22.2.3 Level 0x02 - nop a jump

Let's run the crackme:

 $ ./crackme0x02
 IOLI Crackme Level 0x02
 Password: foo
 Invalid Password!

As we can see, the goal is to patch the binary so that it accepts any password. We proceed as in the previous level: open the file with radare, seek to sym.main and draw the code graph:

 $ radare crackme0x02
 open ro crackme0x02
 Adding strings & symbol flags for crackme0x02
 14 symbols added.
 6 strings added.
 [0x08048330]> s sym.main
 [0x080483E4]> ag

TODO: http://radare.nopcode.org/img/wk/crackme0x02-sym.main.png

Let's take a closer look at the disassembly:

TODO: http://radare.nopcode.org/img/wk/crackme0x02_pD_sym.main.png

This time the branch is a jnz (jump if not zero): the comparison sets the zero flag when the entered value matches the expected one, and the jnz takes the jump, into the "Invalid Password" block, whenever it does not. If we nop the jump, the instruction pointer simply falls through to the next instruction, so the code reaches the "Password OK" block regardless of the input.

To patch it, we open the file in write mode (radare -w crackme0x02), seek to the address of the jnz and write two nops (0x90 0x90) over it (wx 9090). The short form of jnz is encoded as 0x75 followed by a one-byte displacement, which is why exactly two bytes are replaced; a near jnz (0x0f 0x85 plus a four-byte displacement) would need six. Then we use the print hex (px) and print disassembly (pd) commands to make sure the patch landed where we wanted:

TODO: http://radare.nopcode.org/img/wk/crackme0x02-patch.png
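The same patch done on raw bytes, as an added example that is not part of the radare book: it checks that the bytes at the chosen offset really are a conditional jump, works out how long that jump is (2 bytes for the short jnz used here, 6 for the near form), and overwrites the whole instruction with nops. The instruction bytes are constructed for the example and are not the real bytes of crackme0x02; the offset 3 into them is where the constructed jnz sits.

```python
#!/usr/bin/env python3
"""Added example (not from the radare book): turn a conditional jump into NOPs.

This is the raw-bytes equivalent of seeking to the jnz in radare and writing
0x90 bytes over it. The instruction bytes below are constructed for the
example and are not taken from crackme0x02.
"""

NOP = 0x90


def jcc_length(code: bytes, off: int) -> int:
    """Length in bytes of the conditional jump (Jcc) at `off`, or 0 if none.

    x86 encodes Jcc in two forms: 0x70..0x7F with an 8-bit displacement
    (2 bytes, e.g. 0x75 = jnz rel8) and 0x0F 0x80..0x8F with a 32-bit
    displacement (6 bytes, e.g. 0F 85 = jnz rel32).
    """
    if off >= len(code):
        return 0
    op = code[off]
    if 0x70 <= op <= 0x7F:
        return 2
    if op == 0x0F and off + 1 < len(code) and 0x80 <= code[off + 1] <= 0x8F:
        return 6
    return 0


def nop_jump(code: bytes, off: int) -> bytes:
    """Return a copy of `code` with the Jcc at `off` replaced by NOPs.

    Every byte of the instruction is overwritten so the disassembly stays
    aligned: writing only two NOPs over a six-byte near jnz would leave the
    four displacement bytes to be decoded as stray instructions.
    """
    n = jcc_length(code, off)
    if n == 0:
        raise ValueError(
            f"no conditional jump at offset {off:#x}: {code[off:off + 2].hex()}"
        )
    patched = bytearray(code)
    patched[off:off + n] = bytes([NOP]) * n
    return bytes(patched)


# Constructed stand-in for the crackme's check (not the real bytes):
#   cmp dword [ebp-8], eax   ; 39 45 F8
#   jnz +0x0e                ; 75 0E   <- the jump we nop out
#   ... "Password OK" block follows
SHORT_JNZ = bytes.fromhex("3945f8" "750e")
JNZ_OFFSET = 3

# The same check with a near (rel32) jnz, as a compiler may also emit it:
#   jnz +0x0000000e          ; 0F 85 0E 00 00 00
NEAR_JNZ = bytes.fromhex("3945f8" "0f850e000000")


def patch_file(path: str, off: int) -> int:
    """Nop out the Jcc at file offset `off` in `path`; returns bytes patched.

    Note: `off` is a file offset, not the virtual address radare shows. For
    an ELF the two differ by p_vaddr - p_offset of the PT_LOAD segment that
    contains the instruction.
    """
    with open(path, "rb") as f:
        data = f.read()
    patched = nop_jump(data, off)
    with open(path, "wb") as f:
        f.write(patched)
    return jcc_length(data, off)


if __name__ == "__main__":
    print(nop_jump(SHORT_JNZ, JNZ_OFFSET).hex())  # 3945f89090
    print(nop_jump(NEAR_JNZ, JNZ_OFFSET).hex())   # 3945f8909090909090
```

When patching the file directly rather than through radare, remember that the address in the disassembly is a virtual address; the bytes must be written at the corresponding file offset, which radare translates for you when it opens the binary.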

Here's the graph output of the cracked program:

TODO: http://radare.nopcode.org/img/wk/crackme0x02-sym.main_cracked.png

Now check that it works:

 $ ./crackme0x02
 IOLI Crackme Level 0x02
 Password: foo
 Password OK :)

Done! :D