Defeating ioli with radare2
译者表示:把两篇文章揉合到了一起。
原文来自:Defeating ioli with radare2 和 Crackme solution from pancake。需要:
- radare2
- asm cheat sheet
- IOLI crackme suite(another mirror)
crackme 0x00
第一个 crackme,非常简单。(下面记录里出现的 =[email protected]= 是网页的邮箱转义造成的,原命令是 =pdf@sym.main=;后面各段同理,分别对应 =pdf@sym.test=、=pdf@sym.check=、=pdf@sym.parell= 等,看命令输出里的 =(fcn) …= 就能对上。)
✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x00 IOLI Crackme Level 0x00 Password: 1234 Invalid Password! ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x00 -- I script in C, because fuck you. [0x08048360]> aa [0x08048360]> [email protected] | ; DATA XREF from 0x08048377 (fcn.08048356) / (fcn) sym.main 127 | 0x08048414 55 push ebp | 0x08048415 89e5 mov ebp, esp | 0x08048417 83ec28 sub esp, 0x28 | 0x0804841a 83e4f0 and esp, 0xfffffff0 | 0x0804841d b800000000 mov eax, 0x0 | 0x08048422 83c00f add eax, 0xf | 0x08048425 83c00f add eax, 0xf | 0x08048428 c1e804 shr eax, 0x4 | 0x0804842b c1e004 shl eax, 0x4 | 0x0804842e 29c4 sub esp, eax | 0x08048430 c7042468850. mov dword [esp], str.IOLI_Crackme_Level_0x00_n ; str.IOLI_Crackme_Level_0x00_n | 0x08048437 e804ffffff call sym.imp.printf ; (fcn.08048336) | fcn.08048336(unk) ; sym.imp.printf | 0x0804843c c7042481850. mov dword [esp], str.Password_ ; str.Password_ | 0x08048443 e8f8feffff call sym.imp.printf ; (fcn.08048336) | fcn.08048336() ; sym.imp.printf | 0x08048448 8d45e8 lea eax, [ebp-0x18] | 0x0804844b 89442404 mov [esp+0x4], eax | 0x0804844f c704248c850. mov dword [esp], 0x804858c ; 0x0804858c | 0x08048456 e8d5feffff call sym.imp.scanf ; (fcn.08048326) | fcn.08048326() ; sym.imp.scanf | 0x0804845b 8d45e8 lea eax, [ebp-0x18] | 0x0804845e c74424048f8. mov dword [esp+0x4], str.250382 ; str.250382 | 0x08048466 890424 mov [esp], eax | 0x08048469 e8e2feffff call sym.imp.strcmp ; (fcn.08048346) | fcn.08048346() ; sym.imp.strcmp | 0x0804846e 85c0 test eax, eax | ,=< 0x08048470 740e je 0x8048480 | | 0x08048472 c7042496850. mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n | | 0x08048479 e8c2feffff call sym.imp.printf ; (fcn.08048336) | | fcn.08048336() ; sym.imp.printf | ,==< 0x0804847e eb0c jmp 0x804848c ; (sym.main) | || ; JMP XREF from 0x08048470 (unk) | |`-> 0x08048480 c70424a9850. 
mov dword [esp], str.Password_OK____n ; str.Password_OK____n | | 0x08048487 e8b4feffff call sym.imp.printf ; (fcn.08048336) | | fcn.08048336() ; sym.imp.printf | `--> 0x0804848c b800000000 mov eax, 0x0 | 0x08048491 c9 leave \ 0x08048492 c3 ret [0x08048360]> s 0x0804847e [0x0804847e]> wx eb [0x0804847e]> px 20 - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x0804847e eb0c c704 24a9 8504 08e8 b4fe ffff b800 ....$........... 0x0804848e 0000 00c9 .... [0x0804847e]> pD 20 | ,=< 0x0804847e eb0c jmp 0x804848c ; (sym.main) | | ; JMP XREF from 0x08048470 (unk) | | 0x08048480 c70424a9850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n | | 0x08048487 e8b4feffff call sym.imp.printf ; (fcn.08048336) | | fcn.08048336() ; sym.imp.printf | `-> 0x0804848c b800000000 mov eax, 0x0 | 0x08048491 c9 leave [0x08048470]> q
输入任何密码。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x00 IOLI Crackme Level 0x00 Password: 12345 Password OK :)
crackme0x01
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x01 IOLI Crackme Level 0x01 Password: 12345 Invalid Password!
反汇编后可以看到有个跳到 =OK= 分支的 =je=(0x08048432 处),把它改成 =jmp=(机器码 eb)。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x01 -- Deltify your life with radare2 [0x08048330]> aa [0x08048330]> [email protected] | ; DATA XREF from 0x08048347 (fcn.08048322) / (fcn) sym.main 113 | 0x080483e4 55 push ebp | 0x080483e5 89e5 mov ebp, esp | 0x080483e7 83ec18 sub esp, 0x18 | 0x080483ea 83e4f0 and esp, 0xfffffff0 | 0x080483ed b800000000 mov eax, 0x0 | 0x080483f2 83c00f add eax, 0xf | 0x080483f5 83c00f add eax, 0xf | 0x080483f8 c1e804 shr eax, 0x4 | 0x080483fb c1e004 shl eax, 0x4 | 0x080483fe 29c4 sub esp, eax | 0x08048400 c7042428850. mov dword [esp], str.IOLI_Crackme_Level_0x01_n ; str.IOLI_Crackme_Level_0x01_n | 0x08048407 e810ffffff call sym.imp.printf ; (fcn.08048312) | fcn.08048312(unk) ; sym.imp.printf | 0x0804840c c7042441850. mov dword [esp], str.Password_ ; str.Password_ | 0x08048413 e804ffffff call sym.imp.printf ; (fcn.08048312) | fcn.08048312() ; sym.imp.printf | 0x08048418 8d45fc lea eax, [ebp-0x4] | 0x0804841b 89442404 mov [esp+0x4], eax | 0x0804841f c704244c850. mov dword [esp], 0x804854c ; 0x0804854c | 0x08048426 e8e1feffff call sym.imp.scanf ; (fcn.08048302) | fcn.08048302() ; sym.imp.scanf | 0x0804842b 817dfc9a140. cmp dword [ebp-0x4], 0x149a | ,=< 0x08048432 740e je 0x8048442 | | 0x08048434 c704244f850. mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n | | 0x0804843b e8dcfeffff call sym.imp.printf ; (fcn.08048312) | | fcn.08048312() ; sym.imp.printf | ,==< 0x08048440 eb0c jmp 0x804844e ; (sym.main) | || ; JMP XREF from 0x08048432 (unk) | |`-> 0x08048442 c7042462850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n | | 0x08048449 e8cefeffff call sym.imp.printf ; (fcn.08048312) | | fcn.08048312() ; sym.imp.printf | `--> 0x0804844e b800000000 mov eax, 0x0 | 0x08048453 c9 leave \ 0x08048454 c3 ret [0x08048330]> s 0x08048432 [0x08048432]> wx eb [0x08048432]> q
接着输入任何密码:
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x01 IOLI Crackme Level 0x01 Password: 12345 Password OK :)
crackme0x02
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x02 IOLI Crackme Level 0x02 Password: 12345 Invalid Password!
这回还是个比较,把后面的 =jne=(0x08048451 处)改成 =nop=(两个字节写成 9090)。有兴趣还可以笔算下密码是怎么生成的。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x02 -- Invert the block bytes using the 'I' key in visual mode [0x08048330]> aa [0x08048330]> [email protected] | ; DATA XREF from 0x08048347 (fcn.08048322) / (fcn) sym.main 144 | 0x080483e4 55 push ebp | 0x080483e5 89e5 mov ebp, esp | 0x080483e7 83ec18 sub esp, 0x18 | 0x080483ea 83e4f0 and esp, 0xfffffff0 | 0x080483ed b800000000 mov eax, 0x0 | 0x080483f2 83c00f add eax, 0xf | 0x080483f5 83c00f add eax, 0xf | 0x080483f8 c1e804 shr eax, 0x4 | 0x080483fb c1e004 shl eax, 0x4 | 0x080483fe 29c4 sub esp, eax | 0x08048400 c7042448850. mov dword [esp], str.IOLI_Crackme_Level_0x02_n ; str.IOLI_Crackme_Level_0x02_n | 0x08048407 e810ffffff call sym.imp.printf ; (fcn.08048312) | fcn.08048312(unk) ; sym.imp.printf | 0x0804840c c7042461850. mov dword [esp], str.Password_ ; str.Password_ | 0x08048413 e804ffffff call sym.imp.printf ; (fcn.08048312) | fcn.08048312() ; sym.imp.printf | 0x08048418 8d45fc lea eax, [ebp-0x4] | 0x0804841b 89442404 mov [esp+0x4], eax | 0x0804841f c704246c850. mov dword [esp], 0x804856c ; 0x0804856c | 0x08048426 e8e1feffff call sym.imp.scanf ; (fcn.08048302) | fcn.08048302() ; sym.imp.scanf | 0x0804842b c745f85a000. mov dword [ebp-0x8], 0x5a ; 0x0000005a | 0x08048432 c745f4ec010. mov dword [ebp-0xc], 0x1ec ; 0x000001ec | 0x08048439 8b55f4 mov edx, [ebp-0xc] | 0x0804843c 8d45f8 lea eax, [ebp-0x8] | 0x0804843f 0110 add [eax], edx | 0x08048441 8b45f8 mov eax, [ebp-0x8] | 0x08048444 0faf45f8 imul eax, [ebp-0x8] | 0x08048448 8945f4 mov [ebp-0xc], eax | 0x0804844b 8b45fc mov eax, [ebp-0x4] | 0x0804844e 3b45f4 cmp eax, [ebp-0xc] | ,=< 0x08048451 750e jne 0x8048461 | | 0x08048453 c704246f850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n | | 0x0804845a e8bdfeffff call sym.imp.printf ; (fcn.08048312) | | fcn.08048312() ; sym.imp.printf | ,==< 0x0804845f eb0c jmp 0x804846d ; (sym.main) | || ; JMP XREF from 0x08048451 (unk) | |`-> 0x08048461 c704247f850. 
mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n | | 0x08048468 e8affeffff call sym.imp.printf ; (fcn.08048312) | | fcn.08048312() ; sym.imp.printf | `--> 0x0804846d b800000000 mov eax, 0x0 | 0x08048472 c9 leave \ 0x08048473 c3 ret [0x08048330]> s 0x08048451 [0x08048451]> wx 9090 [0x08048451]> px 10 - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x08048451 9090 c704 246f 8504 08e8 ....$o.... [0x08048451]> q
输入任何密码:
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x02 IOLI Crackme Level 0x02 Password: 12345 Password OK :)
crackme0x03
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x03 IOLI Crackme Level 0x03 Password: 12345 Invalid Password!
这回发现难一些了,没有明文字符串。main函数调用一个=test=,=test=又调用=shift=。虽然不知道这些函数是干嘛的。但发现=sym.test=中有两个似乎加密过的字符串,可能对应=invalid=和=Ok=两个字符串。
猜测 =sym.shift= 是一种移位加密:把 =Lqydolg Sdvvzrug= 的每个字母往前移 3 位正好是 =Invalid Password=,=Sdvvzrug RN= 对应 =Password OK=。
基本上可以猜出来 =0x0804848a= 是 =OK= 的地方,所以把 0x0804847a 处的 =je= 改成 =jmp=(eb)。
✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x03 -- Use zoom.byte=entropy and press 'z' in visual mode to zoom out to see the entropy of the whole file [0x08048360]> aa [0x08048360]> [email protected] | ; UNKNOWN XREF from 0x0804847a (unk) | ; DATA XREF from 0x08048377 (fcn.08048356) / (fcn) sym.main 128 | 0x08048498 55 push ebp | 0x08048499 89e5 mov ebp, esp | 0x0804849b 83ec18 sub esp, 0x18 | 0x0804849e 83e4f0 and esp, 0xfffffff0 | 0x080484a1 b800000000 mov eax, 0x0 | 0x080484a6 83c00f add eax, 0xf | 0x080484a9 83c00f add eax, 0xf | 0x080484ac c1e804 shr eax, 0x4 | 0x080484af c1e004 shl eax, 0x4 | 0x080484b2 29c4 sub esp, eax | 0x080484b4 c7042410860. mov dword [esp], str.IOLI_Crackme_Level_0x03_n ; str.IOLI_Crackme_Level_0x03_n | 0x080484bb e890feffff call sym.imp.printf | sym.imp.printf(unk) | 0x080484c0 c7042429860. mov dword [esp], str.Password_ ; str.Password_ | 0x080484c7 e884feffff call sym.imp.printf | sym.imp.printf() | 0x080484cc 8d45fc lea eax, [ebp-0x4] | 0x080484cf 89442404 mov [esp+0x4], eax | 0x080484d3 c7042434860. mov dword [esp], 0x8048634 ; 0x08048634 | 0x080484da e851feffff call sym.imp.scanf | sym.imp.scanf() | 0x080484df c745f85a000. mov dword [ebp-0x8], 0x5a ; 0x0000005a | 0x080484e6 c745f4ec010. 
mov dword [ebp-0xc], 0x1ec ; 0x000001ec | 0x080484ed 8b55f4 mov edx, [ebp-0xc] | 0x080484f0 8d45f8 lea eax, [ebp-0x8] | 0x080484f3 0110 add [eax], edx | 0x080484f5 8b45f8 mov eax, [ebp-0x8] | 0x080484f8 0faf45f8 imul eax, [ebp-0x8] | 0x080484fc 8945f4 mov [ebp-0xc], eax | 0x080484ff 8b45f4 mov eax, [ebp-0xc] | 0x08048502 89442404 mov [esp+0x4], eax | 0x08048506 8b45fc mov eax, [ebp-0x4] | 0x08048509 890424 mov [esp], eax | 0x0804850c e85dffffff call sym.test | sym.test() | 0x08048511 b800000000 mov eax, 0x0 | 0x08048516 c9 leave \ 0x08048517 c3 ret [0x08048360]> [email protected] | ; UNKNOWN XREF from 0x0804846e (unk) | ; CALL XREF from 0x0804850c (unk) / (fcn) sym.test 42 | 0x0804846e 55 push ebp | 0x0804846f 89e5 mov ebp, esp | 0x08048471 83ec08 sub esp, 0x8 | 0x08048474 8b4508 mov eax, [ebp+0x8] | 0x08048477 3b450c cmp eax, [ebp+0xc] | ,=< 0x0804847a 740e je loc.0804848a | | 0x0804847c c70424ec850. mov dword [esp], str.Lqydolg_Sdvvzrug_ ; str.Lqydolg_Sdvvzrug_ | | 0x08048483 e88cffffff call sym.shift | | sym.shift(unk) | ,==< 0x08048488 eb0c jmp loc.08048496 | || ; JMP XREF from 0x0804847a (unk) |- loc.0804848a 14 | |`-> 0x0804848a c70424fe850. mov dword [esp], str.Sdvvzrug_RN______ ; str.Sdvvzrug_RN______ | | 0x08048491 e87effffff call sym.shift | | sym.shift() | | ; JMP XREF from 0x08048488 (unk) |- loc.08048496 2 | `--> 0x08048496 c9 leave \ 0x08048497 c3 ret [0x08048360]> s 0x0804847a [0x0804847a]> px 20 - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x0804847a 7400 0000 24ec 8504 08e8 8cff ffff eb0c t...$........... 0x0804848a c704 24fe ..$. [0x0804847a]> wx eb [0x0804847a]> px 20 - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x0804847a eb0e c704 24ec 8504 08e8 8cff ffff eb0c ....$........... 0x0804848a c704 24fe ..$. 
[0x0804847a]> [email protected] | ; UNKNOWN XREF from 0x0804846e (unk) | ; CALL XREF from 0x0804850c (unk) / (fcn) sym.test 42 | 0x0804846e 55 push ebp | 0x0804846f 89e5 mov ebp, esp | 0x08048471 83ec08 sub esp, 0x8 | 0x08048474 8b4508 mov eax, [ebp+0x8] | 0x08048477 3b450c cmp eax, [ebp+0xc] | ,=< 0x0804847a eb0e jmp loc.0804848a | | 0x0804847c c70424ec850. mov dword [esp], str.Lqydolg_Sdvvzrug_ ; str.Lqydolg_Sdvvzrug_ | | 0x08048483 e88cffffff call sym.shift | | sym.shift(unk) | ,==< 0x08048488 eb0c jmp loc.08048496 | || ; JMP XREF from 0x0804847a (unk) |- loc.0804848a 14 | |`-> 0x0804848a c70424fe850. mov dword [esp], str.Sdvvzrug_RN______ ; str.Sdvvzrug_RN______ | | 0x08048491 e87effffff call sym.shift | | sym.shift() | | ; JMP XREF from 0x08048488 (unk) |- loc.08048496 2 | `--> 0x08048496 c9 leave \ 0x08048497 c3 ret [0x0804847a]> q
输入任意密码
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x03 IOLI Crackme Level 0x03 Password: 12345 Password OK!!! :)
crackme0x04
尝试 12345 竟然成功了(看下面的 =sym.check= 大概能明白:它似乎是把输入逐个字符用 sscanf 转成数字后累加,和等于 0xf 即 15 就通过,而 1+2+3+4+5 正好是 15)……这不重要,README 中给出了所有 crackme 的密码,方便破解。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x04 IOLI Crackme Level 0x04 Password: aaaaa Password Incorrect!
又一个叫 =sym.check= 的函数,里头赫然写着明文的 =Password Incorrect= 和 =Password OK=。仍然是把判断跳转(0x080484da 处的 =jne=)改成什么都不做的 =nop=。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x04 -- Interpret your own radare2 scripts with '. <path-to-your-script>'. Similar to the bash source alias command. [0x080483d0]> aa [0x080483d0]> [email protected] | ; UNKNOWN XREF from 0x08048509 (unk) | ; DATA XREF from 0x080483e7 (fcn.080483ba) / (fcn) sym.main 92 | 0x08048509 55 push ebp | 0x0804850a 89e5 mov ebp, esp | 0x0804850c 81ec88000000 sub esp, 0x88 | 0x08048512 83e4f0 and esp, 0xfffffff0 | 0x08048515 b800000000 mov eax, 0x0 | 0x0804851a 83c00f add eax, 0xf | 0x0804851d 83c00f add eax, 0xf | 0x08048520 c1e804 shr eax, 0x4 | 0x08048523 c1e004 shl eax, 0x4 | 0x08048526 29c4 sub esp, eax | 0x08048528 c704245e860. mov dword [esp], str.IOLI_Crackme_Level_0x04_n ; str.IOLI_Crackme_Level_0x04_n | 0x0804852f e860feffff call sym.imp.printf | sym.imp.printf(unk) | 0x08048534 c7042477860. mov dword [esp], str.Password_ ; str.Password_ | 0x0804853b e854feffff call sym.imp.printf | sym.imp.printf() | 0x08048540 8d4588 lea eax, [ebp-0x78] | 0x08048543 89442404 mov [esp+0x4], eax | 0x08048547 c7042482860. mov dword [esp], 0x8048682 ; 0x08048682 | 0x0804854e e821feffff call sym.imp.scanf | sym.imp.scanf() | 0x08048553 8d4588 lea eax, [ebp-0x78] | 0x08048556 890424 mov [esp], eax | 0x08048559 e826ffffff call sym.check | sym.check() | 0x0804855e b800000000 mov eax, 0x0 | 0x08048563 c9 leave \ 0x08048564 c3 ret [0x080483d0]> [email protected] | ; CALL XREF from 0x08048559 (unk) / (fcn) sym.check 133 | 0x08048484 55 push ebp | 0x08048485 89e5 mov ebp, esp | 0x08048487 83ec28 sub esp, 0x28 | 0x0804848a c745f800000. mov dword [ebp-0x8], 0x0 | 0x08048491 c745f400000. 
mov dword [ebp-0xc], 0x0 | .---> 0x08048498 8b4508 mov eax, [ebp+0x8] | | 0x0804849b 890424 mov [esp], eax | | 0x0804849e e8e1feffff call sym.imp.strlen ; (fcn.0804837a) | | fcn.0804837a(unk) ; sym.imp.strlen | | 0x080484a3 3945f4 cmp [ebp-0xc], eax | | ,=< 0x080484a6 7353 jae 0x80484fb | | | 0x080484a8 8b45f4 mov eax, [ebp-0xc] | | | 0x080484ab 034508 add eax, [ebp+0x8] | | | 0x080484ae 0fb600 movzx eax, byte [eax] | | | 0x080484b1 8845f3 mov [ebp-0xd], al | | | 0x080484b4 8d45fc lea eax, [ebp-0x4] | | | 0x080484b7 89442408 mov [esp+0x8], eax | | | 0x080484bb c7442404388. mov dword [esp+0x4], 0x8048638 ; 0x08048638 | | | 0x080484c3 8d45f3 lea eax, [ebp-0xd] | | | 0x080484c6 890424 mov [esp], eax | | | 0x080484c9 e8d6feffff call sym.imp.sscanf ; (fcn.0804839a) | | | fcn.0804839a() ; sym.imp.sscanf | | | 0x080484ce 8b55fc mov edx, [ebp-0x4] | | | 0x080484d1 8d45f8 lea eax, [ebp-0x8] | | | 0x080484d4 0110 add [eax], edx | | | 0x080484d6 837df80f cmp dword [ebp-0x8], 0xf | |,==< 0x080484da 7518 jne 0x80484f4 | ||| 0x080484dc c704243b860. mov dword [esp], str.Password_OK__n ; str.Password_OK__n | ||| 0x080484e3 e8acfeffff call sym.imp.printf | ||| sym.imp.printf() | ||| 0x080484e8 c7042400000. mov dword [esp], 0x0 | ||| 0x080484ef e8c0feffff call sym.imp.exit ; (fcn.080483aa) | ||| fcn.080483aa() ; sym.imp.exit | |`--> 0x080484f4 8d45f4 lea eax, [ebp-0xc] | | | 0x080484f7 ff00 inc dword [eax] | `===< 0x080484f9 eb9d jmp 0x8048498 ; (sym.check) | | ; JMP XREF from 0x080484a6 (unk) | `-> 0x080484fb c7042449860. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n | 0x08048502 e88dfeffff call sym.imp.printf | sym.imp.printf() | 0x08048507 c9 leave \ 0x08048508 c3 ret [0x080483d0]> s 0x080484da [0x080484da]> wx 9090 [0x080484da]> q
输入任何密码:
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x04 IOLI Crackme Level 0x04 Password: aaaaa Password OK!
crackme0x05
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x05 IOLI Crackme Level 0x05 Password: 12345 Password Incorrect!
=sym.check= 和 =sym.parell= 里一共有三处判断(0x080484ea 的 =jae=、0x0804851e 的 =jne= 和 0x080484ac 的 =jne=),把它们都改成 =nop=,让程序直接执行到 =OK= 字符串的位置。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x05 -- Use -e bin.strings=false to disable search for strings when loading the binary. [0x080483d0]> aa [0x080483d0]> [email protected] | ; UNKNOWN XREF from 0x080484ea (unk) | ; DATA XREF from 0x080483e7 (fcn.080483ba) / (fcn) sym.main 92 | 0x08048540 55 push ebp | 0x08048541 89e5 mov ebp, esp | 0x08048543 81ec88000000 sub esp, 0x88 | 0x08048549 83e4f0 and esp, 0xfffffff0 | 0x0804854c b800000000 mov eax, 0x0 | 0x08048551 83c00f add eax, 0xf | 0x08048554 83c00f add eax, 0xf | 0x08048557 c1e804 shr eax, 0x4 | 0x0804855a c1e004 shl eax, 0x4 | 0x0804855d 29c4 sub esp, eax | 0x0804855f c704248e860. mov dword [esp], str.IOLI_Crackme_Level_0x05_n ; str.IOLI_Crackme_Level_0x05_n | 0x08048566 e829feffff call sym.imp.printf | sym.imp.printf(unk) | 0x0804856b c70424a7860. mov dword [esp], str.Password_ ; str.Password_ | 0x08048572 e81dfeffff call sym.imp.printf | sym.imp.printf() | 0x08048577 8d4588 lea eax, [ebp-0x78] | 0x0804857a 89442404 mov [esp+0x4], eax | 0x0804857e c70424b2860. mov dword [esp], 0x80486b2 ; 0x080486b2 | 0x08048585 e8eafdffff call sym.imp.scanf | sym.imp.scanf() | 0x0804858a 8d4588 lea eax, [ebp-0x78] | 0x0804858d 890424 mov [esp], eax | 0x08048590 e833ffffff call sym.check | sym.check() | 0x08048595 b800000000 mov eax, 0x0 | 0x0804859a c9 leave \ 0x0804859b c3 ret [0x080483d0]> [email protected] | | ; UNKNOWN XREF from 0x080484c8 (unk) | | ; CALL XREF from 0x08048590 (unk) / (fcn) sym.check 120 | | 0x080484c8 55 push ebp | | 0x080484c9 89e5 mov ebp, esp | | 0x080484cb 83ec28 sub esp, 0x28 | | 0x080484ce c745f800000. mov dword [ebp-0x8], 0x0 | | 0x080484d5 c745f400000. 
mov dword [ebp-0xc], 0x0 | | ; JMP XREF from 0x08048530 (unk) |- loc.080484dc 100 | |.---> 0x080484dc 8b4508 mov eax, [ebp+0x8] | || 0x080484df 890424 mov [esp], eax | || 0x080484e2 e89dfeffff call sym.imp.strlen | || sym.imp.strlen(unk) | || 0x080484e7 3945f4 cmp [ebp-0xc], eax | || ,=< 0x080484ea 7346 jae loc.08048532 | || | 0x080484ec 8b45f4 mov eax, [ebp-0xc] | || | 0x080484ef 034508 add eax, [ebp+0x8] | || | 0x080484f2 0fb600 movzx eax, byte [eax] | || | 0x080484f5 8845f3 mov [ebp-0xd], al | || | 0x080484f8 8d45fc lea eax, [ebp-0x4] | || | 0x080484fb 89442408 mov [esp+0x8], eax | || | 0x080484ff c7442404688. mov dword [esp+0x4], 0x8048668 ; 0x08048668 | || | 0x08048507 8d45f3 lea eax, [ebp-0xd] | || | 0x0804850a 890424 mov [esp], eax | || | 0x0804850d e892feffff call sym.imp.sscanf | || | sym.imp.sscanf() | || | 0x08048512 8b55fc mov edx, [ebp-0x4] | || | 0x08048515 8d45f8 lea eax, [ebp-0x8] | || | 0x08048518 0110 add [eax], edx | || | 0x0804851a 837df810 cmp dword [ebp-0x8], 0x10 | ||,==< 0x0804851e 750b jne loc.0804852b | |||| 0x08048520 8b4508 mov eax, [ebp+0x8] | |||| 0x08048523 890424 mov [esp], eax | |||| 0x08048526 e859ffffff call sym.parell | |||| sym.parell() | ||| ; JMP XREF from 0x0804851e (unk) |- loc.0804852b 21 | ||`--> 0x0804852b 8d45f4 lea eax, [ebp-0xc] | || | 0x0804852e ff00 inc dword [eax] | |`===< 0x08048530 ebaa jmp loc.080484dc | | | ; JMP XREF from 0x080484ea (unk) |- loc.08048532 14 | | `-> 0x08048532 c7042479860. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n | 0x08048539 e856feffff call sym.imp.printf | sym.imp.printf() | 0x0804853e c9 leave \ 0x0804853f c3 ret [0x080483d0]> [email protected] | ; CALL XREF from 0x08048526 (unk) / (fcn) sym.parell 68 | 0x08048484 55 push ebp | 0x08048485 89e5 mov ebp, esp | 0x08048487 83ec18 sub esp, 0x18 | 0x0804848a 8d45fc lea eax, [ebp-0x4] | 0x0804848d 89442408 mov [esp+0x8], eax | 0x08048491 c7442404688. 
mov dword [esp+0x4], 0x8048668 ; 0x08048668 | 0x08048499 8b4508 mov eax, [ebp+0x8] | 0x0804849c 890424 mov [esp], eax | 0x0804849f e800ffffff call sym.imp.sscanf | sym.imp.sscanf(unk) | 0x080484a4 8b45fc mov eax, [ebp-0x4] | 0x080484a7 83e001 and eax, 0x1 | 0x080484aa 85c0 test eax, eax | ,=< 0x080484ac 7518 jne 0x80484c6 | | 0x080484ae c704246b860. mov dword [esp], str.Password_OK__n ; str.Password_OK__n | | 0x080484b5 e8dafeffff call sym.imp.printf | | sym.imp.printf() | | 0x080484ba c7042400000. mov dword [esp], 0x0 | | 0x080484c1 e8eefeffff call sym.imp.exit ; (fcn.080483aa) | | fcn.080483aa() ; sym.imp.exit | | ; JMP XREF from 0x080484ac (unk) | `-> 0x080484c6 c9 leave \ 0x080484c7 c3 ret [0x080483d0]> s 0x080484ea [0x080484ea]> wx 9090 [0x080484ea]> s 0x0804851e [0x0804851e]> wx 9090 [0x0804851e]> s 0x080484ac [0x080484ac]> wx 9090 [0x080484ac]> q
输入任意密码
✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x05 IOLI Crackme Level 0x05 Password: 12345 Password OK!
crackme0x06
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x06 IOLI Crackme Level 0x06 Password: 12345 Password Incorrect!
破解嘛,并不需要弄懂程序逻辑,只要让程序运行到想要的代码块就好。于是……把所有条件跳转都用 =nop= 覆盖掉(=sym.check= 里两处,=sym.parell= 里三处)。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x06 -- Dissasemble? No dissasemble, no dissassemble!!!!! [0x08048400]> aa [0x08048400]> [email protected] | ; UNKNOWN XREF from 0x080485aa (unk) | ; DATA XREF from 0x08048417 (fcn.080483ee) / (fcn) sym.main 99 | 0x08048607 55 push ebp | 0x08048608 89e5 mov ebp, esp | 0x0804860a 81ec88000000 sub esp, 0x88 | 0x08048610 83e4f0 and esp, 0xfffffff0 | 0x08048613 b800000000 mov eax, 0x0 | 0x08048618 83c00f add eax, 0xf | 0x0804861b 83c00f add eax, 0xf | 0x0804861e c1e804 shr eax, 0x4 | 0x08048621 c1e004 shl eax, 0x4 | 0x08048624 29c4 sub esp, eax | 0x08048626 c7042463870. mov dword [esp], str.IOLI_Crackme_Level_0x06_n ; str.IOLI_Crackme_Level_0x06_n | 0x0804862d e886fdffff call sym.imp.printf | sym.imp.printf(unk) | 0x08048632 c704247c870. mov dword [esp], str.Password_ ; str.Password_ | 0x08048639 e87afdffff call sym.imp.printf | sym.imp.printf() | 0x0804863e 8d4588 lea eax, [ebp-0x78] | 0x08048641 89442404 mov [esp+0x4], eax | 0x08048645 c7042487870. mov dword [esp], 0x8048787 ; 0x08048787 | 0x0804864c e847fdffff call sym.imp.scanf | sym.imp.scanf() | 0x08048651 8b4510 mov eax, [ebp+0x10] | 0x08048654 89442404 mov [esp+0x4], eax | 0x08048658 8d4588 lea eax, [ebp-0x78] | 0x0804865b 890424 mov [esp], eax | 0x0804865e e825ffffff call sym.check | sym.check() | 0x08048663 b800000000 mov eax, 0x0 | 0x08048668 c9 leave \ 0x08048669 c3 ret [0x08048400]> [email protected] | ; UNKNOWN XREF from 0x0804854e (unk) | ; CALL XREF from 0x0804865e (unk) / (fcn) sym.check 127 | 0x08048588 55 push ebp | 0x08048589 89e5 mov ebp, esp | 0x0804858b 83ec28 sub esp, 0x28 | 0x0804858e c745f800000. mov dword [ebp-0x8], 0x0 | 0x08048595 c745f400000. 
mov dword [ebp-0xc], 0x0 | ; JMP XREF from 0x080485f7 (unk) |- loc.0804859c 107 | .---> 0x0804859c 8b4508 mov eax, [ebp+0x8] | | 0x0804859f 890424 mov [esp], eax | | 0x080485a2 e801feffff call sym.imp.strlen | | sym.imp.strlen(unk) | | 0x080485a7 3945f4 cmp [ebp-0xc], eax | | ,=< 0x080485aa 734d jae loc.080485f9 | | | 0x080485ac 8b45f4 mov eax, [ebp-0xc] | | | 0x080485af 034508 add eax, [ebp+0x8] | | | 0x080485b2 0fb600 movzx eax, byte [eax] | | | 0x080485b5 8845f3 mov [ebp-0xd], al | | | 0x080485b8 8d45fc lea eax, [ebp-0x4] | | | 0x080485bb 89442408 mov [esp+0x8], eax | | | 0x080485bf c74424043d8. mov dword [esp+0x4], 0x804873d ; 0x0804873d | | | 0x080485c7 8d45f3 lea eax, [ebp-0xd] | | | 0x080485ca 890424 mov [esp], eax | | | 0x080485cd e8f6fdffff call sym.imp.sscanf | | | sym.imp.sscanf() | | | 0x080485d2 8b55fc mov edx, [ebp-0x4] | | | 0x080485d5 8d45f8 lea eax, [ebp-0x8] | | | 0x080485d8 0110 add [eax], edx | | | 0x080485da 837df810 cmp dword [ebp-0x8], 0x10 | |,==< 0x080485de 7512 jne loc.080485f2 | ||| 0x080485e0 8b450c mov eax, [ebp+0xc] | ||| 0x080485e3 89442404 mov [esp+0x4], eax | ||| 0x080485e7 8b4508 mov eax, [ebp+0x8] | ||| 0x080485ea 890424 mov [esp], eax | ||| 0x080485ed e828ffffff call sym.parell | ||| sym.parell() | || ; JMP XREF from 0x080485de (unk) |- loc.080485f2 21 | |`--> 0x080485f2 8d45f4 lea eax, [ebp-0xc] | | | 0x080485f5 ff00 inc dword [eax] | `===< 0x080485f7 eba3 jmp loc.0804859c | | ; JMP XREF from 0x080485aa (unk) |- loc.080485f9 14 | `-> 0x080485f9 c704244e870. 
mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n | 0x08048600 e8b3fdffff call sym.imp.printf | sym.imp.printf() | 0x08048605 c9 leave \ 0x08048606 c3 ret [0x08048400]> [email protected] | ; UNKNOWN XREF from 0x0804851a (unk) | ; CALL XREF from 0x080485ed (unk) / (fcn) sym.parell 110 | 0x0804851a 55 push ebp | 0x0804851b 89e5 mov ebp, esp | 0x0804851d 83ec18 sub esp, 0x18 | 0x08048520 8d45fc lea eax, [ebp-0x4] | 0x08048523 89442408 mov [esp+0x8], eax | 0x08048527 c74424043d8. mov dword [esp+0x4], 0x804873d ; 0x0804873d | 0x0804852f 8b4508 mov eax, [ebp+0x8] | 0x08048532 890424 mov [esp], eax | 0x08048535 e88efeffff call sym.imp.sscanf | sym.imp.sscanf(unk) | 0x0804853a 8b450c mov eax, [ebp+0xc] | 0x0804853d 89442404 mov [esp+0x4], eax | 0x08048541 8b45fc mov eax, [ebp-0x4] | 0x08048544 890424 mov [esp], eax | 0x08048547 e868ffffff call sym.dummy | sym.dummy() | 0x0804854c 85c0 test eax, eax | ,=< 0x0804854e 7436 je loc.08048586 | | 0x08048550 c745f800000. mov dword [ebp-0x8], 0x0 | | ; JMP XREF from 0x08048584 (unk) |- loc.08048557 49 | | 0x08048557 837df809 cmp dword [ebp-0x8], 0x9 | ,==< 0x0804855b 7f29 jg loc.08048586 | || 0x0804855d 8b45fc mov eax, [ebp-0x4] | || 0x08048560 83e001 and eax, 0x1 | || 0x08048563 85c0 test eax, eax | ,===< 0x08048565 7518 jne loc.0804857f | ||| 0x08048567 c7042440870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n | ||| 0x0804856e e845feffff call sym.imp.printf | ||| sym.imp.printf() | ||| 0x08048573 c7042400000. 
mov dword [esp], 0x0 | ||| 0x0804857a e869feffff call sym.imp.exit | ||| sym.imp.exit() | | ; JMP XREF from 0x08048565 (unk) |- loc.0804857f 9 | `---> 0x0804857f 8d45f8 lea eax, [ebp-0x8] | || 0x08048582 ff00 inc dword [eax] | || 0x08048584 ebd1 jmp loc.08048557 | || ; JMP XREF from 0x0804854e (unk) | || ; JMP XREF from 0x0804855b (unk) |- loc.08048586 2 | ``-> 0x08048586 c9 leave \ 0x08048587 c3 ret [0x08048400]> s 0x080485aa [0x080485aa]> wx 9090 [0x080485aa]> s 0x080485de [0x080485de]> wx 9090 [0x080485de]> s 0x0804854e [0x0804854e]> wx 9090 [0x0804854e]> s 0x0804855b [0x0804855b]> wx 9090 [0x0804855b]> s 0x08048565 [0x08048565]> wx 9090 [0x08048565]> q
输入任意密码:
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x06 IOLI Crackme Level 0x06 Password: 123456 Password OK!
crackme0x07
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x07 IOLI Crackme Level 0x07 Password: 12345 Password Incorrect!
这次函数名都变了,看起来符号被去掉了,函数只剩 =fcn.080485b9= 这样的自动命名。大致搜索一下就能找到 =OK= 代码段:注意 =Password OK= 在 =fcn.08048524= 里,而且前面多了一个对全局变量 0x804a02c 的比较(0x08048596 处的 =jne=),=fcn.080485b9= 里的 =wtf!= 是个假出口。把这些跳转全部清除。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x07 -- Wow, my cat knows radare2 hotkeys better than me! [0x08048400]> aa [0x08048400]> pdf@main | ; UNKNOWN XREF from 0x08048643 (fcn.080485b9) | ; DATA XREF from 0x08048417 (entry0) / (fcn) main 99 | 0x0804867d 55 push ebp | 0x0804867e 89e5 mov ebp, esp | 0x08048680 81ec88000000 sub esp, 0x88 | 0x08048686 83e4f0 and esp, 0xfffffff0 | 0x08048689 b800000000 mov eax, 0x0 | 0x0804868e 83c00f add eax, 0xf | 0x08048691 83c00f add eax, 0xf | 0x08048694 c1e804 shr eax, 0x4 | 0x08048697 c1e004 shl eax, 0x4 | 0x0804869a 29c4 sub esp, eax | 0x0804869c c70424d9870. mov dword [esp], str.IOLI_Crackme_Level_0x07_n ; str.IOLI_Crackme_Level_0x07_n | 0x080486a3 e810fdffff call sym.imp.printf | sym.imp.printf(unk) | 0x080486a8 c70424f2870. mov dword [esp], str.Password_ ; str.Password_ | 0x080486af e804fdffff call sym.imp.printf | sym.imp.printf() | 0x080486b4 8d4588 lea eax, [ebp-0x78] | 0x080486b7 89442404 mov [esp+0x4], eax | 0x080486bb c70424fd870. mov dword [esp], 0x80487fd ; 0x080487fd | 0x080486c2 e8d1fcffff call sym.imp.scanf | sym.imp.scanf() | 0x080486c7 8b4510 mov eax, [ebp+0x10] | 0x080486ca 89442404 mov [esp+0x4], eax | 0x080486ce 8d4588 lea eax, [ebp-0x78] | 0x080486d1 890424 mov [esp], eax | 0x080486d4 e8e0feffff call fcn.080485b9 | fcn.080485b9() | 0x080486d9 b800000000 mov eax, 0x0 | 0x080486de c9 leave \ 0x080486df c3 ret [0x08048400]> [email protected] ; UNKNOWN XREF from 0x08048576 (fcn.08048524) ; CALL XREF from 0x080486d4 (unk) / (fcn) fcn.080485b9 196 | 0x080485b9 55 push ebp | 0x080485ba 89e5 mov ebp, esp | 0x080485bc 83ec28 sub esp, 0x28 | 0x080485bf c745f800000. mov dword [ebp-0x8], 0x0 | 0x080485c6 c745f400000. 
mov dword [ebp-0xc], 0x0 | ; JMP XREF from 0x08048628 (fcn.080485b9) |- fcn.080485cd 176 | .---> 0x080485cd 8b4508 mov eax, [ebp+0x8] | | 0x080485d0 890424 mov [esp], eax | | 0x080485d3 e8d0fdffff call sym.imp.strlen | | sym.imp.strlen(unk) | | 0x080485d8 3945f4 cmp [ebp-0xc], eax | | ,=< 0x080485db 734d jae loc.0804862a | | | 0x080485dd 8b45f4 mov eax, [ebp-0xc] | | | 0x080485e0 034508 add eax, [ebp+0x8] | | | 0x080485e3 0fb600 movzx eax, byte [eax] | | | 0x080485e6 8845f3 mov [ebp-0xd], al | | | 0x080485e9 8d45fc lea eax, [ebp-0x4] | | | 0x080485ec 89442408 mov [esp+0x8], eax | | | 0x080485f0 c7442404c28. mov dword [esp+0x4], 0x80487c2 ; 0x080487c2 | | | 0x080485f8 8d45f3 lea eax, [ebp-0xd] | | | 0x080485fb 890424 mov [esp], eax | | | 0x080485fe e8c5fdffff call sym.imp.sscanf | | | sym.imp.sscanf() | | | 0x08048603 8b55fc mov edx, [ebp-0x4] | | | 0x08048606 8d45f8 lea eax, [ebp-0x8] | | | 0x08048609 0110 add [eax], edx | | | 0x0804860b 837df810 cmp dword [ebp-0x8], 0x10 | |,==< 0x0804860f 7512 jne loc.08048623 | ||| 0x08048611 8b450c mov eax, [ebp+0xc] | ||| 0x08048614 89442404 mov [esp+0x4], eax | ||| 0x08048618 8b4508 mov eax, [ebp+0x8] | ||| 0x0804861b 890424 mov [esp], eax | ||| 0x0804861e e81fffffff call fcn.08048542 | ||| fcn.08048542() | || ; JMP XREF from 0x0804860f (fcn.080485b9) |- loc.08048623 90 | |`--> 0x08048623 8d45f4 lea eax, [ebp-0xc] | | | 0x08048626 ff00 inc dword [eax] | `===< 0x08048628 eba3 jmp fcn.080485cd | | ; JMP XREF from 0x080485db (fcn.080485b9) |- loc.0804862a 83 | `-> 0x0804862a e8f5feffff call fcn.08048524 | | > fcn.08048524() | 0x0804862f 8b450c mov eax, [ebp+0xc] | 0x08048632 89442404 mov [esp+0x4], eax | 0x08048636 8b45fc mov eax, [ebp-0x4] | 0x08048639 890424 mov [esp], eax | 0x0804863c e873feffff call fcn.080484b4 | fcn.080484b4() ; entry0+180 | 0x08048641 85c0 test eax, eax | ,====< 0x08048643 7436 je loc.0804867b | | 0x08048645 c745f400000. 
mov dword [ebp-0xc], 0x0 | | ; JMP XREF from 0x08048679 (fcn.080485b9) |- loc.0804864c 49 | | 0x0804864c 837df409 cmp dword [ebp-0xc], 0x9 | ,=====< 0x08048650 7f29 jg loc.0804867b | || 0x08048652 8b45fc mov eax, [ebp-0x4] | || 0x08048655 83e001 and eax, 0x1 | || 0x08048658 85c0 test eax, eax | ,======< 0x0804865a 7518 jne loc.08048674 | ||| 0x0804865c c70424d3870. mov dword [esp], str.wtf__n ; str.wtf__n | ||| 0x08048663 e850fdffff call sym.imp.printf | ||| sym.imp.printf() | ||| 0x08048668 c7042400000. mov dword [esp], 0x0 | ||| 0x0804866f e874fdffff call sym.imp.exit | ||| sym.imp.exit() | | ; JMP XREF from 0x0804865a (fcn.080485b9) |- loc.08048674 9 | `------> 0x08048674 8d45f4 lea eax, [ebp-0xc] | || 0x08048677 ff00 inc dword [eax] | || 0x08048679 ebd1 jmp loc.0804864c | || ; JMP XREF from 0x08048643 (fcn.080485b9) | || ; JMP XREF from 0x08048650 (fcn.080485b9) |- loc.0804867b 2 | ``----> 0x0804867b c9 leave \ 0x0804867c c3 ret [0x08048400]> [email protected] ; CALL XREF from 0x0804861e (fcn.080485b9) / (fcn) fcn.08048542 119 | 0x08048542 55 push ebp | 0x08048543 89e5 mov ebp, esp | 0x08048545 83ec18 sub esp, 0x18 | 0x08048548 8d45fc lea eax, [ebp-0x4] | 0x0804854b 89442408 mov [esp+0x8], eax | 0x0804854f c7442404c28. mov dword [esp+0x4], 0x80487c2 ; 0x080487c2 | 0x08048557 8b4508 mov eax, [ebp+0x8] | 0x0804855a 890424 mov [esp], eax | 0x0804855d e866feffff call sym.imp.sscanf | sym.imp.sscanf(unk) | 0x08048562 8b450c mov eax, [ebp+0xc] | 0x08048565 89442404 mov [esp+0x4], eax | 0x08048569 8b45fc mov eax, [ebp-0x4] | 0x0804856c 890424 mov [esp], eax | 0x0804856f e840ffffff call fcn.080484b4 | fcn.080484b4() ; entry0+180 | 0x08048574 85c0 test eax, eax | ,=< 0x08048576 743f je loc.080485b7 | | 0x08048578 c745f800000. 
mov dword [ebp-0x8], 0x0 | | ; JMP XREF from 0x080485b5 (fcn.08048524) |- loc.0804857f 58 | | 0x0804857f 837df809 cmp dword [ebp-0x8], 0x9 | ,==< 0x08048583 7f32 jg loc.080485b7 | || 0x08048585 8b45fc mov eax, [ebp-0x4] | || 0x08048588 83e001 and eax, 0x1 | || 0x0804858b 85c0 test eax, eax | ,===< 0x0804858d 7521 jne loc.080485b0 | ||| 0x0804858f 833d2ca0040. cmp dword [0x804a02c], 0x1 | ,====< 0x08048596 750c jne loc.080485a4 | |||| 0x08048598 c70424c5870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n | |||| 0x0804859f e814feffff call sym.imp.printf | |||| sym.imp.printf() | | ; JMP XREF from 0x08048596 (fcn.08048524) |- loc.080485a4 21 | `----> 0x080485a4 c7042400000. mov dword [esp], 0x0 | ||| 0x080485ab e838feffff call sym.imp.exit | ||| sym.imp.exit() | | ; JMP XREF from 0x0804858d (fcn.08048524) |- loc.080485b0 9 | `---> 0x080485b0 8d45f8 lea eax, [ebp-0x8] | || 0x080485b3 ff00 inc dword [eax] | || 0x080485b5 ebc8 jmp loc.0804857f | || ; JMP XREF from 0x08048576 (fcn.08048524) | || ; JMP XREF from 0x08048583 (fcn.08048524) |- loc.080485b7 2 | ``-> 0x080485b7 c9 leave \ 0x080485b8 c3 ret [0x08048400]> s 0x080485db [0x080485db]> wx 9090 [0x080485db]> s 0x0804860f [0x0804860f]> wx 9090 [0x0804860f]> s 0x08048576 [0x08048576]> wx 9090 [0x08048576]> s 0x08048583 [0x08048583]> wx 9090 [0x08048583]> s 0x0804858d [0x0804858d]> wx 9090 [0x0804858d]> s 0x08048596 [0x08048596]> wx 9090 [0x08048596]> q
输入任意密码
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x07 IOLI Crackme Level 0x07 Password: 12345 Password OK!
crackme0x08
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x08 IOLI Crackme Level 0x08 Password: 12345 Password Incorrect! ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x08 -- THE ONLY WINNING MOVE IS NOT TO PLAY. [0x08048400]> aa [0x08048400]> pdf@main | ; UNKNOWN XREF from 0x08048643 (unk) | ; DATA XREF from 0x08048417 (fcn.080483ee) / (fcn) sym.main 99 | 0x0804867d 55 push ebp | 0x0804867e 89e5 mov ebp, esp | 0x08048680 81ec88000000 sub esp, 0x88 | 0x08048686 83e4f0 and esp, 0xfffffff0 | 0x08048689 b800000000 mov eax, 0x0 | 0x0804868e 83c00f add eax, 0xf | 0x08048691 83c00f add eax, 0xf | 0x08048694 c1e804 shr eax, 0x4 | 0x08048697 c1e004 shl eax, 0x4 | 0x0804869a 29c4 sub esp, eax | 0x0804869c c70424d9870. mov dword [esp], str.IOLI_Crackme_Level_0x08_n ; str.IOLI_Crackme_Level_0x08_n | 0x080486a3 e810fdffff call sym.imp.printf | sym.imp.printf(unk) | 0x080486a8 c70424f2870. mov dword [esp], str.Password_ ; str.Password_ | 0x080486af e804fdffff call sym.imp.printf | sym.imp.printf() | 0x080486b4 8d4588 lea eax, [ebp-0x78] | 0x080486b7 89442404 mov [esp+0x4], eax | 0x080486bb c70424fd870. mov dword [esp], 0x80487fd ; 0x080487fd | 0x080486c2 e8d1fcffff call sym.imp.scanf | sym.imp.scanf() | 0x080486c7 8b4510 mov eax, [ebp+0x10] | 0x080486ca 89442404 mov [esp+0x4], eax | 0x080486ce 8d4588 lea eax, [ebp-0x78] | 0x080486d1 890424 mov [esp], eax | 0x080486d4 e8e0feffff call sym.check | sym.check() | 0x080486d9 b800000000 mov eax, 0x0 | 0x080486de c9 leave \ 0x080486df c3 ret [0x08048400]> [email protected] | ; UNKNOWN XREF from 0x08048576 (unk) | ; CALL XREF from 0x080486d4 (unk) / (fcn) sym.check 196 | 0x080485b9 55 push ebp | 0x080485ba 89e5 mov ebp, esp | 0x080485bc 83ec28 sub esp, 0x28 | 0x080485bf c745f800000. mov dword [ebp-0x8], 0x0 | 0x080485c6 c745f400000. 
mov dword [ebp-0xc], 0x0 | ; JMP XREF from 0x08048628 (unk) |- fcn.080485cd 176 | .---> 0x080485cd 8b4508 mov eax, [ebp+0x8] | | 0x080485d0 890424 mov [esp], eax | | 0x080485d3 e8d0fdffff call sym.imp.strlen | | sym.imp.strlen(unk) | | 0x080485d8 3945f4 cmp [ebp-0xc], eax | | ,=< 0x080485db 734d jae loc.0804862a | | | 0x080485dd 8b45f4 mov eax, [ebp-0xc] | | | 0x080485e0 034508 add eax, [ebp+0x8] | | | 0x080485e3 0fb600 movzx eax, byte [eax] | | | 0x080485e6 8845f3 mov [ebp-0xd], al | | | 0x080485e9 8d45fc lea eax, [ebp-0x4] | | | 0x080485ec 89442408 mov [esp+0x8], eax | | | 0x080485f0 c7442404c28. mov dword [esp+0x4], 0x80487c2 ; 0x080487c2 | | | 0x080485f8 8d45f3 lea eax, [ebp-0xd] | | | 0x080485fb 890424 mov [esp], eax | | | 0x080485fe e8c5fdffff call sym.imp.sscanf | | | sym.imp.sscanf() | | | 0x08048603 8b55fc mov edx, [ebp-0x4] | | | 0x08048606 8d45f8 lea eax, [ebp-0x8] | | | 0x08048609 0110 add [eax], edx | | | 0x0804860b 837df810 cmp dword [ebp-0x8], 0x10 | |,==< 0x0804860f 7512 jne loc.08048623 | ||| 0x08048611 8b450c mov eax, [ebp+0xc] | ||| 0x08048614 89442404 mov [esp+0x4], eax | ||| 0x08048618 8b4508 mov eax, [ebp+0x8] | ||| 0x0804861b 890424 mov [esp], eax | ||| 0x0804861e e81fffffff call sym.parell | ||| sym.parell() | || ; JMP XREF from 0x0804860f (unk) |- loc.08048623 90 | |`--> 0x08048623 8d45f4 lea eax, [ebp-0xc] | | | 0x08048626 ff00 inc dword [eax] | `===< 0x08048628 eba3 jmp fcn.080485cd | | ; JMP XREF from 0x080485db (unk) |- loc.0804862a 83 | `-> 0x0804862a e8f5feffff call sym.che | | > sym.che() | 0x0804862f 8b450c mov eax, [ebp+0xc] | 0x08048632 89442404 mov [esp+0x4], eax | 0x08048636 8b45fc mov eax, [ebp-0x4] | 0x08048639 890424 mov [esp], eax | 0x0804863c e873feffff call sym.dummy | sym.dummy() | 0x08048641 85c0 test eax, eax | ,====< 0x08048643 7436 je loc.0804867b | | 0x08048645 c745f400000. 
mov dword [ebp-0xc], 0x0 | | ; JMP XREF from 0x08048679 (unk) |- loc.0804864c 49 | | 0x0804864c 837df409 cmp dword [ebp-0xc], 0x9 | ,=====< 0x08048650 7f29 jg loc.0804867b | || 0x08048652 8b45fc mov eax, [ebp-0x4] | || 0x08048655 83e001 and eax, 0x1 | || 0x08048658 85c0 test eax, eax | ,======< 0x0804865a 7518 jne loc.08048674 | ||| 0x0804865c c70424d3870. mov dword [esp], str.wtf__n ; str.wtf__n | ||| 0x08048663 e850fdffff call sym.imp.printf | ||| sym.imp.printf() | ||| 0x08048668 c7042400000. mov dword [esp], 0x0 | ||| 0x0804866f e874fdffff call sym.imp.exit | ||| sym.imp.exit() | | ; JMP XREF from 0x0804865a (unk) |- loc.08048674 9 | `------> 0x08048674 8d45f4 lea eax, [ebp-0xc] | || 0x08048677 ff00 inc dword [eax] | || 0x08048679 ebd1 jmp loc.0804864c | || ; JMP XREF from 0x08048643 (unk) | || ; JMP XREF from 0x08048650 (unk) |- loc.0804867b 2 | ``----> 0x0804867b c9 leave \ 0x0804867c c3 ret [0x08048400]> [email protected] | ; UNKNOWN XREF from 0x08048524 (unk) | ; CALL XREF from 0x0804862a (unk) / (fcn) sym.che 149 | 0x08048524 55 push ebp | 0x08048525 89e5 mov ebp, esp | 0x08048527 83ec08 sub esp, 0x8 | 0x0804852a c70424ad870. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n | 0x08048531 e882feffff call sym.imp.printf | sym.imp.printf(unk) | 0x08048536 c7042400000. mov dword [esp], 0x0 | 0x0804853d e8a6feffff call sym.imp.exit | sym.imp.exit() | ; CALL XREF from 0x0804861e (unk) / (fcn) sym.parell 119 | 0x08048542 55 push ebp | 0x08048543 89e5 mov ebp, esp | 0x08048545 83ec18 sub esp, 0x18 | 0x08048548 8d45fc lea eax, [ebp-0x4] | 0x0804854b 89442408 mov [esp+0x8], eax | 0x0804854f c7442404c28. 
mov dword [esp+0x4], 0x80487c2 ; 0x080487c2 | 0x08048557 8b4508 mov eax, [ebp+0x8] | 0x0804855a 890424 mov [esp], eax | 0x0804855d e866feffff call sym.imp.sscanf | sym.imp.sscanf(unk) | 0x08048562 8b450c mov eax, [ebp+0xc] | 0x08048565 89442404 mov [esp+0x4], eax | 0x08048569 8b45fc mov eax, [ebp-0x4] | 0x0804856c 890424 mov [esp], eax | 0x0804856f e840ffffff call sym.dummy | sym.dummy() | 0x08048574 85c0 test eax, eax | ,=< 0x08048576 743f je loc.080485b7 | | 0x08048578 c745f800000. mov dword [ebp-0x8], 0x0 | | ; JMP XREF from 0x080485b5 (unk) |- loc.0804857f 58 | | 0x0804857f 837df809 cmp dword [ebp-0x8], 0x9 | ,==< 0x08048583 7f32 jg loc.080485b7 | || 0x08048585 8b45fc mov eax, [ebp-0x4] | || 0x08048588 83e001 and eax, 0x1 | || 0x0804858b 85c0 test eax, eax | ,===< 0x0804858d 7521 jne loc.080485b0 | ||| 0x0804858f 833d2ca0040. cmp dword [sym.LOL], 0x1 | ,====< 0x08048596 750c jne loc.080485a4 | |||| 0x08048598 c70424c5870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n | |||| 0x0804859f e814feffff call sym.imp.printf | |||| sym.imp.printf() | | ; JMP XREF from 0x08048596 (unk) |- loc.080485a4 21 | `----> 0x080485a4 c7042400000. mov dword [esp], 0x0 | ||| 0x080485ab e838feffff call sym.imp.exit | ||| sym.imp.exit() | | ; JMP XREF from 0x0804858d (unk) |- loc.080485b0 9 | `---> 0x080485b0 8d45f8 lea eax, [ebp-0x8] | || 0x080485b3 ff00 inc dword [eax] | || 0x080485b5 ebc8 jmp loc.0804857f | || ; JMP XREF from 0x08048576 (unk) | || ; JMP XREF from 0x08048583 (unk) |- loc.080485b7 2 | ``-> 0x080485b7 c9 leave \ 0x080485b8 c3 ret [0x08048400]> s 0x080485db [0x080485db]> wx 9090 [0x080485db]> s 0x0804860f [0x0804860f]> wx 9090 [0x0804860f]> s 0x08048576 [0x08048576]> wx 9090 [0x08048576]> s 0x08048583 [0x08048583]> wx 9090 [0x08048583]> s 0x0804858d [0x0804858d]> wx 9090 [0x0804858d]> s 0x08048596 [0x08048596]> wx 9090 [0x08048596]> q ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x08 IOLI Crackme Level 0x08 Password: 12345 Password OK!
crackme0x09
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x09 IOLI Crackme Level 0x09 Password: 12345 Password Incorrect!
稍微计算下。可以看出 =ebx= 在某个时刻被当作基址指针用来索引字符串（见 =add ebx, 0x18f7= 之后的 =lea eax, [ebx-...]=）。一番搜索后，在某个 =printf= 调用中发现了 =OK= 字符串。
✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x09 -- Use scr.accel to browse the file faster! [0x08048420]> aa [0x08048420]> pdf@main | ; UNKNOWN XREF from 0x080486ae (fcn.08048616) | ; DATA XREF from 0x08048437 (entry0) / (fcn) main 120 | 0x080486ee 55 push ebp | 0x080486ef 89e5 mov ebp, esp | 0x080486f1 53 push ebx | 0x080486f2 81ec84000000 sub esp, 0x84 | 0x080486f8 e869000000 call fcn.08048766 | fcn.08048766(unk, unk) | 0x080486fd 81c3f7180000 add ebx, 0x18f7 | 0x08048703 83e4f0 and esp, 0xfffffff0 | 0x08048706 b800000000 mov eax, 0x0 | 0x0804870b 83c00f add eax, 0xf | 0x0804870e 83c00f add eax, 0xf | 0x08048711 c1e804 shr eax, 0x4 | 0x08048714 c1e004 shl eax, 0x4 | 0x08048717 29c4 sub esp, eax | 0x08048719 8d8375e8ffff lea eax, [ebx-0x178b] | 0x0804871f 890424 mov [esp], eax | 0x08048722 e8b9fcffff call sym.imp.printf | sym.imp.printf() | 0x08048727 8d838ee8ffff lea eax, [ebx-0x1772] | 0x0804872d 890424 mov [esp], eax | 0x08048730 e8abfcffff call sym.imp.printf | sym.imp.printf() | 0x08048735 8d4588 lea eax, [ebp-0x78] | 0x08048738 89442404 mov [esp+0x4], eax | 0x0804873c 8d8399e8ffff lea eax, [ebx-0x1767] | 0x08048742 890424 mov [esp], eax | 0x08048745 e876fcffff call sym.imp.scanf | sym.imp.scanf() | 0x0804874a 8b4510 mov eax, [ebp+0x10] | 0x0804874d 89442404 mov [esp+0x4], eax | 0x08048751 8d4588 lea eax, [ebp-0x78] | 0x08048754 890424 mov [esp], eax | 0x08048757 e8bafeffff call fcn.08048616 | fcn.08048616() | 0x0804875c b800000000 mov eax, 0x0 | 0x08048761 8b5dfc mov ebx, [ebp-0x4] | 0x08048764 c9 leave \ 0x08048765 c3 ret [0x08048420]> [email protected] ; UNKNOWN XREF from 0x080485cb (fcn.0804855d) ; CALL XREF from 0x08048757 (unk) / (fcn) fcn.08048616 216 | 0x08048616 55 push ebp | 0x08048617 89e5 mov ebp, esp | 0x08048619 53 push ebx | 0x0804861a 83ec24 sub esp, 0x24 | 0x0804861d e844010000 call fcn.08048766 | fcn.08048766(unk, unk) | 0x08048622 81c3d2190000 add ebx, 0x19d2 | 0x08048628 c745f400000. 
mov dword [ebp-0xc], 0x0 | 0x0804862f c745f000000. mov dword [ebp-0x10], 0x0 | ; JMP XREF from 0x08048693 (fcn.08048616) |- fcn.08048636 184 | .---> 0x08048636 8b4508 mov eax, [ebp+0x8] | | 0x08048639 890424 mov [esp], eax | | 0x0804863c e88ffdffff call sym.imp.strlen | | sym.imp.strlen() | | 0x08048641 3945f0 cmp [ebp-0x10], eax | | ,=< 0x08048644 734f jae loc.08048695 | | | 0x08048646 8b45f0 mov eax, [ebp-0x10] | | | 0x08048649 034508 add eax, [ebp+0x8] | | | 0x0804864c 0fb600 movzx eax, byte [eax] | | | 0x0804864f 8845ef mov [ebp-0x11], al | | | 0x08048652 8d45f8 lea eax, [ebp-0x8] | | | 0x08048655 89442408 mov [esp+0x8], eax | | | 0x08048659 8d835ee8ffff lea eax, [ebx-0x17a2] | | | 0x0804865f 89442404 mov [esp+0x4], eax | | | 0x08048663 8d45ef lea eax, [ebp-0x11] | | | 0x08048666 890424 mov [esp], eax | | | 0x08048669 e882fdffff call sym.imp.sscanf | | | sym.imp.sscanf() | | | 0x0804866e 8b55f8 mov edx, [ebp-0x8] | | | 0x08048671 8d45f4 lea eax, [ebp-0xc] | | | 0x08048674 0110 add [eax], edx | | | 0x08048676 837df410 cmp dword [ebp-0xc], 0x10 | |,==< 0x0804867a 7512 jne loc.0804868e | ||| 0x0804867c 8b450c mov eax, [ebp+0xc] | ||| 0x0804867f 89442404 mov [esp+0x4], eax | ||| 0x08048683 8b4508 mov eax, [ebp+0x8] | ||| 0x08048686 890424 mov [esp], eax | ||| 0x08048689 e8fbfeffff call fcn.08048589 | ||| fcn.08048589() | || ; JMP XREF from 0x0804867a (fcn.08048616) |- loc.0804868e 96 | |`--> 0x0804868e 8d45f0 lea eax, [ebp-0x10] | | | 0x08048691 ff00 inc dword [eax] | `===< 0x08048693 eba1 jmp fcn.08048636 | | ; JMP XREF from 0x08048644 (fcn.08048616) |- loc.08048695 89 | `-> 0x08048695 e8c3feffff call fcn.0804855d | | > fcn.0804855d() | 0x0804869a 8b450c mov eax, [ebp+0xc] | 0x0804869d 89442404 mov [esp+0x4], eax | 0x080486a1 8b45f8 mov eax, [ebp-0x8] | 0x080486a4 890424 mov [esp], eax | 0x080486a7 e828feffff call fcn.080484d4 | fcn.080484d4() ; entry0+180 | 0x080486ac 85c0 test eax, eax | ,====< 0x080486ae 7438 je loc.080486e8 | | 0x080486b0 c745f000000. 
mov dword [ebp-0x10], 0x0 | | ; JMP XREF from 0x080486e6 (fcn.08048616) |- loc.080486b7 55 | | 0x080486b7 837df009 cmp dword [ebp-0x10], 0x9 | ,=====< 0x080486bb 7f2b jg loc.080486e8 | || 0x080486bd 8b45f8 mov eax, [ebp-0x8] | || 0x080486c0 83e001 and eax, 0x1 | || 0x080486c3 85c0 test eax, eax | ,======< 0x080486c5 751a jne loc.080486e1 | ||| 0x080486c7 8d836fe8ffff lea eax, [ebx-0x1791] | ||| 0x080486cd 890424 mov [esp], eax | ||| 0x080486d0 e80bfdffff call sym.imp.printf | ||| sym.imp.printf() | ||| 0x080486d5 c7042400000. mov dword [esp], 0x0 | ||| 0x080486dc e82ffdffff call sym.imp.exit | ||| sym.imp.exit() | | ; JMP XREF from 0x080486c5 (fcn.08048616) |- loc.080486e1 13 | `------> 0x080486e1 8d45f0 lea eax, [ebp-0x10] | || 0x080486e4 ff00 inc dword [eax] | || 0x080486e6 ebcf jmp loc.080486b7 | || ; JMP XREF from 0x080486ae (fcn.08048616) | || ; JMP XREF from 0x080486bb (fcn.08048616) |- loc.080486e8 6 | ``----> 0x080486e8 83c424 add esp, 0x24 | 0x080486eb 5b pop ebx | 0x080486ec 5d pop ebp \ 0x080486ed c3 ret [0x08048420]> [email protected] ; CALL XREF from 0x08048689 (fcn.08048616) / (fcn) fcn.08048589 141 | 0x08048589 55 push ebp | 0x0804858a 89e5 mov ebp, esp | 0x0804858c 53 push ebx | 0x0804858d 83ec14 sub esp, 0x14 | 0x08048590 e8d1010000 call fcn.08048766 | fcn.08048766(unk, unk) | 0x08048595 81c35f1a0000 add ebx, 0x1a5f | 0x0804859b 8d45f8 lea eax, [ebp-0x8] | 0x0804859e 89442408 mov [esp+0x8], eax | 0x080485a2 8d835ee8ffff lea eax, [ebx-0x17a2] | 0x080485a8 89442404 mov [esp+0x4], eax | 0x080485ac 8b4508 mov eax, [ebp+0x8] | 0x080485af 890424 mov [esp], eax | 0x080485b2 e839feffff call sym.imp.sscanf | sym.imp.sscanf() | 0x080485b7 8b450c mov eax, [ebp+0xc] | 0x080485ba 89442404 mov [esp+0x4], eax | 0x080485be 8b45f8 mov eax, [ebp-0x8] | 0x080485c1 890424 mov [esp], eax | 0x080485c4 e80bffffff call fcn.080484d4 | fcn.080484d4() ; entry0+180 | 0x080485c9 85c0 test eax, eax | ,=< 0x080485cb 7443 je loc.08048610 | | 0x080485cd c745f400000. 
mov dword [ebp-0xc], 0x0 | | ; JMP XREF from 0x0804860e (fcn.0804855d) |- loc.080485d4 66 | | 0x080485d4 837df409 cmp dword [ebp-0xc], 0x9 | ,==< 0x080485d8 7f36 jg loc.08048610 | || 0x080485da 8b45f8 mov eax, [ebp-0x8] | || 0x080485dd 83e001 and eax, 0x1 | || 0x080485e0 85c0 test eax, eax | ,===< 0x080485e2 7525 jne loc.08048609 | ||| 0x080485e4 8b83fcffffff mov eax, [ebx-0x4] | ||| 0x080485ea 833801 cmp dword [eax], 0x1 | ,====< 0x080485ed 750e jne loc.080485fd | |||| 0x080485ef 8d8361e8ffff lea eax, [ebx-0x179f] | |||| 0x080485f5 890424 mov [esp], eax | |||| 0x080485f8 e8e3fdffff call sym.imp.printf | |||| sym.imp.printf() | | ; JMP XREF from 0x080485ed (fcn.0804855d) |- loc.080485fd 25 | `----> 0x080485fd c7042400000. mov dword [esp], 0x0 | ||| 0x08048604 e807feffff call sym.imp.exit | ||| sym.imp.exit() | | ; JMP XREF from 0x080485e2 (fcn.0804855d) |- loc.08048609 13 | `---> 0x08048609 8d45f4 lea eax, [ebp-0xc] | || 0x0804860c ff00 inc dword [eax] | || 0x0804860e ebc4 jmp loc.080485d4 | || ; JMP XREF from 0x080485cb (fcn.0804855d) | || ; JMP XREF from 0x080485d8 (fcn.0804855d) |- loc.08048610 6 | ``-> 0x08048610 83c414 add esp, 0x14 | 0x08048613 5b pop ebx | 0x08048614 5d pop ebp \ 0x08048615 c3 ret [0x08048420]> s 0x8048420 [0x08048420]> s 0x08048644 [0x08048644]> wx 9090 [0x08048644]> s 0x0804867a [0x0804867a]> wx 9090 [0x0804867a]> s 0x080485cb [0x080485cb]> wx 9090 [0x080485cb]> s 0x080485d8 [0x080485d8]> wx 9090 [0x080485d8]> s 0x080485e2 [0x080485e2]> wx 9090 [0x080485e2]> s 0x080485ed [0x080485ed]> wx 9090 [0x0804852d]> s 0x080485c4 [0x080485c4]> wx 9090909090 [0x080485c4]> q ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x09 IOLI Crackme Level 0x09 Password: 12345 Password OK!
这不叫逆向……这叫把通往目标代码之外的条件跳转都用 NOP（=wx 9090=）抹掉……
到此，忽然觉得少了点东西：
- r2的动态调试功能
- 说好的reverse-engineer
I found an interesting book: RE-for-beginners