In order to have some insight of what are we dealing with, let’s run the Crackme0x01 program first.
Password Challenge! Apparently, its just a simple program that tests a password entered by the user. Let’s dig in, starting Radare2 with analyze and debug options (check Radare Basics to find out how).
Analysis
So, first thing, let’s look at the functions present in the binary. IMHO, it’s always a good idea take a peek in the program functions with the aim of getting to know the program and its abilities.
At the address 0x080483e4 we have the main function. We can also see scanf function that will collect our input and the printf function, responsible for printing all the messages.
If we go ahead and seek to the main function we should notice that the address in the prompt changed.
Before we jump into the assembly code, let’s take a look at all the strings in this data section and if we are lucky enough, maybe we can see the clear text password.
No luck today…
Let’s see the code in the main function.
We can identify where each one of the strings is being printed, as well as the call to the scanf function. We can also see a compare instruction which seems a good place to start.
Obviously the result of this instruction must me true, because if it isn’t, the flow of this program will lead to a “Invalid Password” string and that’s definitely what we don’t want. Stripping this instruction apart, we’ve got a local variable (local_4h) and a value. The variable must be the place where the input collected was stored and the value must be the solution! Notice that the value is represented in hexadecimal and the program will most likely accept base 10 input aka decimal. Let’s first convert the value and then confirm if 0x149a is the solution.
Solution for Crackme0x01
Yep! 5274 is the solution for Crackme0x01, the magic password. Be aware that I could play with the instructions, changing the jump instruction to an unconditional jump in order to accept any value/password or even replace that value in the compare instruction but let’s leave that for another exercise. Honestly, I only know how to replace that value for another value, but I don’t know how to replace it with a string. YET 🙂
Check the walkthrough video for this exercise.