#iolichallenges

Run pdf @ main and we see a sym.check function at 0x08048559;

pdf @ sym.check:

At this address, we see something is compared to the integer 15 (0xf).

0x080484d6      837df80f       cmp dword [var_8h], 0xf

Tracing back, we see strlen function is called to get the string length(i.e. number of characters) of the input

|       :   0x0804849b      890424         mov dword [esp], eax

|       :   0x0804849e      e8e1feffff     call sym.imp.strlen         ; size_t strlen(const char *s)

Sscanf is called to get a character from our password.

|      |:   0x080484c6      890424         mov dword [esp], eax

|      |:   0x080484c9      e8d6feffff     call sym.imp.sscanf 

With the loop for len times, which len is the length of our password, these number add together, and compare with 0xf(aka 15). So let’s try password with all digits adding up to 15.

0x0804849e    e8e1feffff   call 0x108048384 ; (sym.imp.strlen)

|     |     0x080484a3    3945f4       cmp [ebp-0xc], eax   ;;compare the length of input with counter

|     | ,== length, jump to the addr

|     | |   0x080484a8    8b45f4       mov eax, [ebp-0xc]   ;;get value from counter which is index

|     | |   0x080484ab    034508       add eax, [ebp+0x8]   ;;get eax = &(input[index])

|     | |   0x080484ae    0fb600       movzx eax, byte [eax] ;;get eax = input[index]

|     | |   ;-- eip:

|     | |   0x080484b1    8845f3       mov [ebp-0xd], al   ;; [ebp=0xd] = input[index]

|     | |   0x080484b4    8d45fc       lea eax, [ebp-0x4]  ;;get addr of [ebp-0x4]

|     | |   0x080484b7    89442408     mov [esp+0x8], eax  ;;pass this addr as param which is ret value

|     | |   0x080484bb    c7442404388. mov dword [esp+0x4], str.d   ;;pass "%d" as parm for sscanf()

|     | |   0x080484c3    8d45f3       lea eax, [ebp-0xd]  ;;get addr of input[index]

|     | |   0x080484c6 b  890424       mov [esp], eax      ;;pass it as param to sscanf()

|     | |   ; CODE (CALL) XREF from 0x080483a4 (fcn.0804839a)

|     | |   0x080484c9    e8d6feffff   call 0x1080483a4 ; (sym.imp.sscanf)

|     | |      sym.imp.sscanf()

|     | |   0x080484ce    8b55fc       mov edx, [ebp-0x4]  ;;move ret value from sscanf to edx

|     | |   0x080484d1    8d45f8       lea eax, [ebp-0x8]  ;;get addr of total sum

|     | |   0x080484d4    0110         add [eax], edx      ;;add ret value to total sum

|     | |   0x080484d6    837df80f     cmp dword [ebp-0x8], 0xf  ;;compare total sum with 0x0f

|     |,== 0x080484f4    8d45f4       lea eax, [ebp-0xc]  ;;get counter address

|     | |   0x080484f7    ff00         inc dword [eax]     ;;increase counter by 1

As usual, run:

r2 -w ./crackme0x03

[0x08048360]> aa

[0x08048360]> pdf @ main

Inspecting the main function, there is a sym.test function at 0x0804850c.

Let’s take a look at sym.test:

0x0804847a      740e           je 0x804848a

We can try change this je to jmp.

Here, the instruction 'je 0x804848a' corresponds to the bytes '740e', if we change the '74' for an 'eb' we will change the 'je' to a  'jmp'. You can see the 'eb' is used for jmp at 0x08048488.

After seeking to the current position, use the 'wx' command to write hex values:

./crackme0x03 IOLI Crackme Level 0x03 Password: hi Password OK!!! :)

A first look at the main function is to do something at 0x08048451, which does a jump to “Invalid password” if not equal (to password). Edit this to a nop so it does nothing. Write bytes using the w command. 

So we can use the wx command to write a nop @ 0x08048451. To do this, we need to open r2 in write mode (I switched to cse to run the modified program):

r2 -w crackme0x02

The s command seeks to the given address.

pd N disassembles N instructions.

And it worked!

As usual run it first. Method from the previous crackme did not work for this one

$ ./crackme0x01 IOLI Crackme Level 0x01 Password: password Invalid Password!

Let’s disassemble it with r2. (These commands can be found simply using ? within r2.)

aa tells radare2 to analyse the whole binary.

pdf stands for “Print Disassemble Function”.

I can’t see anything useful, let’s look at the main function:

At 0x08048432 there is a je instruction (conditional jump), if we change it to jmp (unconditional jump), we might be successful.

At 0x0804842b there is a cmp instruction, with a constant, 0x149a, which is a hexadecimal number. We try convert it using radare’s ? command, which returns the answer in a variety of bases.

Here I guess it’s comparing the hex to user input ---- If we look at the top variable section we see var-4h is associated at [ebp-0x4], which may be holding a local uninitialised variable.

Try 5274 as the password and it worked!

Let’s run it first.

$ ./crackme0x00 IOLI Crackme Level 0x00 Password: password Invalid Password!

Hint is string, so I tried the following:

$ strings crackme0x00 ......

IOLI Crackme Level 0x00 Password: 250382 Invalid Password! Password OK :)

......

Noticed the 250382 might be the password. Now let’s use r2.

$ rabin2 -z ./crackme0x00 Num Paddr      Vaddr      Len Size Section  Type  String 000 0x00000568 0x08048568  24  25 (.rodata) ascii IOLI Crackme Level 0x00\n 001 0x00000581 0x08048581  10  11 (.rodata) ascii Password:  002 0x0000058f 0x0804858f   6   7 (.rodata) ascii 250382 003 0x00000596 0x08048596  18  19 (.rodata) ascii Invalid Password!\n 004 0x000005a9 0x080485a9  15  16 (.rodata) ascii Password OK :)\n

Rabin2 is the “binary program info extractor” from Radare2; -z extracts the strings from the binary data section. (use rabin2 -h to see more options) Alternatively, use iz to list all the strings in the data section within r2. Try this number and it worked.