IOLI 0x01

    Let’s check for strings with rabin2.

    2. [Strings]
    3. nth paddr      vaddr      len size section type  string
    4. -------------------------------------------------------
    5. 0   0x00000528 0x08048528 24  25   .rodata ascii IOLI Crackme Level 0x01\n
    7. 3   0x00000562 0x08048562 15  16   .rodata ascii Password OK :)\n

    This isn’t going to be as easy as 0x00. Let’s try disassembly with r2.

    “aa” tells r2 to analyze the whole binary, which gets you symbol names, among things.

    “pdf” stands for

    • Disassemble

    • Function

    This will print the disassembly of the main function, or the main() that everyone knows. You can see several things as well: weird names, arrows, etc.

    If you look carefully, you’ll see a cmp instruction, with a constant, 0x149a. cmp is an x86 compare instruction, and the 0x in front of it specifies it is in base 16, or hex (hexadecimal).

    1. 0x0804842b    817dfc9a140. cmp dword [ebp + 0xfffffffc], 0x149a

    You can use radare2’s command to display 0x149a in another numeric base.

    So now we know that 0x149a is 5274 in decimal. Let’s try this as a password.

    1. $ ./crackme0x01
    2. IOLI Crackme Level 0x01
    3. Password: 5274

    Bingo, the password was 5274. In this case, the password function at 0x0804842b was comparing the input against the value, 0x149a in hex. Since user input is usually decimal, it was a safe bet that the input was intended to be in decimal, or 5274. Now, since we’re hackers, and curiosity drives us, let’s see what happens when we input in hex.

    And this concludes IOLI 0x01.