sym.imp.__libc_start_main 6 0x8048388 | MATCH (1.000000) | 0x8048388 6 sym.imp.__libc_start_main

sym.imp.scanf 6 0x8048398 | MATCH (1.000000) | 0x8048398 6 sym.imp.scanf

sym.imp.strlen 6 0x80483a8 | MATCH (1.000000) | 0x80483a8 6 sym.imp.strlen

sym.imp.printf 6 0x80483b8 | MATCH (1.000000) | 0x80483b8 6 sym.imp.printf

sym.imp.sscanf 6 0x80483c8 | MATCH (1.000000) | 0x80483c8 6 sym.imp.sscanf

sym.imp.strncmp 6 0x80483d8 | MATCH (1.000000) | 0x80483d8 6 sym.imp.strncmp

sym.imp.exit 6 0x80483e8 | MATCH (1.000000) | 0x80483e8 6 sym.imp.exit

entry0 33 0x8048400 | MATCH (1.000000) | 0x8048400 33 entry0

fcn.08048424 33 0x8048424 | MATCH (1.000000) | 0x8048424 33 fcn.08048424

fcn.08048450 47 0x8048450 | MATCH (1.000000) | 0x8048450 47 sym.__do_global_dtors_aux

fcn.08048480 50 0x8048480 | MATCH (1.000000) | 0x8048480 50 sym.frame_dummy

fcn.080484b4 112 0x80484b4 | MATCH (1.000000) | 0x80484b4 112 sym.dummy

fcn.08048524 30 0x8048524 | MATCH (1.000000) | 0x8048524 30 sym.che

fcn.08048542 119 0x8048542 | MATCH (1.000000) | 0x8048542 119 sym.parell

fcn.080485b9 118 0x80485b9 | MATCH (1.000000) | 0x80485b9 118 sym.check

main 92 0x804867d | MATCH (1.000000) | 0x804867d 92 main

fcn.08048755 4 0x8048755 | MATCH (1.000000) | 0x8048755 4 sym.__i686.get_pc_thunk.bx

fcn.08048760 35 0x8048760 | MATCH (1.000000) | 0x8048760 35 sym.__do_global_ctors_aux

fcn.0804878d 17 0x804878d | NEW (0.000000)

sym.__libc_csu_init 99 0x80486e0 | NEW (0.000000)

sym.__libc_csu_fini 5 0x8048750 | NEW (0.000000)

sym._fini 26 0x8048784 | NEW (0.000000)

Hints: crackme0x09 hides the format string (%d and %s), and nothing more than 0x08.

$ export LOLA=help

$ ./crackme0x09

IOLI Crackme Level 0x09

Password: 12346

Password OK!

After a few years of missing out on wargames at Hacktivity, this year I've finally found the time to begin, and almost finish (yeah, I'm quite embarrassed about that unfinished webhack :) ) one of them. There were 3 different games at the conf, and I've chosen the one that was provided by avatao. It consisted of 8 challenges, most of them being basic web hacking stuff, one sandbox escape, one simple buffer overflow exploitation, and there were two reverse engineering exercises too. You can find these challenges on https://platform.avatao.com.

I've decided to solve the reversing challenges using radare2, a free and open source reverse engineering framework. I have first learned about r2 back in 2011. during a huge project, where I had to reverse a massive, 11MB statically linked ELF. I simply needed something that I could easily patch Linux ELFs with. Granted, back then I've used r2 alongside IDA, and only for smaller tasks, but I loved the whole concept at first sight. Since then, radare2 evolved a lot, and I was planning for some time now to solve some crackmes with the framework, and write writeups about them. Well, this CTF gave me the perfect opportunity :)

Because this writeup aims to show some of r2's features besides how the crackmes can be solved, I will explain every r2 command I use in blockquote paragraphs like this one:

If you know r2, and just interested in the crackme, feel free to skip those parts! Also keep in mind please, that because of this tutorial style I'm going to do a lot of stuff that you just don't do during a CTF, because there is no time for proper bookkeeping (e.g. flag every memory area according to its purpose), and with such small executables you can succeed without doing these stuff.

A few advice if you are interested in learning radare2 (and frankly, if you are into RE, you should be interested in learning r2 :) ):

The framework has a lot of supplementary executables and a vast amount of functionality - and they are very well documented. I encourage you to read the available docs, and use the built-in help (by appending a ? to any command) extensively! E.g.:

[0x00000000]> ?

Usage: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ; ...

Append '?' to any char command to get detailed help

Prefix with number to repeat command N times (f.ex: 3x)

|%var =valueAlias for 'env' command

| *off[=[0x]value] Pointer read/write data/values (see ?v, wx, wv)

| (macro arg0 arg1) Manage scripting macros

| .[-|(m)|f|!sh|cmd] Define macro or load r2, cparse or rlang file

| = [cmd] Run this command via rap://

| / Search for bytes, regexps, patterns, ..

| ! [cmd] Run given command as in system(3)

| # [algo] [len] Calculate hash checksum of current block

| #!lang [..] Hashbang to run an rlang script

| a Perform analysis of code

| b Get or change block size

...

[0x00000000]> a?

|Usage: a[abdefFghoprxstc] [...]

| ab [hexpairs] analyze bytes

| aa analyze all (fcns + bbs) (aa0 to avoid sub renaming)

| ac [cycles] analyze which op could be executed in [cycles]

| ad analyze data trampoline (wip)

| ad [from] [to] analyze data pointers to (from-to)

| ae [expr] analyze opcode eval expression (see ao)

| af[rnbcsl?+-*] analyze Functions

| aF same as above, but using anal.depth=1

...

Also, the project is under heavy development, there is no day without commits to the GitHub repo. So, as the readme says, you should always use the git version!

Some highly recommended reading materials:

   • Cheatsheet by pwntester

   • Radare2 Book

   • Radare2 Blog

   • Radare2 Wiki

OK, enough of praising r2, lets start reversing this stuff. First, you have to know your enemy:

[0x00 avatao]$ rabin2 -I reverse4

pic false

canary true

nx true

crypto false

va true

intrp /lib64/ld-linux-x86-64.so.2

bintype elf

class ELF64

lang c

arch x86

bits 64

machine AMD x86-64 architecture

os linux

subsys linux

endian little

stripped true

static false

linenum false

lsyms false

relocs false

rpath NONE

binsz 8620