Crackme0x01 Dissected with Radare2

To get some insight into what we are dealing with, let's run the Crackme0x01 program first.

crackme0x01

Password challenge! Apparently it's just a simple program that tests a password entered by the user. Let's dig in, starting Radare2 with the analyze and debug options (check Radare Basics to find out how).

Analysis

So, first things first, let's look at the functions present in the binary. IMHO, it's always a good idea to take a peek at a program's functions with the aim of getting to know the program and its abilities.

afll

At address 0x080483e4 we have the main function. We can also see the scanf function, which will collect our input, and the printf function, responsible for printing all the messages.

If we go ahead and seek to the main function, we should notice that the address in the prompt changes.

Before we jump into the assembly code, let's take a look at all the strings in the data section; if we are lucky enough, maybe we can see the clear-text password.

iz

No luck today…

Let's see the code in the main function.

pdf

We can identify where each of the strings is printed, as well as the call to the scanf function. We can also see a compare instruction, which seems like a good place to start.

Obviously the result of this comparison must be true, because if it isn't, the program flow leads to the "Invalid Password" string, and that is definitely what we don't want. Taking this instruction apart, we have a local variable (local_4h) and an immediate value. The variable must be where the collected input was stored, and the value must be the solution! Notice that the value is shown in hexadecimal, while the program will most likely accept its input in base 10, i.e. decimal. Let's first convert the value and then confirm whether 0x149a is the solution.

Solution for Crackme0x01

Yep! 5274 (0x149a in decimal) is the solution for Crackme0x01, the magic password. Be aware that I could also play with the instructions, changing the conditional jump into an unconditional jump so that any value/password is accepted, or even replacing the value in the compare instruction, but let's leave that for another exercise. Honestly, I only know how to replace that value with another value; I don't know how to replace it with a string. YET 🙂
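To make the two steps above concrete without firing up radare2, here is an added example (my code, not part of the original post and not the crackme author's): it reads the 32-bit immediate out of a `cmp dword [ebp-disp8], imm32` encoding (opcode 81 /7 with ModR/M byte 0x7d) and converts it to the decimal number the program expects, then applies the two patches just mentioned, swapping the immediate for a new value or turning the short conditional jump after the compare into an unconditional one. The byte string it works on is constructed for this example; it is not a dump of the real crackme0x01 and its offsets are not the binary's offsets, which you would read off `pdf` instead.

```python
"""Decode and patch a `cmp dword [ebp-4], imm32` + short Jcc check.

Added example: not the original post's code and not the crackme binary.
"""
import struct

# 81 /7 id is CMP r/m32, imm32; ModR/M 0x7d selects [ebp + disp8] with /7 = CMP.
CMP_EBP_DISP8_IMM32 = b"\x81\x7d"
CMP_LEN = 7                      # 81 7d <disp8> <imm32>
JE_SHORT, JNE_SHORT, JMP_SHORT, NOP = 0x74, 0x75, 0xEB, 0x90

# CONSTRUCTED sample (assumption, not crackme0x01's bytes): filler, then
#   cmp dword [ebp-0x4], 0x149a
#   je  +0x12        ; assumed to land on the "Password OK" path
# and more filler.
SAMPLE = (
    b"\x55\x89\xe5\x90"                                  # push ebp; mov ebp,esp; nop
    + CMP_EBP_DISP8_IMM32 + b"\xfc" + struct.pack("<I", 0x149A)
    + bytes([JE_SHORT, 0x12])
    + b"\xc7\x04\x24\x00\x00\x00\x00"                    # mov dword [esp], 0 (filler)
)


def _cmp_offset(buf: bytes) -> int:
    """Offset of the first `cmp dword [ebp+disp8], imm32`. A two-byte pattern
    search is fine for this sample; on a real binary use the address pdf shows."""
    off = buf.find(CMP_EBP_DISP8_IMM32)
    if off < 0 or off + CMP_LEN + 2 > len(buf):
        raise ValueError("compare instruction not found")
    return off


def decode_magic(buf: bytes) -> int:
    """The imm32 operand of the compare, i.e. the number scanf has to read."""
    off = _cmp_offset(buf)
    (imm,) = struct.unpack_from("<I", buf, off + 3)   # skip 81 7d disp8
    return imm


def patch_magic(buf: bytes, new_value: int) -> bytes:
    """Patch 1: keep the check but compare against new_value instead."""
    if not 0 <= new_value <= 0xFFFFFFFF:
        raise ValueError("immediate must fit in 32 bits")
    off = _cmp_offset(buf)
    out = bytearray(buf)
    struct.pack_into("<I", out, off + 3, new_value)
    return bytes(out)


def patch_jump(buf: bytes, success_when_taken: bool) -> bytes:
    """Patch 2: neutralise the short je/jne that follows the compare.

    success_when_taken=True  -> the jump leads to "Password OK": make it an
                                unconditional short jmp (EB rel8).
    success_when_taken=False -> falling through is the good path: NOP out the
                                two-byte jump.
    Which case applies must be read off the disassembly first.
    """
    off = _cmp_offset(buf)
    jcc = off + CMP_LEN
    if buf[jcc] not in (JE_SHORT, JNE_SHORT):
        raise ValueError("no short je/jne after the compare")
    out = bytearray(buf)
    if success_when_taken:
        out[jcc] = JMP_SHORT             # rel8 stays as it was
    else:
        out[jcc:jcc + 2] = bytes([NOP, NOP])
    return bytes(out)


def jump_taken(buf: bytes, user_input: int) -> bool:
    """Mini-emulation of the compare plus the following short jump.

    Returns True when the jump is taken. In SAMPLE the jump target is the
    "Password OK" path, so True means the input was accepted.
    """
    off = _cmp_offset(buf)
    (imm,) = struct.unpack_from("<I", buf, off + 3)
    opcode = buf[off + CMP_LEN]
    if opcode == JMP_SHORT:
        return True                      # unconditional: always taken
    if opcode == NOP:
        return False                     # jump removed: always falls through
    if opcode == JE_SHORT:
        return (user_input & 0xFFFFFFFF) == imm
    if opcode == JNE_SHORT:
        return (user_input & 0xFFFFFFFF) != imm
    raise ValueError(f"unexpected opcode {opcode:#x} after the compare")


if __name__ == "__main__":
    print("magic value:", decode_magic(SAMPLE))                 # 5274
    print("original accepts 5274:", jump_taken(SAMPLE, 5274))
    print("patched immediate accepts 1234:",
          jump_taken(patch_magic(SAMPLE, 1234), 1234))
    print("patched jump accepts anything:",
          jump_taken(patch_jump(SAMPLE, True), 0))
```

Inside radare2 the same byte changes are written in place after reopening the file for writing with `oo+`, using `wx` at the address `pdf` shows for the jump or the immediate (for example `wx eb` at the address of the `je`); the Python version only exists so the encoding and the two patch variants can be checked offline.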

Check the walkthrough video for this exercise.

6 thoughts on "Crackme0x01 Dissected with Radare2"

  1. Hi! Thank you very much for this tutorial, it has been very helpful since I've been learning reverse engineering stuff these past weeks. I have a little problem: when listing all the functions and their location in memory, it doesn't show me the main function as yours does; it seems like a different syntax or something. Is there any way I can fix this? Here's a capture. https://k60.kn3.net/F/C/3/4/5/0/1FC.png
    Thanks in advance!

    1. Hi Luis.
      First of all, I’m pleased to know that you’re enjoying my posts. That means a lot!
      Second, let me just insist that I’m taking the first steps in reverse engineering and radare2.
      What you see when you type afll is the same thing that happens to me when I try to open a Windows executable in radare2 using Linux as the host.
      Are you starting radare with the "A" flag? I googled a little bit and found this thread that might interest you.
      Can you seek to those functions?

      I hope to hear from you soon,
      MOVEAX.ME

  2. Inside the r2 command line make sure to run `aaa` or `aaaa`. Opening the file with -A like `radare2 -A crackme0x1` will also do the trick.

    1. Hello caffix,

      You're right! Notice that I refer to that in the first lines of this post and left a link to Radare Basics where I explain it.
      I'm glad to see that I have someone out there reviewing my posts 🙂 .

      Thank you very much,
      MOVEAX.ME

  3. Hey! Glad to see you sharing your experiences with this great tool, radare2. πŸ™‚

    However curious to know, would you be sharing the crackme binaries along with your analysis notes? That would be helpful indeed if you are at all planning to share the same.

    Cheers!

    1. Hi ping24,

      Glad to know that you’re enjoying.
      I didn't think about that when I started this blog. However, I've been studying a method to explain every instruction in a more visual way, but so far I haven't found one.
      I've already tried some tools, but they don't fit what I want.
      So for now, I think I’ll keep making these kind of posts and at the end, I’ll make a wrap up.
      Uploading the binaries with the notes seems like a good alternative 😉
      Thank you for the tip.

      Best Regards,
      MOVEAX.ME
