All the exercises solved so far, had one thing in common: there was only one solution for the problem. Crackme0x04 does not inherit that characteristic because it has multiple solutions and has some tricks to calculate those solutions when compared to the previous crackme.
Getting the Crackme0x04 password through analysis
afll shows two functions, the main and the check. Let’s print them.
Well, we can see the same as in the previous exercises, the prints of all those strings and the request for input.
I put a breakpoint right after the scanf instruction, ran the program to insert 957 as input, but when I went to check the value stored in the variable local_78h, I was surprised. Instead of seeing 0x3bd in the variable I saw this.
That’s ASCII. This means that our input is being treated as a string. Not a problem!
Let’s see what’s in the check function.
Check function is not a dummy function anymore… But let me guide you through the code!
First, the length of our “string” is calculated and the value is saved in eax. Don’t forget that our input is represented by arg_8h variable.
local_ch saves the position our string, so it’s an index.
The next instruction suggests that we’re about to enter in a loop, that will only end when we reach the end of our string. But this doesn’t seem the best path to follow, because if this happens, we’ll jump to the string “Password incorrect”.
The next two instructions, makes our position in the input string move forward. The following instructions until sscanf, extract a digit (a char, actually) from the input string in the index local_ch. The sscanf seems to be converting the ASCII to hexadecimal.
As you can see, the number converted will be added to local_8h, so this variable will be a counter. And guess what? If that counter happens to hold 0xf (or 15 in decimal)… JACKPOT!!! If not, we keep converting the chars in the string that we inserted until the sum results in 0xf or the string ends.
Can you see the big picture now?
This crackme just collects our input and sum the digits in it, from left to right. If it sums to 15 at any point, you’ll get a “Password OK” message. That’s all.
Getting the Crackme0x04 password through program modification
At this point, program analysis is far more difficult than crack the program. Personally, I’m much more interested in dissect this exercises and understand how they work than crack them.
If you’re like me and want to understand what is happening on the program stack and, at the same time keep tabs in all variables and registers you will “waste” much more time when compared to program patch. Consequently, you’ll get a deeper knowledge not only in this particular program but also in assembly. That’s where I’m aiming.
Moving to program patch, if you’re lazy, you can just replace a jump instruction at the right place, making the program accept any input.
I tried save the value 0xf in local_8h between the sscanf and compare instructions but sadly I couldn’t. I think it has something to do with the instructions size but I’m still looking into it. Let me show you.
I’ve been trying to get around this for the last couple days, but I guess I need to dedicate some time to this issue. If you know the reason for this to happen, leave me a comment or email me. I’ll be very grateful!
So I moved on, and contrary to what I wanted, I used a lazy method: inserted a compare instruction and a jump to the “Password OK” string. Here’s the code.
Simple. Let’s test it.
How did you crack this one? Let me know!!!