<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=US-ASCII">
<title>Level 0x01 - change a jump</title>
<link rel="previous" href="Section22.2.1.html">
<link rel="ToC" href="contents.html">
<link rel="next" href="Section22.2.3.html">
</head>
<body>
<h1><a name="ioli-01"></a>22.2.2 Level 0x01 - change a jump</h1>
<p>
Let's run the crackme:
</p>
<pre><code> $ ./crackme0x01
IOLI Crackme Level 0x01
Password: foo
Invalid Password!
</code></pre>
<p>
As in the previous level, the goal is to patch the binary so that it accepts any password. We proceed the same way: open the file with radare, seek to sym.main and create a code graph:
</p>
<pre><code> $ radare crackme0x01
open ro crackme0x01
Adding strings & symbol flags for crackme0x01
14 symbols added.
6 strings added.
[0x08048330]> s sym.main
[0x080483E4]> ag
</code></pre>
<p>
TODO: http://radare.nopcode.org/img/wk/crackme0x01-sym.main.png
</p>
<p>
Let's take a closer look into the disassembly:
</p>
<p>
TODO: http://radare.nopcode.org/img/wk/crackme0x01_pD_sym.main.png
</p>
<p>
As you can see, it calls scanf() with "%d", so this time it expects an integer rather than a string. At offset 0x804842b it compares the value read by scanf with 0x149a and branches to the "password ok" or "password invalid" path depending on the result of that comparison.
</p>
<p>
Let's use radare to calculate the decimal value of 0x149a:
</p>
<pre><code> [0x080483E4]> ? 0x149a
0x149A ; 5274d ; 12232o ; 1001 1010
[0x080483E4]>
</code></pre>
<p>
We get 0x149A in hex followed by its decimal and octal values (the binary column shows only the low byte, 0x9A). So the right password for this level is 5274 (decimal).
</p>
<p>
Now let's patch the binary. The conditional jump at offset 0x08048432 has to become unconditional: as in the previous level we turn the "jz" (also written "je") into a "jmp" by changing the opcode byte 0x74 to 0xeb. Both are two-byte short jumps with an 8-bit relative displacement, so the displacement byte that follows the opcode stays untouched and the instruction length does not change.
</p>
<p>
Here we seek to the right offset, switch to write mode, patch the opcode byte, return the seek position to main and graph the patched code to check that execution now follows the path we want:
</p>
<pre><code> [0x080483E4]> s 0x08048432
[0x08048432]> eval cfg.write = true
warning: Opening file in read-write mode
open rw crackme0x01
[0x08048432]> wx eb
[0x08048432]> s sym.main
[0x080483E4]> ag
</code></pre>
<p>
Here's the resulting graph:
</p>
<p>
TODO: http://radare.nopcode.org/img/wk/crackme0x01-sym.main_cracked.png
</p>
<p>
And finally try it. Note that "foo" is not even a valid integer for "%d"; since the jump is now unconditional, whatever scanf reads (or fails to read) no longer matters:
</p>
<pre><code> $ ./crackme0x01
IOLI Crackme Level 0x01
Password: foo
Password OK :)
</code></pre>
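<p>
The same patch performed outside radare, as an added example that is not part of the original page or of radare itself: it parses the ELF program headers to translate the virtual address 0x08048432 into a file offset (the step radare's seek does for us), refuses to write unless the byte there really is the 0x74 of a short jz, and only then writes 0xeb. The sample ELF image it builds is constructed here to stand in for crackme0x01; the instruction bytes it places at 0x804842b (81 7d fc 9a 14 00 00 followed by 74 0e) are an assumed encoding consistent with the addresses given in the text, not a dump of the real binary.
</p>

```python
"""Added example: turn the short jz at a virtual address into a short jmp,
doing the vaddr -> file offset translation by hand from the ELF program
headers.  Hypothetical helper code, not part of radare or of the crackme."""
import struct
import sys

PT_LOAD = 1
JZ_REL8 = 0x74   # jz/je rel8 opcode
JMP_REL8 = 0xEB  # jmp rel8 opcode (same length, same displacement byte)


def parse_elf32_phdrs(data):
    """Return (p_vaddr, p_offset, p_filesz) for every PT_LOAD segment of a 32-bit ELF."""
    if data[:4] != b"\x7fELF" or data[4] != 1:  # EI_CLASS must be ELFCLASS32
        raise ValueError("not a 32-bit ELF image")
    endian = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    segments = []
    for i in range(e_phnum):
        fields = struct.unpack_from(endian + "8I", data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz = fields[:5]
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_offset, p_filesz))
    return segments


def vaddr_to_offset(segments, vaddr):
    """Map a virtual address to its file offset through the PT_LOAD segments."""
    for p_vaddr, p_offset, p_filesz in segments:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#010x} is not backed by the file")


def patch_jz_to_jmp(data, vaddr):
    """Return a copy of `data` with the short jz at `vaddr` turned into a short jmp.

    Refuses to write unless the byte really is 0x74: patching the wrong
    address would silently corrupt an unrelated instruction instead of failing.
    """
    off = vaddr_to_offset(parse_elf32_phdrs(data), vaddr)
    if data[off] != JZ_REL8:
        raise ValueError(f"expected jz (0x74) at {vaddr:#010x}, found {data[off]:#04x}")
    patched = bytearray(data)
    patched[off] = JMP_REL8  # the rel8 displacement byte after the opcode is left as-is
    return bytes(patched)


def build_sample_elf32():
    """Constructed stand-in for crackme0x01 (not the real binary): one PT_LOAD
    segment mapping file offset 0 at 0x08048000, with an assumed encoding of
    `cmp dword [ebp-4], 0x149a ; jz +0x0e` placed at 0x0804842b as in the text."""
    base, size = 0x08048000, 0x500
    img = bytearray(size)
    img[0:8] = b"\x7fELF\x01\x01\x01\x00"  # ELFCLASS32, little endian, EV_CURRENT
    # e_type=ET_EXEC, e_machine=EM_386, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<HHIIIIIHHHHHH", img, 16,
                     2, 3, 1, base + 0x330, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags=R|X, p_align
    struct.pack_into("<8I", img, 52, PT_LOAD, 0, base, base, size, size, 5, 0x1000)
    code = bytes.fromhex("817dfc9a140000" "740e")  # cmp [ebp-4],0x149a ; jz +0x0e
    img[0x42B:0x42B + len(code)] = code
    return bytes(img)


if __name__ == "__main__":
    # Usage: python patch_jz.py crackme0x01 0x08048432   (writes crackme0x01.patched)
    path, vaddr = sys.argv[1], int(sys.argv[2], 16)
    with open(path, "rb") as f:
        original = f.read()
    with open(path + ".patched", "wb") as f:
        f.write(patch_jz_to_jmp(original, vaddr))
    print(f"patched jz -> jmp at {vaddr:#010x}")
```

<p>
Run as "python patch_jz.py crackme0x01 0x08048432" against the real file to produce crackme0x01.patched. The guard on the opcode byte is the part worth keeping: a wrong address (say 0x804842b, the cmp) is rejected instead of being overwritten, and since only the opcode changes and never the displacement byte, the resulting jmp lands on exactly the target the original jz did.
</p>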
<p>
Done! :D
</p>
<!-- version IDs:
$Id: radare.but 2009-04-25 pancake $
-->
</body>
</html>