IOLI Crackme 0x03 solution

Hi,

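Another IOLI crackme solution. In the disassembly below, main reads the input with scanf into local4h, computes (0x5a + 0x1ec) squared (582 * 582 = 338724) and passes both values to sym.test. sym.test compares them, and the je at 0x0804847a is taken only when they match; its target is the branch that ends up printing "Password OK". Instead of entering that value, this solution opens a separate file, crackme0x03_patch (presumably a copy of the original binary), in write mode and overwrites the je opcode (0x74) with an unconditional jmp (0xeb), so the success branch runs for any input. A check that rests on a single compare-and-branch inside the shipped binary is defeated by a one-byte change.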

root@kali:~/IOLI-crackme/bin-linux# r2 crackme0x03

[0x08048360]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn. and sym.func. functions (aan)
[x] Type matching analysis for all functions (afta)
[x] Use -AA or aaaa to perform additional experimental analysis.

[0x08048360]> pdf @sym.main
;-- main:
┌ (fcn) sym.main 128
│ sym.main (int argc, char argv, char envp);
│ ; var int localch @ ebp-0xc
│ ; var signed int local8h @ ebp-0x8
│ ; var int local4h @ ebp-0x4
│ ; var int local4h2 @ esp+0x4
│ ; DATA XREF from entry0 (0x8048377)
│ 0x08048498 55 push ebp
│ 0x08048499 89e5 mov ebp, esp
│ 0x0804849b 83ec18 sub esp, 0x18
│ 0x0804849e 83e4f0 and esp, 0xfffffff0
│ 0x080484a1 b800000000 mov eax, 0
│ 0x080484a6 83c00f add eax, 0xf
│ 0x080484a9 83c00f add eax, 0xf
│ 0x080484ac c1e804 shr eax, 4
│ 0x080484af c1e004 shl eax, 4
│ 0x080484b2 29c4 sub esp, eax
│ 0x080484b4 c70424108604. mov dword [esp], str.IOLICrackmeLevel0x03
│ 0x080484bb e890feffff call sym.imp.printf
│ 0x080484c0 c70424298604. mov dword [esp], str.Password:
│ 0x080484c7 e884feffff call sym.imp.printf
│ 0x080484cc 8d45fc lea eax, dword [local4h]
│ 0x080484cf 89442404 mov dword [local4h2], eax
│ 0x080484d3 c70424348604. mov dword [esp], 0x8048634
│ 0x080484da e851feffff call sym.imp.scanf
│ 0x080484df c745f85a0000. mov dword [local8h], 0x5a
│ 0x080484e6 c745f4ec0100. mov dword [localch], 0x1ec
│ 0x080484ed 8b55f4 mov edx, dword [localch]
│ 0x080484f0 8d45f8 lea eax, dword [local8h]
│ 0x080484f3 0110 add dword [eax], edx
│ 0x080484f5 8b45f8 mov eax, dword [local8h]
│ 0x080484f8 0faf45f8 imul eax, dword [local8h]
│ 0x080484fc 8945f4 mov dword [localch], eax
│ 0x080484ff 8b45f4 mov eax, dword [localch]
│ 0x08048502 89442404 mov dword [local4h2], eax
│ 0x08048506 8b45fc mov eax, dword [local4h]
│ 0x08048509 890424 mov dword [esp], eax
│ 0x0804850c e85dffffff call sym.test
│ 0x08048511 b800000000 mov eax, 0
│ 0x08048516 c9 leave
└ 0x08048517 c3 ret

[0x08048360]> pdf @sym.test
┌ (fcn) sym.test 42
│ sym.test (int arg8h, unsigned int argch);
│ ; arg int arg8h @ ebp+0x8
│ ; arg unsigned int argch @ ebp+0xc
│ ; CALL XREF from sym.main (0x804850c)
│ 0x0804846e 55 push ebp
│ 0x0804846f 89e5 mov ebp, esp
│ 0x08048471 83ec08 sub esp, 8
│ 0x08048474 8b4508 mov eax, dword [arg8h]
│ 0x08048477 3b450c cmp eax, dword [argch]
│ ┌─< 0x0804847a 740e je 0x804848a
│ │ 0x0804847c c70424ec8504. mov dword [esp], str.LqydolgSdvvzrug
│ │ 0x08048483 e88cffffff call sym.shift
│ ┌──< 0x08048488 eb0c jmp 0x8048496
│ ││ ; CODE XREF from sym.test (0x804847a)
│ │└─> 0x0804848a c70424fe8504. mov dword [esp], str.SdvvzrugRN
│ │ 0x08048491 e87effffff call sym.shift
│ │ ; CODE XREF from sym.test (0x8048488)
│ └──> 0x08048496 c9 leave
└ 0x08048497 c3 ret

root@kali:~/IOLI-crackme/bin-linux# r2 -w crackme0x03_patch
[0x08048360]> s 0x0804847a

[0x0804847a]> wx eb
[0x0804847a]> pdf @sym.test
┌ (fcn) sym.test 42
│ sym.test (int arg8h, unsigned int argch);
│ ; arg int arg8h @ ebp+0x8
│ ; arg unsigned int argch @ ebp+0xc
│ ; CALL XREF from sym.main (0x804850c)
│ 0x0804846e 55 push ebp
│ 0x0804846f 89e5 mov ebp, esp
│ 0x08048471 83ec08 sub esp, 8
│ 0x08048474 8b4508 mov eax, dword [arg8h]
│ 0x08048477 3b450c cmp eax, dword [argch]
│ ┌─< 0x0804847a eb0e jmp 0x804848a ; unconditional jump
│ │ 0x0804847c c70424ec8504. mov dword [esp], str.LqydolgSdvvzrug
│ │ 0x08048483 e88cffffff call sym.shift
│ ┌──< 0x08048488 eb0c jmp 0x8048496
│ ││ ; CODE XREF from sym.test (0x804847a)
│ │└─> 0x0804848a c70424fe8504. mov dword [esp], str.SdvvzrugRN
│ │ 0x08048491 e87effffff call sym.shift
│ │ ; CODE XREF from sym.test (0x8048488)
│ └──> 0x08048496 c9 leave
└ 0x08048497 c3 ret

root@kali:~/IOLI-crackme/bin-linux# ./crackme0x03_patch
IOLI Crackme Level 0x03
Password: 22222
Password OK!!! :)
