Crackme0x06 Dissected with Radare2

Crackme0x06! A new exercise, a new function, and some new tricks on the way to the much-wanted “Password OK”.

This exercise is very similar to the previous one, so I won’t go through the functions that were already explained there.

Getting the Crackme0x06 password through analysis

As usual, let’s check the functions available.

afll for crackme0x06

We’ve got a new function: dummy.

One of the conditions we saw before must still be met before we get anywhere near this function: the digits of the number are summed from left to right, and the running sum has to hit 0x10 (16 in decimal). If it does, we are on the right path, sym.check hands over to sym.parell, and parell is the one that calls dummy.

Let’s take a peek into this function.

dummy

There’s a lot going on here. This (not so) dummy function messed up my brain with all those “eax*4”.

Before we continue, let me show you something that I saw when I started debugging this function.

afvd

LS_COLORS?! Are we painting now???

I didn’t know what to expect at this point, so I googled it and ended up finding that this is an environment variable…

So that you can follow my explanation, let me say up front what this function does: it looks for something in your environment variables, looping through all of them.

Moving on, at the beginning of this function we see local_4h being reset to zero; it is the index of the loop.

The next few instructions, up to the compare, make sure you end up with “Invalid Password” once every environment variable has been compared and the desired one was not found: the walk stops when the array of pointers runs out (it is NULL-terminated). arg_ch, as you have seen, holds envp, a pointer to that array, so it points (indirectly) at the first environment variable.

Pay attention to the manipulation of the ecx and edx registers at address 0x080484d7 and the instruction after it. ecx holds the step (the index times 4) used to move to the next environment variable; edx holds a copy of the address where the array starts, that is, where the pointer to the first environment variable lives.

Iterating over all the environment variables is then just a matter of adding these two registers, as you can see at address 0x080484f6.

env_vars

This is what happens. edx is “the same” as arg_ch, the start of the array of pointers, and ecx selects one box of the middle column. Each box is 4 bytes wide (that is the eax*4: pointers are 4 bytes in this 32-bit binary) and holds the address of one environment string of the form NAME=value.

Now we see a 3 being moved to local_8h and the string “LOLO” being loaded into local_4h_2, followed by a call to strncmp. strncmp takes three arguments: two strings and a length. Obviously the 3 is the length, “LOLO” is one of the strings, and the other is the current environment entry. Since only three characters are compared, you are really comparing “LOL” with the first three characters of a NAME=value entry. The test instruction that follows is easy to read, because strncmp returns 0 when (in this case) the first 3 bytes of both strings match.

In that case, we’ll leave the function with 1 loaded into the eax register.

Back in the parell function, and just as in crackme0x05, the number provided is checked for being even.

Solution

To solve crackme0x06 exercise the following conditions must be met:

  • We must sum the digits of the number provided, from left to right, until we get 0x10
  • We must set the environment variable LOL (only the first three characters of the entry are compared, so the name has to start with LOL)
  • The number must be even

To set an environment variable, use the command “export LOL=something”. You can also run the exercise as “LOL=something ./crackme0x06”. Because dummy compares only three bytes of each NAME=value entry, a variable whose name merely starts with LOL (LOLO, LOLA, …) satisfies it as well; a lowercase lol does not, since strncmp is case-sensitive.
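As an added example (not code from the original post), here is a C model of the three checks recovered above: the left-to-right digit sum in sym.check, the environment scan in dummy and the even test in parell. The function names, the sample environments and the candidate search are my own; only the constants (0x10, “LOLO”, the strncmp length of 3) come from the disassembly walk-through. The model assumes the envp array is NULL-terminated, which is how the C runtime builds it, and that non-digit characters are simply skipped by the digit sum.

```c
/* Added example, not the crackme's own source: a C model of the checks the
 * post recovers from crackme0x06, written to mirror sym.check, sym.parell
 * and sym.dummy. Names are my own; constants come from the disassembly. */
#include <stdio.h>
#include <string.h>

/* Constructed sample environments (not captured from a real process). */
char *ENV_WITH_LOL[]      = { "PATH=/usr/bin", "LOL=something", "LS_COLORS=rs=0", NULL };
char *ENV_WITHOUT_LOL[]   = { "PATH=/usr/bin", "LS_COLORS=rs=0", NULL };
char *ENV_LOL_PREFIX[]    = { "LOLA=1", NULL };   /* name merely starts with LOL */
char *ENV_LOWERCASE_LOL[] = { "lol=1", NULL };    /* strncmp is case-sensitive */

/* sym.dummy: walk the NULL-terminated envp array (the edx + ecx addressing,
 * ecx = index * 4 because pointers are 4 bytes in this 32-bit binary) and
 * compare the first 3 bytes of each "NAME=value" entry with "LOLO", i.e.
 * effectively with "LOL". Returns 1 on the first match, 0 if the array's
 * terminating NULL is reached without one. */
int dummy_model(char **envp)
{
    for (int i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], "LOLO", 3) == 0)
            return 1;
    }
    return 0;
}

/* sym.check: add the digits from left to right; the condition holds as soon
 * as the running sum equals 0x10 (16). Overshooting 16 never comes back.
 * Assumption of this model: characters that are not digits are skipped. */
int check_model(const char *password)
{
    int sum = 0;
    for (const char *p = password; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            continue;
        sum += *p - '0';
        if (sum == 0x10)
            return 1;
    }
    return 0;
}

/* sym.parell: parse the number with sscanf("%d"), require dummy() to have
 * found the variable, then test the lowest bit (the "and eax, 1" that the
 * patching section later neutralises). Returns 1 for "Password OK". */
int parell_model(const char *password, char **envp)
{
    int n;
    if (sscanf(password, "%d", &n) != 1)
        return 0;
    if (!dummy_model(envp))
        return 0;
    return (n & 1) == 0;
}

/* The whole gate: check() only hands over to parell() once its sum hits 0x10. */
int password_ok(const char *password, char **envp)
{
    return check_model(password) && parell_model(password, envp);
}

/* Enumerate the passwords below `limit` that pass once LOL is set: even
 * numbers whose running digit sum reaches 16. Stores at most `max` of them
 * in `out` and returns how many were found. */
int find_candidates(int limit, int *out, int max)
{
    int found = 0;
    char buf[16];
    for (int n = 0; n < limit && found < max; n++) {
        snprintf(buf, sizeof buf, "%d", n);
        if (check_model(buf) && (n & 1) == 0)
            out[found++] = n;
    }
    return found;
}

int main(void)
{
    int cands[64];
    int count = find_candidates(1000, cands, 64);
    printf("%d even candidates below 1000 whose digit sum reaches 0x10:", count);
    for (int i = 0; i < count; i++)
        printf(" %d", cands[i]);
    printf("\npassword_ok(\"88\") with LOL set:  %d\n", password_ok("88", ENV_WITH_LOL));
    printf("password_ok(\"88\") without LOL:  %d\n", password_ok("88", ENV_WITHOUT_LOL));
    printf("password_ok(\"88\") with LOLA set: %d\n", password_ok("88", ENV_LOL_PREFIX));
    return 0;
}
```

Build with `gcc -std=c99 -Wall -o model model.c` and run it: 88 is the only two-digit answer, 79 fails only on the parity test, and LOLA=1 satisfies dummy just like LOL=something because only three bytes are compared.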

Modifying Crackme0x06 to accept any password

To make this crackme accept any password we can simply make the following modifications.

In the check function, replace the jae with an unconditional jump to the call to sym.parell.

jmp
jmp in sym.check

Next, we go to the dummy function and, again, replace the je with an unconditional jump to address 0x08048505, so the function always leaves through the path taken when the variable is found.

jmp
jmp in sym.dummy

After this, the program still checks whether we entered an even number. We don’t want that. So let’s rewrite the and instruction in parell so that it clears eax: the parity test then always sees zero, i.e. “even”.

and
and in sym.parell

I think this is enough. Let’s confirm.

solution of crackme0x06

Yep. Seems cracked 😉

Notice that you no longer need the environment variable.

Do you have a more clever way to crack this one?

Walkthrough video

https://www.youtube.com/watch?v=ZGMM8Km67T8

2 thoughts on “Crackme0x06 Dissected with Radare2”

  1. Hello again,
    just one question, how can you know which is the passed argument to some function, for example if you see the parell function before calling dummy we can see the following instructions:
    “mov eax, dword [arg_ch]
    mov dword [local_4h_2], eax
    mov eax, dword [local_4h]
    mov dword [esp], eax
    call sym.dummy”
    we can see dummy has only one argument, so I supposed it was the one on the stack, but it is not this one; the one passed is local_4h_2, if I’m not wrong.
    So how can we know this? It is just a matter of looking at the function code?
    In that case, how can I see for example the instructions for the sscanf function? I have tried
    s sym.imp.sscanf
    pdf
    but I obtain this
    / (fcn) sym.imp.sscanf 6
    | sym.imp.sscanf ();
    | ; CALL XREF from 0x08048535 (sym.parell)
    | ; CALL XREF from 0x080485cd (sym.check)
    \ 0x080483c8 ff2510a00408 jmp dword [reloc.sscanf_16] ; 0x804a010
    but I dont understand this.
    The same question but for how to know where a function returns what it computes, is it just a conduct code between programmers, looking at the code or what?

    Thanks for all.

    1. Hello again vlo,

      Glad to see that you’re following my posts.
      dummy needs your environment variables so it can check if “LOL” is present. local_4h_2 is used to pass the ENV VARS. You can confirm this inside the parell function. Then go into dummy and confirm that the address of arg_ch is the same as local_4h_2. Answering your question: yes, it’s just a matter of looking at the code. Programs can manipulate the registers and variables in order to pass values to their functions.
      Having said that, they can manipulate those registers and variables to return values too. In dummy, notice that if “LOL” is one of the ENV VARS, local_8h_2 will hold “1”, which will be moved to eax, and then the function exits. After this, the value of eax is tested, so it’s pretty clear that eax was used to return the value.

      Hope I was clear,
      MOVEAX.ME
