Defeating ioli with radare2

Just For fun

译者表示:把两篇文章揉合到了一起。

原文自:Defeating ioli with radare2Crackme solution from pancake 需要:

crackme 0x00

第一个crackme,非常简单。

 ✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x00
IOLI Crackme Level 0x00
Password: 1234
Invalid Password!

⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x00
 -- I script in C, because fuck you.
[0x08048360]> aa
[0x08048360]> pdf@sym.main
|          ; DATA XREF from 0x08048377 (fcn.08048356)
/ (fcn) sym.main 127
|          0x08048414    55           push ebp
|          0x08048415    89e5         mov ebp, esp
|          0x08048417    83ec28       sub esp, 0x28
|          0x0804841a    83e4f0       and esp, 0xfffffff0
|          0x0804841d    b800000000   mov eax, 0x0
|          0x08048422    83c00f       add eax, 0xf
|          0x08048425    83c00f       add eax, 0xf
|          0x08048428    c1e804       shr eax, 0x4
|          0x0804842b    c1e004       shl eax, 0x4
|          0x0804842e    29c4         sub esp, eax
|          0x08048430    c7042468850. mov dword [esp], str.IOLI_Crackme_Level_0x00_n ; str.IOLI_Crackme_Level_0x00_n
|          0x08048437    e804ffffff   call sym.imp.printf ; (fcn.08048336)
|             fcn.08048336(unk) ; sym.imp.printf
|          0x0804843c    c7042481850. mov dword [esp], str.Password_ ; str.Password_
|          0x08048443    e8f8feffff   call sym.imp.printf ; (fcn.08048336)
|             fcn.08048336() ; sym.imp.printf
|          0x08048448    8d45e8       lea eax, [ebp-0x18]
|          0x0804844b    89442404     mov [esp+0x4], eax
|          0x0804844f    c704248c850. mov dword [esp], 0x804858c ;  0x0804858c 
|          0x08048456    e8d5feffff   call sym.imp.scanf ; (fcn.08048326)
|             fcn.08048326() ; sym.imp.scanf
|          0x0804845b    8d45e8       lea eax, [ebp-0x18]
|          0x0804845e    c74424048f8. mov dword [esp+0x4], str.250382 ; str.250382
|          0x08048466    890424       mov [esp], eax
|          0x08048469    e8e2feffff   call sym.imp.strcmp ; (fcn.08048346)
|             fcn.08048346() ; sym.imp.strcmp
|          0x0804846e    85c0         test eax, eax
|      ,=< 0x08048470    740e         je 0x8048480
|      |   0x08048472    c7042496850. mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n
|      |   0x08048479    e8c2feffff   call sym.imp.printf ; (fcn.08048336)
|      |      fcn.08048336() ; sym.imp.printf
|     ,==< 0x0804847e    eb0c         jmp 0x804848c ; (sym.main)
|     ||   ; JMP XREF from 0x08048470 (unk)
|     |`-> 0x08048480    c70424a9850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n
|     |    0x08048487    e8b4feffff   call sym.imp.printf ; (fcn.08048336)
|     |       fcn.08048336() ; sym.imp.printf
|     `--> 0x0804848c    b800000000   mov eax, 0x0
|          0x08048491    c9           leave
\          0x08048492    c3           ret
[0x08048360]> s 0x0804847e
[0x0804847e]> wx eb
[0x0804847e]> px 20
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0804847e  eb0c c704 24a9 8504 08e8 b4fe ffff b800  ....$...........
0x0804848e  0000 00c9                                ....            
[0x0804847e]> pD 20
|      ,=< 0x0804847e    eb0c         jmp 0x804848c ; (sym.main)
|      |   ; JMP XREF from 0x08048470 (unk)
|      |   0x08048480    c70424a9850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n
|      |   0x08048487    e8b4feffff   call sym.imp.printf ; (fcn.08048336)
|      |      fcn.08048336() ; sym.imp.printf
|      `-> 0x0804848c    b800000000   mov eax, 0x0
|          0x08048491    c9           leave
[0x08048470]> q

输入任何密码。

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x00
IOLI Crackme Level 0x00
Password: 12345
Password OK :)

crackme0x01

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x01
IOLI Crackme Level 0x01
Password: 12345
Invalid Password!

反汇编我们看到有个跳转到=OK=的=je=,改成=jmp=

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x01
 -- Deltify your life with radare2
[0x08048330]> aa
[0x08048330]> pdf@sym.main 
|          ; DATA XREF from 0x08048347 (fcn.08048322)
/ (fcn) sym.main 113
|          0x080483e4    55           push ebp
|          0x080483e5    89e5         mov ebp, esp
|          0x080483e7    83ec18       sub esp, 0x18
|          0x080483ea    83e4f0       and esp, 0xfffffff0
|          0x080483ed    b800000000   mov eax, 0x0
|          0x080483f2    83c00f       add eax, 0xf
|          0x080483f5    83c00f       add eax, 0xf
|          0x080483f8    c1e804       shr eax, 0x4
|          0x080483fb    c1e004       shl eax, 0x4
|          0x080483fe    29c4         sub esp, eax
|          0x08048400    c7042428850. mov dword [esp], str.IOLI_Crackme_Level_0x01_n ; str.IOLI_Crackme_Level_0x01_n
|          0x08048407    e810ffffff   call sym.imp.printf ; (fcn.08048312)
|             fcn.08048312(unk) ; sym.imp.printf
|          0x0804840c    c7042441850. mov dword [esp], str.Password_ ; str.Password_
|          0x08048413    e804ffffff   call sym.imp.printf ; (fcn.08048312)
|             fcn.08048312() ; sym.imp.printf
|          0x08048418    8d45fc       lea eax, [ebp-0x4]
|          0x0804841b    89442404     mov [esp+0x4], eax
|          0x0804841f    c704244c850. mov dword [esp], 0x804854c ;  0x0804854c 
|          0x08048426    e8e1feffff   call sym.imp.scanf ; (fcn.08048302)
|             fcn.08048302() ; sym.imp.scanf
|          0x0804842b    817dfc9a140. cmp dword [ebp-0x4], 0x149a
|      ,=< 0x08048432    740e         je 0x8048442
|      |   0x08048434    c704244f850. mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n
|      |   0x0804843b    e8dcfeffff   call sym.imp.printf ; (fcn.08048312)
|      |      fcn.08048312() ; sym.imp.printf
|     ,==< 0x08048440    eb0c         jmp 0x804844e ; (sym.main)
|     ||   ; JMP XREF from 0x08048432 (unk)
|     |`-> 0x08048442    c7042462850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n
|     |    0x08048449    e8cefeffff   call sym.imp.printf ; (fcn.08048312)
|     |       fcn.08048312() ; sym.imp.printf
|     `--> 0x0804844e    b800000000   mov eax, 0x0
|          0x08048453    c9           leave
\          0x08048454    c3           ret
[0x08048330]> s 0x08048432
[0x08048432]> wx eb
[0x08048432]> q

接着输入任何密码:

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x01
IOLI Crackme Level 0x01
Password: 12345
Password OK :)

crackme0x02

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x02
IOLI Crackme Level 0x02
Password: 12345
Invalid Password!

这回还是个比较,将后面的=je=判断改成=nop=。有兴趣还可以笔算下怎么生成的密码。

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x02
 -- Invert the block bytes using the 'I' key in visual mode
[0x08048330]> aa
[0x08048330]> pdf@sym.main
|          ; DATA XREF from 0x08048347 (fcn.08048322)
/ (fcn) sym.main 144
|          0x080483e4    55           push ebp
|          0x080483e5    89e5         mov ebp, esp
|          0x080483e7    83ec18       sub esp, 0x18
|          0x080483ea    83e4f0       and esp, 0xfffffff0
|          0x080483ed    b800000000   mov eax, 0x0
|          0x080483f2    83c00f       add eax, 0xf
|          0x080483f5    83c00f       add eax, 0xf
|          0x080483f8    c1e804       shr eax, 0x4
|          0x080483fb    c1e004       shl eax, 0x4
|          0x080483fe    29c4         sub esp, eax
|          0x08048400    c7042448850. mov dword [esp], str.IOLI_Crackme_Level_0x02_n ; str.IOLI_Crackme_Level_0x02_n
|          0x08048407    e810ffffff   call sym.imp.printf ; (fcn.08048312)
|             fcn.08048312(unk) ; sym.imp.printf
|          0x0804840c    c7042461850. mov dword [esp], str.Password_ ; str.Password_
|          0x08048413    e804ffffff   call sym.imp.printf ; (fcn.08048312)
|             fcn.08048312() ; sym.imp.printf
|          0x08048418    8d45fc       lea eax, [ebp-0x4]
|          0x0804841b    89442404     mov [esp+0x4], eax
|          0x0804841f    c704246c850. mov dword [esp], 0x804856c ;  0x0804856c 
|          0x08048426    e8e1feffff   call sym.imp.scanf ; (fcn.08048302)
|             fcn.08048302() ; sym.imp.scanf
|          0x0804842b    c745f85a000. mov dword [ebp-0x8], 0x5a ;  0x0000005a 
|          0x08048432    c745f4ec010. mov dword [ebp-0xc], 0x1ec ;  0x000001ec 
|          0x08048439    8b55f4       mov edx, [ebp-0xc]
|          0x0804843c    8d45f8       lea eax, [ebp-0x8]
|          0x0804843f    0110         add [eax], edx
|          0x08048441    8b45f8       mov eax, [ebp-0x8]
|          0x08048444    0faf45f8     imul eax, [ebp-0x8]
|          0x08048448    8945f4       mov [ebp-0xc], eax
|          0x0804844b    8b45fc       mov eax, [ebp-0x4]
|          0x0804844e    3b45f4       cmp eax, [ebp-0xc]
|      ,=< 0x08048451    750e         jne 0x8048461
|      |   0x08048453    c704246f850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n
|      |   0x0804845a    e8bdfeffff   call sym.imp.printf ; (fcn.08048312)
|      |      fcn.08048312() ; sym.imp.printf
|     ,==< 0x0804845f    eb0c         jmp 0x804846d ; (sym.main)
|     ||   ; JMP XREF from 0x08048451 (unk)
|     |`-> 0x08048461    c704247f850. mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n
|     |    0x08048468    e8affeffff   call sym.imp.printf ; (fcn.08048312)
|     |       fcn.08048312() ; sym.imp.printf
|     `--> 0x0804846d    b800000000   mov eax, 0x0
|          0x08048472    c9           leave
\          0x08048473    c3           ret
[0x08048330]> s 0x08048451
[0x08048451]> wx 9090
[0x08048451]> px 10
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x08048451  9090 c704 246f 8504 08e8                 ....$o....      
[0x08048451]> q

输入任何密码:

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x02
IOLI Crackme Level 0x02
Password: 12345
Password OK :)

crackme0x03

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x03
IOLI Crackme Level 0x03
Password: 12345
Invalid Password!

这回发现难一些了,没有明文字符串。main函数调用一个=test=,=test=又调用=shift=。虽然不知道这些函数是干嘛的。但发现=sym.test=中有两个似乎加密过的字符串,可能对应=invalid=和=Ok=两个字符串。

猜测=sym.shift=是一种移位加密方法。

基本上可以猜出来=0x0804848a=是=OK=的地方

 ✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x03
 -- Use zoom.byte=entropy and press 'z' in visual mode to zoom out to see the entropy of the whole file
[0x08048360]> aa
[0x08048360]> pdf@sym.main
|          ; UNKNOWN XREF from 0x0804847a (unk)
|          ; DATA XREF from 0x08048377 (fcn.08048356)
/ (fcn) sym.main 128
|          0x08048498    55           push ebp
|          0x08048499    89e5         mov ebp, esp
|          0x0804849b    83ec18       sub esp, 0x18
|          0x0804849e    83e4f0       and esp, 0xfffffff0
|          0x080484a1    b800000000   mov eax, 0x0
|          0x080484a6    83c00f       add eax, 0xf
|          0x080484a9    83c00f       add eax, 0xf
|          0x080484ac    c1e804       shr eax, 0x4
|          0x080484af    c1e004       shl eax, 0x4
|          0x080484b2    29c4         sub esp, eax
|          0x080484b4    c7042410860. mov dword [esp], str.IOLI_Crackme_Level_0x03_n ; str.IOLI_Crackme_Level_0x03_n
|          0x080484bb    e890feffff   call sym.imp.printf
|             sym.imp.printf(unk)
|          0x080484c0    c7042429860. mov dword [esp], str.Password_ ; str.Password_
|          0x080484c7    e884feffff   call sym.imp.printf
|             sym.imp.printf()
|          0x080484cc    8d45fc       lea eax, [ebp-0x4]
|          0x080484cf    89442404     mov [esp+0x4], eax
|          0x080484d3    c7042434860. mov dword [esp], 0x8048634 ;  0x08048634 
|          0x080484da    e851feffff   call sym.imp.scanf
|             sym.imp.scanf()
|          0x080484df    c745f85a000. mov dword [ebp-0x8], 0x5a ;  0x0000005a 
|          0x080484e6    c745f4ec010. mov dword [ebp-0xc], 0x1ec ;  0x000001ec 
|          0x080484ed    8b55f4       mov edx, [ebp-0xc]
|          0x080484f0    8d45f8       lea eax, [ebp-0x8]
|          0x080484f3    0110         add [eax], edx
|          0x080484f5    8b45f8       mov eax, [ebp-0x8]
|          0x080484f8    0faf45f8     imul eax, [ebp-0x8]
|          0x080484fc    8945f4       mov [ebp-0xc], eax
|          0x080484ff    8b45f4       mov eax, [ebp-0xc]
|          0x08048502    89442404     mov [esp+0x4], eax
|          0x08048506    8b45fc       mov eax, [ebp-0x4]
|          0x08048509    890424       mov [esp], eax
|          0x0804850c    e85dffffff   call sym.test
|             sym.test()
|          0x08048511    b800000000   mov eax, 0x0
|          0x08048516    c9           leave
\          0x08048517    c3           ret
[0x08048360]> pdf@sym.test
|          ; UNKNOWN XREF from 0x0804846e (unk)
|          ; CALL XREF from 0x0804850c (unk)
/ (fcn) sym.test 42
|          0x0804846e    55           push ebp
|          0x0804846f    89e5         mov ebp, esp
|          0x08048471    83ec08       sub esp, 0x8
|          0x08048474    8b4508       mov eax, [ebp+0x8]
|          0x08048477    3b450c       cmp eax, [ebp+0xc]
|      ,=< 0x0804847a    740e         je loc.0804848a
|      |   0x0804847c    c70424ec850. mov dword [esp], str.Lqydolg_Sdvvzrug_ ; str.Lqydolg_Sdvvzrug_
|      |   0x08048483    e88cffffff   call sym.shift
|      |      sym.shift(unk)
|     ,==< 0x08048488    eb0c         jmp loc.08048496
|     ||   ; JMP XREF from 0x0804847a (unk)
|- loc.0804848a 14
|     |`-> 0x0804848a    c70424fe850. mov dword [esp], str.Sdvvzrug_RN______ ; str.Sdvvzrug_RN______
|     |    0x08048491    e87effffff   call sym.shift
|     |       sym.shift()
|     |    ; JMP XREF from 0x08048488 (unk)
|- loc.08048496 2
|     `--> 0x08048496    c9           leave
\          0x08048497    c3           ret
[0x08048360]> s 0x0804847a
[0x0804847a]> px 20
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0804847a  7400 0000 24ec 8504 08e8 8cff ffff eb0c  t...$...........
0x0804848a  c704 24fe                                ..$.            
[0x0804847a]> wx eb
[0x0804847a]> px 20
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0804847a  eb0e c704 24ec 8504 08e8 8cff ffff eb0c  ....$...........
0x0804848a  c704 24fe                                ..$.            
[0x0804847a]> pdf@sym.test
|          ; UNKNOWN XREF from 0x0804846e (unk)
|          ; CALL XREF from 0x0804850c (unk)
/ (fcn) sym.test 42
|          0x0804846e    55           push ebp
|          0x0804846f    89e5         mov ebp, esp
|          0x08048471    83ec08       sub esp, 0x8
|          0x08048474    8b4508       mov eax, [ebp+0x8]
|          0x08048477    3b450c       cmp eax, [ebp+0xc]
|      ,=< 0x0804847a    eb0e         jmp loc.0804848a
|      |   0x0804847c    c70424ec850. mov dword [esp], str.Lqydolg_Sdvvzrug_ ; str.Lqydolg_Sdvvzrug_
|      |   0x08048483    e88cffffff   call sym.shift
|      |      sym.shift(unk)
|     ,==< 0x08048488    eb0c         jmp loc.08048496
|     ||   ; JMP XREF from 0x0804847a (unk)
|- loc.0804848a 14
|     |`-> 0x0804848a    c70424fe850. mov dword [esp], str.Sdvvzrug_RN______ ; str.Sdvvzrug_RN______
|     |    0x08048491    e87effffff   call sym.shift
|     |       sym.shift()
|     |    ; JMP XREF from 0x08048488 (unk)
|- loc.08048496 2
|     `--> 0x08048496    c9           leave
\          0x08048497    c3           ret
[0x0804847a]> q

输入任意密码

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x03                
IOLI Crackme Level 0x03
Password: 12345
Password OK!!! :)

crackme0x04

尝试12345竟然成功了……这不重要,README中给出了所有crackme的密码方便破解。

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x04
IOLI Crackme Level 0x04
Password: aaaaa
Password Incorrect!

又一个叫=sym.check=的函数,里头赫然写着明文的=invalid=和=ok=。仍然是将判断跳转改成什么都不做。

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x04
 -- Interpret your own radare2 scripts with '. <path-to-your-script>'. Similar to the bash source alias command.
[0x080483d0]> aa
[0x080483d0]> pdf@sym.main
|          ; UNKNOWN XREF from 0x08048509 (unk)
|          ; DATA XREF from 0x080483e7 (fcn.080483ba)
/ (fcn) sym.main 92
|          0x08048509    55           push ebp
|          0x0804850a    89e5         mov ebp, esp
|          0x0804850c    81ec88000000 sub esp, 0x88
|          0x08048512    83e4f0       and esp, 0xfffffff0
|          0x08048515    b800000000   mov eax, 0x0
|          0x0804851a    83c00f       add eax, 0xf
|          0x0804851d    83c00f       add eax, 0xf
|          0x08048520    c1e804       shr eax, 0x4
|          0x08048523    c1e004       shl eax, 0x4
|          0x08048526    29c4         sub esp, eax
|          0x08048528    c704245e860. mov dword [esp], str.IOLI_Crackme_Level_0x04_n ; str.IOLI_Crackme_Level_0x04_n
|          0x0804852f    e860feffff   call sym.imp.printf
|             sym.imp.printf(unk)
|          0x08048534    c7042477860. mov dword [esp], str.Password_ ; str.Password_
|          0x0804853b    e854feffff   call sym.imp.printf
|             sym.imp.printf()
|          0x08048540    8d4588       lea eax, [ebp-0x78]
|          0x08048543    89442404     mov [esp+0x4], eax
|          0x08048547    c7042482860. mov dword [esp], 0x8048682 ;  0x08048682 
|          0x0804854e    e821feffff   call sym.imp.scanf
|             sym.imp.scanf()
|          0x08048553    8d4588       lea eax, [ebp-0x78]
|          0x08048556    890424       mov [esp], eax
|          0x08048559    e826ffffff   call sym.check
|             sym.check()
|          0x0804855e    b800000000   mov eax, 0x0
|          0x08048563    c9           leave
\          0x08048564    c3           ret
[0x080483d0]> pdf@sym.check
|          ; CALL XREF from 0x08048559 (unk)
/ (fcn) sym.check 133
|          0x08048484    55           push ebp
|          0x08048485    89e5         mov ebp, esp
|          0x08048487    83ec28       sub esp, 0x28
|          0x0804848a    c745f800000. mov dword [ebp-0x8], 0x0
|          0x08048491    c745f400000. mov dword [ebp-0xc], 0x0
|    .---> 0x08048498    8b4508       mov eax, [ebp+0x8]
|    |     0x0804849b    890424       mov [esp], eax
|    |     0x0804849e    e8e1feffff   call sym.imp.strlen ; (fcn.0804837a)
|    |        fcn.0804837a(unk) ; sym.imp.strlen
|    |     0x080484a3    3945f4       cmp [ebp-0xc], eax
|    | ,=< 0x080484a6    7353         jae 0x80484fb
|    | |   0x080484a8    8b45f4       mov eax, [ebp-0xc]
|    | |   0x080484ab    034508       add eax, [ebp+0x8]
|    | |   0x080484ae    0fb600       movzx eax, byte [eax]
|    | |   0x080484b1    8845f3       mov [ebp-0xd], al
|    | |   0x080484b4    8d45fc       lea eax, [ebp-0x4]
|    | |   0x080484b7    89442408     mov [esp+0x8], eax
|    | |   0x080484bb    c7442404388. mov dword [esp+0x4], 0x8048638 ;  0x08048638 
|    | |   0x080484c3    8d45f3       lea eax, [ebp-0xd]
|    | |   0x080484c6    890424       mov [esp], eax
|    | |   0x080484c9    e8d6feffff   call sym.imp.sscanf ; (fcn.0804839a)
|    | |      fcn.0804839a() ; sym.imp.sscanf
|    | |   0x080484ce    8b55fc       mov edx, [ebp-0x4]
|    | |   0x080484d1    8d45f8       lea eax, [ebp-0x8]
|    | |   0x080484d4    0110         add [eax], edx
|    | |   0x080484d6    837df80f     cmp dword [ebp-0x8], 0xf
|    |,==< 0x080484da    7518         jne 0x80484f4
|    |||   0x080484dc    c704243b860. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
|    |||   0x080484e3    e8acfeffff   call sym.imp.printf
|    |||      sym.imp.printf()
|    |||   0x080484e8    c7042400000. mov dword [esp], 0x0
|    |||   0x080484ef    e8c0feffff   call sym.imp.exit ; (fcn.080483aa)
|    |||      fcn.080483aa() ; sym.imp.exit
|    |`--> 0x080484f4    8d45f4       lea eax, [ebp-0xc]
|    | |   0x080484f7    ff00         inc dword [eax]
|    `===< 0x080484f9    eb9d         jmp 0x8048498 ; (sym.check)
|      |   ; JMP XREF from 0x080484a6 (unk)
|      `-> 0x080484fb    c7042449860. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n
|          0x08048502    e88dfeffff   call sym.imp.printf
|             sym.imp.printf()
|          0x08048507    c9           leave
\          0x08048508    c3           ret
[0x080483d0]> s 0x080484da
[0x080484da]> wx 9090
[0x080484da]> q

输入任何密码:

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x04
IOLI Crackme Level 0x04
Password: aaaaa
Password OK!

crackme0x05

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x05
IOLI Crackme Level 0x05
Password: 12345
Password Incorrect!

sym.parell? 在三个地方都有判断,更改到让程序直接执行到=OK=字符串位置。

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x05
 -- Use -e bin.strings=false to disable search for strings when loading the binary.
[0x080483d0]> aa
[0x080483d0]> pdf@sym.main
|          ; UNKNOWN XREF from 0x080484ea (unk)
|          ; DATA XREF from 0x080483e7 (fcn.080483ba)
/ (fcn) sym.main 92
|          0x08048540    55           push ebp
|          0x08048541    89e5         mov ebp, esp
|          0x08048543    81ec88000000 sub esp, 0x88
|          0x08048549    83e4f0       and esp, 0xfffffff0
|          0x0804854c    b800000000   mov eax, 0x0
|          0x08048551    83c00f       add eax, 0xf
|          0x08048554    83c00f       add eax, 0xf
|          0x08048557    c1e804       shr eax, 0x4
|          0x0804855a    c1e004       shl eax, 0x4
|          0x0804855d    29c4         sub esp, eax
|          0x0804855f    c704248e860. mov dword [esp], str.IOLI_Crackme_Level_0x05_n ; str.IOLI_Crackme_Level_0x05_n
|          0x08048566    e829feffff   call sym.imp.printf
|             sym.imp.printf(unk)
|          0x0804856b    c70424a7860. mov dword [esp], str.Password_ ; str.Password_
|          0x08048572    e81dfeffff   call sym.imp.printf
|             sym.imp.printf()
|          0x08048577    8d4588       lea eax, [ebp-0x78]
|          0x0804857a    89442404     mov [esp+0x4], eax
|          0x0804857e    c70424b2860. mov dword [esp], 0x80486b2 ;  0x080486b2 
|          0x08048585    e8eafdffff   call sym.imp.scanf
|             sym.imp.scanf()
|          0x0804858a    8d4588       lea eax, [ebp-0x78]
|          0x0804858d    890424       mov [esp], eax
|          0x08048590    e833ffffff   call sym.check
|             sym.check()
|          0x08048595    b800000000   mov eax, 0x0
|          0x0804859a    c9           leave
\          0x0804859b    c3           ret
[0x080483d0]> pdf@sym.check 
|   |      ; UNKNOWN XREF from 0x080484c8 (unk)
|   |      ; CALL XREF from 0x08048590 (unk)
/ (fcn) sym.check 120
|   |      0x080484c8    55           push ebp
|   |      0x080484c9    89e5         mov ebp, esp
|   |      0x080484cb    83ec28       sub esp, 0x28
|   |      0x080484ce    c745f800000. mov dword [ebp-0x8], 0x0
|   |      0x080484d5    c745f400000. mov dword [ebp-0xc], 0x0
|   |      ; JMP XREF from 0x08048530 (unk)
|- loc.080484dc 100
|   |.---> 0x080484dc    8b4508       mov eax, [ebp+0x8]
|   ||     0x080484df    890424       mov [esp], eax
|   ||     0x080484e2    e89dfeffff   call sym.imp.strlen
|   ||        sym.imp.strlen(unk)
|   ||     0x080484e7    3945f4       cmp [ebp-0xc], eax
|   || ,=< 0x080484ea    7346         jae loc.08048532
|   || |   0x080484ec    8b45f4       mov eax, [ebp-0xc]
|   || |   0x080484ef    034508       add eax, [ebp+0x8]
|   || |   0x080484f2    0fb600       movzx eax, byte [eax]
|   || |   0x080484f5    8845f3       mov [ebp-0xd], al
|   || |   0x080484f8    8d45fc       lea eax, [ebp-0x4]
|   || |   0x080484fb    89442408     mov [esp+0x8], eax
|   || |   0x080484ff    c7442404688. mov dword [esp+0x4], 0x8048668 ;  0x08048668 
|   || |   0x08048507    8d45f3       lea eax, [ebp-0xd]
|   || |   0x0804850a    890424       mov [esp], eax
|   || |   0x0804850d    e892feffff   call sym.imp.sscanf
|   || |      sym.imp.sscanf()
|   || |   0x08048512    8b55fc       mov edx, [ebp-0x4]
|   || |   0x08048515    8d45f8       lea eax, [ebp-0x8]
|   || |   0x08048518    0110         add [eax], edx
|   || |   0x0804851a    837df810     cmp dword [ebp-0x8], 0x10
|   ||,==< 0x0804851e    750b         jne loc.0804852b
|   ||||   0x08048520    8b4508       mov eax, [ebp+0x8]
|   ||||   0x08048523    890424       mov [esp], eax
|   ||||   0x08048526    e859ffffff   call sym.parell
|   ||||      sym.parell()
|   |||    ; JMP XREF from 0x0804851e (unk)
|- loc.0804852b 21
|   ||`--> 0x0804852b    8d45f4       lea eax, [ebp-0xc]
|   || |   0x0804852e    ff00         inc dword [eax]
|   |`===< 0x08048530    ebaa         jmp loc.080484dc
|   |  |   ; JMP XREF from 0x080484ea (unk)
|- loc.08048532 14
|   |  `-> 0x08048532    c7042479860. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n
|          0x08048539    e856feffff   call sym.imp.printf
|             sym.imp.printf()
|          0x0804853e    c9           leave
\          0x0804853f    c3           ret
[0x080483d0]> pdf@sym.parell 
|          ; CALL XREF from 0x08048526 (unk)
/ (fcn) sym.parell 68
|          0x08048484    55           push ebp
|          0x08048485    89e5         mov ebp, esp
|          0x08048487    83ec18       sub esp, 0x18
|          0x0804848a    8d45fc       lea eax, [ebp-0x4]
|          0x0804848d    89442408     mov [esp+0x8], eax
|          0x08048491    c7442404688. mov dword [esp+0x4], 0x8048668 ;  0x08048668 
|          0x08048499    8b4508       mov eax, [ebp+0x8]
|          0x0804849c    890424       mov [esp], eax
|          0x0804849f    e800ffffff   call sym.imp.sscanf
|             sym.imp.sscanf(unk)
|          0x080484a4    8b45fc       mov eax, [ebp-0x4]
|          0x080484a7    83e001       and eax, 0x1
|          0x080484aa    85c0         test eax, eax
|      ,=< 0x080484ac    7518         jne 0x80484c6
|      |   0x080484ae    c704246b860. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
|      |   0x080484b5    e8dafeffff   call sym.imp.printf
|      |      sym.imp.printf()
|      |   0x080484ba    c7042400000. mov dword [esp], 0x0
|      |   0x080484c1    e8eefeffff   call sym.imp.exit ; (fcn.080483aa)
|      |      fcn.080483aa() ; sym.imp.exit
|      |   ; JMP XREF from 0x080484ac (unk)
|      `-> 0x080484c6    c9           leave
\          0x080484c7    c3           ret
[0x080483d0]> s 0x080484ea
[0x080484ea]> wx 9090
[0x080484ea]> s 0x0804851e
[0x0804851e]> wx 9090
[0x0804851e]> s 0x080484ac
[0x080484ac]> wx 9090
[0x080484ac]> q

输入任意密码

 ✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x05      
IOLI Crackme Level 0x05
Password: 12345
Password OK!

crackme0x06

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x06
IOLI Crackme Level 0x06
Password: 12345
Password Incorrect!

破解么,又不需要知道程序逻辑,只要让程序运行到想要的代码块就好。于是……把所有跳转灭掉。

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x06
 -- Dissasemble? No dissasemble, no dissassemble!!!!!
[0x08048400]> aa
[0x08048400]> pdf@sym.main
|          ; UNKNOWN XREF from 0x080485aa (unk)
|          ; DATA XREF from 0x08048417 (fcn.080483ee)
/ (fcn) sym.main 99
|          0x08048607    55           push ebp
|          0x08048608    89e5         mov ebp, esp
|          0x0804860a    81ec88000000 sub esp, 0x88
|          0x08048610    83e4f0       and esp, 0xfffffff0
|          0x08048613    b800000000   mov eax, 0x0
|          0x08048618    83c00f       add eax, 0xf
|          0x0804861b    83c00f       add eax, 0xf
|          0x0804861e    c1e804       shr eax, 0x4
|          0x08048621    c1e004       shl eax, 0x4
|          0x08048624    29c4         sub esp, eax
|          0x08048626    c7042463870. mov dword [esp], str.IOLI_Crackme_Level_0x06_n ; str.IOLI_Crackme_Level_0x06_n
|          0x0804862d    e886fdffff   call sym.imp.printf
|             sym.imp.printf(unk)
|          0x08048632    c704247c870. mov dword [esp], str.Password_ ; str.Password_
|          0x08048639    e87afdffff   call sym.imp.printf
|             sym.imp.printf()
|          0x0804863e    8d4588       lea eax, [ebp-0x78]
|          0x08048641    89442404     mov [esp+0x4], eax
|          0x08048645    c7042487870. mov dword [esp], 0x8048787 ;  0x08048787 
|          0x0804864c    e847fdffff   call sym.imp.scanf
|             sym.imp.scanf()
|          0x08048651    8b4510       mov eax, [ebp+0x10]
|          0x08048654    89442404     mov [esp+0x4], eax
|          0x08048658    8d4588       lea eax, [ebp-0x78]
|          0x0804865b    890424       mov [esp], eax
|          0x0804865e    e825ffffff   call sym.check
|             sym.check()
|          0x08048663    b800000000   mov eax, 0x0
|          0x08048668    c9           leave
\          0x08048669    c3           ret
[0x08048400]> pdf@sym.check 
|          ; UNKNOWN XREF from 0x0804854e (unk)
|          ; CALL XREF from 0x0804865e (unk)
/ (fcn) sym.check 127
|          0x08048588    55           push ebp
|          0x08048589    89e5         mov ebp, esp
|          0x0804858b    83ec28       sub esp, 0x28
|          0x0804858e    c745f800000. mov dword [ebp-0x8], 0x0
|          0x08048595    c745f400000. mov dword [ebp-0xc], 0x0
|          ; JMP XREF from 0x080485f7 (unk)
|- loc.0804859c 107
|    .---> 0x0804859c    8b4508       mov eax, [ebp+0x8]
|    |     0x0804859f    890424       mov [esp], eax
|    |     0x080485a2    e801feffff   call sym.imp.strlen
|    |        sym.imp.strlen(unk)
|    |     0x080485a7    3945f4       cmp [ebp-0xc], eax
|    | ,=< 0x080485aa    734d         jae loc.080485f9
|    | |   0x080485ac    8b45f4       mov eax, [ebp-0xc]
|    | |   0x080485af    034508       add eax, [ebp+0x8]
|    | |   0x080485b2    0fb600       movzx eax, byte [eax]
|    | |   0x080485b5    8845f3       mov [ebp-0xd], al
|    | |   0x080485b8    8d45fc       lea eax, [ebp-0x4]
|    | |   0x080485bb    89442408     mov [esp+0x8], eax
|    | |   0x080485bf    c74424043d8. mov dword [esp+0x4], 0x804873d ;  0x0804873d 
|    | |   0x080485c7    8d45f3       lea eax, [ebp-0xd]
|    | |   0x080485ca    890424       mov [esp], eax
|    | |   0x080485cd    e8f6fdffff   call sym.imp.sscanf
|    | |      sym.imp.sscanf()
|    | |   0x080485d2    8b55fc       mov edx, [ebp-0x4]
|    | |   0x080485d5    8d45f8       lea eax, [ebp-0x8]
|    | |   0x080485d8    0110         add [eax], edx
|    | |   0x080485da    837df810     cmp dword [ebp-0x8], 0x10
|    |,==< 0x080485de    7512         jne loc.080485f2
|    |||   0x080485e0    8b450c       mov eax, [ebp+0xc]
|    |||   0x080485e3    89442404     mov [esp+0x4], eax
|    |||   0x080485e7    8b4508       mov eax, [ebp+0x8]
|    |||   0x080485ea    890424       mov [esp], eax
|    |||   0x080485ed    e828ffffff   call sym.parell
|    |||      sym.parell()
|    ||    ; JMP XREF from 0x080485de (unk)
|- loc.080485f2 21
|    |`--> 0x080485f2    8d45f4       lea eax, [ebp-0xc]
|    | |   0x080485f5    ff00         inc dword [eax]
|    `===< 0x080485f7    eba3         jmp loc.0804859c
|      |   ; JMP XREF from 0x080485aa (unk)
|- loc.080485f9 14
|      `-> 0x080485f9    c704244e870. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n
|          0x08048600    e8b3fdffff   call sym.imp.printf
|             sym.imp.printf()
|          0x08048605    c9           leave
\          0x08048606    c3           ret
[0x08048400]> pdf@sym.parell 
|          ; UNKNOWN XREF from 0x0804851a (unk)
|          ; CALL XREF from 0x080485ed (unk)
/ (fcn) sym.parell 110
|          0x0804851a    55           push ebp
|          0x0804851b    89e5         mov ebp, esp
|          0x0804851d    83ec18       sub esp, 0x18
|          0x08048520    8d45fc       lea eax, [ebp-0x4]
|          0x08048523    89442408     mov [esp+0x8], eax
|          0x08048527    c74424043d8. mov dword [esp+0x4], 0x804873d ;  0x0804873d 
|          0x0804852f    8b4508       mov eax, [ebp+0x8]
|          0x08048532    890424       mov [esp], eax
|          0x08048535    e88efeffff   call sym.imp.sscanf
|             sym.imp.sscanf(unk)
|          0x0804853a    8b450c       mov eax, [ebp+0xc]
|          0x0804853d    89442404     mov [esp+0x4], eax
|          0x08048541    8b45fc       mov eax, [ebp-0x4]
|          0x08048544    890424       mov [esp], eax
|          0x08048547    e868ffffff   call sym.dummy
|             sym.dummy()
|          0x0804854c    85c0         test eax, eax
|      ,=< 0x0804854e    7436         je loc.08048586
|      |   0x08048550    c745f800000. mov dword [ebp-0x8], 0x0
|      |   ; JMP XREF from 0x08048584 (unk)
|- loc.08048557 49
|      |   0x08048557    837df809     cmp dword [ebp-0x8], 0x9
|     ,==< 0x0804855b    7f29         jg loc.08048586
|     ||   0x0804855d    8b45fc       mov eax, [ebp-0x4]
|     ||   0x08048560    83e001       and eax, 0x1
|     ||   0x08048563    85c0         test eax, eax
|    ,===< 0x08048565    7518         jne loc.0804857f
|    |||   0x08048567    c7042440870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
|    |||   0x0804856e    e845feffff   call sym.imp.printf
|    |||      sym.imp.printf()
|    |||   0x08048573    c7042400000. mov dword [esp], 0x0
|    |||   0x0804857a    e869feffff   call sym.imp.exit
|    |||      sym.imp.exit()
|    |     ; JMP XREF from 0x08048565 (unk)
|- loc.0804857f 9
|    `---> 0x0804857f    8d45f8       lea eax, [ebp-0x8]
|     ||   0x08048582    ff00         inc dword [eax]
|     ||   0x08048584    ebd1         jmp loc.08048557
|     ||   ; JMP XREF from 0x0804854e (unk)
|     ||   ; JMP XREF from 0x0804855b (unk)
|- loc.08048586 2
|     ``-> 0x08048586    c9           leave
\          0x08048587    c3           ret
[0x08048400]> s 0x080485aa
[0x080485aa]> wx 9090
[0x080485aa]> s 0x080485de
[0x080485de]> wx 9090
[0x080485de]> s 0x0804854e
[0x0804854e]> wx 9090
[0x0804854e]> s 0x0804855b
[0x0804855b]> wx 9090
[0x0804855b]> s 0x08048565
[0x08048565]> wx 9090
[0x08048565]> q

输入任意密码:

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x06
IOLI Crackme Level 0x06
Password: 123456
Password OK!

crackme0x07

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x07
IOLI Crackme Level 0x07
Password: 12345
Password Incorrect!

这次函数名都变了。大致搜索下就找到=Ok=代码段,把所有跳转清除。

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x07
 -- Wow, my cat knows radare2 hotkeys better than me!
[0x08048400]> aa
[0x08048400]> pdf@main
|          ; UNKNOWN XREF from 0x08048643 (fcn.080485b9)
|          ; DATA XREF from 0x08048417 (entry0)
/ (fcn) main 99
|          0x0804867d    55           push ebp
|          0x0804867e    89e5         mov ebp, esp
|          0x08048680    81ec88000000 sub esp, 0x88
|          0x08048686    83e4f0       and esp, 0xfffffff0
|          0x08048689    b800000000   mov eax, 0x0
|          0x0804868e    83c00f       add eax, 0xf
|          0x08048691    83c00f       add eax, 0xf
|          0x08048694    c1e804       shr eax, 0x4
|          0x08048697    c1e004       shl eax, 0x4
|          0x0804869a    29c4         sub esp, eax
|          0x0804869c    c70424d9870. mov dword [esp], str.IOLI_Crackme_Level_0x07_n ; str.IOLI_Crackme_Level_0x07_n
|          0x080486a3    e810fdffff   call sym.imp.printf
|             sym.imp.printf(unk)
|          0x080486a8    c70424f2870. mov dword [esp], str.Password_ ; str.Password_
|          0x080486af    e804fdffff   call sym.imp.printf
|             sym.imp.printf()
|          0x080486b4    8d4588       lea eax, [ebp-0x78]
|          0x080486b7    89442404     mov [esp+0x4], eax
|          0x080486bb    c70424fd870. mov dword [esp], 0x80487fd ;  0x080487fd 
|          0x080486c2    e8d1fcffff   call sym.imp.scanf
|             sym.imp.scanf()
|          0x080486c7    8b4510       mov eax, [ebp+0x10]
|          0x080486ca    89442404     mov [esp+0x4], eax
|          0x080486ce    8d4588       lea eax, [ebp-0x78]
|          0x080486d1    890424       mov [esp], eax
|          0x080486d4    e8e0feffff   call fcn.080485b9
|             fcn.080485b9()
|          0x080486d9    b800000000   mov eax, 0x0
|          0x080486de    c9           leave
\          0x080486df    c3           ret
[0x08048400]> pdf@fcn.080485b9
            ; UNKNOWN XREF from 0x08048576 (fcn.08048524)
            ; CALL XREF from 0x080486d4 (unk)
/ (fcn) fcn.080485b9 196
|           0x080485b9    55           push ebp
|           0x080485ba    89e5         mov ebp, esp
|           0x080485bc    83ec28       sub esp, 0x28
|           0x080485bf    c745f800000. mov dword [ebp-0x8], 0x0
|           0x080485c6    c745f400000. mov dword [ebp-0xc], 0x0
|           ; JMP XREF from 0x08048628 (fcn.080485b9)
|- fcn.080485cd 176
|     .---> 0x080485cd    8b4508       mov eax, [ebp+0x8]
|     |     0x080485d0    890424       mov [esp], eax
|     |     0x080485d3    e8d0fdffff   call sym.imp.strlen
|     |        sym.imp.strlen(unk)
|     |     0x080485d8    3945f4       cmp [ebp-0xc], eax
|     | ,=< 0x080485db    734d         jae loc.0804862a
|     | |   0x080485dd    8b45f4       mov eax, [ebp-0xc]
|     | |   0x080485e0    034508       add eax, [ebp+0x8]
|     | |   0x080485e3    0fb600       movzx eax, byte [eax]
|     | |   0x080485e6    8845f3       mov [ebp-0xd], al
|     | |   0x080485e9    8d45fc       lea eax, [ebp-0x4]
|     | |   0x080485ec    89442408     mov [esp+0x8], eax
|     | |   0x080485f0    c7442404c28. mov dword [esp+0x4], 0x80487c2 ;  0x080487c2 
|     | |   0x080485f8    8d45f3       lea eax, [ebp-0xd]
|     | |   0x080485fb    890424       mov [esp], eax
|     | |   0x080485fe    e8c5fdffff   call sym.imp.sscanf
|     | |      sym.imp.sscanf()
|     | |   0x08048603    8b55fc       mov edx, [ebp-0x4]
|     | |   0x08048606    8d45f8       lea eax, [ebp-0x8]
|     | |   0x08048609    0110         add [eax], edx
|     | |   0x0804860b    837df810     cmp dword [ebp-0x8], 0x10
|     |,==< 0x0804860f    7512         jne loc.08048623
|     |||   0x08048611    8b450c       mov eax, [ebp+0xc]
|     |||   0x08048614    89442404     mov [esp+0x4], eax
|     |||   0x08048618    8b4508       mov eax, [ebp+0x8]
|     |||   0x0804861b    890424       mov [esp], eax
|     |||   0x0804861e    e81fffffff   call fcn.08048542
|     |||      fcn.08048542()
|     ||    ; JMP XREF from 0x0804860f (fcn.080485b9)
|- loc.08048623 90
|     |`--> 0x08048623    8d45f4       lea eax, [ebp-0xc]
|     | |   0x08048626    ff00         inc dword [eax]
|     `===< 0x08048628    eba3         jmp fcn.080485cd
|       |   ; JMP XREF from 0x080485db (fcn.080485b9)
|- loc.0804862a 83
|       `-> 0x0804862a    e8f5feffff   call fcn.08048524
|       | >    fcn.08048524()
|           0x0804862f    8b450c       mov eax, [ebp+0xc]
|           0x08048632    89442404     mov [esp+0x4], eax
|           0x08048636    8b45fc       mov eax, [ebp-0x4]
|           0x08048639    890424       mov [esp], eax
|           0x0804863c    e873feffff   call fcn.080484b4
|              fcn.080484b4() ; entry0+180
|           0x08048641    85c0         test eax, eax
|    ,====< 0x08048643    7436         je loc.0804867b
|    |      0x08048645    c745f400000. mov dword [ebp-0xc], 0x0
|    |      ; JMP XREF from 0x08048679 (fcn.080485b9)
|- loc.0804864c 49
|    |      0x0804864c    837df409     cmp dword [ebp-0xc], 0x9
|   ,=====< 0x08048650    7f29         jg loc.0804867b
|   ||      0x08048652    8b45fc       mov eax, [ebp-0x4]
|   ||      0x08048655    83e001       and eax, 0x1
|   ||      0x08048658    85c0         test eax, eax
|  ,======< 0x0804865a    7518         jne loc.08048674
|  |||      0x0804865c    c70424d3870. mov dword [esp], str.wtf__n ; str.wtf__n
|  |||      0x08048663    e850fdffff   call sym.imp.printf
|  |||         sym.imp.printf()
|  |||      0x08048668    c7042400000. mov dword [esp], 0x0
|  |||      0x0804866f    e874fdffff   call sym.imp.exit
|  |||         sym.imp.exit()
|  |        ; JMP XREF from 0x0804865a (fcn.080485b9)
|- loc.08048674 9
|  `------> 0x08048674    8d45f4       lea eax, [ebp-0xc]
|   ||      0x08048677    ff00         inc dword [eax]
|   ||      0x08048679    ebd1         jmp loc.0804864c
|   ||      ; JMP XREF from 0x08048643 (fcn.080485b9)
|   ||      ; JMP XREF from 0x08048650 (fcn.080485b9)
|- loc.0804867b 2
|   ``----> 0x0804867b    c9           leave
\           0x0804867c    c3           ret
[0x08048400]> pdf@fcn.08048542
           ; CALL XREF from 0x0804861e (fcn.080485b9)
/ (fcn) fcn.08048542 119
|          0x08048542    55           push ebp
|          0x08048543    89e5         mov ebp, esp
|          0x08048545    83ec18       sub esp, 0x18
|          0x08048548    8d45fc       lea eax, [ebp-0x4]
|          0x0804854b    89442408     mov [esp+0x8], eax
|          0x0804854f    c7442404c28. mov dword [esp+0x4], 0x80487c2 ;  0x080487c2 
|          0x08048557    8b4508       mov eax, [ebp+0x8]
|          0x0804855a    890424       mov [esp], eax
|          0x0804855d    e866feffff   call sym.imp.sscanf
|             sym.imp.sscanf(unk)
|          0x08048562    8b450c       mov eax, [ebp+0xc]
|          0x08048565    89442404     mov [esp+0x4], eax
|          0x08048569    8b45fc       mov eax, [ebp-0x4]
|          0x0804856c    890424       mov [esp], eax
|          0x0804856f    e840ffffff   call fcn.080484b4
|             fcn.080484b4() ; entry0+180
|          0x08048574    85c0         test eax, eax
|      ,=< 0x08048576    743f         je loc.080485b7
|      |   0x08048578    c745f800000. mov dword [ebp-0x8], 0x0
|      |   ; JMP XREF from 0x080485b5 (fcn.08048524)
|- loc.0804857f 58
|      |   0x0804857f    837df809     cmp dword [ebp-0x8], 0x9
|     ,==< 0x08048583    7f32         jg loc.080485b7
|     ||   0x08048585    8b45fc       mov eax, [ebp-0x4]
|     ||   0x08048588    83e001       and eax, 0x1
|     ||   0x0804858b    85c0         test eax, eax
|    ,===< 0x0804858d    7521         jne loc.080485b0
|    |||   0x0804858f    833d2ca0040. cmp dword [0x804a02c], 0x1
|   ,====< 0x08048596    750c         jne loc.080485a4
|   ||||   0x08048598    c70424c5870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
|   ||||   0x0804859f    e814feffff   call sym.imp.printf
|   ||||      sym.imp.printf()
|   |      ; JMP XREF from 0x08048596 (fcn.08048524)
|- loc.080485a4 21
|   `----> 0x080485a4    c7042400000. mov dword [esp], 0x0
|    |||   0x080485ab    e838feffff   call sym.imp.exit
|    |||      sym.imp.exit()
|    |     ; JMP XREF from 0x0804858d (fcn.08048524)
|- loc.080485b0 9
|    `---> 0x080485b0    8d45f8       lea eax, [ebp-0x8]
|     ||   0x080485b3    ff00         inc dword [eax]
|     ||   0x080485b5    ebc8         jmp loc.0804857f
|     ||   ; JMP XREF from 0x08048576 (fcn.08048524)
|     ||   ; JMP XREF from 0x08048583 (fcn.08048524)
|- loc.080485b7 2
|     ``-> 0x080485b7    c9           leave
\          0x080485b8    c3           ret
[0x08048400]> s 0x080485db
[0x080485db]> wx 9090
[0x080485db]> s 0x0804860f
[0x0804860f]> wx 9090
[0x0804860f]> s 0x08048576
[0x08048576]> wx 9090
[0x08048576]> s 0x08048583
[0x08048583]> wx 9090
[0x08048583]> s 0x0804858d
[0x0804858d]> wx 9090
[0x0804858d]> s 0x08048596
[0x08048596]> wx 9090
[0x08048596]> q

输入任意密码

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x07
IOLI Crackme Level 0x07
Password: 12345
Password OK!

crackme0x08

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x08
IOLI Crackme Level 0x08
Password: 12345
Password Incorrect!

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x08
 -- THE ONLY WINNING MOVE IS NOT TO PLAY.
[0x08048400]> aa
[0x08048400]> pdf@main 
|          ; UNKNOWN XREF from 0x08048643 (unk)
|          ; DATA XREF from 0x08048417 (fcn.080483ee)
/ (fcn) sym.main 99
|          0x0804867d    55           push ebp
|          0x0804867e    89e5         mov ebp, esp
|          0x08048680    81ec88000000 sub esp, 0x88
|          0x08048686    83e4f0       and esp, 0xfffffff0
|          0x08048689    b800000000   mov eax, 0x0
|          0x0804868e    83c00f       add eax, 0xf
|          0x08048691    83c00f       add eax, 0xf
|          0x08048694    c1e804       shr eax, 0x4
|          0x08048697    c1e004       shl eax, 0x4
|          0x0804869a    29c4         sub esp, eax
|          0x0804869c    c70424d9870. mov dword [esp], str.IOLI_Crackme_Level_0x08_n ; str.IOLI_Crackme_Level_0x08_n
|          0x080486a3    e810fdffff   call sym.imp.printf
|             sym.imp.printf(unk)
|          0x080486a8    c70424f2870. mov dword [esp], str.Password_ ; str.Password_
|          0x080486af    e804fdffff   call sym.imp.printf
|             sym.imp.printf()
|          0x080486b4    8d4588       lea eax, [ebp-0x78]
|          0x080486b7    89442404     mov [esp+0x4], eax
|          0x080486bb    c70424fd870. mov dword [esp], 0x80487fd ;  0x080487fd 
|          0x080486c2    e8d1fcffff   call sym.imp.scanf
|             sym.imp.scanf()
|          0x080486c7    8b4510       mov eax, [ebp+0x10]
|          0x080486ca    89442404     mov [esp+0x4], eax
|          0x080486ce    8d4588       lea eax, [ebp-0x78]
|          0x080486d1    890424       mov [esp], eax
|          0x080486d4    e8e0feffff   call sym.check
|             sym.check()
|          0x080486d9    b800000000   mov eax, 0x0
|          0x080486de    c9           leave
\          0x080486df    c3           ret
[0x08048400]> pdf@sym.check
|           ; UNKNOWN XREF from 0x08048576 (unk)
|           ; CALL XREF from 0x080486d4 (unk)
/ (fcn) sym.check 196
|           0x080485b9    55           push ebp
|           0x080485ba    89e5         mov ebp, esp
|           0x080485bc    83ec28       sub esp, 0x28
|           0x080485bf    c745f800000. mov dword [ebp-0x8], 0x0
|           0x080485c6    c745f400000. mov dword [ebp-0xc], 0x0
|           ; JMP XREF from 0x08048628 (unk)
|- fcn.080485cd 176
|     .---> 0x080485cd    8b4508       mov eax, [ebp+0x8]
|     |     0x080485d0    890424       mov [esp], eax
|     |     0x080485d3    e8d0fdffff   call sym.imp.strlen
|     |        sym.imp.strlen(unk)
|     |     0x080485d8    3945f4       cmp [ebp-0xc], eax
|     | ,=< 0x080485db    734d         jae loc.0804862a
|     | |   0x080485dd    8b45f4       mov eax, [ebp-0xc]
|     | |   0x080485e0    034508       add eax, [ebp+0x8]
|     | |   0x080485e3    0fb600       movzx eax, byte [eax]
|     | |   0x080485e6    8845f3       mov [ebp-0xd], al
|     | |   0x080485e9    8d45fc       lea eax, [ebp-0x4]
|     | |   0x080485ec    89442408     mov [esp+0x8], eax
|     | |   0x080485f0    c7442404c28. mov dword [esp+0x4], 0x80487c2 ;  0x080487c2 
|     | |   0x080485f8    8d45f3       lea eax, [ebp-0xd]
|     | |   0x080485fb    890424       mov [esp], eax
|     | |   0x080485fe    e8c5fdffff   call sym.imp.sscanf
|     | |      sym.imp.sscanf()
|     | |   0x08048603    8b55fc       mov edx, [ebp-0x4]
|     | |   0x08048606    8d45f8       lea eax, [ebp-0x8]
|     | |   0x08048609    0110         add [eax], edx
|     | |   0x0804860b    837df810     cmp dword [ebp-0x8], 0x10
|     |,==< 0x0804860f    7512         jne loc.08048623
|     |||   0x08048611    8b450c       mov eax, [ebp+0xc]
|     |||   0x08048614    89442404     mov [esp+0x4], eax
|     |||   0x08048618    8b4508       mov eax, [ebp+0x8]
|     |||   0x0804861b    890424       mov [esp], eax
|     |||   0x0804861e    e81fffffff   call sym.parell
|     |||      sym.parell()
|     ||    ; JMP XREF from 0x0804860f (unk)
|- loc.08048623 90
|     |`--> 0x08048623    8d45f4       lea eax, [ebp-0xc]
|     | |   0x08048626    ff00         inc dword [eax]
|     `===< 0x08048628    eba3         jmp fcn.080485cd
|       |   ; JMP XREF from 0x080485db (unk)
|- loc.0804862a 83
|       `-> 0x0804862a    e8f5feffff   call sym.che
|       | >    sym.che()
|           0x0804862f    8b450c       mov eax, [ebp+0xc]
|           0x08048632    89442404     mov [esp+0x4], eax
|           0x08048636    8b45fc       mov eax, [ebp-0x4]
|           0x08048639    890424       mov [esp], eax
|           0x0804863c    e873feffff   call sym.dummy
|              sym.dummy()
|           0x08048641    85c0         test eax, eax
|    ,====< 0x08048643    7436         je loc.0804867b
|    |      0x08048645    c745f400000. mov dword [ebp-0xc], 0x0
|    |      ; JMP XREF from 0x08048679 (unk)
|- loc.0804864c 49
|    |      0x0804864c    837df409     cmp dword [ebp-0xc], 0x9
|   ,=====< 0x08048650    7f29         jg loc.0804867b
|   ||      0x08048652    8b45fc       mov eax, [ebp-0x4]
|   ||      0x08048655    83e001       and eax, 0x1
|   ||      0x08048658    85c0         test eax, eax
|  ,======< 0x0804865a    7518         jne loc.08048674
|  |||      0x0804865c    c70424d3870. mov dword [esp], str.wtf__n ; str.wtf__n
|  |||      0x08048663    e850fdffff   call sym.imp.printf
|  |||         sym.imp.printf()
|  |||      0x08048668    c7042400000. mov dword [esp], 0x0
|  |||      0x0804866f    e874fdffff   call sym.imp.exit
|  |||         sym.imp.exit()
|  |        ; JMP XREF from 0x0804865a (unk)
|- loc.08048674 9
|  `------> 0x08048674    8d45f4       lea eax, [ebp-0xc]
|   ||      0x08048677    ff00         inc dword [eax]
|   ||      0x08048679    ebd1         jmp loc.0804864c
|   ||      ; JMP XREF from 0x08048643 (unk)
|   ||      ; JMP XREF from 0x08048650 (unk)
|- loc.0804867b 2
|   ``----> 0x0804867b    c9           leave
\           0x0804867c    c3           ret
[0x08048400]> pdf@sym.che
|          ; UNKNOWN XREF from 0x08048524 (unk)
|          ; CALL XREF from 0x0804862a (unk)
/ (fcn) sym.che 149
|          0x08048524    55           push ebp
|          0x08048525    89e5         mov ebp, esp
|          0x08048527    83ec08       sub esp, 0x8
|          0x0804852a    c70424ad870. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n
|          0x08048531    e882feffff   call sym.imp.printf
|             sym.imp.printf(unk)
|          0x08048536    c7042400000. mov dword [esp], 0x0
|          0x0804853d    e8a6feffff   call sym.imp.exit
|             sym.imp.exit()
|          ; CALL XREF from 0x0804861e (unk)
/ (fcn) sym.parell 119
|          0x08048542    55           push ebp
|          0x08048543    89e5         mov ebp, esp
|          0x08048545    83ec18       sub esp, 0x18
|          0x08048548    8d45fc       lea eax, [ebp-0x4]
|          0x0804854b    89442408     mov [esp+0x8], eax
|          0x0804854f    c7442404c28. mov dword [esp+0x4], 0x80487c2 ;  0x080487c2 
|          0x08048557    8b4508       mov eax, [ebp+0x8]
|          0x0804855a    890424       mov [esp], eax
|          0x0804855d    e866feffff   call sym.imp.sscanf
|             sym.imp.sscanf(unk)
|          0x08048562    8b450c       mov eax, [ebp+0xc]
|          0x08048565    89442404     mov [esp+0x4], eax
|          0x08048569    8b45fc       mov eax, [ebp-0x4]
|          0x0804856c    890424       mov [esp], eax
|          0x0804856f    e840ffffff   call sym.dummy
|             sym.dummy()
|          0x08048574    85c0         test eax, eax
|      ,=< 0x08048576    743f         je loc.080485b7
|      |   0x08048578    c745f800000. mov dword [ebp-0x8], 0x0
|      |   ; JMP XREF from 0x080485b5 (unk)
|- loc.0804857f 58
|      |   0x0804857f    837df809     cmp dword [ebp-0x8], 0x9
|     ,==< 0x08048583    7f32         jg loc.080485b7
|     ||   0x08048585    8b45fc       mov eax, [ebp-0x4]
|     ||   0x08048588    83e001       and eax, 0x1
|     ||   0x0804858b    85c0         test eax, eax
|    ,===< 0x0804858d    7521         jne loc.080485b0
|    |||   0x0804858f    833d2ca0040. cmp dword [sym.LOL], 0x1
|   ,====< 0x08048596    750c         jne loc.080485a4
|   ||||   0x08048598    c70424c5870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
|   ||||   0x0804859f    e814feffff   call sym.imp.printf
|   ||||      sym.imp.printf()
|   |      ; JMP XREF from 0x08048596 (unk)
|- loc.080485a4 21
|   `----> 0x080485a4    c7042400000. mov dword [esp], 0x0
|    |||   0x080485ab    e838feffff   call sym.imp.exit
|    |||      sym.imp.exit()
|    |     ; JMP XREF from 0x0804858d (unk)
|- loc.080485b0 9
|    `---> 0x080485b0    8d45f8       lea eax, [ebp-0x8]
|     ||   0x080485b3    ff00         inc dword [eax]
|     ||   0x080485b5    ebc8         jmp loc.0804857f
|     ||   ; JMP XREF from 0x08048576 (unk)
|     ||   ; JMP XREF from 0x08048583 (unk)
|- loc.080485b7 2
|     ``-> 0x080485b7    c9           leave
\          0x080485b8    c3           ret
[0x08048400]> s 0x080485db
[0x080485db]> wx 9090
[0x080485db]> s 0x0804860f
[0x0804860f]> wx 9090
[0x0804860f]> s 0x08048576
[0x08048576]> wx 9090
[0x08048576]> s 0x08048583
[0x08048583]> wx 9090
[0x08048583]> s 0x0804858d
[0x0804858d]> wx 9090
[0x0804858d]> s 0x08048596
[0x08048596]> wx 9090
[0x08048596]> q

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x08
IOLI Crackme Level 0x08
Password: 12345
Password OK!

crackme0x09

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x09
IOLI Crackme Level 0x09
Password: 12345
Password Incorrect!

稍微计算下。看出来=ebp=作为某个时刻的栈顶指针用来索引字符串。一番搜索在某个=printf=中发现了=OK=

✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x09
 -- Use scr.accel to browse the file faster!
[0x08048420]> aa
[0x08048420]> pdf@main
|          ; UNKNOWN XREF from 0x080486ae (fcn.08048616)
|          ; DATA XREF from 0x08048437 (entry0)
/ (fcn) main 120
|          0x080486ee    55           push ebp
|          0x080486ef    89e5         mov ebp, esp
|          0x080486f1    53           push ebx
|          0x080486f2    81ec84000000 sub esp, 0x84
|          0x080486f8    e869000000   call fcn.08048766
|             fcn.08048766(unk, unk)
|          0x080486fd    81c3f7180000 add ebx, 0x18f7
|          0x08048703    83e4f0       and esp, 0xfffffff0
|          0x08048706    b800000000   mov eax, 0x0
|          0x0804870b    83c00f       add eax, 0xf
|          0x0804870e    83c00f       add eax, 0xf
|          0x08048711    c1e804       shr eax, 0x4
|          0x08048714    c1e004       shl eax, 0x4
|          0x08048717    29c4         sub esp, eax
|          0x08048719    8d8375e8ffff lea eax, [ebx-0x178b]
|          0x0804871f    890424       mov [esp], eax
|          0x08048722    e8b9fcffff   call sym.imp.printf
|             sym.imp.printf()
|          0x08048727    8d838ee8ffff lea eax, [ebx-0x1772]
|          0x0804872d    890424       mov [esp], eax
|          0x08048730    e8abfcffff   call sym.imp.printf
|             sym.imp.printf()
|          0x08048735    8d4588       lea eax, [ebp-0x78]
|          0x08048738    89442404     mov [esp+0x4], eax
|          0x0804873c    8d8399e8ffff lea eax, [ebx-0x1767]
|          0x08048742    890424       mov [esp], eax
|          0x08048745    e876fcffff   call sym.imp.scanf
|             sym.imp.scanf()
|          0x0804874a    8b4510       mov eax, [ebp+0x10]
|          0x0804874d    89442404     mov [esp+0x4], eax
|          0x08048751    8d4588       lea eax, [ebp-0x78]
|          0x08048754    890424       mov [esp], eax
|          0x08048757    e8bafeffff   call fcn.08048616
|             fcn.08048616()
|          0x0804875c    b800000000   mov eax, 0x0
|          0x08048761    8b5dfc       mov ebx, [ebp-0x4]
|          0x08048764    c9           leave
\          0x08048765    c3           ret
[0x08048420]> pdf@fcn.08048616
            ; UNKNOWN XREF from 0x080485cb (fcn.0804855d)
            ; CALL XREF from 0x08048757 (unk)
/ (fcn) fcn.08048616 216
|           0x08048616    55           push ebp
|           0x08048617    89e5         mov ebp, esp
|           0x08048619    53           push ebx
|           0x0804861a    83ec24       sub esp, 0x24
|           0x0804861d    e844010000   call fcn.08048766
|              fcn.08048766(unk, unk)
|           0x08048622    81c3d2190000 add ebx, 0x19d2
|           0x08048628    c745f400000. mov dword [ebp-0xc], 0x0
|           0x0804862f    c745f000000. mov dword [ebp-0x10], 0x0
|           ; JMP XREF from 0x08048693 (fcn.08048616)
|- fcn.08048636 184
|     .---> 0x08048636    8b4508       mov eax, [ebp+0x8]
|     |     0x08048639    890424       mov [esp], eax
|     |     0x0804863c    e88ffdffff   call sym.imp.strlen
|     |        sym.imp.strlen()
|     |     0x08048641    3945f0       cmp [ebp-0x10], eax
|     | ,=< 0x08048644    734f         jae loc.08048695
|     | |   0x08048646    8b45f0       mov eax, [ebp-0x10]
|     | |   0x08048649    034508       add eax, [ebp+0x8]
|     | |   0x0804864c    0fb600       movzx eax, byte [eax]
|     | |   0x0804864f    8845ef       mov [ebp-0x11], al
|     | |   0x08048652    8d45f8       lea eax, [ebp-0x8]
|     | |   0x08048655    89442408     mov [esp+0x8], eax
|     | |   0x08048659    8d835ee8ffff lea eax, [ebx-0x17a2]
|     | |   0x0804865f    89442404     mov [esp+0x4], eax
|     | |   0x08048663    8d45ef       lea eax, [ebp-0x11]
|     | |   0x08048666    890424       mov [esp], eax
|     | |   0x08048669    e882fdffff   call sym.imp.sscanf
|     | |      sym.imp.sscanf()
|     | |   0x0804866e    8b55f8       mov edx, [ebp-0x8]
|     | |   0x08048671    8d45f4       lea eax, [ebp-0xc]
|     | |   0x08048674    0110         add [eax], edx
|     | |   0x08048676    837df410     cmp dword [ebp-0xc], 0x10
|     |,==< 0x0804867a    7512         jne loc.0804868e
|     |||   0x0804867c    8b450c       mov eax, [ebp+0xc]
|     |||   0x0804867f    89442404     mov [esp+0x4], eax
|     |||   0x08048683    8b4508       mov eax, [ebp+0x8]
|     |||   0x08048686    890424       mov [esp], eax
|     |||   0x08048689    e8fbfeffff   call fcn.08048589
|     |||      fcn.08048589()
|     ||    ; JMP XREF from 0x0804867a (fcn.08048616)
|- loc.0804868e 96
|     |`--> 0x0804868e    8d45f0       lea eax, [ebp-0x10]
|     | |   0x08048691    ff00         inc dword [eax]
|     `===< 0x08048693    eba1         jmp fcn.08048636
|       |   ; JMP XREF from 0x08048644 (fcn.08048616)
|- loc.08048695 89
|       `-> 0x08048695    e8c3feffff   call fcn.0804855d
|       | >    fcn.0804855d()
|           0x0804869a    8b450c       mov eax, [ebp+0xc]
|           0x0804869d    89442404     mov [esp+0x4], eax
|           0x080486a1    8b45f8       mov eax, [ebp-0x8]
|           0x080486a4    890424       mov [esp], eax
|           0x080486a7    e828feffff   call fcn.080484d4
|              fcn.080484d4() ; entry0+180
|           0x080486ac    85c0         test eax, eax
|    ,====< 0x080486ae    7438         je loc.080486e8
|    |      0x080486b0    c745f000000. mov dword [ebp-0x10], 0x0
|    |      ; JMP XREF from 0x080486e6 (fcn.08048616)
|- loc.080486b7 55
|    |      0x080486b7    837df009     cmp dword [ebp-0x10], 0x9
|   ,=====< 0x080486bb    7f2b         jg loc.080486e8
|   ||      0x080486bd    8b45f8       mov eax, [ebp-0x8]
|   ||      0x080486c0    83e001       and eax, 0x1
|   ||      0x080486c3    85c0         test eax, eax
|  ,======< 0x080486c5    751a         jne loc.080486e1
|  |||      0x080486c7    8d836fe8ffff lea eax, [ebx-0x1791]
|  |||      0x080486cd    890424       mov [esp], eax
|  |||      0x080486d0    e80bfdffff   call sym.imp.printf
|  |||         sym.imp.printf()
|  |||      0x080486d5    c7042400000. mov dword [esp], 0x0
|  |||      0x080486dc    e82ffdffff   call sym.imp.exit
|  |||         sym.imp.exit()
|  |        ; JMP XREF from 0x080486c5 (fcn.08048616)
|- loc.080486e1 13
|  `------> 0x080486e1    8d45f0       lea eax, [ebp-0x10]
|   ||      0x080486e4    ff00         inc dword [eax]
|   ||      0x080486e6    ebcf         jmp loc.080486b7
|   ||      ; JMP XREF from 0x080486ae (fcn.08048616)
|   ||      ; JMP XREF from 0x080486bb (fcn.08048616)
|- loc.080486e8 6
|   ``----> 0x080486e8    83c424       add esp, 0x24
|           0x080486eb    5b           pop ebx
|           0x080486ec    5d           pop ebp
\           0x080486ed    c3           ret
[0x08048420]> pdf@fcn.08048589
           ; CALL XREF from 0x08048689 (fcn.08048616)
/ (fcn) fcn.08048589 141
|          0x08048589    55           push ebp
|          0x0804858a    89e5         mov ebp, esp
|          0x0804858c    53           push ebx
|          0x0804858d    83ec14       sub esp, 0x14
|          0x08048590    e8d1010000   call fcn.08048766
|             fcn.08048766(unk, unk)
|          0x08048595    81c35f1a0000 add ebx, 0x1a5f
|          0x0804859b    8d45f8       lea eax, [ebp-0x8]
|          0x0804859e    89442408     mov [esp+0x8], eax
|          0x080485a2    8d835ee8ffff lea eax, [ebx-0x17a2]
|          0x080485a8    89442404     mov [esp+0x4], eax
|          0x080485ac    8b4508       mov eax, [ebp+0x8]
|          0x080485af    890424       mov [esp], eax
|          0x080485b2    e839feffff   call sym.imp.sscanf
|             sym.imp.sscanf()
|          0x080485b7    8b450c       mov eax, [ebp+0xc]
|          0x080485ba    89442404     mov [esp+0x4], eax
|          0x080485be    8b45f8       mov eax, [ebp-0x8]
|          0x080485c1    890424       mov [esp], eax
|          0x080485c4    e80bffffff   call fcn.080484d4
|             fcn.080484d4() ; entry0+180
|          0x080485c9    85c0         test eax, eax
|      ,=< 0x080485cb    7443         je loc.08048610
|      |   0x080485cd    c745f400000. mov dword [ebp-0xc], 0x0
|      |   ; JMP XREF from 0x0804860e (fcn.0804855d)
|- loc.080485d4 66
|      |   0x080485d4    837df409     cmp dword [ebp-0xc], 0x9
|     ,==< 0x080485d8    7f36         jg loc.08048610
|     ||   0x080485da    8b45f8       mov eax, [ebp-0x8]
|     ||   0x080485dd    83e001       and eax, 0x1
|     ||   0x080485e0    85c0         test eax, eax
|    ,===< 0x080485e2    7525         jne loc.08048609
|    |||   0x080485e4    8b83fcffffff mov eax, [ebx-0x4]
|    |||   0x080485ea    833801       cmp dword [eax], 0x1
|   ,====< 0x080485ed    750e         jne loc.080485fd
|   ||||   0x080485ef    8d8361e8ffff lea eax, [ebx-0x179f]
|   ||||   0x080485f5    890424       mov [esp], eax
|   ||||   0x080485f8    e8e3fdffff   call sym.imp.printf
|   ||||      sym.imp.printf()
|   |      ; JMP XREF from 0x080485ed (fcn.0804855d)
|- loc.080485fd 25
|   `----> 0x080485fd    c7042400000. mov dword [esp], 0x0
|    |||   0x08048604    e807feffff   call sym.imp.exit
|    |||      sym.imp.exit()
|    |     ; JMP XREF from 0x080485e2 (fcn.0804855d)
|- loc.08048609 13
|    `---> 0x08048609    8d45f4       lea eax, [ebp-0xc]
|     ||   0x0804860c    ff00         inc dword [eax]
|     ||   0x0804860e    ebc4         jmp loc.080485d4
|     ||   ; JMP XREF from 0x080485cb (fcn.0804855d)
|     ||   ; JMP XREF from 0x080485d8 (fcn.0804855d)
|- loc.08048610 6
|     ``-> 0x08048610    83c414       add esp, 0x14
|          0x08048613    5b           pop ebx
|          0x08048614    5d           pop ebp
\          0x08048615    c3           ret
[0x08048420]> s 
0x8048420
[0x08048420]> s 0x08048644
[0x08048644]> wx 9090
[0x08048644]> s 0x0804867a
[0x0804867a]> wx 9090
[0x0804867a]> s 0x080485cb
[0x080485cb]> wx 9090
[0x080485cb]> s 0x080485d8
[0x080485d8]> wx 9090
[0x080485d8]> s 0x080485e2
[0x080485e2]> wx 9090
[0x080485e2]> s 0x080485ed
[0x080485ed]> wx 9090
[0x0804852d]> s 0x080485c4
[0x080485c4]> wx 9090909090
[0x080485c4]> q

 ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x09
IOLI Crackme Level 0x09
Password: 12345
Password OK!

这不叫逆向……这叫把目标代码之外的东西都注释掉……

到此,忽然觉得吧,少了点东西。

  • r2的动态调试功能
  • 说好的reverse-engineer

I find an interesting book: RE-for-beginers