Press "Enter" to skip to content

IOLI Crackme 0x01 solution

Hi,

Let’s continue our IOLI’s journey with level 0x01
If we run the binary we can see this behavior.

ruben@kali:~/IOLI-crackme/bin-linux$ ./crackme0x01
IOLI Crackme Level 0x01
Password: aaa
Invalid Password!

After loading this binary in Radare2:

List all binary function’s.

[0x08048330]> afl
0x080482d4 1 23 sym._init
0x080482fc 1 6 sym.imp.__libc_start_main
0x0804830c 1 6 sym.imp.scanf
0x0804831c 1 6 sym.imp.printf
0x08048330 1 33 entry0
0x08048354 3 33 fcn.08048354
0x08048380 6 47 sym.__do_global_dtors_aux
0x080483b0 4 50 sym.frame_dummy
0x080483e4 4 113 main
0x08048460 4 99 sym.__libc_csu_init
0x080484d0 1 5 sym.__libc_csu_fini
0x080484d5 1 4 sym.__i686.get_pc_thunk.bx
0x080484e0 4 35 sym.__do_global_ctors_aux
0x08048504 1 26 sym._fini

Disassemble the main function:

[0x08048330]> pdf @sym.main
;-- main:
/ (fcn) main 113
| main ();
| ; var int local_4h @ ebp-0x4
| ; var int local_4h_2 @ esp+0x4
| ; DATA XREF from 0x08048347 (entry0)
| 0x080483e4 55 push ebp
| 0x080483e5 89e5 mov ebp, esp
| 0x080483e7 83ec18 sub esp, 0x18
| 0x080483ea 83e4f0 and esp, 0xfffffff0
| 0x080483ed b800000000 mov eax, 0
| 0x080483f2 83c00f add eax, 0xf
| 0x080483f5 83c00f add eax, 0xf
| 0x080483f8 c1e804 shr eax, 4
| 0x080483fb c1e004 shl eax, 4
| 0x080483fe 29c4 sub esp, eax
| 0x08048400 c70424288504. mov dword [esp], str.IOLI_Crackme_Level_0x01_n ; [0x8048528:4]=0x494c4f49 ; "IOLI Crackme Level 0x01\n"
| 0x08048407 e810ffffff call sym.imp.printf ; int printf(const char *format)
| 0x0804840c c70424418504. mov dword [esp], str.Password: ; [0x8048541:4]=0x73736150 ; "Password: "
| 0x08048413 e804ffffff call sym.imp.printf ; int printf(const char *format)
| 0x08048418 8d45fc lea eax, [local_4h]
| 0x0804841b 89442404 mov dword [local_4h_2], eax
| 0x0804841f c704244c8504. mov dword [esp], 0x804854c ; [0x804854c:4]=0x49006425
| 0x08048426 e8e1feffff call sym.imp.scanf ; int scanf(const char *format)
| 0x0804842b 817dfc9a1400. cmp dword [local_4h], 0x149a ; [0x149a:4]=-1
| ,=< 0x08048432 740e je 0x8048442
| | 0x08048434 c704244f8504. mov dword [esp], str.Invalid_Password__n ; [0x804854f:4]=0x61766e49 ; "Invalid Password!\n"
| | 0x0804843b e8dcfeffff call sym.imp.printf ; int printf(const char *format)
| ,==< 0x08048440 eb0c jmp 0x804844e | || ; JMP XREF from 0x08048432 (main) | |-&gt; 0x08048442 c70424628504. mov dword [esp], str.Password_OK_:__n ; [0x8048562:4]=0x73736150 ; "Password OK :)\n"
| | 0x08048449 e8cefeffff call sym.imp.printf ; int printf(const char *format)
| | ; JMP XREF from 0x08048440 (main)
|
--> 0x0804844e b800000000 mov eax, 0
| 0x08048453 c9 leave
\ 0x08048454 c3 ret

Look into 0x0804842b, there is a cmp command with a suspicious value.

If we convert the number to decimal we obtain 5274

? 0x149a
hex 0x149a
octal 012232
unit 5.2K
segment 0000:049a
int32 5274
string "\x9a\x14"
binary 0b0001010010011010
fvalue: 5274.0
float: 0.000000f
double: 0.000000
trits 0t21020100

Now let’s try again:

ruben@kali:~/IOLI-crackme/bin-linux$ ./crackme0x01
IOLI Crackme Level 0x01
Password: 5274
Password OK :)

Level solved!

See you at the next level.

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.