Crackme0x03 Dissected with Radare2

Crackme0x03 is the first of this series of exercises to have more than one function. It actually has three (important) functions, described below:

main function, where the core code is

test function, which tests our input and decides the flow of the program

shift function, responsible for decrypting the string

Getting the Crackme0x03 password through analysis

From now on, I’ll skip the part where I check what the program does, because they all test a string/value.

So, let’s check the functions in this program.

Let me give you some insight into each of the functions and disclose the solution for this crackme along the way.

The main

This main function starts by printing some strings to guide the user and then asks for a password. This section of code is very similar to the one in crackme0x02, up to the instruction mov eax, dword [local_ch].

Solution

As you can imagine, the solution is the same for both of these exercises, but you can confirm it by executing the program (obviously) or by setting a breakpoint after the imul instruction.

From this point forward, it’s all about saving to the stack the value that the user provided and the result of all these calculations. These values are the parameters for the next function.

The test

The values on the stack are now arg_8h and arg_ch. arg_8h holds the input provided by the user and arg_ch holds the result of the series of calculations. As one could expect, arg_ch is the solution for this crackme.

After the jump instruction, the stack holds an encrypted string. The result of the compare instruction determines which string gets saved, so we can assume that the strings are “Invalid Password” and “Password OK”, like in the previous exercises.

At this point, we could try an online decipher service. I’m sure it would give us the correct answer and save us the trouble of looking into the next function. But hey, let’s not spare ourselves all that fun!

The shift

This one took me a minute to understand. local_7ch, arg_8h and local_78h are variables. The first is just a counter that ensures the function terminates the moment the string is deciphered. The second holds the original encrypted string. The third and last holds the deciphered string.

To be brief, this function takes an encrypted string as a parameter and deciphers it, char by char. The string was encoded with a Caesar cipher, so this function just reverts that process. If you take a closer look and debug this function, you’ll notice that the shift is 3 (how convenient!), caused by the instruction “sub al, 3”.
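To make the test and shift functions concrete, here is a small C model of both, written for this post as an added example; it is not the crackme’s source nor code from the original post. The two cipher texts are constructed by shifting “Invalid Password” and “Password OK” by +3 (the binary’s real strings are not reproduced here), the expected value in main is a placeholder standing in for whatever the imul produces, and the function names shift, test_password and caesar3_encrypt are my own. One detail worth seeing in code: “sub al, 3” works on a byte, so values below 3 wrap around to 0xfd..0xff instead of going negative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed cipher texts: "Invalid Password" and "Password OK" after a
 * Caesar shift of +3. Built for this example, not copied from the binary. */
static const char ENC_INVALID[] = "Lqydolg#Sdvvzrug";
static const char ENC_OK[]      = "Sdvvzrug#RN";

/* One step of the shift loop: the byte-wise equivalent of "sub al, 3".
 * Arithmetic is 8-bit, so 0x01 becomes 0xfe exactly as AL would. */
uint8_t shift_byte(uint8_t c) {
    return (uint8_t)(c - 3);
}

/* Model of the shift function: walk the encrypted string (arg_8h) and write
 * the deciphered copy into out (local_78h). The NUL terminator ends the loop,
 * playing the role of the local_7ch counter check. */
void shift(const char *enc, char *out, size_t outlen) {
    size_t i = 0;
    while (i + 1 < outlen && enc[i] != '\0') {
        out[i] = (char)shift_byte((uint8_t)enc[i]);
        i++;
    }
    out[i] = '\0';
}

/* Inverse of shift (+3 per byte); only used to show the round trip and to
 * build the constructed cipher texts above. */
void caesar3_encrypt(const char *plain, char *out, size_t outlen) {
    size_t i = 0;
    while (i + 1 < outlen && plain[i] != '\0') {
        out[i] = (char)((uint8_t)plain[i] + 3);
        i++;
    }
    out[i] = '\0';
}

/* Model of the test function: arg_8h is the user's number, arg_ch the value
 * main computed. The comparison selects which cipher text is handed to
 * shift; the caller receives the deciphered message and a pass/fail flag. */
int test_password(int user_value, int expected_value, char *msg, size_t msglen) {
    int ok = (user_value == expected_value);
    shift(ok ? ENC_OK : ENC_INVALID, msg, msglen);
    return ok;
}

int main(void) {
    /* EXPECTED is a placeholder; the real value is whatever main's imul yields. */
    const int EXPECTED = 1234;
    char msg[64];

    int ok = test_password(1234, EXPECTED, msg, sizeof msg);
    printf("%s (%s)\n", msg, ok ? "match" : "mismatch");
    ok = test_password(1, EXPECTED, msg, sizeof msg);
    printf("%s (%s)\n", msg, ok ? "match" : "mismatch");

    /* Round trip: encrypt, then run the same shift the binary performs. */
    char enc[64], dec[64];
    caesar3_encrypt("Password OK", enc, sizeof enc);
    shift(enc, dec, sizeof dec);
    printf("%s -> %s -> %s\n", "Password OK", enc, dec);
    return 0;
}
```

Running it prints the deciphered message for a matching and a non-matching guess, then the round trip “Password OK -> Sdvvzrug#RN -> Password OK”, which is the same transformation you watch happen one byte at a time when stepping over “sub al, 3” in the debugger.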

My next post will be about Radare2’s Visual mode, and I’ll use this crackme to introduce it. In that video I’ll dissect this shift function.

Getting the Crackme0x03 password through program modification

In the last exercise I overwrote the jump instruction with a nop so that the program would accept any password. This time, I’m going a little further and replacing that instruction with an unconditional jump. This has to be done in the test function, because that’s where the comparison occurs.

Now, the command to type is “wa jmp 0x804848a @ 0x0804847a”: wa assembles the instruction and writes it in place, and the @ part seeks temporarily to 0x0804847a, the address of the conditional jump we are replacing.

Everything looks ok, so let’s check it.

Done!

Walkthrough video