Crackme0x08 Dissected with Radare2

Crackme0x08 Dissected with Radare2

It’s not something new that both password and the environment variable are the same for the last exercises. But the fact that the code itself is almost the same… Well, that’s boring! Anyway, let’s analyze crackme0x08 and see what it reserved for us.

Getting the Crackme0x08 password through analysis

afll of Crackme0x08

Contrary to what I expected, the name of the functions is very similar to the ones in Crackme0x06. I expected to see names like fcn.0804xxxx, the next step of “evolution” when compared to Crackme0x07.

Crackme0x08 has just one more function than the previous exercise, sym.che. But this does not mean that the code inside each function is the same.

Let’s start from the beginning and describe each function.

  • main

In the main function, all those strings that present the challenge are printed. Also, we’re asked for a password for this challenge. From here, we go to sym.check.

  • check

This is the function responsible for checking if the sum (remember, from left to right) of the digits of your password at any point results in 0x10. It is also the one that will call sym.parell and sym.che, but let’s try not call this last one 🙂

One more detail. There is an isolated section of code, the one that contains the “wtf” string. I’ve made some tests and couldn’t find a way to reach this set of instructions (without assembling more instruction, of course).

wtf

I do believe that this sample of code is somehow a decoy or a kind of goal, so you can make some modifications to the code in order to make this section reachable, for education purposes. But that’s just my guess.

It’s true that the previous Crackme had this piece of code, but I decided not to talk about it without making further tests.

  • parell

This is the function that will check if your number is even and delegate to dummy the task of checking if you have the “LOL” environment variable set. If at this point all the conditions are met, you will be presented with the “Password OK!” and the program will exit. The trick to check the parity of your number remains the same.

  • dummy

I won’t waste time describing this function because I already did it in Crackme0x06, and the code is very similar. For those that are not following my posts, this function is the one that will check if the environment variable “LOL” exists.

  • che

This is the function where you will end up if you forget to attend one of the conditions, the one that will print the “Password Incorrect!”. 7 lines of instruction to ruin your day…

There is not much to explain at the instruction’s level, the code is very similar to what I explained in the past posts. Anyway, if you have any question, feel free to send a message or leave a comment.

 

Solution

Once more, solving crackme0x08 means to meet some conditions:

  • We must sum the digits of the number provided, from the left to right, until we get 0x10
  • We must set the environment variable LOL
  • The number must be even
  • The number must be less or equal than 2,147,299,998

 

Modifying Crackme0x08 to accept any password

That piece of unreachable code… Such a waste! Let’s make it executable.

Notice that I can’t allow the upper code to be executed, because the program will try to check the parity of my input and the goal is to make this crackme accept any password.

So, why can’t we print both strings???

After collecting our input, let’s jump right to “wtf” string.

1st modification

Then, we jump to the “Password OK!” string. The address that you see right after the printf call is the instruction of the “Password OK!”.

2nd modification

Apart from what you pass as an input, you will always see two messages after providing a password: “wtf?” and “Password OK!”

Let’s confirm.

Result of Crackme0x08

Nailed!

 

Walkthrough video

Leave a Reply

Your email address will not be published. Required fields are marked *