This time I’m tackling , the third of the series. To solve this we will use ’s macros and unicorn emulation. Let’s jump right in! this beautiful crackme radare2 Some Introductory Analysis The crackme asks for a 4 digit password that the user needs to input one digit at the time. Similar to a PIN. Looking at main we can see the “check_code_int” function is called near the end of its largest block. A quick look at the “check_code_int” function reveals a chain of “if” blocks ending on checks between and , one for every digit. eax ebx The blocks are almost identical, they all do some calculation, then compare the value of against the expected value stored in . If the condition is met there's a jump to the next block, if not they return an error code. ebx eax Solution 1: Using radare2 macros In order to get the correct password, we can check for the value of to get each digit. Here are the commands to extract the code using radare2: eax at compare time db sym.check_code_int+0x00001289-0x00001265 db sym.check_code_int+0x000012b7-0x00001265 db sym.check_code_int+0x000012e2-0x00001265 db sym.check_code_int+0x0000130d-0x00001265 dc 1 1 1 1 !rm ./crack_code (eax_replace, dr ebx=`dr eax` | tee -a crack_code, dc) .(eax_replace )@@=0 1 2 3 !cat ./crack_code # up relative breakpoints. one per cmp instruction set # execute program # input four digits (doesn 't matter which ones) # define a macro that replaces the value # of ebx with the content of eax and stores it into a file # use the macro # show the results Here is the beautiful macro in action Now we can go ahead and open the chest! Solution 2: Bruteforce powered by GEF and unicorn-engine Another way to solve this is to brute-force the password. Since there’s a reasonable amount of valid PINs (10000, to be specific) this wouldn't take too long. We can emulate the function that checks each digit testing every combination until we get the expected state at the end. This can be done with ease using the functionality for emulation that generates a unicorn python script we can then modify and adapt for our purposes. GEF emu -t 0x0000555555555328 -s -o emu.py # 1 - step through the code gdb in # 2 - reach the start of the check function # my the starts at 0x555555555269 in case function # and ends at 0x555555555328 # 3 - use the GEF emu : command The command above will generate an emulation template for us. We will need to modify it slightly in order to make the emulation run for each possible PIN code until it finds the correct answer. We can use python’s , to generate the pins and repeat the process until we get at the end of an emulation run. itertools rax=1 Here we can see the whole thing took around 7 minutes to complete. It’s not the most efficient method in the world but it gets the job done. There are certainly a lot of tweaks we could do to make it more performant if needed. You can get the full emulation script from and try it yourself. my Github Final thoughts Radare2 macros are awesome! We could go a step further and generate an r2script to automate the task using the macros we wrote earlier. Emulation is super useful for dealing with obfuscated code and doing brute-force. Unicorn-engine is a great tool and GEF command makes our lives a lot easier. Another alternative to emulation would be to try dynamic instrumentation. But I’ll leave that for a future post. Hope you enjoyed this one! Follow me on and for more content like this! Twitter Medium
