ttlhacker's jittery



10:10 PM 01/20/2019


Unix/linux etc.


Another x86_64 linux crackme, written in C and (a huge amount of) assembler. While it does not have any anti-debugging features, it is a ridiculously complex pile of self-modifying code, taking the ideas of my previous crackme (hell86) to another level of difficulty and hopefully adding something unique and interesting on top of it. The program prompts for an input and then tells you if it's correct or wrong. It does not take input from the command line. Like before, patching the binary is not a valid solution. Good luck! I hope you'll find this one just as interesting as my previous crackme. SHA256: 57aa4a74af67ad9a6f33ae92f26deff3877ae648b4688c87df20c9ce53d2a723 jittery

K2000 on 7:16 PM 01/21/2019: Can you make one for Windows ? VirtualBox is not working properly for me.

ttlhacker on 7:29 PM 01/21/2019: @K2000 The crackme runs fine under the "Windows Subsystem for Linux" (also known as "Bash on Ubuntu on Windows"), you can use that to crack it on Windows instead of Linux. It's not really feasible for me to make a native Windows version, unfortunately, because the thing heavily depends on interoperability between C and assembly code, and thus on the Unix/Linux calling convention. Changing that would require a rewrite of large portions of its code... And this thing is more than 3000 lines long.

K2000 on 8:53 PM 01/21/2019: I see. I will try that. Thanks.

ttlhacker on 9:02 PM 01/21/2019: @K2000 I just noticed that there's a memory corruption bug in the crackme... You can start cracking it on Windows, but it'll crash after the first verification step. I've sent a fixed version to s4r so he can update it here on the site. (In case you're wondering: I did a malloc(strlen(str)) in my custom strdup routine so the code writes out-of-bounds and corrupts the heap, which is pretty embarrassing.)

s4r on 12:13 AM 01/24/2019: Updated ! :)

4aca7f6c on 4:51 PM 01/27/2019: This was incredible! Each time I thought I was on the last layer of things I needed to figure out, there was another layer waiting for me. You are a mad scientist ttlhacker! sha256(flag) = 638da17366d6d99d7a60568a8eba64a71217743f602d9ca2cb961f063bb093b6

ttlhacker on 5:28 PM 01/27/2019: @4aca7f6c Thanks a lot! I'm glad you enjoyed it! Now I'm curious about how you solved it... What was the hardest thing for you to figure out? (By the way, you're incredibly quick!)

4aca7f6c on 8:22 PM 01/27/2019: @ttlhacker I'll definitely write up a solution at some point, but this one was complicated enough that it'll take some thinking about the best way to do that. I don't want to say too much in a comment because I don't want to spoil it for anyone else. I ended up writing a program to just "compile" (if that's even the right word) the whole thing at once, then statically analyzed the result. Of course, this meant I had to learn how to compile it in the first place, which was by far the most challenging part for me. And naturally I outsmarted myself: I had my compiler simply ignore all the blocks that weren't valid code, which meant that one kind of really super important block was totally missing without my realizing it. It took me a long time to figure that one out. Thanks again for this! I've never written a crackme before, but there have been a few on this site that have made me want to try to write one; this is one of them.

s4r on 11:56 PM 01/28/2019: Thanks ttlhacker, that was one of the best crackme I solved. It took me literally 4 days! I used a different method than 4aca7f6c, and solved it dynamically with dynamorio. My main problem was to find the first check on the password (length check), and obviously, print out the instruction of the VM. SHA1(flag) = e6cfd29b61e7006e8bf7573cd638bae85bb2d5e1

ttlhacker on 12:49 AM 01/29/2019: Very, very well done, 4aca7f6c and s4r! That's two very interesting methods to solve this crackme - I guess the only thing missing now is someone writing a custom disassembler, like 4aca7f6c did for hell86! I really wouldn't have expected someone to "compile" it all into x86 code and then analyze it statically, that's just crazy. Expect another crackme from me in the future, but don't worry, it'll take me a few months, I guess! Let's see what kind of crazy stuff I can come up with... :P

pinnn on 7:36 PM 03/13/2019: SHA384(flag) = 5E3AB460964BF49263043C6E98BBA2DC6C4443C02D9AD5C24664FD649DF44C423C54D57D72D80E7E0914DF6596734525 Interesting crackme, but the difficult definitely not 5, maybe 4.