IOLI Crackme 0x01 solution

Let's continue our IOLI journey with level 0x01.

root@kali:~/IOLI-crackme/bin-linux# r2 crackme0x01

Analyze the binary:

[0x08048330]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn. and sym.func. functions (aan)
[x] Type matching analysis for all functions (afta)
[x] Use -AA or aaaa to perform additional experimental analysis.

Show the function list:

[0x08048330]> afl
0x080482d4 1 23 sym.init
0x080482fc 1 6 sym.imp.libcstartmain
0x0804830c 1 6 sym.imp.scanf
0x0804831c 1 6 sym.imp.printf
0x08048330 1 33 entry0
0x08048354 3 33 fcn.08048354
0x08048380 6 47 sym.doglobaldtorsaux
0x080483b0 4 50 sym.framedummy
0x080483e4 4 113 main
0x08048460 4 99 sym.libccsuinit
0x080484d0 1 5 sym.libccsufini
0x080484d5 1 4 sym.i686.getpcthunk.bx
0x080484e0 4 35 sym.doglobalctorsaux
0x08048504 1 26 sym.fini

Disassemble the main function:

[0x08048330]> pdf @main
*┌ (fcn) main 113
│ main (int argc, char argv, char envp);
│ ; var unsigned int local4h @ ebp-0x4
│ ; var int local4h2 @ esp+0x4
│ ; DATA XREF from entry0 (0x8048347)
│ 0x080483e4 55 push ebp
│ 0x080483e5 89e5 mov ebp, esp
│ 0x080483e7 83ec18 sub esp, 0x18
│ 0x080483ea 83e4f0 and esp, 0xfffffff0
│ 0x080483ed b800000000 mov eax, 0
│ 0x080483f2 83c00f add eax, 0xf
│ 0x080483f5 83c00f add eax, 0xf
│ 0x080483f8 c1e804 shr eax, 4
│ 0x080483fb c1e004 shl eax, 4
│ 0x080483fe 29c4 sub esp, eax
│ 0x08048400 c70424288504. mov dword [esp], str.IOLICrackmeLevel0x01
│ 0x08048407 e810ffffff call sym.imp.printf
│ 0x0804840c c70424418504. mov dword [esp], str.Password: ; [0x8048541:4]=0x73736150 ; "Password: "
│ 0x08048413 e804ffffff call sym.imp.printf
│ 0x08048418 8d45fc lea eax, dword [local4h]
│ 0x0804841b 89442404 mov dword [local4h2], eax
│ 0x0804841f c704244c8504. mov dword [esp], 0x804854c
│ 0x08048426 e8e1feffff call sym.imp.scanf
│ 0x0804842b 817dfc9a1400. cmp dword [local4h], 0x149a
│ ┌─< 0x08048432 740e je 0x8048442
│ │ 0x08048434 c704244f8504. mov dword [esp], str.InvalidPassword ; [0x804854f:4]=0x61766e49 ; "Invalid Password!\n"
│ │ 0x0804843b e8dcfeffff call sym.imp.printf
│ ┌──< 0x08048440 eb0c jmp 0x804844e
│ ││ ; CODE XREF from main (0x8048432)
│ │└─> 0x08048442 c70424628504. mov dword [esp], str.PasswordOK: ; [0x8048562:4]=0x73736150 ; "Password OK :)\n"
│ │ 0x08048449 e8cefeffff call sym.imp.printf
│ │ ; CODE XREF from main (0x8048440)
│ └──> 0x0804844e b800000000 mov eax, 0
│ 0x08048453 c9 leave
└ 0x08048454 c3 ret *

[0x08048330]> ? 0x149a
hex 0x149a
octal 012232
unit 5.2K
segment 0000:049a
int32 5274
string "\x9a\x14"
binary 0b0001010010011010
fvalue: 5274.0
float: 0.000000f
double: 0.000000
trits 0t21020100

[0x08048330]> ! ./crackme0x01
IOLI Crackme Level 0x01
Password: 5274
Password OK :)
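
The check that main performs, rewritten in C as an added example (not code from the original post or from the crackme's source). It assumes the scanf format string at 0x804854c is "%d", which the page does not print; check_password is a hypothetical helper name, and it parses from a string so the comparison can be exercised without stdin.

```c
#include <stdio.h>

/* Constant taken from the disassembly: cmp dword [ebp-0x4], 0x149a */
#define EXPECTED 0x149a

/* Assumption: the format string at 0x804854c is "%d". The page never prints
   it, but the decimal input 5274 being accepted is consistent with it. */
#define INPUT_FORMAT "%d"

/* Hypothetical helper mirroring the scanf + cmp + je sequence in main. */
int check_password(const char *input)
{
    int value = 0;

    /* The disassembly never tests scanf's return value, so on a failed
       conversion the original compares whatever is at ebp-0x4. Here a
       failed conversion is treated as a wrong password. */
    if (sscanf(input, INPUT_FORMAT, &value) != 1)
        return 0;

    /* "%d" is decimal only: "0x149a" converts as 0 and stops at the 'x',
       while trailing characters after 5274 are simply left unread. */
    return value == EXPECTED;   /* je 0x8048442 is taken when equal */
}

int main(void)
{
    char line[64];

    printf("IOLI Crackme Level 0x01\n");
    printf("Password: ");
    if (!fgets(line, sizeof line, stdin))
        return 0;

    if (check_password(line))
        printf("Password OK :)\n");
    else
        printf("Invalid Password!\n");
    return 0;                   /* mov eax, 0 ; leave ; ret */
}
```

Because the comparison is made on the parsed integer, the password has to be typed as the decimal value of 0x149a rather than in the hex form shown in the disassembly.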
