IOLI Crackme 0x02 solution

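This is another IOLI crackme challenge solution. The binary is disassembled with radare2, and the password check in main turns out to be a single comparison: main stores 0x5a and 0x1ec in two locals, adds them (0x5a + 0x1ec = 582), squares the sum (582 * 582 = 338724), and compares the result with the value scanf stored in local4h. The jne at 0x08048451 skips the "Password OK" branch when the two values differ. The solution below works on a copy of the binary opened in write mode (r2 -w) and overwrites that two-byte jne with two NOPs (wx 9090), so the patched copy prints "Password OK :)" for any input, as the final run with 11 shows.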

root@kali:~/IOLI-crackme/bin-linux# r2 crackme0x02

[0x08048330]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn. and sym.func. functions (aan)
[x] Type matching analysis for all functions (afta)
[x] Use -AA or aaaa to perform additional experimental analysis.

[0x08048330]> afl
0x080482d4 1 23 sym.init
0x080482fc 1 6 sym.imp.libcstartmain
0x0804830c 1 6 sym.imp.scanf
0x0804831c 1 6 sym.imp.printf
0x08048330 1 33 entry0
0x08048354 3 33 fcn.08048354
0x08048380 6 47 sym.doglobaldtorsaux
0x080483b0 4 50 sym.framedummy
0x080483e4 4 144 main
0x08048480 4 99 sym.libccsuinit
0x080484f0 1 5 sym.libccsufini
0x080484f5 1 4 sym.i686.getpcthunk.bx
0x08048500 4 35 sym.doglobalctorsaux
0x08048524 1 26 sym.fini

[0x08048330]> pdf @main
┌ (fcn) main 144
│ main (int argc, char argv, char envp);
│ ; var unsigned int localch @ ebp-0xc
│ ; var signed int local8h @ ebp-0x8
│ ; var int local4h @ ebp-0x4
│ ; var int local4h2 @ esp+0x4
│ ; DATA XREF from entry0 (0x8048347)
│ 0x080483e4 55 push ebp
│ 0x080483e5 89e5 mov ebp, esp
│ 0x080483e7 83ec18 sub esp, 0x18
│ 0x080483ea 83e4f0 and esp, 0xfffffff0
│ 0x080483ed b800000000 mov eax, 0
│ 0x080483f2 83c00f add eax, 0xf
│ 0x080483f5 83c00f add eax, 0xf
│ 0x080483f8 c1e804 shr eax, 4
│ 0x080483fb c1e004 shl eax, 4
│ 0x080483fe 29c4 sub esp, eax
│ 0x08048400 c70424488504. mov dword [esp], str.IOLICrackmeLevel0x02
│ 0x08048407 e810ffffff call sym.imp.printf
│ 0x0804840c c70424618504. mov dword [esp], str.Password:
│ 0x08048413 e804ffffff call sym.imp.printf
│ 0x08048418 8d45fc lea eax, dword [local4h]
│ 0x0804841b 89442404 mov dword [local4h2], eax
│ 0x0804841f c704246c8504. mov dword [esp], 0x804856c
│ 0x08048426 e8e1feffff call sym.imp.scanf
│ 0x0804842b c745f85a0000. mov dword [local8h], 0x5a
│ 0x08048432 c745f4ec0100. mov dword [localch], 0x1ec
│ 0x08048439 8b55f4 mov edx, dword [localch]
│ 0x0804843c 8d45f8 lea eax, dword [local8h]
│ 0x0804843f 0110 add dword [eax], edx
│ 0x08048441 8b45f8 mov eax, dword [local8h]
│ 0x08048444 0faf45f8 imul eax, dword [local8h]
│ 0x08048448 8945f4 mov dword [localch], eax
│ 0x0804844b 8b45fc mov eax, dword [local4h]
│ 0x0804844e 3b45f4 cmp eax, dword [localch]
│ ┌─< 0x08048451 750e jne 0x8048461
│ │ 0x08048453 c704246f8504. mov dword [esp], str.PasswordOK:
│ │ 0x0804845a e8bdfeffff call sym.imp.printf
│ ┌──< 0x0804845f eb0c jmp 0x804846d
│ ││ ; CODE XREF from main (0x8048451)
│ │└─> 0x08048461 c704247f8504. mov dword [esp], str.InvalidPassword
│ │ 0x08048468 e8affeffff call sym.imp.printf
│ │ ; CODE XREF from main (0x804845f)
│ └──> 0x0804846d b800000000 mov eax, 0
│ 0x08048472 c9 leave
└ 0x08048473 c3 ret

root@kali:~/IOLI-crackme/bin-linux# cp crackme0x02 crackme0x02_patch
root@kali:~/IOLI-crackme/bin-linux# r2 -w crackme0x02_patch

[0x08048330]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn. and sym.func. functions (aan)
[x] Type matching analysis for all functions (afta)
[x] Use -AA or aaaa to perform additional experimental analysis.

[0x08048330]> s 0x08048451
[0x08048451]> wx 9090

[0x08048451]> pdf @sym.main
┌ (fcn) main 144
│ main (int argc, char argv, char envp);
│ ; var unsigned int localch @ ebp-0xc
│ ; var signed int local8h @ ebp-0x8
│ ; var int local4h @ ebp-0x4
│ ; var int local4h2 @ esp+0x4
│ ; DATA XREF from entry0 (0x8048347)
│ 0x080483e4 55 push ebp
│ 0x080483e5 89e5 mov ebp, esp
│ 0x080483e7 83ec18 sub esp, 0x18
│ 0x080483ea 83e4f0 and esp, 0xfffffff0
│ 0x080483ed b800000000 mov eax, 0
│ 0x080483f2 83c00f add eax, 0xf
│ 0x080483f5 83c00f add eax, 0xf
│ 0x080483f8 c1e804 shr eax, 4
│ 0x080483fb c1e004 shl eax, 4
│ 0x080483fe 29c4 sub esp, eax
│ 0x08048400 c70424488504. mov dword [esp], str.IOLICrackmeLevel0x02
│ 0x08048407 e810ffffff call sym.imp.printf
│ 0x0804840c c70424618504. mov dword [esp], str.Password:
│ 0x08048413 e804ffffff call sym.imp.printf
│ 0x08048418 8d45fc lea eax, dword [local4h]
│ 0x0804841b 89442404 mov dword [local4h2], eax
│ 0x0804841f c704246c8504. mov dword [esp], 0x804856c
│ 0x08048426 e8e1feffff call sym.imp.scanf
│ 0x0804842b c745f85a0000. mov dword [local8h], 0x5a
│ 0x08048432 c745f4ec0100. mov dword [localch], 0x1ec
│ 0x08048439 8b55f4 mov edx, dword [localch]
│ 0x0804843c 8d45f8 lea eax, dword [local8h]
│ 0x0804843f 0110 add dword [eax], edx
│ 0x08048441 8b45f8 mov eax, dword [local8h]
│ 0x08048444 0faf45f8 imul eax, dword [local8h]
│ 0x08048448 8945f4 mov dword [localch], eax
│ 0x0804844b 8b45fc mov eax, dword [local4h]
│ 0x0804844e 3b45f4 cmp eax, dword [localch]
│ 0x08048451 90 nop ; no operation
│ 0x08048452 90 nop ; no operation
│ 0x08048453 c704246f8504. mov dword [esp], str.PasswordOK:
│ 0x0804845a e8bdfeffff call sym.imp.printf
│ ┌─< 0x0804845f eb0c jmp 0x804846d ; jump
│ │ ; CODE XREF from main (0x8048451)
│ │ 0x08048461 c704247f8504. mov dword [esp], str.InvalidPassword
│ │ 0x08048468 e8affeffff call sym.imp.printf
│ │ ; CODE XREF from main (0x804845f)
│ └─> 0x0804846d b800000000 mov eax, 0
│ 0x08048472 c9 leave
└ 0x08048473 c3 ret

root@kali:~/IOLI-crackme/bin-linux# ./crackme0x02_patch
IOLI Crackme Level 0x02
Password: 11
Password OK :)
