译者表示:把两篇文章揉合到了一起。
原文来自:《Defeating ioli with radare2》和《Crackme solution from pancake》。
需要:
crackme 0x00
第一个crackme,非常简单。
✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x00
IOLI Crackme Level 0x00
Password: 1234
Invalid Password!
⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x00
-- I script in C, because fuck you.
[0x08048360]> aa
[0x08048360]> pdf@sym.main
| ; DATA XREF from 0x08048377 (fcn.08048356)
/ (fcn) sym.main 127
| 0x08048414 55 push ebp
| 0x08048415 89e5 mov ebp, esp
| 0x08048417 83ec28 sub esp, 0x28
| 0x0804841a 83e4f0 and esp, 0xfffffff0
| 0x0804841d b800000000 mov eax, 0x0
| 0x08048422 83c00f add eax, 0xf
| 0x08048425 83c00f add eax, 0xf
| 0x08048428 c1e804 shr eax, 0x4
| 0x0804842b c1e004 shl eax, 0x4
| 0x0804842e 29c4 sub esp, eax
| 0x08048430 c7042468850. mov dword [esp], str.IOLI_Crackme_Level_0x00_n ; str.IOLI_Crackme_Level_0x00_n
| 0x08048437 e804ffffff call sym.imp.printf ; (fcn.08048336)
| fcn.08048336(unk) ; sym.imp.printf
| 0x0804843c c7042481850. mov dword [esp], str.Password_ ; str.Password_
| 0x08048443 e8f8feffff call sym.imp.printf ; (fcn.08048336)
| fcn.08048336() ; sym.imp.printf
| 0x08048448 8d45e8 lea eax, [ebp-0x18]
| 0x0804844b 89442404 mov [esp+0x4], eax
| 0x0804844f c704248c850. mov dword [esp], 0x804858c ; 0x0804858c
| 0x08048456 e8d5feffff call sym.imp.scanf ; (fcn.08048326)
| fcn.08048326() ; sym.imp.scanf
| 0x0804845b 8d45e8 lea eax, [ebp-0x18]
| 0x0804845e c74424048f8. mov dword [esp+0x4], str.250382 ; str.250382
| 0x08048466 890424 mov [esp], eax
| 0x08048469 e8e2feffff call sym.imp.strcmp ; (fcn.08048346)
| fcn.08048346() ; sym.imp.strcmp
| 0x0804846e 85c0 test eax, eax
| ,=< 0x08048470 740e je 0x8048480
| | 0x08048472 c7042496850. mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n
| | 0x08048479 e8c2feffff call sym.imp.printf ; (fcn.08048336)
| | fcn.08048336() ; sym.imp.printf
| ,==< 0x0804847e eb0c jmp 0x804848c ; (sym.main)
| || ; JMP XREF from 0x08048470 (unk)
| |`-> 0x08048480 c70424a9850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n
| | 0x08048487 e8b4feffff call sym.imp.printf ; (fcn.08048336)
| | fcn.08048336() ; sym.imp.printf
| `--> 0x0804848c b800000000 mov eax, 0x0
| 0x08048491 c9 leave
\ 0x08048492 c3 ret
[0x08048360]> s 0x0804847e
[0x0804847e]> wx eb
[0x0804847e]> px 20
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0804847e eb0c c704 24a9 8504 08e8 b4fe ffff b800 ....$...........
0x0804848e 0000 00c9 ....
[0x0804847e]> pD 20
| ,=< 0x0804847e eb0c jmp 0x804848c ; (sym.main)
| | ; JMP XREF from 0x08048470 (unk)
| | 0x08048480 c70424a9850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n
| | 0x08048487 e8b4feffff call sym.imp.printf ; (fcn.08048336)
| | fcn.08048336() ; sym.imp.printf
| `-> 0x0804848c b800000000 mov eax, 0x0
| 0x08048491 c9 leave
[0x08048470]> q
输入任何密码。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x00
IOLI Crackme Level 0x00
Password: 12345
Password OK :)
crackme0x01
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x01
IOLI Crackme Level 0x01
Password: 12345
Invalid Password!
反汇编后我们看到有个跳转到 OK 分支的 je,把它改成 jmp。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x01
-- Deltify your life with radare2
[0x08048330]> aa
[0x08048330]> pdf@sym.main
| ; DATA XREF from 0x08048347 (fcn.08048322)
/ (fcn) sym.main 113
| 0x080483e4 55 push ebp
| 0x080483e5 89e5 mov ebp, esp
| 0x080483e7 83ec18 sub esp, 0x18
| 0x080483ea 83e4f0 and esp, 0xfffffff0
| 0x080483ed b800000000 mov eax, 0x0
| 0x080483f2 83c00f add eax, 0xf
| 0x080483f5 83c00f add eax, 0xf
| 0x080483f8 c1e804 shr eax, 0x4
| 0x080483fb c1e004 shl eax, 0x4
| 0x080483fe 29c4 sub esp, eax
| 0x08048400 c7042428850. mov dword [esp], str.IOLI_Crackme_Level_0x01_n ; str.IOLI_Crackme_Level_0x01_n
| 0x08048407 e810ffffff call sym.imp.printf ; (fcn.08048312)
| fcn.08048312(unk) ; sym.imp.printf
| 0x0804840c c7042441850. mov dword [esp], str.Password_ ; str.Password_
| 0x08048413 e804ffffff call sym.imp.printf ; (fcn.08048312)
| fcn.08048312() ; sym.imp.printf
| 0x08048418 8d45fc lea eax, [ebp-0x4]
| 0x0804841b 89442404 mov [esp+0x4], eax
| 0x0804841f c704244c850. mov dword [esp], 0x804854c ; 0x0804854c
| 0x08048426 e8e1feffff call sym.imp.scanf ; (fcn.08048302)
| fcn.08048302() ; sym.imp.scanf
| 0x0804842b 817dfc9a140. cmp dword [ebp-0x4], 0x149a
| ,=< 0x08048432 740e je 0x8048442
| | 0x08048434 c704244f850. mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n
| | 0x0804843b e8dcfeffff call sym.imp.printf ; (fcn.08048312)
| | fcn.08048312() ; sym.imp.printf
| ,==< 0x08048440 eb0c jmp 0x804844e ; (sym.main)
| || ; JMP XREF from 0x08048432 (unk)
| |`-> 0x08048442 c7042462850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n
| | 0x08048449 e8cefeffff call sym.imp.printf ; (fcn.08048312)
| | fcn.08048312() ; sym.imp.printf
| `--> 0x0804844e b800000000 mov eax, 0x0
| 0x08048453 c9 leave
\ 0x08048454 c3 ret
[0x08048330]> s 0x08048432
[0x08048432]> wx eb
[0x08048432]> q
接着输入任何密码:
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x01
IOLI Crackme Level 0x01
Password: 12345
Password OK :)
crackme0x02
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x02
IOLI Crackme Level 0x02
Password: 12345
Invalid Password!
这回还是个比较,将后面的 jne 判断改成 nop。有兴趣还可以笔算下密码是怎么生成的。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x02
-- Invert the block bytes using the 'I' key in visual mode
[0x08048330]> aa
[0x08048330]> pdf@sym.main
| ; DATA XREF from 0x08048347 (fcn.08048322)
/ (fcn) sym.main 144
| 0x080483e4 55 push ebp
| 0x080483e5 89e5 mov ebp, esp
| 0x080483e7 83ec18 sub esp, 0x18
| 0x080483ea 83e4f0 and esp, 0xfffffff0
| 0x080483ed b800000000 mov eax, 0x0
| 0x080483f2 83c00f add eax, 0xf
| 0x080483f5 83c00f add eax, 0xf
| 0x080483f8 c1e804 shr eax, 0x4
| 0x080483fb c1e004 shl eax, 0x4
| 0x080483fe 29c4 sub esp, eax
| 0x08048400 c7042448850. mov dword [esp], str.IOLI_Crackme_Level_0x02_n ; str.IOLI_Crackme_Level_0x02_n
| 0x08048407 e810ffffff call sym.imp.printf ; (fcn.08048312)
| fcn.08048312(unk) ; sym.imp.printf
| 0x0804840c c7042461850. mov dword [esp], str.Password_ ; str.Password_
| 0x08048413 e804ffffff call sym.imp.printf ; (fcn.08048312)
| fcn.08048312() ; sym.imp.printf
| 0x08048418 8d45fc lea eax, [ebp-0x4]
| 0x0804841b 89442404 mov [esp+0x4], eax
| 0x0804841f c704246c850. mov dword [esp], 0x804856c ; 0x0804856c
| 0x08048426 e8e1feffff call sym.imp.scanf ; (fcn.08048302)
| fcn.08048302() ; sym.imp.scanf
| 0x0804842b c745f85a000. mov dword [ebp-0x8], 0x5a ; 0x0000005a
| 0x08048432 c745f4ec010. mov dword [ebp-0xc], 0x1ec ; 0x000001ec
| 0x08048439 8b55f4 mov edx, [ebp-0xc]
| 0x0804843c 8d45f8 lea eax, [ebp-0x8]
| 0x0804843f 0110 add [eax], edx
| 0x08048441 8b45f8 mov eax, [ebp-0x8]
| 0x08048444 0faf45f8 imul eax, [ebp-0x8]
| 0x08048448 8945f4 mov [ebp-0xc], eax
| 0x0804844b 8b45fc mov eax, [ebp-0x4]
| 0x0804844e 3b45f4 cmp eax, [ebp-0xc]
| ,=< 0x08048451 750e jne 0x8048461
| | 0x08048453 c704246f850. mov dword [esp], str.Password_OK____n ; str.Password_OK____n
| | 0x0804845a e8bdfeffff call sym.imp.printf ; (fcn.08048312)
| | fcn.08048312() ; sym.imp.printf
| ,==< 0x0804845f eb0c jmp 0x804846d ; (sym.main)
| || ; JMP XREF from 0x08048451 (unk)
| |`-> 0x08048461 c704247f850. mov dword [esp], str.Invalid_Password__n ; str.Invalid_Password__n
| | 0x08048468 e8affeffff call sym.imp.printf ; (fcn.08048312)
| | fcn.08048312() ; sym.imp.printf
| `--> 0x0804846d b800000000 mov eax, 0x0
| 0x08048472 c9 leave
\ 0x08048473 c3 ret
[0x08048330]> s 0x08048451
[0x08048451]> wx 9090
[0x08048451]> px 10
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x08048451 9090 c704 246f 8504 08e8 ....$o....
[0x08048451]> q
输入任何密码:
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x02
IOLI Crackme Level 0x02
Password: 12345
Password OK :)
crackme0x03
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x03
IOLI Crackme Level 0x03
Password: 12345
Invalid Password!
这回发现难一些了,没有明文字符串。main 函数调用一个 test,test 又调用 shift。虽然不知道这些函数是干嘛的,但发现 sym.test 中有两个似乎加密过的字符串,可能对应 invalid 和 Ok 两个字符串。猜测 sym.shift 是一种移位加密方法。基本上可以猜出来 0x0804848a 是 OK 的地方。
✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x03
-- Use zoom.byte=entropy and press 'z' in visual mode to zoom out to see the entropy of the whole file
[0x08048360]> aa
[0x08048360]> pdf@sym.main
| ; UNKNOWN XREF from 0x0804847a (unk)
| ; DATA XREF from 0x08048377 (fcn.08048356)
/ (fcn) sym.main 128
| 0x08048498 55 push ebp
| 0x08048499 89e5 mov ebp, esp
| 0x0804849b 83ec18 sub esp, 0x18
| 0x0804849e 83e4f0 and esp, 0xfffffff0
| 0x080484a1 b800000000 mov eax, 0x0
| 0x080484a6 83c00f add eax, 0xf
| 0x080484a9 83c00f add eax, 0xf
| 0x080484ac c1e804 shr eax, 0x4
| 0x080484af c1e004 shl eax, 0x4
| 0x080484b2 29c4 sub esp, eax
| 0x080484b4 c7042410860. mov dword [esp], str.IOLI_Crackme_Level_0x03_n ; str.IOLI_Crackme_Level_0x03_n
| 0x080484bb e890feffff call sym.imp.printf
| sym.imp.printf(unk)
| 0x080484c0 c7042429860. mov dword [esp], str.Password_ ; str.Password_
| 0x080484c7 e884feffff call sym.imp.printf
| sym.imp.printf()
| 0x080484cc 8d45fc lea eax, [ebp-0x4]
| 0x080484cf 89442404 mov [esp+0x4], eax
| 0x080484d3 c7042434860. mov dword [esp], 0x8048634 ; 0x08048634
| 0x080484da e851feffff call sym.imp.scanf
| sym.imp.scanf()
| 0x080484df c745f85a000. mov dword [ebp-0x8], 0x5a ; 0x0000005a
| 0x080484e6 c745f4ec010. mov dword [ebp-0xc], 0x1ec ; 0x000001ec
| 0x080484ed 8b55f4 mov edx, [ebp-0xc]
| 0x080484f0 8d45f8 lea eax, [ebp-0x8]
| 0x080484f3 0110 add [eax], edx
| 0x080484f5 8b45f8 mov eax, [ebp-0x8]
| 0x080484f8 0faf45f8 imul eax, [ebp-0x8]
| 0x080484fc 8945f4 mov [ebp-0xc], eax
| 0x080484ff 8b45f4 mov eax, [ebp-0xc]
| 0x08048502 89442404 mov [esp+0x4], eax
| 0x08048506 8b45fc mov eax, [ebp-0x4]
| 0x08048509 890424 mov [esp], eax
| 0x0804850c e85dffffff call sym.test
| sym.test()
| 0x08048511 b800000000 mov eax, 0x0
| 0x08048516 c9 leave
\ 0x08048517 c3 ret
[0x08048360]> pdf@sym.test
| ; UNKNOWN XREF from 0x0804846e (unk)
| ; CALL XREF from 0x0804850c (unk)
/ (fcn) sym.test 42
| 0x0804846e 55 push ebp
| 0x0804846f 89e5 mov ebp, esp
| 0x08048471 83ec08 sub esp, 0x8
| 0x08048474 8b4508 mov eax, [ebp+0x8]
| 0x08048477 3b450c cmp eax, [ebp+0xc]
| ,=< 0x0804847a 740e je loc.0804848a
| | 0x0804847c c70424ec850. mov dword [esp], str.Lqydolg_Sdvvzrug_ ; str.Lqydolg_Sdvvzrug_
| | 0x08048483 e88cffffff call sym.shift
| | sym.shift(unk)
| ,==< 0x08048488 eb0c jmp loc.08048496
| || ; JMP XREF from 0x0804847a (unk)
|- loc.0804848a 14
| |`-> 0x0804848a c70424fe850. mov dword [esp], str.Sdvvzrug_RN______ ; str.Sdvvzrug_RN______
| | 0x08048491 e87effffff call sym.shift
| | sym.shift()
| | ; JMP XREF from 0x08048488 (unk)
|- loc.08048496 2
| `--> 0x08048496 c9 leave
\ 0x08048497 c3 ret
[0x08048360]> s 0x0804847a
[0x0804847a]> px 20
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0804847a 7400 0000 24ec 8504 08e8 8cff ffff eb0c t...$...........
0x0804848a c704 24fe ..$.
[0x0804847a]> wx eb
[0x0804847a]> px 20
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0804847a eb0e c704 24ec 8504 08e8 8cff ffff eb0c ....$...........
0x0804848a c704 24fe ..$.
[0x0804847a]> pdf@sym.test
| ; UNKNOWN XREF from 0x0804846e (unk)
| ; CALL XREF from 0x0804850c (unk)
/ (fcn) sym.test 42
| 0x0804846e 55 push ebp
| 0x0804846f 89e5 mov ebp, esp
| 0x08048471 83ec08 sub esp, 0x8
| 0x08048474 8b4508 mov eax, [ebp+0x8]
| 0x08048477 3b450c cmp eax, [ebp+0xc]
| ,=< 0x0804847a eb0e jmp loc.0804848a
| | 0x0804847c c70424ec850. mov dword [esp], str.Lqydolg_Sdvvzrug_ ; str.Lqydolg_Sdvvzrug_
| | 0x08048483 e88cffffff call sym.shift
| | sym.shift(unk)
| ,==< 0x08048488 eb0c jmp loc.08048496
| || ; JMP XREF from 0x0804847a (unk)
|- loc.0804848a 14
| |`-> 0x0804848a c70424fe850. mov dword [esp], str.Sdvvzrug_RN______ ; str.Sdvvzrug_RN______
| | 0x08048491 e87effffff call sym.shift
| | sym.shift()
| | ; JMP XREF from 0x08048488 (unk)
|- loc.08048496 2
| `--> 0x08048496 c9 leave
\ 0x08048497 c3 ret
[0x0804847a]> q
输入任意密码
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x03
IOLI Crackme Level 0x03
Password: 12345
Password OK!!! :)
crackme0x04
尝试12345竟然成功了……这不重要,README中给出了所有crackme的密码方便破解。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x04
IOLI Crackme Level 0x04
Password: aaaaa
Password Incorrect!
又一个叫 sym.check 的函数,里头赫然写着明文的 invalid 和 ok。仍然是将判断跳转改成什么都不做。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x04
-- Interpret your own radare2 scripts with '. <path-to-your-script>'. Similar to the bash source alias command.
[0x080483d0]> aa
[0x080483d0]> pdf@sym.main
| ; UNKNOWN XREF from 0x08048509 (unk)
| ; DATA XREF from 0x080483e7 (fcn.080483ba)
/ (fcn) sym.main 92
| 0x08048509 55 push ebp
| 0x0804850a 89e5 mov ebp, esp
| 0x0804850c 81ec88000000 sub esp, 0x88
| 0x08048512 83e4f0 and esp, 0xfffffff0
| 0x08048515 b800000000 mov eax, 0x0
| 0x0804851a 83c00f add eax, 0xf
| 0x0804851d 83c00f add eax, 0xf
| 0x08048520 c1e804 shr eax, 0x4
| 0x08048523 c1e004 shl eax, 0x4
| 0x08048526 29c4 sub esp, eax
| 0x08048528 c704245e860. mov dword [esp], str.IOLI_Crackme_Level_0x04_n ; str.IOLI_Crackme_Level_0x04_n
| 0x0804852f e860feffff call sym.imp.printf
| sym.imp.printf(unk)
| 0x08048534 c7042477860. mov dword [esp], str.Password_ ; str.Password_
| 0x0804853b e854feffff call sym.imp.printf
| sym.imp.printf()
| 0x08048540 8d4588 lea eax, [ebp-0x78]
| 0x08048543 89442404 mov [esp+0x4], eax
| 0x08048547 c7042482860. mov dword [esp], 0x8048682 ; 0x08048682
| 0x0804854e e821feffff call sym.imp.scanf
| sym.imp.scanf()
| 0x08048553 8d4588 lea eax, [ebp-0x78]
| 0x08048556 890424 mov [esp], eax
| 0x08048559 e826ffffff call sym.check
| sym.check()
| 0x0804855e b800000000 mov eax, 0x0
| 0x08048563 c9 leave
\ 0x08048564 c3 ret
[0x080483d0]> pdf@sym.check
| ; CALL XREF from 0x08048559 (unk)
/ (fcn) sym.check 133
| 0x08048484 55 push ebp
| 0x08048485 89e5 mov ebp, esp
| 0x08048487 83ec28 sub esp, 0x28
| 0x0804848a c745f800000. mov dword [ebp-0x8], 0x0
| 0x08048491 c745f400000. mov dword [ebp-0xc], 0x0
| .---> 0x08048498 8b4508 mov eax, [ebp+0x8]
| | 0x0804849b 890424 mov [esp], eax
| | 0x0804849e e8e1feffff call sym.imp.strlen ; (fcn.0804837a)
| | fcn.0804837a(unk) ; sym.imp.strlen
| | 0x080484a3 3945f4 cmp [ebp-0xc], eax
| | ,=< 0x080484a6 7353 jae 0x80484fb
| | | 0x080484a8 8b45f4 mov eax, [ebp-0xc]
| | | 0x080484ab 034508 add eax, [ebp+0x8]
| | | 0x080484ae 0fb600 movzx eax, byte [eax]
| | | 0x080484b1 8845f3 mov [ebp-0xd], al
| | | 0x080484b4 8d45fc lea eax, [ebp-0x4]
| | | 0x080484b7 89442408 mov [esp+0x8], eax
| | | 0x080484bb c7442404388. mov dword [esp+0x4], 0x8048638 ; 0x08048638
| | | 0x080484c3 8d45f3 lea eax, [ebp-0xd]
| | | 0x080484c6 890424 mov [esp], eax
| | | 0x080484c9 e8d6feffff call sym.imp.sscanf ; (fcn.0804839a)
| | | fcn.0804839a() ; sym.imp.sscanf
| | | 0x080484ce 8b55fc mov edx, [ebp-0x4]
| | | 0x080484d1 8d45f8 lea eax, [ebp-0x8]
| | | 0x080484d4 0110 add [eax], edx
| | | 0x080484d6 837df80f cmp dword [ebp-0x8], 0xf
| |,==< 0x080484da 7518 jne 0x80484f4
| ||| 0x080484dc c704243b860. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
| ||| 0x080484e3 e8acfeffff call sym.imp.printf
| ||| sym.imp.printf()
| ||| 0x080484e8 c7042400000. mov dword [esp], 0x0
| ||| 0x080484ef e8c0feffff call sym.imp.exit ; (fcn.080483aa)
| ||| fcn.080483aa() ; sym.imp.exit
| |`--> 0x080484f4 8d45f4 lea eax, [ebp-0xc]
| | | 0x080484f7 ff00 inc dword [eax]
| `===< 0x080484f9 eb9d jmp 0x8048498 ; (sym.check)
| | ; JMP XREF from 0x080484a6 (unk)
| `-> 0x080484fb c7042449860. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n
| 0x08048502 e88dfeffff call sym.imp.printf
| sym.imp.printf()
| 0x08048507 c9 leave
\ 0x08048508 c3 ret
[0x080483d0]> s 0x080484da
[0x080484da]> wx 9090
[0x080484da]> q
输入任何密码:
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x04
IOLI Crackme Level 0x04
Password: aaaaa
Password OK!
crackme0x05
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x05
IOLI Crackme Level 0x05
Password: 12345
Password Incorrect!
sym.parell?在三个地方都有判断,把它们改掉,让程序直接执行到 OK 字符串的位置。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x05
-- Use -e bin.strings=false to disable search for strings when loading the binary.
[0x080483d0]> aa
[0x080483d0]> pdf@sym.main
| ; UNKNOWN XREF from 0x080484ea (unk)
| ; DATA XREF from 0x080483e7 (fcn.080483ba)
/ (fcn) sym.main 92
| 0x08048540 55 push ebp
| 0x08048541 89e5 mov ebp, esp
| 0x08048543 81ec88000000 sub esp, 0x88
| 0x08048549 83e4f0 and esp, 0xfffffff0
| 0x0804854c b800000000 mov eax, 0x0
| 0x08048551 83c00f add eax, 0xf
| 0x08048554 83c00f add eax, 0xf
| 0x08048557 c1e804 shr eax, 0x4
| 0x0804855a c1e004 shl eax, 0x4
| 0x0804855d 29c4 sub esp, eax
| 0x0804855f c704248e860. mov dword [esp], str.IOLI_Crackme_Level_0x05_n ; str.IOLI_Crackme_Level_0x05_n
| 0x08048566 e829feffff call sym.imp.printf
| sym.imp.printf(unk)
| 0x0804856b c70424a7860. mov dword [esp], str.Password_ ; str.Password_
| 0x08048572 e81dfeffff call sym.imp.printf
| sym.imp.printf()
| 0x08048577 8d4588 lea eax, [ebp-0x78]
| 0x0804857a 89442404 mov [esp+0x4], eax
| 0x0804857e c70424b2860. mov dword [esp], 0x80486b2 ; 0x080486b2
| 0x08048585 e8eafdffff call sym.imp.scanf
| sym.imp.scanf()
| 0x0804858a 8d4588 lea eax, [ebp-0x78]
| 0x0804858d 890424 mov [esp], eax
| 0x08048590 e833ffffff call sym.check
| sym.check()
| 0x08048595 b800000000 mov eax, 0x0
| 0x0804859a c9 leave
\ 0x0804859b c3 ret
[0x080483d0]> pdf@sym.check
| | ; UNKNOWN XREF from 0x080484c8 (unk)
| | ; CALL XREF from 0x08048590 (unk)
/ (fcn) sym.check 120
| | 0x080484c8 55 push ebp
| | 0x080484c9 89e5 mov ebp, esp
| | 0x080484cb 83ec28 sub esp, 0x28
| | 0x080484ce c745f800000. mov dword [ebp-0x8], 0x0
| | 0x080484d5 c745f400000. mov dword [ebp-0xc], 0x0
| | ; JMP XREF from 0x08048530 (unk)
|- loc.080484dc 100
| |.---> 0x080484dc 8b4508 mov eax, [ebp+0x8]
| || 0x080484df 890424 mov [esp], eax
| || 0x080484e2 e89dfeffff call sym.imp.strlen
| || sym.imp.strlen(unk)
| || 0x080484e7 3945f4 cmp [ebp-0xc], eax
| || ,=< 0x080484ea 7346 jae loc.08048532
| || | 0x080484ec 8b45f4 mov eax, [ebp-0xc]
| || | 0x080484ef 034508 add eax, [ebp+0x8]
| || | 0x080484f2 0fb600 movzx eax, byte [eax]
| || | 0x080484f5 8845f3 mov [ebp-0xd], al
| || | 0x080484f8 8d45fc lea eax, [ebp-0x4]
| || | 0x080484fb 89442408 mov [esp+0x8], eax
| || | 0x080484ff c7442404688. mov dword [esp+0x4], 0x8048668 ; 0x08048668
| || | 0x08048507 8d45f3 lea eax, [ebp-0xd]
| || | 0x0804850a 890424 mov [esp], eax
| || | 0x0804850d e892feffff call sym.imp.sscanf
| || | sym.imp.sscanf()
| || | 0x08048512 8b55fc mov edx, [ebp-0x4]
| || | 0x08048515 8d45f8 lea eax, [ebp-0x8]
| || | 0x08048518 0110 add [eax], edx
| || | 0x0804851a 837df810 cmp dword [ebp-0x8], 0x10
| ||,==< 0x0804851e 750b jne loc.0804852b
| |||| 0x08048520 8b4508 mov eax, [ebp+0x8]
| |||| 0x08048523 890424 mov [esp], eax
| |||| 0x08048526 e859ffffff call sym.parell
| |||| sym.parell()
| ||| ; JMP XREF from 0x0804851e (unk)
|- loc.0804852b 21
| ||`--> 0x0804852b 8d45f4 lea eax, [ebp-0xc]
| || | 0x0804852e ff00 inc dword [eax]
| |`===< 0x08048530 ebaa jmp loc.080484dc
| | | ; JMP XREF from 0x080484ea (unk)
|- loc.08048532 14
| | `-> 0x08048532 c7042479860. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n
| 0x08048539 e856feffff call sym.imp.printf
| sym.imp.printf()
| 0x0804853e c9 leave
\ 0x0804853f c3 ret
[0x080483d0]> pdf@sym.parell
| ; CALL XREF from 0x08048526 (unk)
/ (fcn) sym.parell 68
| 0x08048484 55 push ebp
| 0x08048485 89e5 mov ebp, esp
| 0x08048487 83ec18 sub esp, 0x18
| 0x0804848a 8d45fc lea eax, [ebp-0x4]
| 0x0804848d 89442408 mov [esp+0x8], eax
| 0x08048491 c7442404688. mov dword [esp+0x4], 0x8048668 ; 0x08048668
| 0x08048499 8b4508 mov eax, [ebp+0x8]
| 0x0804849c 890424 mov [esp], eax
| 0x0804849f e800ffffff call sym.imp.sscanf
| sym.imp.sscanf(unk)
| 0x080484a4 8b45fc mov eax, [ebp-0x4]
| 0x080484a7 83e001 and eax, 0x1
| 0x080484aa 85c0 test eax, eax
| ,=< 0x080484ac 7518 jne 0x80484c6
| | 0x080484ae c704246b860. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
| | 0x080484b5 e8dafeffff call sym.imp.printf
| | sym.imp.printf()
| | 0x080484ba c7042400000. mov dword [esp], 0x0
| | 0x080484c1 e8eefeffff call sym.imp.exit ; (fcn.080483aa)
| | fcn.080483aa() ; sym.imp.exit
| | ; JMP XREF from 0x080484ac (unk)
| `-> 0x080484c6 c9 leave
\ 0x080484c7 c3 ret
[0x080483d0]> s 0x080484ea
[0x080484ea]> wx 9090
[0x080484ea]> s 0x0804851e
[0x0804851e]> wx 9090
[0x0804851e]> s 0x080484ac
[0x080484ac]> wx 9090
[0x080484ac]> q
输入任意密码
✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x05
IOLI Crackme Level 0x05
Password: 12345
Password OK!
crackme0x06
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x06
IOLI Crackme Level 0x06
Password: 12345
Password Incorrect!
破解么,又不需要知道程序逻辑,只要让程序运行到想要的代码块就好。于是……把所有跳转灭掉。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x06
-- Dissasemble? No dissasemble, no dissassemble!!!!!
[0x08048400]> aa
[0x08048400]> pdf@sym.main
| ; UNKNOWN XREF from 0x080485aa (unk)
| ; DATA XREF from 0x08048417 (fcn.080483ee)
/ (fcn) sym.main 99
| 0x08048607 55 push ebp
| 0x08048608 89e5 mov ebp, esp
| 0x0804860a 81ec88000000 sub esp, 0x88
| 0x08048610 83e4f0 and esp, 0xfffffff0
| 0x08048613 b800000000 mov eax, 0x0
| 0x08048618 83c00f add eax, 0xf
| 0x0804861b 83c00f add eax, 0xf
| 0x0804861e c1e804 shr eax, 0x4
| 0x08048621 c1e004 shl eax, 0x4
| 0x08048624 29c4 sub esp, eax
| 0x08048626 c7042463870. mov dword [esp], str.IOLI_Crackme_Level_0x06_n ; str.IOLI_Crackme_Level_0x06_n
| 0x0804862d e886fdffff call sym.imp.printf
| sym.imp.printf(unk)
| 0x08048632 c704247c870. mov dword [esp], str.Password_ ; str.Password_
| 0x08048639 e87afdffff call sym.imp.printf
| sym.imp.printf()
| 0x0804863e 8d4588 lea eax, [ebp-0x78]
| 0x08048641 89442404 mov [esp+0x4], eax
| 0x08048645 c7042487870. mov dword [esp], 0x8048787 ; 0x08048787
| 0x0804864c e847fdffff call sym.imp.scanf
| sym.imp.scanf()
| 0x08048651 8b4510 mov eax, [ebp+0x10]
| 0x08048654 89442404 mov [esp+0x4], eax
| 0x08048658 8d4588 lea eax, [ebp-0x78]
| 0x0804865b 890424 mov [esp], eax
| 0x0804865e e825ffffff call sym.check
| sym.check()
| 0x08048663 b800000000 mov eax, 0x0
| 0x08048668 c9 leave
\ 0x08048669 c3 ret
[0x08048400]> pdf@sym.check
| ; UNKNOWN XREF from 0x0804854e (unk)
| ; CALL XREF from 0x0804865e (unk)
/ (fcn) sym.check 127
| 0x08048588 55 push ebp
| 0x08048589 89e5 mov ebp, esp
| 0x0804858b 83ec28 sub esp, 0x28
| 0x0804858e c745f800000. mov dword [ebp-0x8], 0x0
| 0x08048595 c745f400000. mov dword [ebp-0xc], 0x0
| ; JMP XREF from 0x080485f7 (unk)
|- loc.0804859c 107
| .---> 0x0804859c 8b4508 mov eax, [ebp+0x8]
| | 0x0804859f 890424 mov [esp], eax
| | 0x080485a2 e801feffff call sym.imp.strlen
| | sym.imp.strlen(unk)
| | 0x080485a7 3945f4 cmp [ebp-0xc], eax
| | ,=< 0x080485aa 734d jae loc.080485f9
| | | 0x080485ac 8b45f4 mov eax, [ebp-0xc]
| | | 0x080485af 034508 add eax, [ebp+0x8]
| | | 0x080485b2 0fb600 movzx eax, byte [eax]
| | | 0x080485b5 8845f3 mov [ebp-0xd], al
| | | 0x080485b8 8d45fc lea eax, [ebp-0x4]
| | | 0x080485bb 89442408 mov [esp+0x8], eax
| | | 0x080485bf c74424043d8. mov dword [esp+0x4], 0x804873d ; 0x0804873d
| | | 0x080485c7 8d45f3 lea eax, [ebp-0xd]
| | | 0x080485ca 890424 mov [esp], eax
| | | 0x080485cd e8f6fdffff call sym.imp.sscanf
| | | sym.imp.sscanf()
| | | 0x080485d2 8b55fc mov edx, [ebp-0x4]
| | | 0x080485d5 8d45f8 lea eax, [ebp-0x8]
| | | 0x080485d8 0110 add [eax], edx
| | | 0x080485da 837df810 cmp dword [ebp-0x8], 0x10
| |,==< 0x080485de 7512 jne loc.080485f2
| ||| 0x080485e0 8b450c mov eax, [ebp+0xc]
| ||| 0x080485e3 89442404 mov [esp+0x4], eax
| ||| 0x080485e7 8b4508 mov eax, [ebp+0x8]
| ||| 0x080485ea 890424 mov [esp], eax
| ||| 0x080485ed e828ffffff call sym.parell
| ||| sym.parell()
| || ; JMP XREF from 0x080485de (unk)
|- loc.080485f2 21
| |`--> 0x080485f2 8d45f4 lea eax, [ebp-0xc]
| | | 0x080485f5 ff00 inc dword [eax]
| `===< 0x080485f7 eba3 jmp loc.0804859c
| | ; JMP XREF from 0x080485aa (unk)
|- loc.080485f9 14
| `-> 0x080485f9 c704244e870. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n
| 0x08048600 e8b3fdffff call sym.imp.printf
| sym.imp.printf()
| 0x08048605 c9 leave
\ 0x08048606 c3 ret
[0x08048400]> pdf@sym.parell
| ; UNKNOWN XREF from 0x0804851a (unk)
| ; CALL XREF from 0x080485ed (unk)
/ (fcn) sym.parell 110
| 0x0804851a 55 push ebp
| 0x0804851b 89e5 mov ebp, esp
| 0x0804851d 83ec18 sub esp, 0x18
| 0x08048520 8d45fc lea eax, [ebp-0x4]
| 0x08048523 89442408 mov [esp+0x8], eax
| 0x08048527 c74424043d8. mov dword [esp+0x4], 0x804873d ; 0x0804873d
| 0x0804852f 8b4508 mov eax, [ebp+0x8]
| 0x08048532 890424 mov [esp], eax
| 0x08048535 e88efeffff call sym.imp.sscanf
| sym.imp.sscanf(unk)
| 0x0804853a 8b450c mov eax, [ebp+0xc]
| 0x0804853d 89442404 mov [esp+0x4], eax
| 0x08048541 8b45fc mov eax, [ebp-0x4]
| 0x08048544 890424 mov [esp], eax
| 0x08048547 e868ffffff call sym.dummy
| sym.dummy()
| 0x0804854c 85c0 test eax, eax
| ,=< 0x0804854e 7436 je loc.08048586
| | 0x08048550 c745f800000. mov dword [ebp-0x8], 0x0
| | ; JMP XREF from 0x08048584 (unk)
|- loc.08048557 49
| | 0x08048557 837df809 cmp dword [ebp-0x8], 0x9
| ,==< 0x0804855b 7f29 jg loc.08048586
| || 0x0804855d 8b45fc mov eax, [ebp-0x4]
| || 0x08048560 83e001 and eax, 0x1
| || 0x08048563 85c0 test eax, eax
| ,===< 0x08048565 7518 jne loc.0804857f
| ||| 0x08048567 c7042440870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
| ||| 0x0804856e e845feffff call sym.imp.printf
| ||| sym.imp.printf()
| ||| 0x08048573 c7042400000. mov dword [esp], 0x0
| ||| 0x0804857a e869feffff call sym.imp.exit
| ||| sym.imp.exit()
| | ; JMP XREF from 0x08048565 (unk)
|- loc.0804857f 9
| `---> 0x0804857f 8d45f8 lea eax, [ebp-0x8]
| || 0x08048582 ff00 inc dword [eax]
| || 0x08048584 ebd1 jmp loc.08048557
| || ; JMP XREF from 0x0804854e (unk)
| || ; JMP XREF from 0x0804855b (unk)
|- loc.08048586 2
| ``-> 0x08048586 c9 leave
\ 0x08048587 c3 ret
[0x08048400]> s 0x080485aa
[0x080485aa]> wx 9090
[0x080485aa]> s 0x080485de
[0x080485de]> wx 9090
[0x080485de]> s 0x0804854e
[0x0804854e]> wx 9090
[0x0804854e]> s 0x0804855b
[0x0804855b]> wx 9090
[0x0804855b]> s 0x08048565
[0x08048565]> wx 9090
[0x08048565]> q
输入任意密码:
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x06
IOLI Crackme Level 0x06
Password: 123456
Password OK!
crackme0x07
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x07
IOLI Crackme Level 0x07
Password: 12345
Password Incorrect!
这次函数名都变了。大致搜索一下就能找到 Ok 代码段,把所有跳转清除。
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x07
-- Wow, my cat knows radare2 hotkeys better than me!
[0x08048400]> aa
[0x08048400]> pdf@main
| ; UNKNOWN XREF from 0x08048643 (fcn.080485b9)
| ; DATA XREF from 0x08048417 (entry0)
/ (fcn) main 99
| 0x0804867d 55 push ebp
| 0x0804867e 89e5 mov ebp, esp
| 0x08048680 81ec88000000 sub esp, 0x88
| 0x08048686 83e4f0 and esp, 0xfffffff0
| 0x08048689 b800000000 mov eax, 0x0
| 0x0804868e 83c00f add eax, 0xf
| 0x08048691 83c00f add eax, 0xf
| 0x08048694 c1e804 shr eax, 0x4
| 0x08048697 c1e004 shl eax, 0x4
| 0x0804869a 29c4 sub esp, eax
| 0x0804869c c70424d9870. mov dword [esp], str.IOLI_Crackme_Level_0x07_n ; str.IOLI_Crackme_Level_0x07_n
| 0x080486a3 e810fdffff call sym.imp.printf
| sym.imp.printf(unk)
| 0x080486a8 c70424f2870. mov dword [esp], str.Password_ ; str.Password_
| 0x080486af e804fdffff call sym.imp.printf
| sym.imp.printf()
| 0x080486b4 8d4588 lea eax, [ebp-0x78]
| 0x080486b7 89442404 mov [esp+0x4], eax
| 0x080486bb c70424fd870. mov dword [esp], 0x80487fd ; 0x080487fd
| 0x080486c2 e8d1fcffff call sym.imp.scanf
| sym.imp.scanf()
| 0x080486c7 8b4510 mov eax, [ebp+0x10]
| 0x080486ca 89442404 mov [esp+0x4], eax
| 0x080486ce 8d4588 lea eax, [ebp-0x78]
| 0x080486d1 890424 mov [esp], eax
| 0x080486d4 e8e0feffff call fcn.080485b9
| fcn.080485b9()
| 0x080486d9 b800000000 mov eax, 0x0
| 0x080486de c9 leave
\ 0x080486df c3 ret
[0x08048400]> pdf@fcn.080485b9
; UNKNOWN XREF from 0x08048576 (fcn.08048524)
; CALL XREF from 0x080486d4 (unk)
/ (fcn) fcn.080485b9 196
| 0x080485b9 55 push ebp
| 0x080485ba 89e5 mov ebp, esp
| 0x080485bc 83ec28 sub esp, 0x28
| 0x080485bf c745f800000. mov dword [ebp-0x8], 0x0
| 0x080485c6 c745f400000. mov dword [ebp-0xc], 0x0
| ; JMP XREF from 0x08048628 (fcn.080485b9)
|- fcn.080485cd 176
| .---> 0x080485cd 8b4508 mov eax, [ebp+0x8]
| | 0x080485d0 890424 mov [esp], eax
| | 0x080485d3 e8d0fdffff call sym.imp.strlen
| | sym.imp.strlen(unk)
| | 0x080485d8 3945f4 cmp [ebp-0xc], eax
| | ,=< 0x080485db 734d jae loc.0804862a
| | | 0x080485dd 8b45f4 mov eax, [ebp-0xc]
| | | 0x080485e0 034508 add eax, [ebp+0x8]
| | | 0x080485e3 0fb600 movzx eax, byte [eax]
| | | 0x080485e6 8845f3 mov [ebp-0xd], al
| | | 0x080485e9 8d45fc lea eax, [ebp-0x4]
| | | 0x080485ec 89442408 mov [esp+0x8], eax
| | | 0x080485f0 c7442404c28. mov dword [esp+0x4], 0x80487c2 ; 0x080487c2
| | | 0x080485f8 8d45f3 lea eax, [ebp-0xd]
| | | 0x080485fb 890424 mov [esp], eax
| | | 0x080485fe e8c5fdffff call sym.imp.sscanf
| | | sym.imp.sscanf()
| | | 0x08048603 8b55fc mov edx, [ebp-0x4]
| | | 0x08048606 8d45f8 lea eax, [ebp-0x8]
| | | 0x08048609 0110 add [eax], edx
| | | 0x0804860b 837df810 cmp dword [ebp-0x8], 0x10
| |,==< 0x0804860f 7512 jne loc.08048623
| ||| 0x08048611 8b450c mov eax, [ebp+0xc]
| ||| 0x08048614 89442404 mov [esp+0x4], eax
| ||| 0x08048618 8b4508 mov eax, [ebp+0x8]
| ||| 0x0804861b 890424 mov [esp], eax
| ||| 0x0804861e e81fffffff call fcn.08048542
| ||| fcn.08048542()
| || ; JMP XREF from 0x0804860f (fcn.080485b9)
|- loc.08048623 90
| |`--> 0x08048623 8d45f4 lea eax, [ebp-0xc]
| | | 0x08048626 ff00 inc dword [eax]
| `===< 0x08048628 eba3 jmp fcn.080485cd
| | ; JMP XREF from 0x080485db (fcn.080485b9)
|- loc.0804862a 83
| `-> 0x0804862a e8f5feffff call fcn.08048524
| | > fcn.08048524()
| 0x0804862f 8b450c mov eax, [ebp+0xc]
| 0x08048632 89442404 mov [esp+0x4], eax
| 0x08048636 8b45fc mov eax, [ebp-0x4]
| 0x08048639 890424 mov [esp], eax
| 0x0804863c e873feffff call fcn.080484b4
| fcn.080484b4() ; entry0+180
| 0x08048641 85c0 test eax, eax
| ,====< 0x08048643 7436 je loc.0804867b
| | 0x08048645 c745f400000. mov dword [ebp-0xc], 0x0
| | ; JMP XREF from 0x08048679 (fcn.080485b9)
|- loc.0804864c 49
| | 0x0804864c 837df409 cmp dword [ebp-0xc], 0x9
| ,=====< 0x08048650 7f29 jg loc.0804867b
| || 0x08048652 8b45fc mov eax, [ebp-0x4]
| || 0x08048655 83e001 and eax, 0x1
| || 0x08048658 85c0 test eax, eax
| ,======< 0x0804865a 7518 jne loc.08048674
| ||| 0x0804865c c70424d3870. mov dword [esp], str.wtf__n ; str.wtf__n
| ||| 0x08048663 e850fdffff call sym.imp.printf
| ||| sym.imp.printf()
| ||| 0x08048668 c7042400000. mov dword [esp], 0x0
| ||| 0x0804866f e874fdffff call sym.imp.exit
| ||| sym.imp.exit()
| | ; JMP XREF from 0x0804865a (fcn.080485b9)
|- loc.08048674 9
| `------> 0x08048674 8d45f4 lea eax, [ebp-0xc]
| || 0x08048677 ff00 inc dword [eax]
| || 0x08048679 ebd1 jmp loc.0804864c
| || ; JMP XREF from 0x08048643 (fcn.080485b9)
| || ; JMP XREF from 0x08048650 (fcn.080485b9)
|- loc.0804867b 2
| ``----> 0x0804867b c9 leave
\ 0x0804867c c3 ret
[0x08048400]> pdf@fcn.08048542
; CALL XREF from 0x0804861e (fcn.080485b9)
/ (fcn) fcn.08048542 119
| 0x08048542 55 push ebp
| 0x08048543 89e5 mov ebp, esp
| 0x08048545 83ec18 sub esp, 0x18
| 0x08048548 8d45fc lea eax, [ebp-0x4]
| 0x0804854b 89442408 mov [esp+0x8], eax
| 0x0804854f c7442404c28. mov dword [esp+0x4], 0x80487c2 ; 0x080487c2
| 0x08048557 8b4508 mov eax, [ebp+0x8]
| 0x0804855a 890424 mov [esp], eax
| 0x0804855d e866feffff call sym.imp.sscanf
| sym.imp.sscanf(unk)
| 0x08048562 8b450c mov eax, [ebp+0xc]
| 0x08048565 89442404 mov [esp+0x4], eax
| 0x08048569 8b45fc mov eax, [ebp-0x4]
| 0x0804856c 890424 mov [esp], eax
| 0x0804856f e840ffffff call fcn.080484b4
| fcn.080484b4() ; entry0+180
| 0x08048574 85c0 test eax, eax
| ,=< 0x08048576 743f je loc.080485b7
| | 0x08048578 c745f800000. mov dword [ebp-0x8], 0x0
| | ; JMP XREF from 0x080485b5 (fcn.08048524)
|- loc.0804857f 58
| | 0x0804857f 837df809 cmp dword [ebp-0x8], 0x9
| ,==< 0x08048583 7f32 jg loc.080485b7
| || 0x08048585 8b45fc mov eax, [ebp-0x4]
| || 0x08048588 83e001 and eax, 0x1
| || 0x0804858b 85c0 test eax, eax
| ,===< 0x0804858d 7521 jne loc.080485b0
| ||| 0x0804858f 833d2ca0040. cmp dword [0x804a02c], 0x1
| ,====< 0x08048596 750c jne loc.080485a4
| |||| 0x08048598 c70424c5870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
| |||| 0x0804859f e814feffff call sym.imp.printf
| |||| sym.imp.printf()
| | ; JMP XREF from 0x08048596 (fcn.08048524)
|- loc.080485a4 21
| `----> 0x080485a4 c7042400000. mov dword [esp], 0x0
| ||| 0x080485ab e838feffff call sym.imp.exit
| ||| sym.imp.exit()
| | ; JMP XREF from 0x0804858d (fcn.08048524)
|- loc.080485b0 9
| `---> 0x080485b0 8d45f8 lea eax, [ebp-0x8]
| || 0x080485b3 ff00 inc dword [eax]
| || 0x080485b5 ebc8 jmp loc.0804857f
| || ; JMP XREF from 0x08048576 (fcn.08048524)
| || ; JMP XREF from 0x08048583 (fcn.08048524)
|- loc.080485b7 2
| ``-> 0x080485b7 c9 leave
\ 0x080485b8 c3 ret
[0x08048400]> s 0x080485db
[0x080485db]> wx 9090
[0x080485db]> s 0x0804860f
[0x0804860f]> wx 9090
[0x0804860f]> s 0x08048576
[0x08048576]> wx 9090
[0x08048576]> s 0x08048583
[0x08048583]> wx 9090
[0x08048583]> s 0x0804858d
[0x0804858d]> wx 9090
[0x0804858d]> s 0x08048596
[0x08048596]> wx 9090
[0x08048596]> q
输入任意密码
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x07
IOLI Crackme Level 0x07
Password: 12345
Password OK!
crackme0x08
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x08
IOLI Crackme Level 0x08
Password: 12345
Password Incorrect!
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x08
-- THE ONLY WINNING MOVE IS NOT TO PLAY.
[0x08048400]> aa
[0x08048400]> pdf@main
| ; UNKNOWN XREF from 0x08048643 (unk)
| ; DATA XREF from 0x08048417 (fcn.080483ee)
/ (fcn) sym.main 99
| 0x0804867d 55 push ebp
| 0x0804867e 89e5 mov ebp, esp
| 0x08048680 81ec88000000 sub esp, 0x88
| 0x08048686 83e4f0 and esp, 0xfffffff0
| 0x08048689 b800000000 mov eax, 0x0
| 0x0804868e 83c00f add eax, 0xf
| 0x08048691 83c00f add eax, 0xf
| 0x08048694 c1e804 shr eax, 0x4
| 0x08048697 c1e004 shl eax, 0x4
| 0x0804869a 29c4 sub esp, eax
| 0x0804869c c70424d9870. mov dword [esp], str.IOLI_Crackme_Level_0x08_n ; str.IOLI_Crackme_Level_0x08_n
| 0x080486a3 e810fdffff call sym.imp.printf
| sym.imp.printf(unk)
| 0x080486a8 c70424f2870. mov dword [esp], str.Password_ ; str.Password_
| 0x080486af e804fdffff call sym.imp.printf
| sym.imp.printf()
| 0x080486b4 8d4588 lea eax, [ebp-0x78]
| 0x080486b7 89442404 mov [esp+0x4], eax
| 0x080486bb c70424fd870. mov dword [esp], 0x80487fd ; 0x080487fd
| 0x080486c2 e8d1fcffff call sym.imp.scanf
| sym.imp.scanf()
| 0x080486c7 8b4510 mov eax, [ebp+0x10]
| 0x080486ca 89442404 mov [esp+0x4], eax
| 0x080486ce 8d4588 lea eax, [ebp-0x78]
| 0x080486d1 890424 mov [esp], eax
| 0x080486d4 e8e0feffff call sym.check
| sym.check()
| 0x080486d9 b800000000 mov eax, 0x0
| 0x080486de c9 leave
\ 0x080486df c3 ret
[0x08048400]> pdf@sym.check
| ; UNKNOWN XREF from 0x08048576 (unk)
| ; CALL XREF from 0x080486d4 (unk)
/ (fcn) sym.check 196
| 0x080485b9 55 push ebp
| 0x080485ba 89e5 mov ebp, esp
| 0x080485bc 83ec28 sub esp, 0x28
| 0x080485bf c745f800000. mov dword [ebp-0x8], 0x0
| 0x080485c6 c745f400000. mov dword [ebp-0xc], 0x0
| ; JMP XREF from 0x08048628 (unk)
|- fcn.080485cd 176
| .---> 0x080485cd 8b4508 mov eax, [ebp+0x8]
| | 0x080485d0 890424 mov [esp], eax
| | 0x080485d3 e8d0fdffff call sym.imp.strlen
| | sym.imp.strlen(unk)
| | 0x080485d8 3945f4 cmp [ebp-0xc], eax
| | ,=< 0x080485db 734d jae loc.0804862a
| | | 0x080485dd 8b45f4 mov eax, [ebp-0xc]
| | | 0x080485e0 034508 add eax, [ebp+0x8]
| | | 0x080485e3 0fb600 movzx eax, byte [eax]
| | | 0x080485e6 8845f3 mov [ebp-0xd], al
| | | 0x080485e9 8d45fc lea eax, [ebp-0x4]
| | | 0x080485ec 89442408 mov [esp+0x8], eax
| | | 0x080485f0 c7442404c28. mov dword [esp+0x4], 0x80487c2 ; 0x080487c2
| | | 0x080485f8 8d45f3 lea eax, [ebp-0xd]
| | | 0x080485fb 890424 mov [esp], eax
| | | 0x080485fe e8c5fdffff call sym.imp.sscanf
| | | sym.imp.sscanf()
| | | 0x08048603 8b55fc mov edx, [ebp-0x4]
| | | 0x08048606 8d45f8 lea eax, [ebp-0x8]
| | | 0x08048609 0110 add [eax], edx
| | | 0x0804860b 837df810 cmp dword [ebp-0x8], 0x10
| |,==< 0x0804860f 7512 jne loc.08048623
| ||| 0x08048611 8b450c mov eax, [ebp+0xc]
| ||| 0x08048614 89442404 mov [esp+0x4], eax
| ||| 0x08048618 8b4508 mov eax, [ebp+0x8]
| ||| 0x0804861b 890424 mov [esp], eax
| ||| 0x0804861e e81fffffff call sym.parell
| ||| sym.parell()
| || ; JMP XREF from 0x0804860f (unk)
|- loc.08048623 90
| |`--> 0x08048623 8d45f4 lea eax, [ebp-0xc]
| | | 0x08048626 ff00 inc dword [eax]
| `===< 0x08048628 eba3 jmp fcn.080485cd
| | ; JMP XREF from 0x080485db (unk)
|- loc.0804862a 83
| `-> 0x0804862a e8f5feffff call sym.che
| | > sym.che()
| 0x0804862f 8b450c mov eax, [ebp+0xc]
| 0x08048632 89442404 mov [esp+0x4], eax
| 0x08048636 8b45fc mov eax, [ebp-0x4]
| 0x08048639 890424 mov [esp], eax
| 0x0804863c e873feffff call sym.dummy
| sym.dummy()
| 0x08048641 85c0 test eax, eax
| ,====< 0x08048643 7436 je loc.0804867b
| | 0x08048645 c745f400000. mov dword [ebp-0xc], 0x0
| | ; JMP XREF from 0x08048679 (unk)
|- loc.0804864c 49
| | 0x0804864c 837df409 cmp dword [ebp-0xc], 0x9
| ,=====< 0x08048650 7f29 jg loc.0804867b
| || 0x08048652 8b45fc mov eax, [ebp-0x4]
| || 0x08048655 83e001 and eax, 0x1
| || 0x08048658 85c0 test eax, eax
| ,======< 0x0804865a 7518 jne loc.08048674
| ||| 0x0804865c c70424d3870. mov dword [esp], str.wtf__n ; str.wtf__n
| ||| 0x08048663 e850fdffff call sym.imp.printf
| ||| sym.imp.printf()
| ||| 0x08048668 c7042400000. mov dword [esp], 0x0
| ||| 0x0804866f e874fdffff call sym.imp.exit
| ||| sym.imp.exit()
| | ; JMP XREF from 0x0804865a (unk)
|- loc.08048674 9
| `------> 0x08048674 8d45f4 lea eax, [ebp-0xc]
| || 0x08048677 ff00 inc dword [eax]
| || 0x08048679 ebd1 jmp loc.0804864c
| || ; JMP XREF from 0x08048643 (unk)
| || ; JMP XREF from 0x08048650 (unk)
|- loc.0804867b 2
| ``----> 0x0804867b c9 leave
\ 0x0804867c c3 ret
[0x08048400]> pdf@sym.che
| ; UNKNOWN XREF from 0x08048524 (unk)
| ; CALL XREF from 0x0804862a (unk)
/ (fcn) sym.che 149
| 0x08048524 55 push ebp
| 0x08048525 89e5 mov ebp, esp
| 0x08048527 83ec08 sub esp, 0x8
| 0x0804852a c70424ad870. mov dword [esp], str.Password_Incorrect__n ; str.Password_Incorrect__n
| 0x08048531 e882feffff call sym.imp.printf
| sym.imp.printf(unk)
| 0x08048536 c7042400000. mov dword [esp], 0x0
| 0x0804853d e8a6feffff call sym.imp.exit
| sym.imp.exit()
| ; CALL XREF from 0x0804861e (unk)
/ (fcn) sym.parell 119
| 0x08048542 55 push ebp
| 0x08048543 89e5 mov ebp, esp
| 0x08048545 83ec18 sub esp, 0x18
| 0x08048548 8d45fc lea eax, [ebp-0x4]
| 0x0804854b 89442408 mov [esp+0x8], eax
| 0x0804854f c7442404c28. mov dword [esp+0x4], 0x80487c2 ; 0x080487c2
| 0x08048557 8b4508 mov eax, [ebp+0x8]
| 0x0804855a 890424 mov [esp], eax
| 0x0804855d e866feffff call sym.imp.sscanf
| sym.imp.sscanf(unk)
| 0x08048562 8b450c mov eax, [ebp+0xc]
| 0x08048565 89442404 mov [esp+0x4], eax
| 0x08048569 8b45fc mov eax, [ebp-0x4]
| 0x0804856c 890424 mov [esp], eax
| 0x0804856f e840ffffff call sym.dummy
| sym.dummy()
| 0x08048574 85c0 test eax, eax
| ,=< 0x08048576 743f je loc.080485b7
| | 0x08048578 c745f800000. mov dword [ebp-0x8], 0x0
| | ; JMP XREF from 0x080485b5 (unk)
|- loc.0804857f 58
| | 0x0804857f 837df809 cmp dword [ebp-0x8], 0x9
| ,==< 0x08048583 7f32 jg loc.080485b7
| || 0x08048585 8b45fc mov eax, [ebp-0x4]
| || 0x08048588 83e001 and eax, 0x1
| || 0x0804858b 85c0 test eax, eax
| ,===< 0x0804858d 7521 jne loc.080485b0
| ||| 0x0804858f 833d2ca0040. cmp dword [sym.LOL], 0x1
| ,====< 0x08048596 750c jne loc.080485a4
| |||| 0x08048598 c70424c5870. mov dword [esp], str.Password_OK__n ; str.Password_OK__n
| |||| 0x0804859f e814feffff call sym.imp.printf
| |||| sym.imp.printf()
| | ; JMP XREF from 0x08048596 (unk)
|- loc.080485a4 21
| `----> 0x080485a4 c7042400000. mov dword [esp], 0x0
| ||| 0x080485ab e838feffff call sym.imp.exit
| ||| sym.imp.exit()
| | ; JMP XREF from 0x0804858d (unk)
|- loc.080485b0 9
| `---> 0x080485b0 8d45f8 lea eax, [ebp-0x8]
| || 0x080485b3 ff00 inc dword [eax]
| || 0x080485b5 ebc8 jmp loc.0804857f
| || ; JMP XREF from 0x08048576 (unk)
| || ; JMP XREF from 0x08048583 (unk)
|- loc.080485b7 2
| ``-> 0x080485b7 c9 leave
\ 0x080485b8 c3 ret
[0x08048400]> s 0x080485db
[0x080485db]> wx 9090
[0x080485db]> s 0x0804860f
[0x0804860f]> wx 9090
[0x0804860f]> s 0x08048576
[0x08048576]> wx 9090
[0x08048576]> s 0x08048583
[0x08048583]> wx 9090
[0x08048583]> s 0x0804858d
[0x0804858d]> wx 9090
[0x0804858d]> s 0x08048596
[0x08048596]> wx 9090
[0x08048596]> q
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x08
IOLI Crackme Level 0x08
Password: 12345
Password OK!
crackme0x09
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x09
IOLI Crackme Level 0x09
Password: 12345
Password Incorrect!
稍微计算下。可以看出 ebx（由 `call fcn.08048766` 取出某个时刻的栈顶值，再 `add ebx, 0x18f7`）被用作基址来索引字符串。一番搜索后，在某个 printf 调用中发现了 OK。
✘ ⮀ ~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ r2 -w ./crackme0x09
-- Use scr.accel to browse the file faster!
[0x08048420]> aa
[0x08048420]> pdf@main
| ; UNKNOWN XREF from 0x080486ae (fcn.08048616)
| ; DATA XREF from 0x08048437 (entry0)
/ (fcn) main 120
| 0x080486ee 55 push ebp
| 0x080486ef 89e5 mov ebp, esp
| 0x080486f1 53 push ebx
| 0x080486f2 81ec84000000 sub esp, 0x84
| 0x080486f8 e869000000 call fcn.08048766
| fcn.08048766(unk, unk)
| 0x080486fd 81c3f7180000 add ebx, 0x18f7
| 0x08048703 83e4f0 and esp, 0xfffffff0
| 0x08048706 b800000000 mov eax, 0x0
| 0x0804870b 83c00f add eax, 0xf
| 0x0804870e 83c00f add eax, 0xf
| 0x08048711 c1e804 shr eax, 0x4
| 0x08048714 c1e004 shl eax, 0x4
| 0x08048717 29c4 sub esp, eax
| 0x08048719 8d8375e8ffff lea eax, [ebx-0x178b]
| 0x0804871f 890424 mov [esp], eax
| 0x08048722 e8b9fcffff call sym.imp.printf
| sym.imp.printf()
| 0x08048727 8d838ee8ffff lea eax, [ebx-0x1772]
| 0x0804872d 890424 mov [esp], eax
| 0x08048730 e8abfcffff call sym.imp.printf
| sym.imp.printf()
| 0x08048735 8d4588 lea eax, [ebp-0x78]
| 0x08048738 89442404 mov [esp+0x4], eax
| 0x0804873c 8d8399e8ffff lea eax, [ebx-0x1767]
| 0x08048742 890424 mov [esp], eax
| 0x08048745 e876fcffff call sym.imp.scanf
| sym.imp.scanf()
| 0x0804874a 8b4510 mov eax, [ebp+0x10]
| 0x0804874d 89442404 mov [esp+0x4], eax
| 0x08048751 8d4588 lea eax, [ebp-0x78]
| 0x08048754 890424 mov [esp], eax
| 0x08048757 e8bafeffff call fcn.08048616
| fcn.08048616()
| 0x0804875c b800000000 mov eax, 0x0
| 0x08048761 8b5dfc mov ebx, [ebp-0x4]
| 0x08048764 c9 leave
\ 0x08048765 c3 ret
[0x08048420]> pdf@fcn.08048616
; UNKNOWN XREF from 0x080485cb (fcn.0804855d)
; CALL XREF from 0x08048757 (unk)
/ (fcn) fcn.08048616 216
| 0x08048616 55 push ebp
| 0x08048617 89e5 mov ebp, esp
| 0x08048619 53 push ebx
| 0x0804861a 83ec24 sub esp, 0x24
| 0x0804861d e844010000 call fcn.08048766
| fcn.08048766(unk, unk)
| 0x08048622 81c3d2190000 add ebx, 0x19d2
| 0x08048628 c745f400000. mov dword [ebp-0xc], 0x0
| 0x0804862f c745f000000. mov dword [ebp-0x10], 0x0
| ; JMP XREF from 0x08048693 (fcn.08048616)
|- fcn.08048636 184
| .---> 0x08048636 8b4508 mov eax, [ebp+0x8]
| | 0x08048639 890424 mov [esp], eax
| | 0x0804863c e88ffdffff call sym.imp.strlen
| | sym.imp.strlen()
| | 0x08048641 3945f0 cmp [ebp-0x10], eax
| | ,=< 0x08048644 734f jae loc.08048695
| | | 0x08048646 8b45f0 mov eax, [ebp-0x10]
| | | 0x08048649 034508 add eax, [ebp+0x8]
| | | 0x0804864c 0fb600 movzx eax, byte [eax]
| | | 0x0804864f 8845ef mov [ebp-0x11], al
| | | 0x08048652 8d45f8 lea eax, [ebp-0x8]
| | | 0x08048655 89442408 mov [esp+0x8], eax
| | | 0x08048659 8d835ee8ffff lea eax, [ebx-0x17a2]
| | | 0x0804865f 89442404 mov [esp+0x4], eax
| | | 0x08048663 8d45ef lea eax, [ebp-0x11]
| | | 0x08048666 890424 mov [esp], eax
| | | 0x08048669 e882fdffff call sym.imp.sscanf
| | | sym.imp.sscanf()
| | | 0x0804866e 8b55f8 mov edx, [ebp-0x8]
| | | 0x08048671 8d45f4 lea eax, [ebp-0xc]
| | | 0x08048674 0110 add [eax], edx
| | | 0x08048676 837df410 cmp dword [ebp-0xc], 0x10
| |,==< 0x0804867a 7512 jne loc.0804868e
| ||| 0x0804867c 8b450c mov eax, [ebp+0xc]
| ||| 0x0804867f 89442404 mov [esp+0x4], eax
| ||| 0x08048683 8b4508 mov eax, [ebp+0x8]
| ||| 0x08048686 890424 mov [esp], eax
| ||| 0x08048689 e8fbfeffff call fcn.08048589
| ||| fcn.08048589()
| || ; JMP XREF from 0x0804867a (fcn.08048616)
|- loc.0804868e 96
| |`--> 0x0804868e 8d45f0 lea eax, [ebp-0x10]
| | | 0x08048691 ff00 inc dword [eax]
| `===< 0x08048693 eba1 jmp fcn.08048636
| | ; JMP XREF from 0x08048644 (fcn.08048616)
|- loc.08048695 89
| `-> 0x08048695 e8c3feffff call fcn.0804855d
| | > fcn.0804855d()
| 0x0804869a 8b450c mov eax, [ebp+0xc]
| 0x0804869d 89442404 mov [esp+0x4], eax
| 0x080486a1 8b45f8 mov eax, [ebp-0x8]
| 0x080486a4 890424 mov [esp], eax
| 0x080486a7 e828feffff call fcn.080484d4
| fcn.080484d4() ; entry0+180
| 0x080486ac 85c0 test eax, eax
| ,====< 0x080486ae 7438 je loc.080486e8
| | 0x080486b0 c745f000000. mov dword [ebp-0x10], 0x0
| | ; JMP XREF from 0x080486e6 (fcn.08048616)
|- loc.080486b7 55
| | 0x080486b7 837df009 cmp dword [ebp-0x10], 0x9
| ,=====< 0x080486bb 7f2b jg loc.080486e8
| || 0x080486bd 8b45f8 mov eax, [ebp-0x8]
| || 0x080486c0 83e001 and eax, 0x1
| || 0x080486c3 85c0 test eax, eax
| ,======< 0x080486c5 751a jne loc.080486e1
| ||| 0x080486c7 8d836fe8ffff lea eax, [ebx-0x1791]
| ||| 0x080486cd 890424 mov [esp], eax
| ||| 0x080486d0 e80bfdffff call sym.imp.printf
| ||| sym.imp.printf()
| ||| 0x080486d5 c7042400000. mov dword [esp], 0x0
| ||| 0x080486dc e82ffdffff call sym.imp.exit
| ||| sym.imp.exit()
| | ; JMP XREF from 0x080486c5 (fcn.08048616)
|- loc.080486e1 13
| `------> 0x080486e1 8d45f0 lea eax, [ebp-0x10]
| || 0x080486e4 ff00 inc dword [eax]
| || 0x080486e6 ebcf jmp loc.080486b7
| || ; JMP XREF from 0x080486ae (fcn.08048616)
| || ; JMP XREF from 0x080486bb (fcn.08048616)
|- loc.080486e8 6
| ``----> 0x080486e8 83c424 add esp, 0x24
| 0x080486eb 5b pop ebx
| 0x080486ec 5d pop ebp
\ 0x080486ed c3 ret
[0x08048420]> pdf@fcn.08048589
; CALL XREF from 0x08048689 (fcn.08048616)
/ (fcn) fcn.08048589 141
| 0x08048589 55 push ebp
| 0x0804858a 89e5 mov ebp, esp
| 0x0804858c 53 push ebx
| 0x0804858d 83ec14 sub esp, 0x14
| 0x08048590 e8d1010000 call fcn.08048766
| fcn.08048766(unk, unk)
| 0x08048595 81c35f1a0000 add ebx, 0x1a5f
| 0x0804859b 8d45f8 lea eax, [ebp-0x8]
| 0x0804859e 89442408 mov [esp+0x8], eax
| 0x080485a2 8d835ee8ffff lea eax, [ebx-0x17a2]
| 0x080485a8 89442404 mov [esp+0x4], eax
| 0x080485ac 8b4508 mov eax, [ebp+0x8]
| 0x080485af 890424 mov [esp], eax
| 0x080485b2 e839feffff call sym.imp.sscanf
| sym.imp.sscanf()
| 0x080485b7 8b450c mov eax, [ebp+0xc]
| 0x080485ba 89442404 mov [esp+0x4], eax
| 0x080485be 8b45f8 mov eax, [ebp-0x8]
| 0x080485c1 890424 mov [esp], eax
| 0x080485c4 e80bffffff call fcn.080484d4
| fcn.080484d4() ; entry0+180
| 0x080485c9 85c0 test eax, eax
| ,=< 0x080485cb 7443 je loc.08048610
| | 0x080485cd c745f400000. mov dword [ebp-0xc], 0x0
| | ; JMP XREF from 0x0804860e (fcn.0804855d)
|- loc.080485d4 66
| | 0x080485d4 837df409 cmp dword [ebp-0xc], 0x9
| ,==< 0x080485d8 7f36 jg loc.08048610
| || 0x080485da 8b45f8 mov eax, [ebp-0x8]
| || 0x080485dd 83e001 and eax, 0x1
| || 0x080485e0 85c0 test eax, eax
| ,===< 0x080485e2 7525 jne loc.08048609
| ||| 0x080485e4 8b83fcffffff mov eax, [ebx-0x4]
| ||| 0x080485ea 833801 cmp dword [eax], 0x1
| ,====< 0x080485ed 750e jne loc.080485fd
| |||| 0x080485ef 8d8361e8ffff lea eax, [ebx-0x179f]
| |||| 0x080485f5 890424 mov [esp], eax
| |||| 0x080485f8 e8e3fdffff call sym.imp.printf
| |||| sym.imp.printf()
| | ; JMP XREF from 0x080485ed (fcn.0804855d)
|- loc.080485fd 25
| `----> 0x080485fd c7042400000. mov dword [esp], 0x0
| ||| 0x08048604 e807feffff call sym.imp.exit
| ||| sym.imp.exit()
| | ; JMP XREF from 0x080485e2 (fcn.0804855d)
|- loc.08048609 13
| `---> 0x08048609 8d45f4 lea eax, [ebp-0xc]
| || 0x0804860c ff00 inc dword [eax]
| || 0x0804860e ebc4 jmp loc.080485d4
| || ; JMP XREF from 0x080485cb (fcn.0804855d)
| || ; JMP XREF from 0x080485d8 (fcn.0804855d)
|- loc.08048610 6
| ``-> 0x08048610 83c414 add esp, 0x14
| 0x08048613 5b pop ebx
| 0x08048614 5d pop ebp
\ 0x08048615 c3 ret
[0x08048420]> s
0x8048420
[0x08048420]> s 0x08048644
[0x08048644]> wx 9090
[0x08048644]> s 0x0804867a
[0x0804867a]> wx 9090
[0x0804867a]> s 0x080485cb
[0x080485cb]> wx 9090
[0x080485cb]> s 0x080485d8
[0x080485d8]> wx 9090
[0x080485d8]> s 0x080485e2
[0x080485e2]> wx 9090
[0x080485e2]> s 0x080485ed
[0x080485ed]> wx 9090
[0x0804852d]> s 0x080485c4
[0x080485c4]> wx 9090909090
[0x080485c4]> q
~/Work/project/reverse/IOLI-crackme/bin-linux ⮀ ./crackme0x09
IOLI Crackme Level 0x09
Password: 12345
Password OK!
这不叫逆向……这叫把目标代码之外的东西都注释掉……
到此,忽然觉得吧,少了点东西。
- r2的动态调试功能
- 说好的reverse-engineer
I found an interesting book: RE-for-beginners