IOLI 0x05

the check() function:

/* r2dec pseudo code output */
/* ./crackme0x05 @ 0x80484c8 */
#include <stdint.h>
int32_t check (char * s) {
    char * var_dh;
    uint32_t var_ch;
    uint32_t var_8h;
    int32_t var_4h;
    char * format;
    int32_t var_sp_8h;
    var_8h = 0;
    var_ch = 0;
    do {
        eax = s;
        eax = strlen (eax);
        if (var_ch >= eax) {
            goto label_0;
        }
        eax = var_ch;
        eax += s;
        eax = *(eax);
        var_dh = al;
        eax = &var_dh;
        sscanf (eax, eax, 0x8048668);            // 0x8048668 is %d
        edx = var_4h;
        eax = &var_8h;
        *(eax) += edx;
        if (var_8h == 0x10) {
            eax = s;
            parell (eax);
        }
        eax = &var_ch;
        *(eax)++;
    } while (1);
label_0:
    printf ("Password Incorrect!\n");
    return eax;
}

The same, we can write our own C-like pseudo code.

[0x08048484]> s sym.parell
[0x08048484]> pdd@sym.parell
/* r2dec pseudo code output */
/* ./crackme0x05 @ 0x8048484 */
#include <stdint.h>
uint32_t parell (char * s) {
    char * format;
    int32_t var_8h;
    eax = &var_4h;
    eax = s;
    sscanf (eax, eax, 0x8048668);
    eax = var_4h;
    eax &= 1;
    if (eax == 0) {
        printf ("Password OK!\n");
        exit (0);
    }
    return eax;
}

the decompiled code looks well except the sscanf() function. It can be easily corrected by checking the assembly code.

The mov dword [esp], eax is the nearest instruction to sscanf (and it’s equivalent to a push instruction). It stores the string ‘s’ to the stack top (arg1). mov dword [var_sp_4h], 0x8048668 push ‘%d’ as arg2 into stack. var_8h (esp + 0x8) which keeps the address of var_4h is the arg3.

uint32_t parell (char * s) {
    sscanf (s, %d, &var_4h);
    if ((var_4h & 1) == 0) {
        printf ("Password OK!\n");
        exit(0);
    }
}

Now there are 2 constraints:

• Digit Sum is 16 (0x10)
• Must be an odd number (1 & number == 0)

The password is at our fingertips now.