IOLI 0x01

This is the second IOLI crackme.

$ ./crackme0x01
IOLI Crackme Level 0x01
Password: test
Invalid Password!

Let's check for strings with rabin2.

$ rabin2 -z ./crackme0x01
vaddr=0x08048528 paddr=0x00000528 ordinal=000 sz=25 len=24 section=.rodata type=a string=IOLI Crackme Level 0x01\n
vaddr=0x08048541 paddr=0x00000541 ordinal=001 sz=11 len=10 section=.rodata type=a string=Password:
vaddr=0x0804854f paddr=0x0000054f ordinal=002 sz=19 len=18 section=.rodata type=a string=Invalid Password!\n
vaddr=0x08048562 paddr=0x00000562 ordinal=003 sz=16 len=15 section=.rodata type=a string=Password OK :)\n

This isn't going to be as easy as 0x00. Let's try disassembly with r2.

$ r2 ./crackme0x01 
-- Use `zoom.byte=printable` in zoom mode ('z' in Visual mode) to find strings
[0x08048330]> aa
[0x08048330]> pdf@main
/ (fcn) main 113
|          ; var int local_4 @ ebp-0x4
|          ; DATA XREF from 0x08048347 (entry0)
|          0x080483e4    55           push ebp
|          0x080483e5    89e5         mov ebp, esp
|          0x080483e7    83ec18       sub esp, 0x18
|          0x080483ea    83e4f0       and esp, -0x10
|          0x080483ed    b800000000   mov eax, 0
|          0x080483f2    83c00f       add eax, 0xf
|          0x080483f5    83c00f       add eax, 0xf
|          0x080483f8    c1e804       shr eax, 4
|          0x080483fb    c1e004       shl eax, 4
|          0x080483fe    29c4         sub esp, eax
|          0x08048400    c7042428850. mov dword [esp], str.IOLI_Crackme_Level_0x01_n ; [0x8048528:4]=0x494c4f49  ; "IOLI Crackme Level 0x01." @ 0x8048528
|          0x08048407    e810ffffff   call sym.imp.printf
|             sym.imp.printf(unk)
|          0x0804840c    c7042441850. mov dword [esp], str.Password_ ; [0x8048541:4]=0x73736150  ; "Password: " @ 0x8048541
|          0x08048413    e804ffffff   call sym.imp.printf
|             sym.imp.printf()
|          0x08048418    8d45fc       lea eax, dword [ebp + 0xfffffffc]
|          0x0804841b    89442404     mov dword [esp + 4], eax ; [0x4:4]=0x10101
|          0x0804841f    c704244c850. mov dword [esp], 0x804854c ; [0x804854c:4]=0x49006425  ; "%d" @ 0x804854c
|          0x08048426    e8e1feffff   call sym.imp.scanf
|             sym.imp.scanf()
|          0x0804842b    817dfc9a140. cmp dword [ebp + 0xfffffffc], 0x149a
|      ,=< 0x08048432    740e         je 0x8048442
|      |   0x08048434    c704244f850. mov dword [esp], str.Invalid_Password__n ; [0x804854f:4]=0x61766e49  ; "Invalid Password!." @ 0x804854f
|      |   0x0804843b    e8dcfeffff   call sym.imp.printf
|      |      sym.imp.printf()
|     ,==< 0x08048440    eb0c         jmp 0x804844e ; (main)
|     ||   ; JMP XREF from 0x08048432 (main)
|     |`-> 0x08048442    c7042462850. mov dword [esp], str.Password_OK____n ; [0x8048562:4]=0x73736150  ; "Password OK :)." @ 0x8048562
|     |    0x08048449    e8cefeffff   call sym.imp.printf
|     |       sym.imp.printf()
|     |    ; JMP XREF from 0x08048440 (main)
|     `--> 0x0804844e    b800000000   mov eax, 0
|          0x08048453    c9           leave
\          0x08048454    c3           ret

"aa" tells r2 to analyze the whole binary, which gets you symbol names, among things.

"pdf" stands for

Print
Disassemble
Function

This will print the disassembly of the main function, or the main() that everyone knows. You can see several things as well: weird names, arrows, etc.

"imp." stands for imports. Those are imported symbols, like printf()
"str." stands for strings. Those are strings (obviously).

If you look carefully, you'll see a cmp instruction, with a constant, 0x149a. cmp is an x86 compare instruction, and the 0x in front of it specifies it is in base 16, or hex (hexadecimal).

0x0804842b    817dfc9a140. cmp dword [ebp + 0xfffffffc], 0x149a

You can use radare2's ? command to get it in another numeric base.

[0x08048330]> ? 0x149a
5274 0x149a 012232 5.2K 0000:049a 5274 10011010 5274.0 0.000000

So now we know that 0x149a is 5274 in decimal. Let's try this as a password.

$ ./crackme0x01
IOLI Crackme Level 0x01
Password: 5274
Password OK :)

Bingo, the password was 5274. In this case, the password function at 0x0804842b was comparing the input against the value, 0x149a in hex. Since user input is usually decimal, it was a safe bet that the input was intended to be in decimal, or 5274. Now, since we're hackers, and curiosity drives us, let's see what happens when we input in hex.

$ ./crackme0x01
IOLI Crackme Level 0x01
Password: 0x149a
Invalid Password!

It was worth a shot, but it doesn't work. That's because scanf() will take the 0 in 0x149a to be a zero, rather than accepting the input as actually being the hex value.

And this concludes IOLI 0x01.

上一页IOLI 0x00 下一页Avatao R3v3rs3 4

最后更新于4年前

这有帮助吗？

$ rabin2 -z ./crackme0x01 vaddr=0x08048528 paddr=0x00000528 ordinal=000 sz=25 len=24 section=.rodata type=a string=IOLI Crackme Level 0x01\n vaddr=0x08048541 paddr=0x00000541 ordinal=001 sz=11 len=10 section=.rodata type=a string=Password: vaddr=0x0804854f paddr=0x0000054f ordinal=002 sz=19 len=18 section=.rodata type=a string=Invalid Password!\n vaddr=0x08048562 paddr=0x00000562 ordinal=003 sz=16 len=15 section=.rodata type=a string=Password OK :)\n

$ r2 ./crackme0x01 -- Use `zoom.byte=printable` in zoom mode ('z' in Visual mode) to find strings [0x08048330]> aa [0x08048330]> pdf@main / (fcn) main 113 | ; var int local_4 @ ebp-0x4 | ; DATA XREF from 0x08048347 (entry0) | 0x080483e4 55 push ebp | 0x080483e5 89e5 mov ebp, esp | 0x080483e7 83ec18 sub esp, 0x18 | 0x080483ea 83e4f0 and esp, -0x10 | 0x080483ed b800000000 mov eax, 0 | 0x080483f2 83c00f add eax, 0xf | 0x080483f5 83c00f add eax, 0xf | 0x080483f8 c1e804 shr eax, 4 | 0x080483fb c1e004 shl eax, 4 | 0x080483fe 29c4 sub esp, eax | 0x08048400 c7042428850. mov dword [esp], str.IOLI_Crackme_Level_0x01_n ; [0x8048528:4]=0x494c4f49 ; "IOLI Crackme Level 0x01." @ 0x8048528 | 0x08048407 e810ffffff call sym.imp.printf | sym.imp.printf(unk) | 0x0804840c c7042441850. mov dword [esp], str.Password_ ; [0x8048541:4]=0x73736150 ; "Password: " @ 0x8048541 | 0x08048413 e804ffffff call sym.imp.printf | sym.imp.printf() | 0x08048418 8d45fc lea eax, dword [ebp + 0xfffffffc] | 0x0804841b 89442404 mov dword [esp + 4], eax ; [0x4:4]=0x10101 | 0x0804841f c704244c850. mov dword [esp], 0x804854c ; [0x804854c:4]=0x49006425 ; "%d" @ 0x804854c | 0x08048426 e8e1feffff call sym.imp.scanf | sym.imp.scanf() | 0x0804842b 817dfc9a140. cmp dword [ebp + 0xfffffffc], 0x149a | ,=< 0x08048432 740e je 0x8048442 | | 0x08048434 c704244f850. mov dword [esp], str.Invalid_Password__n ; [0x804854f:4]=0x61766e49 ; "Invalid Password!." @ 0x804854f | | 0x0804843b e8dcfeffff call sym.imp.printf | | sym.imp.printf() | ,==< 0x08048440 eb0c jmp 0x804844e ; (main) | || ; JMP XREF from 0x08048432 (main) | |`-> 0x08048442 c7042462850. mov dword [esp], str.Password_OK____n ; [0x8048562:4]=0x73736150 ; "Password OK :)." @ 0x8048562 | | 0x08048449 e8cefeffff call sym.imp.printf | | sym.imp.printf() | | ; JMP XREF from 0x08048440 (main) | `--> 0x0804844e b800000000 mov eax, 0 | 0x08048453 c9 leave \ 0x08048454 c3 ret