IOLI crackme Writeup
Those basic crackmes are here.
Crackme 0x00
Let’s run it first.
bin-linux$ ./crackme0x00
IOLI Crackme Level 0x00
Password: 123456
Invalid Password!
Method 1
Maybe the password is a strings so use strings to find it.
bin-linux$ strings crackme0x00
IOLI Crackme Level 0x00
Password:
250382
Invalid Password!
Password OK :)
There is a strange number 250382, try it.
bin-linux$ ./crackme0x00
IOLI Crackme Level 0x00
Password: 250382
Password OK :)
Or, use rabin2, the “binary program info extractor” from radare2.
bin-linux$ rabin2 -z ./crackme0x00
vaddr=0x08048568 paddr=0x00000568 ordinal=000 sz=25 len=24 section=.rodata type=ascii string=IOLI Crackme Level 0x00\n
vaddr=0x08048581 paddr=0x00000581 ordinal=001 sz=11 len=10 section=.rodata type=ascii string=Password:
vaddr=0x0804858f paddr=0x0000058f ordinal=002 sz=7 len=6 section=.rodata type=ascii string=250382
vaddr=0x08048596 paddr=0x00000596 ordinal=003 sz=19 len=18 section=.rodata type=ascii string=Invalid Password!\n
vaddr=0x080485a9 paddr=0x000005a9 ordinal=004 sz=16 len=15 section=.rodata type=ascii string=Password OK :)\n
-zlet you get strings (from data section)
Method 2
Modify the program logic so that any password can be OK.
I opened the binary with radare2 using -w to be in write mode, allowing radare2 to write data to the file.
bin-linux$ radare2 -w crackme0x00
[0xf7777b30]> s main
[0x08048414]> pd 32
;-- main:
;-- main:
0x08048414 55 push ebp
0x08048415 89e5 mov ebp, esp
0x08048417 83ec28 sub esp, 0x28 ; '('
0x0804841a 83e4f0 and esp, 0xfffffff0
0x0804841d b800000000 mov eax, 0
0x08048422 83c00f add eax, 0xf
0x08048425 83c00f add eax, 0xf
0x08048428 c1e804 shr eax, 4
0x0804842b c1e004 shl eax, 4
0x0804842e 29c4 sub esp, eax
0x08048430 c70424688504. mov dword [esp], str.IOLI_Crackme_Level_0x00_n ; [0x8048568:4]=0x494c4f49 ; "IOLI Crackme Level 0x00." @ 0x8048568
0x08048437 e804ffffff call sym.imp.printf
0x0804843c c70424818504. mov dword [esp], str.Password: ; [0x8048581:4]=0x73736150 ; "Password: " @ 0x8048581
0x08048443 e8f8feffff call sym.imp.printf
0x08048448 8d45e8 lea eax, dword [ebp - 0x18]
0x0804844b 89442404 mov dword [esp + 4], eax
0x0804844f c704248c8504. mov dword [esp], 0x804858c ; [0x804858c:4]=0x32007325
0x08048456 e8d5feffff call sym.imp.scanf
0x0804845b 8d45e8 lea eax, dword [ebp - 0x18]
0x0804845e c74424048f85. mov dword [esp + 4], str.250382 ; [0x804858f:4]=0x33303532 ; "250382" @ 0x804858f
0x08048466 890424 mov dword [esp], eax
0x08048469 e8e2feffff call sym.imp.strcmp
0x0804846e 85c0 test eax, eax
,=< 0x08048470 740e je 0x8048480
| 0x08048472 c70424968504. mov dword [esp], str.Invalid_Password__n ; [0x8048596:4]=0x61766e49 ; "Invalid Password!." @ 0x8048596
| 0x08048479 e8c2feffff call sym.imp.printf
,==< 0x0804847e eb0c jmp 0x804848c
|`-> 0x08048480 c70424a98504. mov dword [esp], str.Password_OK_:__n ; [0x80485a9:4]=0x73736150 ; "Password OK :)." @ 0x80485a9
| 0x08048487 e8b4feffff call sym.imp.printf
`--> 0x0804848c b800000000 mov eax, 0
0x08048491 c9 leave
0x08048492 c3 ret
slets you seek to an address (or symbol)
pd #lets you print disassembly of # instructions (from current seek)
Above is the disassembly output of the main function. I found the function at 0x08048470 is a conditionally jump je, so we change it to jmp, which is an unconditionally jump.
[0x08048414]> s 0x08048470
[0x08048470]> wx eb
[0x08048470]> pd 9
,=< 0x08048470 eb0e jmp 0x8048480
| 0x08048472 c70424968504. mov dword [esp], str.Invalid_Password__n ; [0x8048596:4]=0x61766e49 ; "Invalid Password!." @ 0x8048596
| 0x08048479 e8c2feffff call sym.imp.printf
,==< 0x0804847e eb0c jmp 0x804848c
|`-> 0x08048480 c70424a98504. mov dword [esp], str.Password_OK_:__n ; [0x80485a9:4]=0x73736150 ; "Password OK :)." @ 0x80485a9
| 0x08048487 e8b4feffff call sym.imp.printf
`--> 0x0804848c b800000000 mov eax, 0
0x08048491 c9 leave
0x08048492 c3 ret
wxis short for Write heX, and allows for writing raw bytes to an offset specificly.
Now we can get successful message whatever the password is.
bin-linux$ ./crackme0x00
IOLI Crackme Level 0x00
Password: 123456
Password OK :)
Crackme0x01
This time, the method 1 below got failed.
bin-linux$ ./crackme0x01
IOLI Crackme Level 0x01
Password: 123456
Invalid Password!
bin-linux$ rabin2 -z crackme0x01
vaddr=0x08048528 paddr=0x00000528 ordinal=000 sz=25 len=24 section=.rodata type=ascii string=IOLI Crackme Level 0x01\n
vaddr=0x08048541 paddr=0x00000541 ordinal=001 sz=11 len=10 section=.rodata type=ascii string=Password:
vaddr=0x0804854f paddr=0x0000054f ordinal=002 sz=19 len=18 section=.rodata type=ascii string=Invalid Password!\n
vaddr=0x08048562 paddr=0x00000562 ordinal=003 sz=16 len=15 section=.rodata type=ascii string=Password OK :)\n
So, lets see the code again.
bin-linux$ radare2 -w crackme0x01
[0x08048330]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x08048330]> pdf @ sym.main
;-- main:
/ (fcn) main 113
| main ();
| ; var int local_4h @ ebp-0x4
| ; var int local_4h_2 @ esp+0x4
| ; DATA XREF from 0x08048347 (entry0)
| 0x080483e4 55 push ebp
| 0x080483e5 89e5 mov ebp, esp
| 0x080483e7 83ec18 sub esp, 0x18
| 0x080483ea 83e4f0 and esp, 0xfffffff0
| 0x080483ed b800000000 mov eax, 0
| 0x080483f2 83c00f add eax, 0xf
| 0x080483f5 83c00f add eax, 0xf
| 0x080483f8 c1e804 shr eax, 4
| 0x080483fb c1e004 shl eax, 4
| 0x080483fe 29c4 sub esp, eax
| 0x08048400 c70424288504. mov dword [esp], str.IOLI_Crackme_Level_0x01_n ; [0x8048528:4]=0x494c4f49 ; "IOLI Crackme Level 0x01." @ 0x8048528
| 0x08048407 e810ffffff call sym.imp.printf ; int printf(const char *format)
| 0x0804840c c70424418504. mov dword [esp], str.Password: ; [0x8048541:4]=0x73736150 ; "Password: " @ 0x8048541
| 0x08048413 e804ffffff call sym.imp.printf ; int printf(const char *format)
| 0x08048418 8d45fc lea eax, dword [local_4h]
| 0x0804841b 89442404 mov dword [local_4h_2], eax
| 0x0804841f c704244c8504. mov dword [esp], 0x804854c ; [0x804854c:4]=0x49006425 ; "%d"
| 0x08048426 e8e1feffff call sym.imp.scanf ; int scanf(const char *format)
| 0x0804842b 817dfc9a1400. cmp dword [local_4h], 0x149a ; [0x149a:4]=0x2ec0804
| ,=< 0x08048432 740e je 0x8048442
| | 0x08048434 c704244f8504. mov dword [esp], str.Invalid_Password__n ; [0x804854f:4]=0x61766e49 ; "Invalid Password!." @ 0x804854f
| | 0x0804843b e8dcfeffff call sym.imp.printf ; int printf(const char *format)
| ,==< 0x08048440 eb0c jmp 0x804844e
| |`-> 0x08048442 c70424628504. mov dword [esp], str.Password_OK_:__n ; [0x8048562:4]=0x73736150 ; "Password OK :)." @ 0x8048562
| | 0x08048449 e8cefeffff call sym.imp.printf ; int printf(const char *format)
| | ; JMP XREF from 0x08048440 (main)
| `--> 0x0804844e b800000000 mov eax, 0
| 0x08048453 c9 leave
\ 0x08048454 c3 ret
aatells radare2 to analyse the whole binary.
We also found a je at 0x08048432 and if we change it to jmp, it will be successful. But this time, we try another method to found its password. The function at 0x0804842b is a cmp instruction, with a constant 0x149a. The 0x149a is a hexadecimal number and we can change it to others.
[0x08048330]> ? 0x149a
5274 0x149a 012232 5.2K 0000:049a 5274 "\x9a\x14" 0001010010011010 5274.0 5274.000000f 5274.000000
The
?command is used to perform math operations and returns the answer in a wide variety of formats.
Maybe the password is just one of them.
bin-linux$ ./crackme0x01
IOLI Crackme Level 0x01
Password: 5274
Password OK :)
Crackme0x02
This time also a “compare-jump” program, but the destination is “Invalid_Password__n” instead “Password_OK_”.
bin-linux$ radare2 -w crackme0x02
[0x08048330]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x08048330]> pdf @ sym.main
;-- main:
/ (fcn) main 144
| main ();
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; var int local_4h_2 @ esp+0x4
| ; DATA XREF from 0x08048347 (entry0)
| 0x080483e4 55 push ebp
| 0x080483e5 89e5 mov ebp, esp
| 0x080483e7 83ec18 sub esp, 0x18
| 0x080483ea 83e4f0 and esp, 0xfffffff0
| 0x080483ed b800000000 mov eax, 0
| 0x080483f2 83c00f add eax, 0xf
| 0x080483f5 83c00f add eax, 0xf
| 0x080483f8 c1e804 shr eax, 4
| 0x080483fb c1e004 shl eax, 4
| 0x080483fe 29c4 sub esp, eax
| 0x08048400 c70424488504. mov dword [esp], str.IOLI_Crackme_Level_0x02_n ; [0x8048548:4]=0x494c4f49 ; "IOLI Crackme Level 0x02." @ 0x8048548
| 0x08048407 e810ffffff call sym.imp.printf ; int printf(const char *format)
| 0x0804840c c70424618504. mov dword [esp], str.Password: ; [0x8048561:4]=0x73736150 ; "Password: " @ 0x8048561
| 0x08048413 e804ffffff call sym.imp.printf ; int printf(const char *format)
| 0x08048418 8d45fc lea eax, dword [local_4h]
| 0x0804841b 89442404 mov dword [local_4h_2], eax
| 0x0804841f c704246c8504. mov dword [esp], 0x804856c ; [0x804856c:4]=0x50006425 ; "%d"
| 0x08048426 e8e1feffff call sym.imp.scanf ; int scanf(const char *format)
| 0x0804842b c745f85a0000. mov dword [local_8h], 0x5a ; 'Z'
| 0x08048432 c745f4ec0100. mov dword [local_ch], 0x1ec
| 0x08048439 8b55f4 mov edx, dword [local_ch]
| 0x0804843c 8d45f8 lea eax, dword [local_8h]
| 0x0804843f 0110 add dword [eax], edx
| 0x08048441 8b45f8 mov eax, dword [local_8h]
| 0x08048444 0faf45f8 imul eax, dword [local_8h]
| 0x08048448 8945f4 mov dword [local_ch], eax
| 0x0804844b 8b45fc mov eax, dword [local_4h]
| 0x0804844e 3b45f4 cmp eax, dword [local_ch]
| ,=< 0x08048451 750e jne 0x8048461
| | 0x08048453 c704246f8504. mov dword [esp], str.Password_OK_:__n ; [0x804856f:4]=0x73736150 ; "Password OK :)." @ 0x804856f
| | 0x0804845a e8bdfeffff call sym.imp.printf ; int printf(const char *format)
| ,==< 0x0804845f eb0c jmp 0x804846d
| |`-> 0x08048461 c704247f8504. mov dword [esp], str.Invalid_Password__n ; [0x804857f:4]=0x61766e49 ; "Invalid Password!." @ 0x804857f
| | 0x08048468 e8affeffff call sym.imp.printf ; int printf(const char *format)
| | ; JMP XREF from 0x0804845f (main)
| `--> 0x0804846d b800000000 mov eax, 0
| 0x08048472 c9 leave
\ 0x08048473 c3 ret
So, we can use a nop instruction to replace the jump instruction at 0x08048451.
[0x08048330]> s 0x08048451
[0x08048451]> wx 90
[0x08048451]> pd 9
| 0x08048451 90 nop
| 0x08048452 0e push cs
| 0x08048453 c704246f8504. mov dword [esp], str.Password_OK_:__n ; [0x804856f:4]=0x73736150 ; "Password OK :)." @ 0x804856f
| 0x0804845a e8bdfeffff call sym.imp.printf ; int printf(const char *format)
| ,=< 0x0804845f eb0c jmp 0x804846d
| | 0x08048461 c704247f8504. mov dword [esp], str.Invalid_Password__n ; [0x804857f:4]=0x61766e49 ; "Invalid Password!." @ 0x804857f
| | 0x08048468 e8affeffff call sym.imp.printf ; int printf(const char *format)
| | ; JMP XREF from 0x0804845f (main)
| `-> 0x0804846d b800000000 mov eax, 0
| 0x08048472 c9 leave
bin-linux$ ./crackme0x02
IOLI Crackme Level 0x02
Password: 123456
Password OK :)
Crackme0x03
The challenge becomes a little more difficult, there is no jump instruction.
bin-linux$ radare2 -w crackme0x03
[0x08048360]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x08048360]> pdf @ sym.main
;-- main:
/ (fcn) sym.main 128
| sym.main ();
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; var int local_4h_2 @ esp+0x4
| ; DATA XREF from 0x08048377 (entry0)
| 0x08048498 55 push ebp
| 0x08048499 89e5 mov ebp, esp
| 0x0804849b 83ec18 sub esp, 0x18
| 0x0804849e 83e4f0 and esp, 0xfffffff0
| 0x080484a1 b800000000 mov eax, 0
| 0x080484a6 83c00f add eax, 0xf
| 0x080484a9 83c00f add eax, 0xf
| 0x080484ac c1e804 shr eax, 4
| 0x080484af c1e004 shl eax, 4
| 0x080484b2 29c4 sub esp, eax
| 0x080484b4 c70424108604. mov dword [esp], str.IOLI_Crackme_Level_0x03_n ; [0x8048610:4]=0x494c4f49 ; "IOLI Crackme Level 0x03." @ 0x8048610
| 0x080484bb e890feffff call sym.imp.printf ; int printf(const char *format)
| 0x080484c0 c70424298604. mov dword [esp], str.Password: ; [0x8048629:4]=0x73736150 ; "Password: " @ 0x8048629
| 0x080484c7 e884feffff call sym.imp.printf ; int printf(const char *format)
| 0x080484cc 8d45fc lea eax, dword [local_4h]
| 0x080484cf 89442404 mov dword [local_4h_2], eax
| 0x080484d3 c70424348604. mov dword [esp], 0x8048634 ; [0x8048634:4]=0x6425 ; "%d"
| 0x080484da e851feffff call sym.imp.scanf ; int scanf(const char *format)
| 0x080484df c745f85a0000. mov dword [local_8h], 0x5a ; 'Z'
| 0x080484e6 c745f4ec0100. mov dword [local_ch], 0x1ec
| 0x080484ed 8b55f4 mov edx, dword [local_ch]
| 0x080484f0 8d45f8 lea eax, dword [local_8h]
| 0x080484f3 0110 add dword [eax], edx
| 0x080484f5 8b45f8 mov eax, dword [local_8h]
| 0x080484f8 0faf45f8 imul eax, dword [local_8h]
| 0x080484fc 8945f4 mov dword [local_ch], eax
| 0x080484ff 8b45f4 mov eax, dword [local_ch]
| 0x08048502 89442404 mov dword [local_4h_2], eax
| 0x08048506 8b45fc mov eax, dword [local_4h]
| 0x08048509 890424 mov dword [esp], eax
| 0x0804850c e85dffffff call sym.test
| 0x08048511 b800000000 mov eax, 0
| 0x08048516 c9 leave
\ 0x08048517 c3 ret
We found a function called sym.test, let’s see the detail.
[0x08048360]> pdf @ sym.test
/ (fcn) sym.test 42
| sym.test (int arg_8h, int arg_ch);
| ; arg int arg_8h @ ebp+0x8
| ; arg int arg_ch @ ebp+0xc
| ; CALL XREF from 0x0804850c (sym.main)
| 0x0804846e 55 push ebp
| 0x0804846f 89e5 mov ebp, esp
| 0x08048471 83ec08 sub esp, 8
| 0x08048474 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| 0x08048477 3b450c cmp eax, dword [arg_ch] ; [0xc:4]=0
| ,=< 0x0804847a 740e je 0x804848a
| | 0x0804847c c70424ec8504. mov dword [esp], str.Lqydolg_Sdvvzrug_ ; [0x80485ec:4]=0x6479714c ; "Lqydolg#Sdvvzrug$" @ 0x80485ec
| | 0x08048483 e88cffffff call sym.shift
| ,==< 0x08048488 eb0c jmp 0x8048496
| |`-> 0x0804848a c70424fe8504. mov dword [esp], str.Sdvvzrug_RN______ ; [0x80485fe:4]=0x76766453 ; "Sdvvzrug#RN$$$#=," @ 0x80485fe
| | 0x08048491 e87effffff call sym.shift
| | ; JMP XREF from 0x08048488 (sym.test)
| `--> 0x08048496 c9 leave
\ 0x08048497 c3 ret
In the below disassembly code, there are two strings seems to be encrypted, just like Invalid_Password__n and Password_OK_ we found before.
Method 1
Of course, we can replace je to cmp at 0x0804847a in function sym.test.
[0x08048360]> s 0x0804847a
[0x0804847a]> wx eb
[0x0804847a]> pdf @ sym.test
/ (fcn) sym.test 42
| sym.test (int arg_8h, int arg_ch);
| ; arg int arg_8h @ ebp+0x8
| ; arg int arg_ch @ ebp+0xc
| ; CALL XREF from 0x0804850c (sym.main)
| 0x0804846e 55 push ebp
| 0x0804846f 89e5 mov ebp, esp
| 0x08048471 83ec08 sub esp, 8
| 0x08048474 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| 0x08048477 3b450c cmp eax, dword [arg_ch] ; [0xc:4]=0
| ,=< 0x0804847a eb0e jmp 0x804848a
| | 0x0804847c c70424ec8504. mov dword [esp], str.Lqydolg_Sdvvzrug_ ; [0x80485ec:4]=0x6479714c ; "Lqydolg#Sdvvzrug$" @ 0x80485ec
| | 0x08048483 e88cffffff call sym.shift
| ,==< 0x08048488 eb0c jmp 0x8048496
| |`-> 0x0804848a c70424fe8504. mov dword [esp], str.Sdvvzrug_RN______ ; [0x80485fe:4]=0x76766453 ; "Sdvvzrug#RN$$$#=," @ 0x80485fe
| | 0x08048491 e87effffff call sym.shift
| | ; JMP XREF from 0x08048488 (sym.test)
| `--> 0x08048496 c9 leave
\ 0x08048497 c3 ret
bin-linux$ ./crackme0x03
IOLI Crackme Level 0x03
Password: 123456
Password OK!!! :)
Method 2
We focus on these lines in function sym.main, I have made some annotations.
| 0x080484df c745f85a0000. mov dword [local_8h], 0x5a ; 'Z'
| 0x080484e6 c745f4ec0100. mov dword [local_ch], 0x1ec
| 0x080484ed 8b55f4 mov edx, dword [local_ch] ; edx = 0x1ec
| 0x080484f0 8d45f8 lea eax, dword [local_8h] ; eax -> ebp-0x8
| 0x080484f3 0110 add dword [eax], edx ; ebp-0x8 = (0x5a + 0x1ec)
| 0x080484f5 8b45f8 mov eax, dword [local_8h] ; eax = 0x5a + 0x1ec = 0x246
| 0x080484f8 0faf45f8 imul eax, dword [local_8h] ; eax = 0x246 * 0x246 = 0x52b24
| 0x080484fc 8945f4 mov dword [local_ch], eax ; ebp-0xc = 0x52b24
| 0x080484ff 8b45f4 mov eax, dword [local_ch] ; eax = 0x52b24
| 0x08048502 89442404 mov dword [local_4h_2], eax ; esp+0x4 = eax
So, The value of eax is 0x52b24, and in function sym.test:
| 0x08048474 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| 0x08048477 3b450c cmp eax, dword [arg_ch] ; [0xc:4]=0
Although we know the eax in sym.main is different from in sym.test. We just try password with the decimal value of 0x52b24.
[0x08048360]> ? 0x52b24
338724 0x52b24 01225444 330.8K 5000:0b24 338724 "$+\x05" 000001010010101100100100 338724.0 338724.000000f 338724.000000
bin-linux$ ./crackme0x03
IOLI Crackme Level 0x03
Password: 338724
Password OK!!! :)
Oh, surprise!
From the name of functin sym.shift, I guess the encryption algorithm to be transposition cipher.
[0x08048360]> pdf @ sym.shift
/ (fcn) sym.shift 90
| sym.shift (int arg_8h);
| ; var int local_7ch @ ebp-0x7c
| ; var int local_78h @ ebp-0x78
| ; arg int arg_8h @ ebp+0x8
| ; var int local_4h @ esp+0x4
| ; CALL XREF from 0x08048491 (sym.test)
| ; CALL XREF from 0x08048483 (sym.test)
| 0x08048414 55 push ebp
| 0x08048415 89e5 mov ebp, esp
| 0x08048417 81ec98000000 sub esp, 0x98
| 0x0804841d c74584000000. mov dword [local_7ch], 0
| ; JMP XREF from 0x0804844e (sym.shift)
| .-> 0x08048424 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| | 0x08048427 890424 mov dword [esp], eax
| | 0x0804842a e811ffffff call sym.imp.strlen ; size_t strlen(const char *s)
| | 0x0804842f 394584 cmp dword [local_7ch], eax ; [0x13:4]=256
| ,==< 0x08048432 731c jae 0x8048450
| || 0x08048434 8d4588 lea eax, dword [local_78h]
| || 0x08048437 89c2 mov edx, eax
| || 0x08048439 035584 add edx, dword [local_7ch]
| || 0x0804843c 8b4584 mov eax, dword [local_7ch]
| || 0x0804843f 034508 add eax, dword [arg_8h]
| || 0x08048442 0fb600 movzx eax, byte [eax]
| || 0x08048445 2c03 sub al, 3
| || 0x08048447 8802 mov byte [edx], al
| || 0x08048449 8d4584 lea eax, dword [local_7ch]
| || 0x0804844c ff00 inc dword [eax]
| |`=< 0x0804844e ebd4 jmp 0x8048424
| `--> 0x08048450 8d4588 lea eax, dword [local_78h]
| 0x08048453 034584 add eax, dword [local_7ch]
| 0x08048456 c60000 mov byte [eax], 0
| 0x08048459 8d4588 lea eax, dword [local_78h]
| 0x0804845c 89442404 mov dword [local_4h], eax
| 0x08048460 c70424e88504. mov dword [esp], 0x80485e8 ; [0x80485e8:4]=0xa7325 ; "%s."
| 0x08048467 e8e4feffff call sym.imp.printf ; int printf(const char *format)
| 0x0804846c c9 leave
\ 0x0804846d c3 ret
Through the analysis, we can write the following script to decrypted.
In [1]: print(''.join([chr(ord(i)-0x3) for i in 'Sdvvzrug#RN$$$#=']))
Password OK!!! :)
In [2]: print(''.join([chr(ord(i)-0x3) for i in 'Lqydolg#Sdvvzrug$']))
Invalid Password!
Crackme0x04
bin-linux$ radare2 -w crackme0x04
[0x080483d0]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x080483d0]> pdf @ sym.main
;-- main:
/ (fcn) sym.main 92
| sym.main ();
| ; var int local_78h @ ebp-0x78
| ; var int local_4h @ esp+0x4
| ; DATA XREF from 0x080483e7 (entry0)
| 0x08048509 55 push ebp
| 0x0804850a 89e5 mov ebp, esp
| 0x0804850c 81ec88000000 sub esp, 0x88
| 0x08048512 83e4f0 and esp, 0xfffffff0
| 0x08048515 b800000000 mov eax, 0
| 0x0804851a 83c00f add eax, 0xf
| 0x0804851d 83c00f add eax, 0xf
| 0x08048520 c1e804 shr eax, 4
| 0x08048523 c1e004 shl eax, 4
| 0x08048526 29c4 sub esp, eax
| 0x08048528 c704245e8604. mov dword [esp], str.IOLI_Crackme_Level_0x04_n ; [0x804865e:4]=0x494c4f49 ; "IOLI Crackme Level 0x04." @ 0x804865e
| 0x0804852f e860feffff call sym.imp.printf ; int printf(const char *format)
| 0x08048534 c70424778604. mov dword [esp], str.Password: ; [0x8048677:4]=0x73736150 ; "Password: " @ 0x8048677
| 0x0804853b e854feffff call sym.imp.printf ; int printf(const char *format)
| 0x08048540 8d4588 lea eax, dword [local_78h]
| 0x08048543 89442404 mov dword [local_4h], eax
| 0x08048547 c70424828604. mov dword [esp], 0x8048682 ; [0x8048682:4]=0x7325 ; "%s"
| 0x0804854e e821feffff call sym.imp.scanf ; int scanf(const char *format)
| 0x08048553 8d4588 lea eax, dword [local_78h]
| 0x08048556 890424 mov dword [esp], eax
| 0x08048559 e826ffffff call sym.check
| 0x0804855e b800000000 mov eax, 0
| 0x08048563 c9 leave
\ 0x08048564 c3 ret
[0x080483d0]> pdf @ sym.check
/ (fcn) sym.check 133
| sym.check (int arg_8h);
| ; var int local_dh @ ebp-0xd
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_8h @ ebp+0x8
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h_2 @ esp+0x8
| ; CALL XREF from 0x08048559 (sym.main)
| 0x08048484 55 push ebp
| 0x08048485 89e5 mov ebp, esp
| 0x08048487 83ec28 sub esp, 0x28 ; '('
| 0x0804848a c745f8000000. mov dword [local_8h], 0
| 0x08048491 c745f4000000. mov dword [local_ch], 0
| ; JMP XREF from 0x080484f9 (sym.check)
| .-> 0x08048498 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| | 0x0804849b 890424 mov dword [esp], eax
| | 0x0804849e e8e1feffff call sym.imp.strlen ; size_t strlen(const char *s)
| | 0x080484a3 3945f4 cmp dword [local_ch], eax ; [0x13:4]=256 counter > strlen ?
| ,==< 0x080484a6 7353 jae 0x80484fb
| || 0x080484a8 8b45f4 mov eax, dword [local_ch]
| || 0x080484ab 034508 add eax, dword [arg_8h]
| || 0x080484ae 0fb600 movzx eax, byte [eax]
| || 0x080484b1 8845f3 mov byte [local_dh], al
| || 0x080484b4 8d45fc lea eax, dword [local_4h]
| || 0x080484b7 89442408 mov dword [local_8h_2], eax
| || 0x080484bb c74424043886. mov dword [local_4h_2], 0x8048638 ; [0x8048638:4]=0x50006425 ; "%d"
| || 0x080484c3 8d45f3 lea eax, dword [local_dh]
| || 0x080484c6 890424 mov dword [esp], eax
| || 0x080484c9 e8d6feffff call sym.imp.sscanf ; int sscanf(const char *s,
| || 0x080484ce 8b55fc mov edx, dword [local_4h]
| || 0x080484d1 8d45f8 lea eax, dword [local_8h]
| || 0x080484d4 0110 add dword [eax], edx
| || 0x080484d6 837df80f cmp dword [local_8h], 0xf ; [0xf:4]=0x3000200
| ,===< 0x080484da 7518 jne 0x80484f4
| ||| 0x080484dc c704243b8604. mov dword [esp], str.Password_OK__n ; [0x804863b:4]=0x73736150 ; "Password OK!." @ 0x804863b
| ||| 0x080484e3 e8acfeffff call sym.imp.printf ; int printf(const char *format)
| ||| 0x080484e8 c70424000000. mov dword [esp], 0
| ||| 0x080484ef e8c0feffff call sym.imp.exit ; void exit(int status)
| `---> 0x080484f4 8d45f4 lea eax, dword [local_ch]
| || 0x080484f7 ff00 inc dword [eax]
| |`=< 0x080484f9 eb9d jmp 0x8048498
| `--> 0x080484fb c70424498604. mov dword [esp], str.Password_Incorrect__n ; [0x8048649:4]=0x73736150 ; "Password Incorrect!." @ 0x8048649
| 0x08048502 e88dfeffff call sym.imp.printf ; int printf(const char *format)
| 0x08048507 c9 leave
\ 0x08048508 c3 ret
With the man sscanf command, we know that sscanf() reads its input from the character string pointed to by str.
int sscanf(const char *str, const char *format, ...);
The functin strlen() get the length of the password we input. Everytime function sscanf() get a character from our password as “%s”, and then transform it to “%d”. With the loop for len times, which len is the length of our password, these number add together, and compare with 0xf(aka 15). If equals, jump to output the successful message.
bin-linux$ ./crackme0x04
IOLI Crackme Level 0x04
Password: 555
Password OK!
bin-linux$ ./crackme0x04
IOLI Crackme Level 0x04
Password: 12345
Password OK!
crackme0x05
bin-linux$ radare2 -w crackme0x05
[0x080483d0]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x080483d0]> pdf @ sym.main
;-- main:
/ (fcn) sym.main 92
| sym.main ();
| ; var int local_78h @ ebp-0x78
| ; var int local_4h @ esp+0x4
| ; DATA XREF from 0x080483e7 (entry0)
| 0x08048540 55 push ebp
| 0x08048541 89e5 mov ebp, esp
| 0x08048543 81ec88000000 sub esp, 0x88
| 0x08048549 83e4f0 and esp, 0xfffffff0
| 0x0804854c b800000000 mov eax, 0
| 0x08048551 83c00f add eax, 0xf
| 0x08048554 83c00f add eax, 0xf
| 0x08048557 c1e804 shr eax, 4
| 0x0804855a c1e004 shl eax, 4
| 0x0804855d 29c4 sub esp, eax
| 0x0804855f c704248e8604. mov dword [esp], str.IOLI_Crackme_Level_0x05_n ; [0x804868e:4]=0x494c4f49 ; "IOLI Crackme Level 0x05." @ 0x804868e
| 0x08048566 e829feffff call sym.imp.printf ; int printf(const char *format)
| 0x0804856b c70424a78604. mov dword [esp], str.Password: ; [0x80486a7:4]=0x73736150 ; "Password: " @ 0x80486a7
| 0x08048572 e81dfeffff call sym.imp.printf ; int printf(const char *format)
| 0x08048577 8d4588 lea eax, dword [local_78h]
| 0x0804857a 89442404 mov dword [local_4h], eax
| 0x0804857e c70424b28604. mov dword [esp], 0x80486b2 ; [0x80486b2:4]=0x7325 ; "%s"
| 0x08048585 e8eafdffff call sym.imp.scanf ; int scanf(const char *format)
| 0x0804858a 8d4588 lea eax, dword [local_78h]
| 0x0804858d 890424 mov dword [esp], eax
| 0x08048590 e833ffffff call sym.check
| 0x08048595 b800000000 mov eax, 0
| 0x0804859a c9 leave
\ 0x0804859b c3 ret
[0x080483d0]> pdf @ sym.check
/ (fcn) sym.check 120
| sym.check (int arg_8h);
| ; var int local_dh @ ebp-0xd
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_8h @ ebp+0x8
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h_2 @ esp+0x8
| ; CALL XREF from 0x08048590 (sym.main)
| 0x080484c8 55 push ebp
| 0x080484c9 89e5 mov ebp, esp
| 0x080484cb 83ec28 sub esp, 0x28 ; '('
| 0x080484ce c745f8000000. mov dword [local_8h], 0
| 0x080484d5 c745f4000000. mov dword [local_ch], 0
| ; JMP XREF from 0x08048530 (sym.check)
| .-> 0x080484dc 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| | 0x080484df 890424 mov dword [esp], eax
| | 0x080484e2 e89dfeffff call sym.imp.strlen ; size_t strlen(const char *s)
| | 0x080484e7 3945f4 cmp dword [local_ch], eax ; [0x13:4]=256
| ,==< 0x080484ea 7346 jae 0x8048532
| || 0x080484ec 8b45f4 mov eax, dword [local_ch]
| || 0x080484ef 034508 add eax, dword [arg_8h]
| || 0x080484f2 0fb600 movzx eax, byte [eax]
| || 0x080484f5 8845f3 mov byte [local_dh], al
| || 0x080484f8 8d45fc lea eax, dword [local_4h]
| || 0x080484fb 89442408 mov dword [local_8h_2], eax
| || 0x080484ff c74424046886. mov dword [local_4h_2], 0x8048668 ; [0x8048668:4]=0x50006425 ; "%d"
| || 0x08048507 8d45f3 lea eax, dword [local_dh]
| || 0x0804850a 890424 mov dword [esp], eax
| || 0x0804850d e892feffff call sym.imp.sscanf ; int sscanf(const char *s,
| || 0x08048512 8b55fc mov edx, dword [local_4h]
| || 0x08048515 8d45f8 lea eax, dword [local_8h]
| || 0x08048518 0110 add dword [eax], edx
| || 0x0804851a 837df810 cmp dword [local_8h], 0x10 ; [0x10:4]=0x30002
| ,===< 0x0804851e 750b jne 0x804852b
| ||| 0x08048520 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| ||| 0x08048523 890424 mov dword [esp], eax
| ||| 0x08048526 e859ffffff call sym.parell
| `---> 0x0804852b 8d45f4 lea eax, dword [local_ch]
| || 0x0804852e ff00 inc dword [eax]
| |`=< 0x08048530 ebaa jmp 0x80484dc
| `--> 0x08048532 c70424798604. mov dword [esp], str.Password_Incorrect__n ; [0x8048679:4]=0x73736150 ; "Password Incorrect!." @ 0x8048679
| 0x08048539 e856feffff call sym.imp.printf ; int printf(const char *format)
| 0x0804853e c9 leave
\ 0x0804853f c3 ret
[0x080483d0]> pdf @ sym.parell
/ (fcn) sym.parell 68
| sym.parell (int arg_8h);
| ; var int local_4h @ ebp-0x4
| ; arg int arg_8h @ ebp+0x8
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h @ esp+0x8
| ; CALL XREF from 0x08048526 (sym.check)
| 0x08048484 55 push ebp
| 0x08048485 89e5 mov ebp, esp
| 0x08048487 83ec18 sub esp, 0x18
| 0x0804848a 8d45fc lea eax, dword [local_4h]
| 0x0804848d 89442408 mov dword [local_8h], eax
| 0x08048491 c74424046886. mov dword [local_4h_2], 0x8048668 ; [0x8048668:4]=0x50006425 ; "%d"
| 0x08048499 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| 0x0804849c 890424 mov dword [esp], eax
| 0x0804849f e800ffffff call sym.imp.sscanf ; int sscanf(const char *s,
| 0x080484a4 8b45fc mov eax, dword [local_4h]
| 0x080484a7 83e001 and eax, 1
| 0x080484aa 85c0 test eax, eax
| ,=< 0x080484ac 7518 jne 0x80484c6
| | 0x080484ae c704246b8604. mov dword [esp], str.Password_OK__n ; [0x804866b:4]=0x73736150 ; "Password OK!." @ 0x804866b
| | 0x080484b5 e8dafeffff call sym.imp.printf ; int printf(const char *format)
| | 0x080484ba c70424000000. mov dword [esp], 0
| | 0x080484c1 e8eefeffff call sym.imp.exit ; void exit(int status)
| `-> 0x080484c6 c9 leave
\ 0x080484c7 c3 ret
[0x080483d0]>
This time, if we want to modify instructions to get success, there are three places need to modify, 0x080484ea, 0x0804851e, and 0x080484ac.
Next, we use a normal method. Same function as the previous crackme, but this time, it’s not compared to 15, but to 16. And instead of a printf(“Password OK!”).
bin-linux$ ./crackme0x05
IOLI Crackme Level 0x05
Password: 97
Password Incorrect!
bin-linux$ ./crackme0x05
IOLI Crackme Level 0x05
Password: 970
Password OK!
crackme0x06
[0x08048400]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x08048400]> pdf @ sym.main
;-- main:
/ (fcn) sym.main 99
| sym.main (int arg_10h);
| ; var int local_78h @ ebp-0x78
| ; arg int arg_10h @ ebp+0x10
| ; var int local_4h @ esp+0x4
| ; DATA XREF from 0x08048417 (entry0)
| 0x08048607 55 push ebp
| 0x08048608 89e5 mov ebp, esp
| 0x0804860a 81ec88000000 sub esp, 0x88
| 0x08048610 83e4f0 and esp, 0xfffffff0
| 0x08048613 b800000000 mov eax, 0
| 0x08048618 83c00f add eax, 0xf
| 0x0804861b 83c00f add eax, 0xf
| 0x0804861e c1e804 shr eax, 4
| 0x08048621 c1e004 shl eax, 4
| 0x08048624 29c4 sub esp, eax
| 0x08048626 c70424638704. mov dword [esp], str.IOLI_Crackme_Level_0x06_n ; [0x8048763:4]=0x494c4f49 ; "IOLI Crackme Level 0x06." @ 0x8048763
| 0x0804862d e886fdffff call sym.imp.printf ; int printf(const char *format)
| 0x08048632 c704247c8704. mov dword [esp], str.Password: ; [0x804877c:4]=0x73736150 ; "Password: " @ 0x804877c
| 0x08048639 e87afdffff call sym.imp.printf ; int printf(const char *format)
| 0x0804863e 8d4588 lea eax, dword [local_78h]
| 0x08048641 89442404 mov dword [local_4h], eax
| 0x08048645 c70424878704. mov dword [esp], 0x8048787 ; [0x8048787:4]=0x7325 ; "%s"
| 0x0804864c e847fdffff call sym.imp.scanf ; int scanf(const char *format)
| 0x08048651 8b4510 mov eax, dword [arg_10h] ; [0x10:4]=0x30002
| 0x08048654 89442404 mov dword [local_4h], eax
| 0x08048658 8d4588 lea eax, dword [local_78h]
| 0x0804865b 890424 mov dword [esp], eax
| 0x0804865e e825ffffff call sym.check
| 0x08048663 b800000000 mov eax, 0
| 0x08048668 c9 leave
\ 0x08048669 c3 ret
[0x08048400]> pdf @ sym.check
/ (fcn) sym.check 127
| sym.check (int arg_8h, int arg_ch);
| ; var int local_dh @ ebp-0xd
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_8h @ ebp+0x8
| ; arg int arg_ch @ ebp+0xc
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h_2 @ esp+0x8
| ; CALL XREF from 0x0804865e (sym.main)
| 0x08048588 55 push ebp
| 0x08048589 89e5 mov ebp, esp
| 0x0804858b 83ec28 sub esp, 0x28 ; '('
| 0x0804858e c745f8000000. mov dword [local_8h], 0
| 0x08048595 c745f4000000. mov dword [local_ch], 0
| ; JMP XREF from 0x080485f7 (sym.check)
| .-> 0x0804859c 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| | 0x0804859f 890424 mov dword [esp], eax
| | 0x080485a2 e801feffff call sym.imp.strlen ; size_t strlen(const char *s)
| | 0x080485a7 3945f4 cmp dword [local_ch], eax ; [0x13:4]=256
| ,==< 0x080485aa 734d jae 0x80485f9
| || 0x080485ac 8b45f4 mov eax, dword [local_ch]
| || 0x080485af 034508 add eax, dword [arg_8h]
| || 0x080485b2 0fb600 movzx eax, byte [eax]
| || 0x080485b5 8845f3 mov byte [local_dh], al
| || 0x080485b8 8d45fc lea eax, dword [local_4h]
| || 0x080485bb 89442408 mov dword [local_8h_2], eax
| || 0x080485bf c74424043d87. mov dword [local_4h_2], 0x804873d ; [0x804873d:4]=0x50006425 ; "%d"
| || 0x080485c7 8d45f3 lea eax, dword [local_dh]
| || 0x080485ca 890424 mov dword [esp], eax
| || 0x080485cd e8f6fdffff call sym.imp.sscanf ; int sscanf(const char *s,
| || 0x080485d2 8b55fc mov edx, dword [local_4h]
| || 0x080485d5 8d45f8 lea eax, dword [local_8h]
| || 0x080485d8 0110 add dword [eax], edx
| || 0x080485da 837df810 cmp dword [local_8h], 0x10 ; [0x10:4]=0x30002
| ,===< 0x080485de 7512 jne 0x80485f2
| ||| 0x080485e0 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| ||| 0x080485e3 89442404 mov dword [local_4h_2], eax
| ||| 0x080485e7 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| ||| 0x080485ea 890424 mov dword [esp], eax
| ||| 0x080485ed e828ffffff call sym.parell
| `---> 0x080485f2 8d45f4 lea eax, dword [local_ch]
| || 0x080485f5 ff00 inc dword [eax]
| |`=< 0x080485f7 eba3 jmp 0x804859c
| `--> 0x080485f9 c704244e8704. mov dword [esp], str.Password_Incorrect__n ; [0x804874e:4]=0x73736150 ; "Password Incorrect!." @ 0x804874e
| 0x08048600 e8b3fdffff call sym.imp.printf ; int printf(const char *format)
| 0x08048605 c9 leave
\ 0x08048606 c3 ret
[0x08048400]> pdf @ sym.parell
/ (fcn) sym.parell 110
| sym.parell (int arg_8h, int arg_ch);
| ; var int local_8h_2 @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_8h @ ebp+0x8
| ; arg int arg_ch @ ebp+0xc
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h @ esp+0x8
| ; CALL XREF from 0x080485ed (sym.check)
| 0x0804851a 55 push ebp
| 0x0804851b 89e5 mov ebp, esp
| 0x0804851d 83ec18 sub esp, 0x18
| 0x08048520 8d45fc lea eax, dword [local_4h]
| 0x08048523 89442408 mov dword [local_8h], eax
| 0x08048527 c74424043d87. mov dword [local_4h_2], 0x804873d ; [0x804873d:4]=0x50006425 ; "%d"
| 0x0804852f 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| 0x08048532 890424 mov dword [esp], eax
| 0x08048535 e88efeffff call sym.imp.sscanf ; int sscanf(const char *s,
| 0x0804853a 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| 0x0804853d 89442404 mov dword [local_4h_2], eax
| 0x08048541 8b45fc mov eax, dword [local_4h]
| 0x08048544 890424 mov dword [esp], eax
| 0x08048547 e868ffffff call sym.dummy
| 0x0804854c 85c0 test eax, eax
| ,=< 0x0804854e 7436 je 0x8048586
| | 0x08048550 c745f8000000. mov dword [local_8h_2], 0
| | ; JMP XREF from 0x08048584 (sym.parell)
| .--> 0x08048557 837df809 cmp dword [local_8h_2], 9 ; [0x9:4]=0
| ,===< 0x0804855b 7f29 jg 0x8048586
| ||| 0x0804855d 8b45fc mov eax, dword [local_4h]
| ||| 0x08048560 83e001 and eax, 1
| ||| 0x08048563 85c0 test eax, eax
| ,====< 0x08048565 7518 jne 0x804857f
| |||| 0x08048567 c70424408704. mov dword [esp], str.Password_OK__n ; [0x8048740:4]=0x73736150 ; "Password OK!." @ 0x8048740
| |||| 0x0804856e e845feffff call sym.imp.printf ; int printf(const char *format)
| |||| 0x08048573 c70424000000. mov dword [esp], 0
| |||| 0x0804857a e869feffff call sym.imp.exit ; void exit(int status)
| `----> 0x0804857f 8d45f8 lea eax, dword [local_8h_2]
| ||| 0x08048582 ff00 inc dword [eax]
| |`==< 0x08048584 ebd1 jmp 0x8048557
| `-`-> 0x08048586 c9 leave
\ 0x08048587 c3 ret
[0x08048400]> pdf @ sym.dummy
/ (fcn) sym.dummy 102
| sym.dummy (int arg_ch);
| ; var int local_8h_2 @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_ch @ ebp+0xc
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h @ esp+0x8
| ; CALL XREF from 0x08048547 (sym.parell)
| 0x080484b4 55 push ebp
| 0x080484b5 89e5 mov ebp, esp
| 0x080484b7 83ec18 sub esp, 0x18
| 0x080484ba c745fc000000. mov dword [local_4h], 0
| .-> 0x080484c1 8b45fc mov eax, dword [local_4h]
| | 0x080484c4 8d1485000000. lea edx, dword [eax*4]
| | 0x080484cb 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| | 0x080484ce 833c0200 cmp dword [edx + eax], 0
| ,==< 0x080484d2 743a je 0x804850e
| || 0x080484d4 8b45fc mov eax, dword [local_4h]
| || 0x080484d7 8d0c85000000. lea ecx, dword [eax*4]
| || 0x080484de 8b550c mov edx, dword [arg_ch] ; [0xc:4]=0
| || 0x080484e1 8d45fc lea eax, dword [local_4h]
| || 0x080484e4 ff00 inc dword [eax]
| || 0x080484e6 c74424080300. mov dword [local_8h], 3
| || 0x080484ee c74424043887. mov dword [local_4h_2], str.LOLO ; [0x8048738:4]=0x4f4c4f4c ; "LOLO" @ 0x8048738
| || 0x080484f6 8b0411 mov eax, dword [ecx + edx]
| || 0x080484f9 890424 mov dword [esp], eax
| || 0x080484fc e8d7feffff call sym.imp.strncmp ; int strncmp(const char *s1, const char *s2, size_t n)
| || 0x08048501 85c0 test eax, eax
| |`=< 0x08048503 75bc jne 0x80484c1
| | 0x08048505 c745f8010000. mov dword [local_8h_2], 1
| |,=< 0x0804850c eb07 jmp 0x8048515
| `--> 0x0804850e c745f8000000. mov dword [local_8h_2], 0
| | ; JMP XREF from 0x0804850c (sym.dummy)
| `-> 0x08048515 8b45f8 mov eax, dword [local_8h_2]
| 0x08048518 c9 leave
\ 0x08048519 c3 ret
[0x08048400]> pdf @ sym.imp.sscanf
/ (fcn) sym.imp.sscanf 6
| sym.imp.sscanf ();
| ; CALL XREF from 0x080485cd (sym.check)
| ; CALL XREF from 0x08048535 (sym.parell)
\ 0x080483c8 ff2510a00408 jmp dword [reloc.sscanf_16] ; reloc.sscanf_16
Everything is same as before except the parameters of sym.check.
;before check(int passwork)
| sym.check (int arg_8h);
;now check(int password, char* argv[])
| sym.check (int arg_8h, int arg_ch);
Then the environment pointer is passed to sym.parell
| sym.parell (int arg_8h, int arg_ch);
There is a new function in sym.parell, named sym.dummy. Here are something interest:
| || 0x080484ee c74424043887. mov dword [local_4h_2], str.LOLO ; [0x8048738:4]=0x4f4c4f4c ; "LOLO" @ 0x8048738
| || 0x080484fc e8d7feffff call sym.imp.strncmp ; int strncmp(const char *s1, const char *s2, size_t n)
Looks like the binary wants the same things as the previous one, plus an environment variable named LOLO.
bin-linux$ LOLO= ./crackme0x06
IOLI Crackme Level 0x06
Password: 97
Password Incorrect!
bin-linux$ LOLO= ./crackme0x06
IOLI Crackme Level 0x06
Password: 970
Password OK!
crackme0x07
[0x08048400]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x08048400]> pdf @ sym.main
Invalid address (sym.main)
|ERROR| Invalid command 'pdf @ sym.main' (0x70)
The symbols seems have some error. rabin2 with -I, we can see the binary info.
bin-linux$ rabin2 -I crackme0x07
arch x86
binsz 4780
bintype elf
bits 32
canary false
class ELF32
crypto false
endian little
havecode true
intrp /lib/ld-linux.so.2
lang c
linenum false
lsyms false
machine Intel 80386
maxopsz 16
minopsz 1
nx true
os linux
pcalign 0
pic false
relocs false
relro partial relro
rpath NONE
static false
stripped true
subsys linux
va true
Noted that stripped true, so there have no more symbols.
[0x08048400]> pdf
;-- section..text:
/ (fcn) entry0 33
| entry0 ();
| 0x08048400 31ed xor ebp, ebp ; section 13 va=0x08048400 pa=0x00000400 sz=900 vsz=900 rwx=--r-x .text
| 0x08048402 5e pop esi
| 0x08048403 89e1 mov ecx, esp
| 0x08048405 83e4f0 and esp, 0xfffffff0
| 0x08048408 50 push eax
| 0x08048409 54 push esp
| 0x0804840a 52 push edx
| 0x0804840b 6850870408 push 0x8048750 ; "U......$........U..S.........................u.X[]..U..S."
| 0x08048410 68e0860408 push 0x80486e0
| 0x08048415 51 push ecx
| 0x08048416 56 push esi
| 0x08048417 687d860408 push main ; "U....." @ 0x804867d
\ 0x0804841c e867ffffff call sym.imp.__libc_start_main; int __libc_start_main(func main, int argc, char **ubp_av, func init, func fini, func rtld_fini, void *stack_end)
Since this is GCC-produced code, the main is likely at 0x804867d (the last push before imp.__libc_start_main)
[0x08048400]> pdf @ main
/ (fcn) main 99
| main (int arg_10h);
| ; var int local_78h @ ebp-0x78
| ; arg int arg_10h @ ebp+0x10
| ; var int local_4h @ esp+0x4
| ; DATA XREF from 0x08048417 (entry0)
| 0x0804867d 55 push ebp
| 0x0804867e 89e5 mov ebp, esp
| 0x08048680 81ec88000000 sub esp, 0x88
| 0x08048686 83e4f0 and esp, 0xfffffff0
| 0x08048689 b800000000 mov eax, 0
| 0x0804868e 83c00f add eax, 0xf
| 0x08048691 83c00f add eax, 0xf
| 0x08048694 c1e804 shr eax, 4
| 0x08048697 c1e004 shl eax, 4
| 0x0804869a 29c4 sub esp, eax
| 0x0804869c c70424d98704. mov dword [esp], str.IOLI_Crackme_Level_0x07_n ; [0x80487d9:4]=0x494c4f49 ; "IOLI Crackme Level 0x07." @ 0x80487d9
| 0x080486a3 e810fdffff call sym.imp.printf ; int printf(const char *format)
| 0x080486a8 c70424f28704. mov dword [esp], str.Password: ; [0x80487f2:4]=0x73736150 ; "Password: " @ 0x80487f2
| 0x080486af e804fdffff call sym.imp.printf ; int printf(const char *format)
| 0x080486b4 8d4588 lea eax, dword [local_78h]
| 0x080486b7 89442404 mov dword [local_4h], eax
| 0x080486bb c70424fd8704. mov dword [esp], 0x80487fd ; [0x80487fd:4]=0x7325 ; "%s"
| 0x080486c2 e8d1fcffff call sym.imp.scanf ; int scanf(const char *format)
| 0x080486c7 8b4510 mov eax, dword [arg_10h] ; [0x10:4]=0x30002
| 0x080486ca 89442404 mov dword [local_4h], eax
| 0x080486ce 8d4588 lea eax, dword [local_78h]
| 0x080486d1 890424 mov dword [esp], eax
| 0x080486d4 e8e0feffff call fcn.080485b9
| 0x080486d9 b800000000 mov eax, 0
| 0x080486de c9 leave
\ 0x080486df c3 ret
[0x08048400]> pdf @ fcn.080485b9
/ (fcn) fcn.080485b9 196
| fcn.080485b9 (int arg_8h, int arg_ch);
| ; var int local_dh @ ebp-0xd
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_8h @ ebp+0x8
| ; arg int arg_ch @ ebp+0xc
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h_2 @ esp+0x8
| ; CALL XREF from 0x080486d4 (main)
| 0x080485b9 55 push ebp
| 0x080485ba 89e5 mov ebp, esp
| 0x080485bc 83ec28 sub esp, 0x28 ; '('
| 0x080485bf c745f8000000. mov dword [local_8h], 0
| 0x080485c6 c745f4000000. mov dword [local_ch], 0
| ; JMP XREF from 0x08048628 (fcn.080485b9)
| .-> 0x080485cd 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| | 0x080485d0 890424 mov dword [esp], eax
| | 0x080485d3 e8d0fdffff call sym.imp.strlen ; size_t strlen(const char *s)
| | 0x080485d8 3945f4 cmp dword [local_ch], eax ; [0x13:4]=256
| ,==< 0x080485db 734d jae 0x804862a
| || 0x080485dd 8b45f4 mov eax, dword [local_ch]
| || 0x080485e0 034508 add eax, dword [arg_8h]
| || 0x080485e3 0fb600 movzx eax, byte [eax]
| || 0x080485e6 8845f3 mov byte [local_dh], al
| || 0x080485e9 8d45fc lea eax, dword [local_4h]
| || 0x080485ec 89442408 mov dword [local_8h_2], eax
| || 0x080485f0 c7442404c287. mov dword [local_4h_2], 0x80487c2 ; [0x80487c2:4]=0x50006425 ; "%d"
| || 0x080485f8 8d45f3 lea eax, dword [local_dh]
| || 0x080485fb 890424 mov dword [esp], eax
| || 0x080485fe e8c5fdffff call sym.imp.sscanf ; int sscanf(const char *s,
| || 0x08048603 8b55fc mov edx, dword [local_4h]
| || 0x08048606 8d45f8 lea eax, dword [local_8h]
| || 0x08048609 0110 add dword [eax], edx
| || 0x0804860b 837df810 cmp dword [local_8h], 0x10 ; [0x10:4]=0x30002
| ,===< 0x0804860f 7512 jne 0x8048623
| ||| 0x08048611 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| ||| 0x08048614 89442404 mov dword [local_4h_2], eax
| ||| 0x08048618 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| ||| 0x0804861b 890424 mov dword [esp], eax
| ||| 0x0804861e e81fffffff call 0x8048542
| `---> 0x08048623 8d45f4 lea eax, dword [local_ch]
| || 0x08048626 ff00 inc dword [eax]
| |`=< 0x08048628 eba3 jmp 0x80485cd
| `--> 0x0804862a e8f5feffff call 0x8048524
| 0x0804862f 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| 0x08048632 89442404 mov dword [local_4h_2], eax
| 0x08048636 8b45fc mov eax, dword [local_4h]
| 0x08048639 890424 mov dword [esp], eax
| 0x0804863c e873feffff call 0x80484b4
| 0x08048641 85c0 test eax, eax
| ,=< 0x08048643 7436 je 0x804867b
| | 0x08048645 c745f4000000. mov dword [local_ch], 0
| | ; JMP XREF from 0x08048679 (fcn.080485b9)
| .--> 0x0804864c 837df409 cmp dword [local_ch], 9 ; [0x9:4]=0
| ,===< 0x08048650 7f29 jg 0x804867b
| ||| 0x08048652 8b45fc mov eax, dword [local_4h]
| ||| 0x08048655 83e001 and eax, 1
| ||| 0x08048658 85c0 test eax, eax
| ,====< 0x0804865a 7518 jne 0x8048674
| |||| 0x0804865c c70424d38704. mov dword [esp], str.wtf__n ; [0x80487d3:4]=0x3f667477 ; "wtf?." @ 0x80487d3
| |||| 0x08048663 e850fdffff call sym.imp.printf ; int printf(const char *format)
| |||| 0x08048668 c70424000000. mov dword [esp], 0
| |||| 0x0804866f e874fdffff call sym.imp.exit ; void exit(int status)
| `----> 0x08048674 8d45f4 lea eax, dword [local_ch]
| ||| 0x08048677 ff00 inc dword [eax]
| |`==< 0x08048679 ebd1 jmp 0x804864c
| `-`-> 0x0804867b c9 leave
\ 0x0804867c c3 ret
The program logic is all the same.
s = 0
for i in password:
s += i
if s == 0x10:
sym.parell()
print "Invalid"
In function 0x8048542, there are something interest.
.--> 0x0804857f 837df809 cmp dword [ebp - 8], 9 ; [0x9:4]=0
,===< 0x08048583 7f32 jg 0x80485b7
So, 9 is the maximum length of password.
bin-linux$ LOLO= ./crackme0x07
IOLI Crackme Level 0x07
Password: 111111118
Password OK!
bin-linux$ LOLO= ./crackme0x07
IOLI Crackme Level 0x07
Password: 1111111117
Password Incorrect!
Crackme0x08
[0x08048400]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x08048400]> pdf @ sym.main
;-- main:
/ (fcn) sym.main 99
| sym.main (int arg_10h);
| ; var int local_78h @ ebp-0x78
| ; arg int arg_10h @ ebp+0x10
| ; var int local_4h @ esp+0x4
| ; DATA XREF from 0x08048417 (entry0)
| 0x0804867d 55 push ebp
| 0x0804867e 89e5 mov ebp, esp
| 0x08048680 81ec88000000 sub esp, 0x88
| 0x08048686 83e4f0 and esp, 0xfffffff0
| 0x08048689 b800000000 mov eax, 0
| 0x0804868e 83c00f add eax, 0xf
| 0x08048691 83c00f add eax, 0xf
| 0x08048694 c1e804 shr eax, 4
| 0x08048697 c1e004 shl eax, 4
| 0x0804869a 29c4 sub esp, eax
| 0x0804869c c70424d98704. mov dword [esp], str.IOLI_Crackme_Level_0x08_n ; [0x80487d9:4]=0x494c4f49 ; "IOLI Crackme Level 0x08." @ 0x80487d9
| 0x080486a3 e810fdffff call sym.imp.printf ; int printf(const char *format)
| 0x080486a8 c70424f28704. mov dword [esp], str.Password: ; [0x80487f2:4]=0x73736150 ; "Password: " @ 0x80487f2
| 0x080486af e804fdffff call sym.imp.printf ; int printf(const char *format)
| 0x080486b4 8d4588 lea eax, dword [local_78h]
| 0x080486b7 89442404 mov dword [local_4h], eax
| 0x080486bb c70424fd8704. mov dword [esp], 0x80487fd ; [0x80487fd:4]=0x7325 ; "%s"
| 0x080486c2 e8d1fcffff call sym.imp.scanf ; int scanf(const char *format)
| 0x080486c7 8b4510 mov eax, dword [arg_10h] ; [0x10:4]=0x30002
| 0x080486ca 89442404 mov dword [local_4h], eax
| 0x080486ce 8d4588 lea eax, dword [local_78h]
| 0x080486d1 890424 mov dword [esp], eax
| 0x080486d4 e8e0feffff call sym.check
| 0x080486d9 b800000000 mov eax, 0
| 0x080486de c9 leave
\ 0x080486df c3 ret
[0x08048400]> pdf @ sym.check
/ (fcn) sym.check 196
| sym.check (int arg_8h, int arg_ch);
| ; var int local_dh @ ebp-0xd
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_8h @ ebp+0x8
| ; arg int arg_ch @ ebp+0xc
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h_2 @ esp+0x8
| ; CALL XREF from 0x080486d4 (sym.main)
| 0x080485b9 55 push ebp
| 0x080485ba 89e5 mov ebp, esp
| 0x080485bc 83ec28 sub esp, 0x28 ; '('
| 0x080485bf c745f8000000. mov dword [local_8h], 0
| 0x080485c6 c745f4000000. mov dword [local_ch], 0
| ; JMP XREF from 0x08048628 (sym.check)
| .-> 0x080485cd 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| | 0x080485d0 890424 mov dword [esp], eax
| | 0x080485d3 e8d0fdffff call sym.imp.strlen ; size_t strlen(const char *s)
| | 0x080485d8 3945f4 cmp dword [local_ch], eax ; [0x13:4]=256
| ,==< 0x080485db 734d jae 0x804862a
| || 0x080485dd 8b45f4 mov eax, dword [local_ch]
| || 0x080485e0 034508 add eax, dword [arg_8h]
| || 0x080485e3 0fb600 movzx eax, byte [eax]
| || 0x080485e6 8845f3 mov byte [local_dh], al
| || 0x080485e9 8d45fc lea eax, dword [local_4h]
| || 0x080485ec 89442408 mov dword [local_8h_2], eax
| || 0x080485f0 c7442404c287. mov dword [local_4h_2], 0x80487c2 ; [0x80487c2:4]=0x50006425 ; "%d"
| || 0x080485f8 8d45f3 lea eax, dword [local_dh]
| || 0x080485fb 890424 mov dword [esp], eax
| || 0x080485fe e8c5fdffff call sym.imp.sscanf ; int sscanf(const char *s,
| || 0x08048603 8b55fc mov edx, dword [local_4h]
| || 0x08048606 8d45f8 lea eax, dword [local_8h]
| || 0x08048609 0110 add dword [eax], edx
| || 0x0804860b 837df810 cmp dword [local_8h], 0x10 ; [0x10:4]=0x30002
| ,===< 0x0804860f 7512 jne 0x8048623
| ||| 0x08048611 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| ||| 0x08048614 89442404 mov dword [local_4h_2], eax
| ||| 0x08048618 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| ||| 0x0804861b 890424 mov dword [esp], eax
| ||| 0x0804861e e81fffffff call sym.parell
| `---> 0x08048623 8d45f4 lea eax, dword [local_ch]
| || 0x08048626 ff00 inc dword [eax]
| |`=< 0x08048628 eba3 jmp 0x80485cd
| `--> 0x0804862a e8f5feffff call sym.che
| 0x0804862f 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| 0x08048632 89442404 mov dword [local_4h_2], eax
| 0x08048636 8b45fc mov eax, dword [local_4h]
| 0x08048639 890424 mov dword [esp], eax
| 0x0804863c e873feffff call sym.dummy
| 0x08048641 85c0 test eax, eax
| ,=< 0x08048643 7436 je 0x804867b
| | 0x08048645 c745f4000000. mov dword [local_ch], 0
| | ; JMP XREF from 0x08048679 (sym.check)
| .--> 0x0804864c 837df409 cmp dword [local_ch], 9 ; [0x9:4]=0
| ,===< 0x08048650 7f29 jg 0x804867b
| ||| 0x08048652 8b45fc mov eax, dword [local_4h]
| ||| 0x08048655 83e001 and eax, 1
| ||| 0x08048658 85c0 test eax, eax
| ,====< 0x0804865a 7518 jne 0x8048674
| |||| 0x0804865c c70424d38704. mov dword [esp], str.wtf__n ; [0x80487d3:4]=0x3f667477 ; "wtf?." @ 0x80487d3
| |||| 0x08048663 e850fdffff call sym.imp.printf ; int printf(const char *format)
| |||| 0x08048668 c70424000000. mov dword [esp], 0
| |||| 0x0804866f e874fdffff call sym.imp.exit ; void exit(int status)
| `----> 0x08048674 8d45f4 lea eax, dword [local_ch]
| ||| 0x08048677 ff00 inc dword [eax]
| |`==< 0x08048679 ebd1 jmp 0x804864c
| `-`-> 0x0804867b c9 leave
\ 0x0804867c c3 ret
[0x08048400]> pdf @ sym.che
/ (fcn) sym.che 30
| sym.che ();
| ; CALL XREF from 0x0804862a (sym.check)
| 0x08048524 55 push ebp
| 0x08048525 89e5 mov ebp, esp
| 0x08048527 83ec08 sub esp, 8
| 0x0804852a c70424ad8704. mov dword [esp], str.Password_Incorrect__n ; [0x80487ad:4]=0x73736150 ; "Password Incorrect!." @ 0x80487ad
| 0x08048531 e882feffff call sym.imp.printf ; int printf(const char *format)
| 0x08048536 c70424000000. mov dword [esp], 0
\ 0x0804853d e8a6feffff call sym.imp.exit ; void exit(int status)
[0x08048400]> pdf @ sym.parell
/ (fcn) sym.parell 119
| sym.parell (int arg_8h, int arg_ch);
| ; var int local_8h_2 @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_8h @ ebp+0x8
| ; arg int arg_ch @ ebp+0xc
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h @ esp+0x8
| ; CALL XREF from 0x0804861e (sym.check)
| 0x08048542 55 push ebp
| 0x08048543 89e5 mov ebp, esp
| 0x08048545 83ec18 sub esp, 0x18
| 0x08048548 8d45fc lea eax, dword [local_4h]
| 0x0804854b 89442408 mov dword [local_8h], eax
| 0x0804854f c7442404c287. mov dword [local_4h_2], 0x80487c2 ; [0x80487c2:4]=0x50006425 ; "%d"
| 0x08048557 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| 0x0804855a 890424 mov dword [esp], eax
| 0x0804855d e866feffff call sym.imp.sscanf ; int sscanf(const char *s,
| 0x08048562 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| 0x08048565 89442404 mov dword [local_4h_2], eax
| 0x08048569 8b45fc mov eax, dword [local_4h]
| 0x0804856c 890424 mov dword [esp], eax
| 0x0804856f e840ffffff call sym.dummy
| 0x08048574 85c0 test eax, eax
| ,=< 0x08048576 743f je 0x80485b7
| | 0x08048578 c745f8000000. mov dword [local_8h_2], 0
| | ; JMP XREF from 0x080485b5 (sym.parell)
| .--> 0x0804857f 837df809 cmp dword [local_8h_2], 9 ; [0x9:4]=0
| ,===< 0x08048583 7f32 jg 0x80485b7
| ||| 0x08048585 8b45fc mov eax, dword [local_4h]
| ||| 0x08048588 83e001 and eax, 1
| ||| 0x0804858b 85c0 test eax, eax
| ,====< 0x0804858d 7521 jne 0x80485b0
| |||| 0x0804858f 833d2ca00408. cmp dword obj.LOL, 1 ; [0x1:4]=0x1464c45
| ,=====< 0x08048596 750c jne 0x80485a4
| ||||| 0x08048598 c70424c58704. mov dword [esp], str.Password_OK__n ; [0x80487c5:4]=0x73736150 ; "Password OK!." @ 0x80487c5
| ||||| 0x0804859f e814feffff call sym.imp.printf ; int printf(const char *format)
| `-----> 0x080485a4 c70424000000. mov dword [esp], 0
| |||| 0x080485ab e838feffff call sym.imp.exit ; void exit(int status)
| `----> 0x080485b0 8d45f8 lea eax, dword [local_8h_2]
| ||| 0x080485b3 ff00 inc dword [eax]
| |`==< 0x080485b5 ebc8 jmp 0x804857f
| `-`-> 0x080485b7 c9 leave
\ 0x080485b8 c3 ret
[0x08048400]> pdf @ sym.dummy
/ (fcn) sym.dummy 112
| sym.dummy (int arg_ch);
| ; var int local_8h_2 @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; arg int arg_ch @ ebp+0xc
| ; var int local_4h_2 @ esp+0x4
| ; var int local_8h @ esp+0x8
| ; CALL XREF from 0x0804863c (sym.check)
| ; CALL XREF from 0x0804856f (sym.parell)
| 0x080484b4 55 push ebp
| 0x080484b5 89e5 mov ebp, esp
| 0x080484b7 83ec18 sub esp, 0x18
| 0x080484ba c745fc000000. mov dword [local_4h], 0
| .-> 0x080484c1 8b45fc mov eax, dword [local_4h]
| | 0x080484c4 8d1485000000. lea edx, dword [eax*4]
| | 0x080484cb 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| | 0x080484ce 833c0200 cmp dword [edx + eax], 0
| ,==< 0x080484d2 7444 je 0x8048518
| || 0x080484d4 8b45fc mov eax, dword [local_4h]
| || 0x080484d7 8d0c85000000. lea ecx, dword [eax*4]
| || 0x080484de 8b550c mov edx, dword [arg_ch] ; [0xc:4]=0
| || 0x080484e1 8d45fc lea eax, dword [local_4h]
| || 0x080484e4 ff00 inc dword [eax]
| || 0x080484e6 c74424080300. mov dword [local_8h], 3
| || 0x080484ee c7442404a887. mov dword [local_4h_2], str.LOLO ; [0x80487a8:4]=0x4f4c4f4c ; "LOLO" @ 0x80487a8
| || 0x080484f6 8b0411 mov eax, dword [ecx + edx]
| || 0x080484f9 890424 mov dword [esp], eax
| || 0x080484fc e8d7feffff call sym.imp.strncmp ; int strncmp(const char *s1, const char *s2, size_t n)
| || 0x08048501 85c0 test eax, eax
| |`=< 0x08048503 75bc jne 0x80484c1
| | 0x08048505 c7052ca00408. mov dword obj.LOL, 1 ; [0x804a02c:4]=0x4728203a ; ": (GNU) 3.4.6 (Gentoo 3.4.6-r2, ssp-3.4.6-1.0, pie-8.7.10)" @ 0x804a02c
| | 0x0804850f c745f8010000. mov dword [local_8h_2], 1
| |,=< 0x08048516 eb07 jmp 0x804851f
| `--> 0x08048518 c745f8000000. mov dword [local_8h_2], 0
| | ; JMP XREF from 0x08048516 (sym.dummy)
| `-> 0x0804851f 8b45f8 mov eax, dword [local_8h_2]
| 0x08048522 c9 leave
\ 0x08048523 c3 ret
It just like a unstripped version of crackme0x07.
bin-linux$ LOLO= ./crackme0x08
IOLI Crackme Level 0x08
Password: 111111118
Password OK!
bin-linux$ LOLO= ./crackme0x08
IOLI Crackme Level 0x08
Password: 1111111117
Password Incorrect!
crackme0x09
bin-linux$ rabin2 -I crackme0x09
arch x86
binsz 4780
bintype elf
bits 32
canary false
class ELF32
crypto false
endian little
havecode true
intrp /lib/ld-linux.so.2
lang c
linenum false
lsyms false
machine Intel 80386
maxopsz 16
minopsz 1
nx true
os linux
pcalign 0
pic false
relocs false
relro partial relro
rpath NONE
static false
stripped true
subsys linux
va true
It is stripped.
[0x08048420]> pdf @ main
/ (fcn) main 120
| main (int arg_10h);
| ; var int local_78h @ ebp-0x78
| ; var int local_4h_2 @ ebp-0x4
| ; arg int arg_10h @ ebp+0x10
| ; var int local_4h @ esp+0x4
| ; DATA XREF from 0x08048437 (entry0)
| 0x080486ee 55 push ebp
| 0x080486ef 89e5 mov ebp, esp
| 0x080486f1 53 push ebx
| 0x080486f2 81ec84000000 sub esp, 0x84
| 0x080486f8 e869000000 call fcn.08048766
| 0x080486fd 81c3f7180000 add ebx, 0x18f7
| 0x08048703 83e4f0 and esp, 0xfffffff0
| 0x08048706 b800000000 mov eax, 0
| 0x0804870b 83c00f add eax, 0xf
| 0x0804870e 83c00f add eax, 0xf
| 0x08048711 c1e804 shr eax, 4
| 0x08048714 c1e004 shl eax, 4
| 0x08048717 29c4 sub esp, eax
| 0x08048719 8d8375e8ffff lea eax, dword [ebx - 0x178b]
| 0x0804871f 890424 mov dword [esp], eax
| 0x08048722 e8b9fcffff call sym.imp.printf ; int printf(const char *format)
| 0x08048727 8d838ee8ffff lea eax, dword [ebx - 0x1772]
| 0x0804872d 890424 mov dword [esp], eax
| 0x08048730 e8abfcffff call sym.imp.printf ; int printf(const char *format)
| 0x08048735 8d4588 lea eax, dword [local_78h]
| 0x08048738 89442404 mov dword [local_4h], eax
| 0x0804873c 8d8399e8ffff lea eax, dword [ebx - 0x1767]
| 0x08048742 890424 mov dword [esp], eax
| 0x08048745 e876fcffff call sym.imp.scanf ; int scanf(const char *format)
| 0x0804874a 8b4510 mov eax, dword [arg_10h] ; [0x10:4]=0x30002
| 0x0804874d 89442404 mov dword [local_4h], eax
| 0x08048751 8d4588 lea eax, dword [local_78h]
| 0x08048754 890424 mov dword [esp], eax
| 0x08048757 e8bafeffff call fcn.08048616
| 0x0804875c b800000000 mov eax, 0
| 0x08048761 8b5dfc mov ebx, dword [local_4h_2]
| 0x08048764 c9 leave
\ 0x08048765 c3 ret
[0x08048420]> pdf @ fcn.08048766
/ (fcn) fcn.08048766 4
| fcn.08048766 ();
| ; CALL XREF from 0x080486f8 (main)
| ; CALL XREF from 0x0804861d (fcn.08048616)
| 0x08048766 8b1c24 mov ebx, dword [esp]
\ 0x08048769 c3 ret
[0x08048420]> pdf @ fcn.08048616
/ (fcn) fcn.08048616 216
| fcn.08048616 (int arg_8h, int arg_ch);
| ; var int local_11h @ ebp-0x11
| ; var int local_10h @ ebp-0x10
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; arg int arg_8h @ ebp+0x8
| ; arg int arg_ch @ ebp+0xc
| ; var int local_4h @ esp+0x4
| ; var int local_8h_2 @ esp+0x8
| ; CALL XREF from 0x08048757 (main)
| 0x08048616 55 push ebp
| 0x08048617 89e5 mov ebp, esp
| 0x08048619 53 push ebx
| 0x0804861a 83ec24 sub esp, 0x24 ; '$'
| 0x0804861d e844010000 call fcn.08048766
| 0x08048622 81c3d2190000 add ebx, 0x19d2
| 0x08048628 c745f4000000. mov dword [local_ch], 0
| 0x0804862f c745f0000000. mov dword [local_10h], 0
| ; JMP XREF from 0x08048693 (fcn.08048616)
| .-> 0x08048636 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| | 0x08048639 890424 mov dword [esp], eax
| | 0x0804863c e88ffdffff call sym.imp.strlen ; size_t strlen(const char *s)
| | 0x08048641 3945f0 cmp dword [local_10h], eax ; [0x13:4]=256
| ,==< 0x08048644 734f jae 0x8048695
| || 0x08048646 8b45f0 mov eax, dword [local_10h]
| || 0x08048649 034508 add eax, dword [arg_8h]
| || 0x0804864c 0fb600 movzx eax, byte [eax]
| || 0x0804864f 8845ef mov byte [local_11h], al
| || 0x08048652 8d45f8 lea eax, dword [local_8h]
| || 0x08048655 89442408 mov dword [local_8h_2], eax
| || 0x08048659 8d835ee8ffff lea eax, dword [ebx - 0x17a2]
| || 0x0804865f 89442404 mov dword [local_4h], eax
| || 0x08048663 8d45ef lea eax, dword [local_11h]
| || 0x08048666 890424 mov dword [esp], eax
| || 0x08048669 e882fdffff call sym.imp.sscanf ; int sscanf(const char *s,
| || 0x0804866e 8b55f8 mov edx, dword [local_8h]
| || 0x08048671 8d45f4 lea eax, dword [local_ch]
| || 0x08048674 0110 add dword [eax], edx
| || 0x08048676 837df410 cmp dword [local_ch], 0x10 ; [0x10:4]=0x30002
| ,===< 0x0804867a 7512 jne 0x804868e
| ||| 0x0804867c 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| ||| 0x0804867f 89442404 mov dword [local_4h], eax
| ||| 0x08048683 8b4508 mov eax, dword [arg_8h] ; [0x8:4]=0
| ||| 0x08048686 890424 mov dword [esp], eax
| ||| 0x08048689 e8fbfeffff call 0x8048589
| `---> 0x0804868e 8d45f0 lea eax, dword [local_10h]
| || 0x08048691 ff00 inc dword [eax]
| |`=< 0x08048693 eba1 jmp 0x8048636
| `--> 0x08048695 e8c3feffff call 0x804855d
| 0x0804869a 8b450c mov eax, dword [arg_ch] ; [0xc:4]=0
| 0x0804869d 89442404 mov dword [local_4h], eax
| 0x080486a1 8b45f8 mov eax, dword [local_8h]
| 0x080486a4 890424 mov dword [esp], eax
| 0x080486a7 e828feffff call 0x80484d4
| 0x080486ac 85c0 test eax, eax
| ,=< 0x080486ae 7438 je 0x80486e8
| | 0x080486b0 c745f0000000. mov dword [local_10h], 0
| | ; JMP XREF from 0x080486e6 (fcn.08048616)
| .--> 0x080486b7 837df009 cmp dword [local_10h], 9 ; [0x9:4]=0
| ,===< 0x080486bb 7f2b jg 0x80486e8
| ||| 0x080486bd 8b45f8 mov eax, dword [local_8h]
| ||| 0x080486c0 83e001 and eax, 1
| ||| 0x080486c3 85c0 test eax, eax
| ,====< 0x080486c5 751a jne 0x80486e1
| |||| 0x080486c7 8d836fe8ffff lea eax, dword [ebx - 0x1791]
| |||| 0x080486cd 890424 mov dword [esp], eax
| |||| 0x080486d0 e80bfdffff call sym.imp.printf ; int printf(const char *format)
| |||| 0x080486d5 c70424000000. mov dword [esp], 0
| |||| 0x080486dc e82ffdffff call sym.imp.exit ; void exit(int status)
| `----> 0x080486e1 8d45f0 lea eax, dword [local_10h]
| ||| 0x080486e4 ff00 inc dword [eax]
| |`==< 0x080486e6 ebcf jmp 0x80486b7
| `-`-> 0x080486e8 83c424 add esp, 0x24 ; '$'
| 0x080486eb 5b pop ebx
| 0x080486ec 5d pop ebp
\ 0x080486ed c3 ret
bin-linux$ LOLO= ./crackme0x09
IOLI Crackme Level 0x09
Password: 111111118
Password OK!
bin-linux$ LOLO= ./crackme0x09
IOLI Crackme Level 0x09
Password: 1111111117
Password Incorrect!
Comments