Crackme0x07 Dissected with Radare2

Crackme0x07 is the exercise of this week. New tricks are used to make our task more difficult. This tricks includes function names identical to native functions. Let’s see.

Getting the Crackme0x07 password through analysis

Those functions in purple are the ones that need our attention.

Let’s now “divide and conquer”…

sub.LOLO_4b4

Just like the previous exercise, this one requires an environment variable “LOL” in order to obtain the “Password OK”. This function is responsible for checking if that variable exists. The code is very similar to sym.dummy from the last crackme.

sub.Password_Incorrect__n_524

This one just prints the “Password Incorrect” and exits the program. We definitely don’t want to execute this function 🙂

sub.sscanf_542



The name of this function is very alike to the native function sscanf. Aside that, it will convert the number provided by you to an integer because, as you know, the input provided to the program is a set of ASCII characters.

Next, it will call sub.LOLO_4b4 and it will also print the “Password OK!” if all conditions are met.

About the last function, let me take a short break to explain something. During the past week, I read a few posts (I always do, to ensure that I’m not forgetting anything) explaining that the following section of code tests the size of your input and if has more than 9 digits, you will fail.

Let me go ahead and tell you that this is NOT true! This section of code checks if the number provided is even, but you could believe that this portion of code checks if the length of your number is greater than 9 and let me tell you why.

If you notice, sscanf will return an integer. The range of this data type is from -2,147,483,648 to 2,147,483,647. So, as you can imagine, the greater number that you can provide is 2,147,299,998 which has 10 digits, and still obtain the “Password OK!”.

Now that this issue is clarified, let’s move on.

sub.strlen_5b9

Again, the name of this function is very similar to the native function strlen. But this function, tests if the sum of the digits (from your input) from left to right, at any point, results in 0x10 (16 in decimal). This is not something new. It also calls sub.sscanf_542 and sub.Password_Incorrect__n_524.

At the end of the function, we can see instructions to print a “wtf” string. For now, I think it’s just a decoy, because this section of code won’t be executed.

Solution

Again, to solve the crackme0x07 the following conditions must be met:

We must sum the digits of the number provided, from the left to right, until we get 0x10

We must set the environment variable LOL

The number must be even

The number must be less or equal than 2,147,299,998

Modifying Crackme0x07 to accept any password

Let’s be SUPER lazy and make just one modification, so this program can accept anything.

Let’s make this crackme collect our input and jump right to “Password OK!”.

And now, let’s see if it worked…

Done! No environment variable need!

How did you do it?

Walkthrough video