IOLI 0x03

    It looks straightforward except the function . This is unusual to call a function with same two parameters , so I speculate that the decompiler has gone wrong. we can check it in disassembly.

    1. [0x08048360]> pdf@sym.main
    2. ...
    3.            0x080484fc      8945f4         mov dword [var_ch], eax
    4.            0x080484ff      8b45f4         mov eax, dword [var_ch]
    5.            0x08048502      89442404       mov dword [var_sp_4h], eax   ; uint32_t arg_ch
    6.            0x08048506      8b45fc         mov eax, dword [var_4h]
    7.            0x08048509      890424         mov dword [esp], eax         ; int32_t arg_8h
    8.            0x0804850c      e85dffffff     call sym.test
    9. ...

    Take a look at sym.test. It’s a two path conditional jump which compares two parameters and then do shift. We can guess that shift is most likely the decryption part (shift cipher, e.g. Caesar cipher).

    1. /* r2dec pseudo code output */
    2. /* ./crackme0x03 @ 0x804846e */
    3. #include <stdint.h>
    5. int32_t test (int32_t arg_8h, uint32_t arg_ch) {
    7.     if (eax != arg_ch) {
    8.     } else {
    9.         shift ("Sdvvzrug#RN$$$#=,");
    10.     }
    11.     return eax;
    12. }

    you can read the assembly code and find the decryption is actually a “sub al, 0x3”. we can write a python script for it:

    1. print(''.join([chr(ord(i)-0x3) for i in 'SdvvzrugRN$$$']))
    2. print(''.join([chr(ord(i)-0x3) for i in 'LqydolgSdvvzrug$']))

    By the way, u can also open the file and use write data command to decrypt data.

    1. r2 -w ./crackme0x03
    2. [0x08048360]> aaa
    3. [0x08048360]> fs strings
    4. [0x08048360]> f
    5. 0x080485ec 18 str.Lqydolg_Sdvvzrug
    6. 0x080485fe 18 str.Sdvvzrug_RN
    8. 0x08048629 11 str.Password:
    9. [0x08048360]> s str.Lqydolg_Sdvvzrug
    10. [0x080485ec]> px
    11. - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
    12. 0x080485ec  496e 7661 6c69 6420 5061 7373 776f 7264  Invalid Password
    13. 0x080485fc  2100 5364 7676 7a72 7567 2352 4e24 2424  !.Sdvvzrug#RN$$$
    14. 0x0804860c  233d 2c00 494f 4c49 2043 7261 636b 6d65  #=,.IOLI Crackme
    15. 0x0804861c  204c 6576 656c 2030 7830 330a 0050 6173   Level 0x03..Pas
    16. 0x0804862c  7377 6f72 643a 2000 2564 0000 0000 0000  sword: .%d......
    17. [0x080485ec]> wos 0x03 @ str.Sdvvzrug_RN!17
    18. [0x080485ec]> px
    19. - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
    20. 0x080485ec  496e 7661 6c69 6420 5061 7373 776f 7264  Invalid Password
    21. 0x080485fc  2100 5061 7373 776f 7264 204f 4b21 2121  !.Password OK!!!
    22. 0x0804860c  203a 2900 494f 4c49 2043 7261 636b 6d65   :).IOLI Crackme
    23. 0x0804861c  204c 6576 656c 2030 7830 330a 0050 6173   Level 0x03..Pas
    24. 0x0804862c  7377 6f72 643a 2000 2564 0000 0000 0000  sword: .%d......