Thursday, September 1, 2011

Zen & The Art of Cracking. (Part 1)

Hola Amigos!
This is a tutorial explaining some old school
+orc inspired reversing/cracking techniques.
Today, our target application is a crackme that
I wrote a few days ago in an esoteric language
named 'Brainfuck'. The code of the crackme can
be found here:

http://aodrulez.110mb.com/crackme.txt

But before we begin our reversing tutorial, let
me show you how to compile this code & make
our crackme application. In my previous post, I
provided the source code of my 'Brainfuck Pseudo
Compiler'. You can compile this crackme using that
compiler. First of all, compile the 'Brainfuck
Pseudo Compiler' as follows:

aodrulez@pwn4g3:~/muse$ gcc bfc.c -o bfc

Here I'm assuming you've copied the code of my
compiler into a file named 'bfc.c'. Once this is
done, you should have an executable named 'bfc',
which is our Brainfuck compiler. Now let's compile
the crackme. Copy the contents of the above link
to a file named 'crackme.txt'. Then issue this
command:

aodrulez@pwn4g3:~/muse$ ./bfc crackme.txt crackme

That should compile our 'crackme' for you.


Cracking the Code

Before we do any reversing & fire up any of our tools,
let's study the crackme first. Let's try running it
& see what happens.

aodrulez@pwn4g3:~/muse$ ./crackme
Serial : aaaaaa
� � ������� �� aodrulez@pwn4g3:~/muse$


Now that doesn't look like a valid serial :D . But one
important thing I observed was that it takes exactly
6 bytes/characters for the serial. Not a byte less,
not a byte more. How did I know that? Try entering
one character & then hit enter & see what happens..
& keep on doing this until you get an output. :)
(Remember that even 'enter' or Line-Feed is a char!)

Now, let's think about it... is there a way to find
out the valid serial without even looking at the
algorithm? Of course there is... the magic word for
you is 'bruteforce'. There are times when the algo
involved is so complicated that it's very tough to
reverse it & find a valid serial. In such cases, when
you have no other choice left, you can always try
bruteforce.

The truth though is that it's an ugly way of doing
things. Why? Let me explain. Let's say we have a serial
the length of which is 1 character. How many possible
values can it have?

Only alphabets (case insensitive): 26
Alphanumeric (case insensitive): 26+10 = 36
Case-sensitive alphanumeric: 26+26+10 = 62

What do these numbers mean? If the password is just
alphabets, case insensitive, the maximum number of
possible right answers is 26. So, I hope it's understood
that if I try all of these 26 possible values, I'm sure
to get the right password. But if the password is 2
characters in size, the max possible combinations become
26*26, or 26^2 == 676! Every extra character multiplies
the count by the size of the alphabet, and walking through
all of them is pure bruteforce. Alrighty... now how to
implement a custom bruteforce tool for our particular crackme?

As we know already, the crackme needs an input.
So let's try this command in a Linux terminal:

aodrulez@pwn4g3:~/muse$ echo "aaaaaa" | ./crackme

What this'll do is... it'll run echo "aaaaaa", but the
pipe symbol "|" tells the shell to feed echo's output
into the command specified instead of printing it to the
screen; in this case, into the "crackme" executable as its
input. This trick, combined with some programming skills,
can be turned into a sort of bruteforce attack.

So here I'm providing a very ugly bruteforce algorithm
that I just wrote. It's ugly, not optimized, but it sure
as hell works. Here we go:

Bruteforce COde version 1.0


Try compiling this code & put the executable in the
same directory as 'crackme'. Then execute it & observe
the crude output you get. What this code does is
craft a 6-character long string for every possible
combination. Now if you look up an ASCII table, the
ASCII codes 97-122 are the range for 'a'-'z'.
So this script is a lower-case 6-character pattern
generator whose output is piped to our crackme as
input. Simple & sweet. Try running the above code & observe
the output.. somewhere down the line you'll see
":) Congratulations" & the corresponding string is
a valid serial. :)


This is a little better version of the same bruteforce
script as far as output is concerned.

Bruteforce C0de version 1.1


That'll generate you some valid serials. Now remember
that I still haven't looked at the code of the crackme
& have no idea how the actual algorithm works. I just
got lucky because a valid serial can be formed by just
entering 6 lowercase alphabets.. if this wouldn't have
worked, I would have tried uppercase, alphanumeric,
special characters etc. as combinations. No matter what,
I'm sure to get at least one valid serial because that's
the fundamental idea behind bruteforce.
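Since the 1.0 and 1.1 bruteforce listings themselves aren't reproduced on this page, here is an added example (my own code, not Aodrulez's scripts) that does what the two sections above describe: walk every fixed-length string over a chosen alphabet, pipe each one into ./crackme the same way echo "aaaaaa" | ./crackme does, and stop at the first output containing ":) Congratulations". The ./crackme path and the marker string come from the post; the alphabet is a parameter so the uppercase/alphanumeric fallbacks mentioned above are one argument away.

```python
"""Added example: generic fixed-length serial bruteforcer for the crackme.
Not the author's own 1.0/1.1 code; './crackme' is assumed to be the binary
built with bfc as described in the post."""
import itertools
import string
import subprocess
from typing import Callable, Iterator, Optional, Tuple

LOWER = string.ascii_lowercase          # 'a'..'z', ASCII 97-122
MARKER = b":) Congratulations"           # success string the crackme prints


def keyspace(length: int, alphabet: str = LOWER) -> int:
    """Number of candidates: each slot can hold any alphabet char, so
    len(alphabet) ** length (26 -> 676 -> ... -> 26^6 for this crackme)."""
    return len(alphabet) ** length


def candidates(length: int, alphabet: str = LOWER) -> Iterator[str]:
    """Yield every string of exactly `length` chars over `alphabet`,
    in order: 'aaaaaa', 'aaaaab', ..., 'zzzzzz'."""
    for combo in itertools.product(alphabet, repeat=length):
        yield "".join(combo)


def pipe_check(binary: str, marker: bytes = MARKER) -> Callable[[str], bool]:
    """Build a checker equivalent to `echo "<serial>" | ./crackme`.
    The crackme prints raw non-UTF-8 bytes on failure, so compare bytes."""
    def check(serial: str) -> bool:
        proc = subprocess.run([binary], input=(serial + "\n").encode(),
                              capture_output=True, timeout=5)
        return marker in proc.stdout
    return check


def search(check: Callable[[str], bool], length: int,
           alphabet: str = LOWER) -> Tuple[Optional[str], int]:
    """Feed candidates to `check` until one is accepted.
    Returns (serial or None, number of attempts made)."""
    tries = 0
    for serial in candidates(length, alphabet):
        tries += 1
        if check(serial):
            return serial, tries
    return None, tries


if __name__ == "__main__":
    print("keyspace for 6 lowercase chars:", keyspace(6))  # 308915776
    serial, tries = search(pipe_check("./crackme"), 6)
    print("valid serial:", serial, "after", tries, "attempts")
```

Spawning one process per candidate is exactly the "ugly, not optimized" approach the post describes; keyspace(6) shows why, since the worst case is over 300 million runs of the crackme.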

Hope you learnt something new out of this really long
and boring tutorial. Happy hacking!


Just in case the above crackme code's link is not
working, here it is:

# Aodrulez's Brainfuck Crackme V1
# -------------------------------------------------
# (Its very Easy)
>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.>,>,>,>,>,>,<[>-<-]#>[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

1 comment:

firesofmay said...

Great stuff! I didn't think of brute forcing! Lol, but your tut gave some nice ideas, especially using grep if you knew what the final output is like...