LOL
That's a very nice breakdown of the code...

I wouldn't have thought of it this way, but after compiling it in C, breaking the code, and now reading your blog, it's all making sense to me. Like if I put enough effort maybe I might be able to look at bf code and actually read and maybe understand it without the need of compiling it to C...

Great stuff. You have certainly put a lot of hard work in this one :)

Waiting for more :)

Aodrulez said...

:) Tnx mayjune. Definitely planning to post more things. Stay tuned.