IOLI Crackme 0x01 solution

Let’s continue our IOLI journey with level 0x01.

root@kali:~/IOLI-crackme/bin-linux# r2 crackme0x01

Analyze the binary:

[0x08048330]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn. and sym.func. functions (aan)
[x] Type matching analysis for all functions (afta)
[x] Use -AA or aaaa to perform additional experimental analysis.

Show function list:

[0x08048330]> afl
0x080482d4    1 23     sym.init
0x080482fc    1 6      sym.imp.libcstartmain
0x0804830c    1 6      sym.imp.scanf
0x0804831c    1 6      sym.imp.printf
0x08048330    1 33     entry0
0x08048354    3 33     fcn.08048354
0x08048380    6 47     sym.doglobaldtorsaux
0x080483b0    4 50     sym.framedummy
0x080483e4    4 113    main
0x08048460    4 99     sym.libccsuinit
0x080484d0    1 5      sym.libccsufini
0x080484d5    1 4      sym.i686.getpcthunk.bx
0x080484e0    4 35     sym.doglobalctorsaux
0x08048504    1 26     sym.fini

Disassemble the function main:

[0x08048330]> pdf @main
┌ (fcn) main 113
│   main (int argc, char argv, char envp);
│           ; var unsigned int local4h @ ebp-0x4
│           ; var int local4h2 @ esp+0x4
│           ; DATA XREF from entry0 (0x8048347)
│           0x080483e4      55             push ebp                   
│           0x080483e5      89e5           mov ebp, esp               
│           0x080483e7      83ec18         sub esp, 0x18              
│           0x080483ea      83e4f0         and esp, 0xfffffff0        
│           0x080483ed      b800000000     mov eax, 0                
│           0x080483f2      83c00f         add eax, 0xf                
│           0x080483f5      83c00f         add eax, 0xf                
│           0x080483f8      c1e804         shr eax, 4                  
│           0x080483fb      c1e004         shl eax, 4                  
│           0x080483fe      29c4           sub esp, eax                
│           0x08048400      c70424288504.  mov dword [esp], str.IOLICrackmeLevel0x01
│           0x08048407      e810ffffff     call sym.imp.printf         
│           0x0804840c      c70424418504.  mov dword [esp], str.Password: ; [0x8048541:4]=0x73736150 ; "Password: "
│           0x08048413      e804ffffff     call sym.imp.printf         
│           0x08048418      8d45fc         lea eax, dword [local4h]   
│           0x0804841b      89442404       mov dword [local4h2], eax
│           0x0804841f      c704244c8504.  mov dword [esp], 0x804854c  
│           0x08048426      e8e1feffff     call sym.imp.scanf          
│           0x0804842b      817dfc9a1400.  cmp dword [local4h], 0x149a
│       ┌─< 0x08048432      740e           je 0x8048442               
│       │   0x08048434      c704244f8504.  mov dword [esp], str.InvalidPassword ; [0x804854f:4]=0x61766e49 ; "Invalid Password!\n"
│       │   0x0804843b      e8dcfeffff     call sym.imp.printf         
│      ┌──< 0x08048440      eb0c           jmp 0x804844e               
│      ││   ; CODE XREF from main (0x8048432)
│      │└─> 0x08048442      c70424628504.  mov dword [esp], str.PasswordOK: ; [0x8048562:4]=0x73736150 ; "Password OK :)\n"
│      │    0x08048449      e8cefeffff     call sym.imp.printf         
│      │    ; CODE XREF from main (0x8048440)
│      └──> 0x0804844e      b800000000     mov eax, 0                
│           0x08048453      c9             leave                       
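└           0x08048454      c3             ret

The value scanf stores in local4h is compared with 0x149a at 0x0804842b, and a match takes the jump to the "Password OK" branch. Convert the constant to decimal:

[0x08048330]> ? 0x149a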
hex     0x149a
octal   012232
unit    5.2K
segment 0000:049a
int32   5274
string  "\x9a\x14"
binary  0b0001010010011010
fvalue: 5274.0
float:  0.000000f
double: 0.000000
trits   0t21020100

Run the crackme and enter the decimal value:

[0x08048330]> ! ./crackme0x01
IOLI Crackme Level 0x01
Password: 5274
Password OK :)
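
The check at 0x0804842b keeps the password as a 32-bit little-endian immediate inside the cmp instruction, which is why a constant embedded this way is readable by anyone who has the binary. The following is an added example, not part of the original write-up: it decodes that immediate straight from the instruction bytes. The byte array is reconstructed from the listing above (the two operands r2 truncates with "." are completed from the values it displays), and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes of main from 0x08048418 to 0x08048433, reconstructed from the
 * listing; truncated operands filled in from 0x804854c and 0x149a. */
static const uint8_t main_bytes[] = {
    0x8d, 0x45, 0xfc,                         /* lea eax, [ebp-4]           */
    0x89, 0x44, 0x24, 0x04,                   /* mov [esp+4], eax           */
    0xc7, 0x04, 0x24, 0x4c, 0x85, 0x04, 0x08, /* mov dword [esp], 0x804854c */
    0xe8, 0xe1, 0xfe, 0xff, 0xff,             /* call sym.imp.scanf         */
    0x81, 0x7d, 0xfc, 0x9a, 0x14, 0x00, 0x00, /* cmp dword [ebp-4], 0x149a  */
    0x74, 0x0e                                /* je 0x8048442               */
};

/* Find "cmp dword [ebp+disp8], imm32": opcode 0x81, ModRM 0x7d
 * (mod=01, reg=/7 CMP, rm=ebp), then disp8 and a little-endian imm32.
 * Returns 1 and fills disp/imm on the first match, 0 if none is found.
 * This is a raw pattern match; a full tool would decode instruction
 * lengths so the pattern cannot match inside another operand. */
int find_cmp_ebp_imm32(const uint8_t *buf, size_t len,
                       int8_t *disp, uint32_t *imm)
{
    for (size_t i = 0; i + 7 <= len; i++) {
        if (buf[i] != 0x81 || buf[i + 1] != 0x7d)
            continue;
        *disp = (int8_t)buf[i + 2];
        *imm = (uint32_t)buf[i + 3]
             | (uint32_t)buf[i + 4] << 8
             | (uint32_t)buf[i + 5] << 16
             | (uint32_t)buf[i + 6] << 24;
        return 1;
    }
    return 0;
}

int main(void)
{
    int8_t disp;
    uint32_t imm;

    if (!find_cmp_ebp_imm32(main_bytes, sizeof main_bytes, &disp, &imm))
        return 1;
    printf("cmp dword [ebp%+d], 0x%x -> decimal %u\n", disp, imm, imm);
    return 0;
}
```

The bytes 9a 14 in the immediate are the same "\x9a\x14" that r2 shows on the string line of its `? 0x149a` output.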