Emmm......I’m guessing the same password may still work for this one, cuz it works for 0x07, and I’m right. Still same logic as the previous one, will take a close look later.

$ LOLO= ./crackme0x08 IOLI Crackme Level 0x08 Password: 88 Password OK!

$ LOLO= ./crackme0x07 IOLI Crackme Level 0x07 Password: 88 Password OK!

Logic is the same as level 0x06 though. I’ll have a close look at the difference when I have time.

Main function calls fcn.080485b9

pdf @ fcn.080485b9

Everything’s the same as the last level except the parameters of sym.check

0x08048651    8b4510       mov eax, [ebp+0x10]    ;get the environment value  0x08048654    89442404     mov [esp+0x4], eax     ;pass it to check() 0x08048658    8d4588       lea eax, [ebp-0x78]    ;get password address

0x0804865b    890424       mov [esp], eax         ;pass it to check()

0x0804865e    e825ffffff   call 0x108048588 ; (sym.check)

The main function prints out the title and string password. Then it gets the user input and stores it to the [var_78h]. The [arg_10h] is the variable of environment variable in bash. So the parameter for sym.check() is environment variable and user input. Read about parameter passing in assembly here.

Inside sym.check, it again checks the user input with 0x10 (int 16) at 0x080485da and calls sym.parell, passing the two arguments.

Sym.parell then calls sym.dummy, passing on the arguments (usr input and environment variable).

Note inside sym.dummy:

0x080484ee      c74424043887.  mov dword [var_4h_2], str.LOLO 

0x080484f6      8b0411         mov eax, dword [ecx + edx]

 0x080484f9      890424         mov dword [esp], eax

0x080484fc      e8d7feffff     call sym.imp.strncmp 

The program is looping through the environment variables to see if there is an environment variable string named ‘LOLO’ and returns 1 if LOLO exists. To crack it, supply LOLO to the program.  Read about setting env variables here.

$ LOLO= ./crackme0x06 IOLI Crackme Level 0x06 Password: 88 Password OK!

Alternatively,

$ export LOLO=

Again there is a sym.check function called inside main. pdf @ sym.check:

 0x0804851a      837df810       cmp dword [var_8h], 0x10

Spot the comparison. 0x10 is int 16. Similar to the last crackme (0x04), let’s try 88 as the password (8+8=16):

./crackme0x05 IOLI Crackme Level 0x05 Password: 88 Password OK!

However, trying the other possibilities: 97, 79, 907 does not seem to work, but 970 works:

./crackme0x05 IOLI Crackme Level 0x05 Password: 97 Password Incorrect!

./crackme0x05 IOLI Crackme Level 0x05 Password: 970 Password OK!

I want to continue looking at the function to see why it’s causing this.

At 0x08048526, sym.check calls sym.parell. Inside sym.parell:

and eax, 1 gets the first bit of eax (the least significant bit);

test eax, eax is the same as and eax, eax (bitwise and) except that it doesn't store the result in eax. So eax isn't affected by the test, but the zero-flag is. The jne branch will be taken if not equal (zero-flag=0) --> i.e. when ZF=1 --> and ZF=1 if eax contains 1. Conversely if eax contains zero, ZF=0, the jump via jne will not happen.

Therefore, in the sym.parell function, the program reads the user input as a whole integer. As long as the input number is even number, it will output “correct password”.

0x0804851e      750b           jne 0x804852b (sym.check

0x080484ea      7346           jae 0x8048532  (sym.check

0x080484ac      7518           jne 0x80484c6  (sym.parell

I try to change the instruction at 0x080484ac to a nop so it will not jump and print str.Password_OK, but failed. Turns out we need to edit all of the above three addresses to a nop in order to make the program accept any password: wx 9090 @ address