
Crackme0x01 Dissected with Radare2

To get some insight into what we are dealing with, let’s run the Crackme0x01 program first.

crackme0x01

Password Challenge! Apparently, it’s just a simple program that tests a password entered by the user. Let’s dig in, starting Radare2 with the analyze and debug options (check Radare Basics to find out how).

Analysis

So, first thing, let’s look at the functions present in the binary. IMHO, it’s always a good idea to take a peek at the program’s functions with the aim of getting to know the program and its abilities.

afll

At the address 0x080483e4 we have the main function. We can also see the scanf function, which will collect our input, and the printf function, responsible for printing all the messages.

If we go ahead and seek to the main function we should notice that the address in the prompt changed.

Before we jump into the assembly code, let’s take a look at all the strings in the data section; if we are lucky enough, maybe we can see the cleartext password.

iz

No luck today…

Let’s see the code in the main function.

pdf

We can identify where each one of the strings is being printed, as well as the call to the scanf function. We can also see a compare instruction which seems a good place to start.

Obviously the result of this instruction must be true, because if it isn’t, the flow of this program will lead to the “Invalid Password” string, and that’s definitely what we don’t want. Taking this instruction apart, we’ve got a local variable (local_4h) and a value. The variable must be the place where the collected input was stored, and the value must be the solution! Notice that the value is represented in hexadecimal, while the program will most likely accept base 10 input, aka decimal. Let’s first convert the value and then confirm whether 0x149a is the solution.

Solution for Crackme0x01

Solution

Yep! 5274 is the solution for Crackme0x01, the magic password. Be aware that I could play with the instructions, changing the jump instruction to an unconditional jump in order to accept any value/password, or even replace that value in the compare instruction, but let’s leave that for another exercise. Honestly, I only know how to replace that value with another value, but I don’t know how to replace it with a string. YET 🙂
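As an added example (not code from the original post), the script below automates the walkthrough above: drive radare2 through r2pipe with the same -A analysis, dump main with pdf, pull the immediate out of the cmp instruction and convert it to the decimal form scanf will accept. The r2pipe usage, the verify helper and the sample pdf text are assumptions; the sample offsets and bytes are constructed, not taken from the real binary.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of what `pdf` prints for a main() shaped like the one in the post.
# Offsets, raw bytes and variable names are illustrative, not copied from the real binary.
SAMPLE_PDF = """
/ (fcn) main 113
|           ; var int local_4h @ ebp-0x4
|           0x0804840d      e8d2feffff     call sym.imp.scanf
|           0x08048412      817dfc9a1400.  cmp dword [local_4h], 0x149a
|       ,=< 0x08048419      740e           je 0x8048429
|       |   0x0804841b      c70424a28404.  mov dword [esp], str.Invalid_Password_
"""

# "cmp <operand>, <immediate>" with a hex or decimal immediate as the last operand.
CMP_IMM = re.compile(r"\bcmp\s+(?P<lhs>[^,]+?),\s*(?P<imm>0x[0-9a-fA-F]+|\d+)\s*$")
ADDR = re.compile(r"0x[0-9a-fA-F]{8}")

def compare_immediates(disasm: str) -> List[Tuple[str, str, int]]:
    """(address, left operand, immediate as int) for every cmp against a constant."""
    found = []
    for line in disasm.splitlines():
        m = CMP_IMM.search(line)
        if m:
            addr = ADDR.search(line)
            found.append((addr.group(0) if addr else "?", m.group("lhs").strip(),
                          int(m.group("imm"), 0)))
    return found

def candidate_passwords(disasm: str) -> List[int]:
    """Decimal form of each immediate: what scanf("%d") must read for the cmp to succeed."""
    return [imm for _, _, imm in compare_immediates(disasm)]

def disasm_main(binary: str) -> str:
    """Drive radare2 through r2pipe (assumed installed): -A analysis, then pdf @ main."""
    import r2pipe  # lazy import so the parser above works without radare2 present
    r2 = r2pipe.open(binary, flags=["-A"])
    try:
        return r2.cmd("pdf @ main")
    finally:
        r2.quit()

def verify_with_binary(binary: str, password: int) -> bool:
    """Feed a candidate to the crackme; assumes a wrong guess prints 'Invalid Password'."""
    proc = subprocess.run([binary], input=f"{password}\n", capture_output=True, text=True)
    return "Invalid Password" not in proc.stdout
```

With the real binary at hand, `verify_with_binary("./crackme0x01", candidate_passwords(disasm_main("./crackme0x01"))[0])` performs the whole check in one go.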

Check the walkthrough video for this exercise.

Published in Radare2

10 Comments

  1. Luis

    Hi! Thank you very much for this tutorial, it has been very helpful since I’ve been learning reverse engineering stuff these past weeks. I have a little problem: when listing all the functions and their location in memory, it doesn’t show me the main function as yours, it seems like a different syntax or something. Is there any way I can fix this? Here’s a capture. https://k60.kn3.net/F/C/3/4/5/0/1FC.png
    Thanks in advance!

    • moveax

      Hi Luis.
      First of all, I’m pleased to know that you’re enjoying my posts. That means a lot!
      Second, let me just insist that I’m taking the first steps in reverse engineering and radare2.
      What you see when you type afll is the same that happens to me when I try to open a Windows executable in radare2 using Linux as host.
      Are you starting radare with “A” flag? I googled a little bit and found this thread that might interest you.
      Can you seek to those functions?

      I hope to hear from you soon,
      MOVEAX.ME

  2. caffix

    Inside the r2 command line make sure to run `aaa` or `aaaa`. Opening the file with -A like `radare2 -A crackme0x1` will also do the trick.

    • moveax

      Hello caffix,

      You’re right! Notice that I refer that in the first lines of this post and left a link to Radare Basics where I explain that.
      I’m glad to see that I have someone out there reviewing my posts 🙂 .

      Thank you very much,
      MOVEAX.ME

  3. ping24

    Hey! Glad to see you sharing your experiences with this great tool, radare2. 🙂

    However curious to know, would you be sharing the crackme binaries along with your analysis notes? That would be helpful indeed if you are at all planning to share the same.

    Cheers!

    • moveax

      Hi ping24,

      Glad to know that you’re enjoying it.
      I didn’t think about that when I started this blog. However, I’ve been studying a method to explain every instruction in a more visual way, but so far, I didn’t find one.
      I’ve already tried some tools but they don’t fit what I want.
      So for now, I think I’ll keep making this kind of post and at the end, I’ll make a wrap up.
      Uploading the binaries with the notes seems like a good alternative 😉
      Thank you for the tip.

      Best Regards,
      MOVEAX.ME

  4. Sosto

    Is it possible to have the binaries to train? Thanks in advance.

    • MOVEAX

      Hello Sosto,

      Please check the original link where I got the exercises from.

      Best Regards,
      MOVEAX.ME

      • sosto

        Thanks. Sorry. I posted the request twice. You can delete the second one.

        • MOVEAX

          Hello again,

          No problem 😉
          Enjoy it!

          MOVEAX.ME
