int printf(const char *format)
| 0x0804840c c70424418504. mov dword [esp],
str.Password: ; [0x8048541:4]=0x73736150 ; "Password: "
| 0x08048413 e804ffffff call sym.imp.printf ;
int printf(const char *format)
| 0x08048418 8d45fc lea eax, [var_4h]
| 0x0804841b 89442404 mov dword [var_sp_4h], eax
| 0x0804841f c704244c8504. mov dword [esp], 0x804854c ;
[0x804854c:4]=0x49006425
| 0x08048426 e8e1feffff call sym.imp.scanf ;
int scanf(const char *format)
| 0x0804842b 817dfc9a1400. cmp dword [var_4h], 0x149a
| ,=< 0x08048432 740e je 0x8048442
| | 0x08048434 c704244f8504. mov dword [esp],
str.Invalid_Password ; [0x804854f:4]=0x61766e49 ; "Invalid Password!\n"
| | 0x0804843b e8dcfeffff call sym.imp.printf ;
int printf(const char *format)
| ,==< 0x08048440 eb0c jmp 0x804844e
| |`-> 0x08048442 c70424628504. mov dword [esp],
str.Password_OK_: ; [0x8048562:4]=0x73736150 ; "Password OK :)\n"
| | 0x08048449 e8cefeffff call sym.imp.printf ;
int printf(const char *format)
| | ; CODE XREF from main @ 0x8048440
| `--> 0x0804844e b800000000 mov eax, 0
| 0x08048453 c9 leave
\ 0x08048454 c3 ret
"aa" tells r2 to analyze the whole binary, which gets you symbol names, among things.
"pdf" stands for
• Disassemble
• Function
This will print the disassembly of the main function, or the main() that everyone knows. You can see several things as well: weird names, arrows, etc.
• "imp." stands for imports. Those are imported symbols, like printf()
• "str." stands for strings. Those are strings (obviously).
If you look carefully, you'll see a cmp instruction, with a constant, 0x149a. cmp is an x86 compare instruction, and the 0x in front of it specifies it is in base 16, or hex (hexadecimal).
0x0804842b 817dfc9a140. cmp dword [ebp + 0xfffffffc], 0x149a
You can use radare2's ? command to display 0x149a in another numeric base.
[0x08048330]> ? 0x149a
int32 5274
uint32 5274
hex 0x149a
octal 012232
unit 5.2K
segment 0000:049a
string "\x9a\x14"
fvalue: 5274.0
float: 0.000000f
double: 0.000000
binary 0b0001010010011010
trits 0t21020100
So now we know that 0x149a is 5274 in decimal. Let's try this as a password.
$ ./crackme0x01
IOLI Crackme Level 0x01
Password: 5274
Password OK :)
Bingo, the password was 5274. In this case, the password function at 0x0804842b was comparing the input against the value, 0x149a in hex. Since user input is usually decimal, it was a safe bet that the input was intended to be in decimal, or 5274. Now, since we're hackers, and curiosity drives us, let's see what happens when we input in hex.
$ ./crackme0x01
IOLI Crackme Level 0x01
Password: 0x149a
Invalid Password!
It was worth a shot, but it doesn't work. That's because scanf() will take the 0 in 0x149a to be a zero, rather than accepting the input as actually being the hex value.
And this concludes IOLI 0x01.
IOLI 0x02
This is the third one.
$ ./crackme0x02
IOLI Crackme Level 0x02
Password: hello
Invalid Password!
check it with rabin2.
$ rabin2 -z ./crackme0x02
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00000548 0x08048548 24 25 .rodata ascii IOLI Crackme Level 0x02\n
1 0x00000561 0x08048561 10 11 .rodata ascii Password:
2 0x0000056f 0x0804856f 15 16 .rodata ascii Password OK :)\n
3 0x0000057f 0x0804857f 18 19 .rodata ascii Invalid Password!\n
similar to 0x01, no explicity password string here. so it's time to analyze it with r2.
[0x08048330]>
aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x08048330]> pdf@main
; DATA XREF from entry0 @ 0x8048347
/ 144: int main (int argc, char **argv, char **envp);
| ; var int32_t var_ch @ ebp-0xc
| ; var int32_t var_8h @ ebp-0x8
| ; var int32_t var_4h @ ebp-0x4
| ; var int32_t var_sp_4h @ esp+0x4
| 0x080483e4 55 push ebp
| 0x080483e5 89e5 mov ebp, esp
| 0x080483e7 83ec18 sub esp, 0x18
| 0x080483ea 83e4f0 and esp, 0xfffffff0
| 0x080483ed b800000000 mov eax, 0
| 0x080483f2 83c00f add eax, 0xf ;
15
| 0x080483f5 83c00f add eax, 0xf ;
15
| 0x080483f8 c1e804 shr eax, 4
| 0x080483fb c1e004 shl eax, 4
| 0x080483fe 29c4 sub esp, eax
| 0x08048400 c70424488504. mov dword [esp],
str.IOLI_Crackme_Level_0x02 ; [0x8048548:4]=0x494c4f49 ; "IOLI Crackme
Level 0x02\n"
| 0x08048407 e810ffffff call sym.imp.printf ;
int printf(const char *format)
| 0x0804840c c70424618504. mov dword [esp],
str.Password: ; [0x8048561:4]=0x73736150 ; "Password: "
| 0x08048413 e804ffffff call sym.imp.printf ;
int printf(const char *format)
| 0x08048418 8d45fc lea eax, [var_4h]
| 0x0804841b 89442404 mov dword [var_sp_4h], eax
| 0x0804841f c704246c8504. mov dword [esp], 0x804856c ;
[0x804856c:4]=0x50006425
| 0x08048426 e8e1feffff call sym.imp.scanf ;
int scanf(const char *format)
| 0x0804842b c745f85a0000. mov dword [var_8h], 0x5a ;
'Z' ; 90
| 0x08048432 c745f4ec0100. mov dword [var_ch], 0x1ec ;
492
| 0x08048439 8b55f4 mov edx, dword [var_ch]
| 0x0804843c 8d45f8 lea eax, [var_8h]
| 0x0804843f 0110 add dword [eax], edx
| 0x08048441 8b45f8 mov eax, dword [var_8h]
| 0x08048444 0faf45f8 imul eax, dword [var_8h]
| 0x08048448 8945f4 mov dword [var_ch], eax
| 0x0804844b 8b45fc mov eax, dword [var_4h]
| 0x0804844e 3b45f4 cmp eax, dword [var_ch]
| ,=< 0x08048451 750e jne 0x8048461
| | 0x08048453 c704246f8504. mov dword [esp],
str.Password_OK_: ; [0x804856f:4]=0x73736150 ; "Password OK :)\n"
| | 0x0804845a e8bdfeffff call sym.imp.printf ;
int printf(const char *format)
| ,==< 0x0804845f eb0c jmp 0x804846d
| |`-> 0x08048461 c704247f8504. mov dword [esp],
str.Invalid_Password ; [0x804857f:4]=0x61766e49 ; "Invalid Password!\n"
| | 0x08048468 e8affeffff call sym.imp.printf ;
int printf(const char *format)
| | ; CODE XREF from main @ 0x804845f
| `--> 0x0804846d b800000000 mov eax, 0
| 0x08048472 c9 leave
\ 0x08048473 c3 ret
with the experience of solving crackme0x02, we first locate the position of cmp instruction by using this simple oneliner:
[0x08048330]> pdf@main | grep cmp
| 0x0804844e 3b45f4 cmp eax, dword [var_ch]
Unfortunately, the variable compared to eax is stored in the stack. we can't check the value of this variable directly. It's a common case in reverse engineerning that we have to derive the value of the variable from the previous sequence. As the amount of code is relatively small, it's possible.
for example:
| 0x080483ed b800000000 mov eax, 0
| 0x080483f2 83c00f add eax, 0xf ; 15
| 0x080483f5 83c00f add eax, 0xf ; 15
| 0x080483f8 c1e804 shr eax, 4
| 0x080483fb c1e004 shl eax, 4
| 0x080483fe 29c4 sub esp, eax
we can easily get the value of eax. it's 0x16.
It gets hard when the scale of program grows. radare2 provides a pseudo disassembler output in C-like syntax. It may be useful.
[0x08048330]> pdc@main
function main () {
// 4 basic blocks
loc_0x80483e4:
//DATA XREF from entry0 @ 0x8048347
push ebp
ebp = esp
esp -= 0x18
esp &= 0xfffffff0
eax = 0
eax += 0xf //15
eax += 0xf //15
eax >>>= 4
eax <<<= 4
esp -= eax
dword [esp] = "IOLI Crackme Level 0x02\n" //[0x8048548:4]=0x494c4f49 ; str.IOLI_Crackme_Level_0x02 ; const char *format
int printf("IOLI Crackme Level 0x02\n")
dword [esp] = "Password: " //[0x8048561:4]=0x73736150 ; str.Password: ; const char *format
int printf("Password: ")
eax = var_4h
dword [var_sp_4h] = eax