# Advanced Linux --- Lab 2 Albert Akmukhametov a.akmukhametov@innopolis.university _Note:_ In fact this assignment took much less time that it seems like. I've put information about all useful steps I've applied. ## Analyzing the binary First of all, let's just run it  We see that there is some license check based on our HWID. For now it's unknown what this HWID is. Let's take a look at `strace ./hack_app` until key is prompted (dynamic linkage part is ommited)  We can see that there is attempt to check probably saved key in file attributes. Probably it's failed due to lack of that attribute. Bring on the ~~Fluggegecheimen~~ Ghidra! We see very pretty decompiled listing  ## Patch that! We see after key was read from attributes into `xattrValue` and compared with pre-calculated key in `md5decode`  So if we make `local_24` equal 1 we can bypass licensing mechanis. To achieve that I'd like to flip condition on line 42. Hypothetically if file attributes will contain correct key, our patch will fail executeion. Really no key will be written into attributes because it happens after key prompt.  That is assembly of that condition  `EAX` contains result of `strncmp`. `JNZ` means jump if after `TEST` `ZF == 0` (i.e. `EAX & EAX != 0`). So, our goal is to avoid that jump (because it will skip writin into `local_24`). Let's just repace `JNZ` with its opposite `JZ`: 1. Put cursor on `jnz` and press Ctrl+Shift+G (i.e. Patch Instruction) 2. Replace JNZ with JZ. We see Ghidra's decompile listing changed accordingly   If we save it (File -> Export Program) and run we see it's runs like we have license:  ## Figure out key generation and create keygen For furher analysis I'll assign some comfortable names in Ghidra. Also for further analysis I'll refer to `__get_cpuid` [implementation from GCC](https://github.com/gcc-mirror/gcc/blob/master/gcc/config/i386/cpuid.h). `__get_cpuid` itself is wrapper over `CPUID` asm instruction. In our case `CPUID` called for leaf 1 --- information about processor and feature bits.  We are interested in manipulations over `EAX` and `EDX`. First is about processor version, second is about processor features. In fact, we don't care about that, just something curious. If we compare actual HWID from given binary and result of CPUID, we can easily figure out that `HWID_LEFT=bytewsie_reverse(EAX)` and `HWID_RIGHT=bytewise_reverse(EDX)`. HWID: EC060800FFFB8B0F EAX: 000806ec EDX: 0f8bfbff From further listing we can figure out that `KEY=hex(reverse(MD5(HWID)))`  So, technically, we obtain the formula for key generation. For my HWID `EC060800FFFB8B0F` key is `2fbd5901ce050f76c2719cac45fe6030`. Let's try it:   Just to ensure I've uploaded `hack_app` to my another server and tryed to use keygen there:   Yeah, we purchased it, exactly. ## Create a patch I used python to find which byte were changed by Ghidra.  So I wrote simple python script which replaces required byte ```python orig_file = open('hack_app', 'rb') orig = orig_file.read() orig_file.close() patched = orig[:5534] + (116).to_bytes(1, 'little') + orig[5534+1:] patched_file = open('hack_app.patched', 'wb+') patched_file.write(patched) patched_file.flush() patched_file.close() ```