Lets download them
wget https://github.com/radareorg/radare2book/raw/master/crackmes/ioli/IOLI-crackme.tar.gz \
&& tar xvzf ./IOLI-crackme.tar.gz
crackme0x00
First lets see what happens when its ran.
% ./crackme0x00
IOLI Crackme Level 0x00
Password:
Invalid Password!
Lets see where Password: is in the strings of the binary.
% strings ./crackme0x00 | grep -B1 -A1 Password
IOLI Crackme Level 0x00
Password:
250382
Invalid Password!
Password OK :)
GCC: (GNU) 3.4.6 (Gentoo 3.4.6-r2, ssp-3.4.6-1.0, pie-8.7.10)
Alright, there is a number there, lets use that as the password.
%echo "250382" | ./crackme0x00
IOLI Crackme Level 0x00
Password:
Password OK :)
crackme0x01
Moving on, lets see how this one behaves when executed.
% ./crackme0x01
IOLI Crackme Level 0x01
Password:
Invalid Password!
Like last time lets looks at the =strings= of the binary.
% strings ./crackme0x01
Not so lucky this time, lets dig in a bit more with radare2
import r2pipe
f = "crackme0x01"
r = r2pipe.open(f)
r.cmd("aaa")
print(r.cmd("pdf@main"))
/ (fcn) main 113
| main (int argc, char **argv, char **envp);
| ; var unsigned int local_4h @ ebp-0x4
| ; var int local_4h_2 @ esp+0x4
| ; DATA XREF from entry0 (0x8048347)
| 0x080483e4 55 push ebp
| 0x080483e5 89e5 mov ebp, esp
| 0x080483e7 83ec18 sub esp, 0x18
| 0x080483ea 83e4f0 and esp, 0xfffffff0
| 0x080483ed b800000000 mov eax, 0
| 0x080483f2 83c00f add eax, 0xf
| 0x080483f5 83c00f add eax, 0xf
| 0x080483f8 c1e804 shr eax, 4
| 0x080483fb c1e004 shl eax, 4
| 0x080483fe 29c4 sub esp, eax
| 0x08048400 c70424288504. mov dword [esp], str.IOLI_Crackme_Level_0x01 ; [0x8048528:4]=0x494c4f49 ; "IOLI Crackme Level 0x01\n" ; const char *format
| 0x08048407 e810ffffff call sym.imp.printf ; int printf(const char *format)
| 0x0804840c c70424418504. mov dword [esp], str.Password: ; [0x8048541:4]=0x73736150 ; "Password: " ; const char *format
| 0x08048413 e804ffffff call sym.imp.printf ; int printf(const char *format)
| 0x08048418 8d45fc lea eax, dword [local_4h]
| 0x0804841b 89442404 mov dword [local_4h_2], eax
| 0x0804841f c704244c8504. mov dword [esp], 0x804854c ; [0x804854c:4]=0x49006425 ; const char *format
| 0x08048426 e8e1feffff call sym.imp.scanf ; int scanf(const char *format)
| 0x0804842b 817dfc9a1400. cmp dword [local_4h], 0x149a
| ,=< 0x08048432 740e je 0x8048442
| | 0x08048434 c704244f8504. mov dword [esp], str.Invalid_Password ; [0x804854f:4]=0x61766e49 ; "Invalid Password!\n" ; const char *format
| | 0x0804843b e8dcfeffff call sym.imp.printf ; int printf(const char *format)
| ,==< 0x08048440 eb0c jmp 0x804844e
| || ; CODE XREF from main (0x8048432)
| |`-> 0x08048442 c70424628504. mov dword [esp], str.Password_OK_: ; [0x8048562:4]=0x73736150 ; "Password OK :)\n" ; const char *format
| | 0x08048449 e8cefeffff call sym.imp.printf ; int printf(const char *format)
| | ; CODE XREF from main (0x8048440)
| `--> 0x0804844e b800000000 mov eax, 0
| 0x08048453 c9 leave
\ 0x08048454 c3 ret
Here is the disassembly of the main function of the binary, notice the cmp dword [local_4h], 0x149a at 0x0804842b. This looks to be comparing 0x149a, but 0x149a is hex.
Using radare2 again, it can give us all other numeric values for 0x149a
r2 -c "? 0x149a" --
hex 0x149a
octal 012232
unit 5.2K
segment 0000:049a
int32 5274
string "\x9a\x14"
binary 0b0001010010011010
fvalue: 5274.0
float: 0.000000f
double: 0.000000
trits 0t21020100
Now that we have all other numeric values for 0x149a lets try that int32 number.
% echo "5274" | ./crackme0x01
IOLI Crackme Level 0x01
Password:
Password OK :)
crackme0x02
Lets start things off with looking at the output of =strings=.
% strings ./crackme0x02
Like last time nothing jumps out as potentially being the password, Lets review the main function in radare2 again.
import r2pipe
f = "crackme0x02"
r = r2pipe.open(f)
r.cmd("aaa")
print(r.cmd("pdf@main"))
/ (fcn) main 144
| main (int argc, char **argv, char **envp);
| ; var unsigned int local_ch @ ebp-0xc
| ; var signed int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; var int local_4h_2 @ esp+0x4
| ; DATA XREF from entry0 (0x8048347)
| 0x080483e4 55 push ebp
| 0x080483e5 89e5 mov ebp, esp
| 0x080483e7 83ec18 sub esp, 0x18
| 0x080483ea 83e4f0 and esp, 0xfffffff0
| 0x080483ed b800000000 mov eax, 0
| 0x080483f2 83c00f add eax, 0xf
| 0x080483f5 83c00f add eax, 0xf
| 0x080483f8 c1e804 shr eax, 4
| 0x080483fb c1e004 shl eax, 4
| 0x080483fe 29c4 sub esp, eax
| 0x08048400 c70424488504. mov dword [esp], str.IOLI_Crackme_Level_0x02 ; [0x8048548:4]=0x494c4f49 ; "IOLI Crackme Level 0x02\n" ; const char *format
| 0x08048407 e810ffffff call sym.imp.printf ; int printf(const char *format)
| 0x0804840c c70424618504. mov dword [esp], str.Password: ; [0x8048561:4]=0x73736150 ; "Password: " ; const char *format
| 0x08048413 e804ffffff call sym.imp.printf ; int printf(const char *format)
| 0x08048418 8d45fc lea eax, dword [local_4h]
| 0x0804841b 89442404 mov dword [local_4h_2], eax
| 0x0804841f c704246c8504. mov dword [esp], 0x804856c ; [0x804856c:4]=0x50006425 ; const char *format
| 0x08048426 e8e1feffff call sym.imp.scanf ; int scanf(const char *format)
| 0x0804842b c745f85a0000. mov dword [local_8h], 0x5a ; 'Z' ; 90
| 0x08048432 c745f4ec0100. mov dword [local_ch], 0x1ec ; 492
| 0x08048439 8b55f4 mov edx, dword [local_ch]
| 0x0804843c 8d45f8 lea eax, dword [local_8h]
| 0x0804843f 0110 add dword [eax], edx
| 0x08048441 8b45f8 mov eax, dword [local_8h]
| 0x08048444 0faf45f8 imul eax, dword [local_8h]
| 0x08048448 8945f4 mov dword [local_ch], eax
| 0x0804844b 8b45fc mov eax, dword [local_4h]
| 0x0804844e 3b45f4 cmp eax, dword [local_ch]
| ,=< 0x08048451 750e jne 0x8048461
| | 0x08048453 c704246f8504. mov dword [esp], str.Password_OK_: ; [0x804856f:4]=0x73736150 ; "Password OK :)\n" ; const char *format
| | 0x0804845a e8bdfeffff call sym.imp.printf ; int printf(const char *format)
| ,==< 0x0804845f eb0c jmp 0x804846d
| || ; CODE XREF from main (0x8048451)
| |`-> 0x08048461 c704247f8504. mov dword [esp], str.Invalid_Password ; [0x804857f:4]=0x61766e49 ; "Invalid Password!\n" ; const char *format
| | 0x08048468 e8affeffff call sym.imp.printf ; int printf(const char *format)
| | ; CODE XREF from main (0x804845f)
| `--> 0x0804846d b800000000 mov eax, 0
| 0x08048472 c9 leave
\ 0x08048473 c3 ret
Here it looks it moves a value into the eax register at runtime and then jumps if not equal to the value, lets try to find that value of the eax register at runtime.
% echo "test" | \
r2 -AAA ./crackme0x02 -d -c "db 0x0804844b" -c "dc" -c "dr"
eax = 0x00052b24
ebx = 0x00000000
ecx = 0x00000000
edx = 0x000001ec
esi = 0xf7ee0000
edi = 0xf7ee0000
esp = 0xff9c4410
ebp = 0xff9c4438
eip = 0x0804844b
eflags = 0x00000206
oeax = 0xffffffff
Now to get the int32 value of the eax register value.
% r2 -c "? 0x00052b24" -- | grep int32
int32 338724
Time to see if this was correct
% echo "338724" | ./crackme0x02
IOLI Crackme Level 0x02
Password:
Password OK :)