Crackme0x06 Dissected with Radare2

Crackme0x06! A new exercise, a new function. Also, some new tricks are used to obtain the so wanted “Password OK”.

This exercise is very alike the previous one, so I won’t go through the functions already explained.

Getting the Crackme0x06 password through analysis

As usual, let’s check the functions available.

We’ve got a new function: dummy.

One of the conditions that we saw before, must be met if we want to jump to this function, we need to sum from left to right until we get 0x10 (16 in decimal). If this condition is met, we are on the right path, and will go to dummy function.

Let’s take a peek into this function.

There’s a lot going on here. This (not so) dummy function messed up my brain with all those “eax*4”.

Before we continue, let me show you something that I saw when I started debugging this function.

LS_COLORS?! Are we painting now???

I didn’t know what to expect at this point, so I googled for this, and ended up finding that this is an environment variable…

So you can follow my explanation, let me go ahead and tell you that this function looks for something in your environment variables, looping through all of them.

Moving on, at the beginning of this function, we see a reset to the local_4h, which is an index.

The next few instructions until the compare, ensures that you get an “Invalid password” if all the environment variables are compared and the desired on is not found. arg_ch as you’ve seen, holds a pointer to the first environment variable.

Pay attention to the manipulation of ecx and edx registers, at 0x080484d7 address and the next one. ecx will hold the step that will be used to jump to the next environment variable. edx has a copy of the address where the first environment variable is located.

The way used to iterate over all the environment variables is a sum between these two registers as you can see at 0x080484f6 address.

This is what happens. edx is “the same” as arg_ch and ecx represents each box of the middle column, where each box has a size of 4 bytes (that eax*4) and holds the address of each environment variable.

Now, we see a 3 being moved to local_8h and the string “LOLO” being loaded to local_4h_2 and after that, we see a strncmp. This strncmp function takes three arguments: two strings and the size. Obviously, the 3 is the size and the “LOLO” is one of the two string. The last string is the environment variable. Notice that only three characters will be compared, so you’ll be actually comparing “LOL” with something. The following test instruction is easy, because strncmp returns 0 if (in this case) the first 3 bytes of both strings match.

In that case, we’ll leave the function with 1 loaded into the eax register.

Returning to parell function, and as crackme0x05, we will check if the number provided is even.

Solution

To solve crackme0x06 exercise the following conditions must be met:

We must sum the digits of the number provided, from the left to right, until we get 0x10

We must set the environment variable LOL

The number must be even

To set an environment variable, use the command “export LOL=something“. You can also execute the exercise as “LOL=something ./crackme0x06″

Modifying Crackme0x06 to accept any password

To make this crackme accept any password we can simply make the following modifications.

In the check function, replace the jae for an unconditional jump to the sym.parell’s call.

Next, we go to dummy function and again, replace the je for an unconditional jump to 0x08048505 address making the program exit this function.

After this, the program still checks if we inserted an even number. We don’t want that. So let’s clear the eax register in the and instruction.

I think this is enough. Let’s confirm.

Yep. Seems cracked 😉

Notice that you no longer need the environment variable.

Do you have a more clever way to crack this one?

Walkthrough video