Crackme0x09 Dissected with Radare2

The IOLI-Crackme’s exercises have come to an end. Crackme0x09 is the last exercise of this series. Let’s start analyzing the Assembly to see what changed since the last exercise.

Getting the Crackme0x09 password through analysis

When we check the available functions, we’re able to notice that the names have changed again, as they are similar to the native functions.

Another detail is that there are no strings visible in the code. Although, we can see there are strings in this little program if we list them all.

So, how are they being printed???

If the code wasn’t the same as Crackme0x08, this little trick could have been more difficult to spot. We can only identify strings being printed because of the call to the printf function (the native one). Before of those calls, we always see an address being loaded to EAX register, and then passed to the printf function throughout the stack. Also, we always see a numeric value being subtracted to EBX register, which means that EBX is used as a base pointer.

At the beginning of every function we see a call to fcn.08048766 function, which changes the value of EBX. So after that call, EBX will have the base value from where will be calculated all the addresses that contains our strings.

Let me now guide you step by step so you can understand where the strings are located. Let’s start with sub.strlen_616 function.

sub.strlen_616

This function corresponds to sym.check, from the previous exercise.

Here we see two printf calls and the base value of EBX, after the changes at the beginning of this function occur, is 0x08049ff4.

0x08049ff4 – 0x17a2 = 0x08048852

If we check what’s in that address, using pf command, we get the following output.

As you should remember, %d is a format that will be passed to the sscanf native function. Let’s see the next string.

0x08049ff4 – 0x1791 = 0x08048863 => wtf?

sub.printf_55d

This function corresponds to sym.che, from the previous exercise.

0x08049ff4 – 0x17b7 = 0x0804883d => Password Incorrect!

sub.sscanf_589

This function corresponds to sym.parell, from the previous exercise.

The first string is already translated. It’s the %d.

0x08049ff4 – 0x179f = 0x08048855 => Password OK!

sub.strncmp_4d4

This function corresponds to sym.dummy, from the previous exercise.

0x08049ff4 – 0x17bc = 0x08048838 => LOLO

To finish this translation, let’s also do this for the strings in the main function.

main

0x08049ff4 – 0x178b = 0x08048869 => IOLI Crackme Level 0x09

0x08049ff4 – 0x1772 = 0x08048882 => Password:

0x08049ff4 – 0x1767 = 0x0804888d => %s

You can confirm all the addresses in the second image of this post, the one that corresponds to iz command.

Solution

And again, the solution for crackme0x09 is this set of conditions:

We must sum the digits of the number provided, from the left to right, until we get 0x10

We must set the environment variable LOL

The number must be even

The number must be less or equal than 2,147,299,998

Modifying Crackme0x09 to accept any password

Once more, I’m going to be super lazy and make the program jump right to the “Password OK!” after receiving the input. Let’s do it.

That address right after the unconditional jump is the first instruction to print the “Password OK!”.

Time to see if that worked.

Done!

Walkthrough video