xoru on 4:07 PM 03/19/2019: Potential spoiler ahead!
Fun! I found two ways of solving this one:
* Run it through the likes of IDA64 and Ghidra; Ghidra helped me with looking past mangled names. This way, the steps the code takes were easy to follow and the password could be constructed.
* Run it in gdb and break at the comparison in the (I don't want to spoil anything) function that verifies things; then I simply displayed the second parameter register.
On a sidenote, how on earth do I submit a solution?
exhumer on 6:48 PM 03/19/2019: @xoru follow the solutions tab beside the comments tab. They provide the instructions.
b0b501337 on 9:44 PM 03/19/2019: Is part of the challenge cracking the zip file? I can't find the password. I was more interested in learning x86 disassembly and RE than password cracking.
xoru on 12:19 AM 03/20/2019: @exhumer thank you, I didn't notice it was a clickable entity. Cheers!
@b0b501337 You will find the password in the FAQ, it's crackmes.one (and if you encounter a crackme in which that password does not work, use crackmes.de)
Loz on 12:53 PM 03/31/2019: @xoru good job! If you want, check out the level 2 I just posted.
defghij on 12:05 AM 04/20/2019: Thanks for posting this. As someone beginning to learn RE I really enjoyed this.
Sn0kr45h on 12:34 AM 05/02/2019: This was a fun simple puzzle. I used a technique similar to @xoru, but using Hopper v4. Unfortunately Hopper doesn't demangle C++ names, but it does allow one to see in the pseudo-code where you are currently debugging.
I'd definitely thumbs up this crackme for beginners like myself.
pwn on 8:22 AM 07/29/2019: The zip file is password protected; what's the password to unzip it?
chfle on 7:09 PM 11/22/2020: bd4c217637bc828982c090b2de41b84d
Solution by xoru: Fun crackme to start out with. Thanks for sharing!
Solution by HCF: This is my solution:
Length Check in Check Password Function:
At a point in the Check Password function, a check is made on the string length, which must be 7 characters long.
0x00005555555552b3 : mov DWORD PTR [rbp-0x18],0xfffffff9
0x00005555555552d8 : mov eax,DWORD PTR [rbp-0x18]
0x00005555555552db : neg eax
0x00005555555552dd : cdqe
0x00005555555552df : cmp rdx,rax
0x00005555555552e2 : sete al
0x00005555555552e5 : test al,al
0x00005555555552e7 : je 0x5555555553c8
Loading Constant Strings into rsi:
In these 3 points, constant strings are loaded into the rsi variable
0x0000555555555298 : lea rsi,[rip+0xd66] # 0x555555556005
0x000055555555529f : mov rdi,rax
0x0000555555555317 : lea rsi,[rip+0xceb] # 0x555555556009
0x000055555555531e : mov rdi,rax
0x0000555555555326 : lea rax,[rbp-0x60]
0x000055555555532a : lea rsi,[rip+0xcda] # 0x55555555600b
End of assembler dump.
(gdb) x/s $rsi
0x555555556005: "dec"
(gdb) b *0x000055555555531e
Breakpoint 6 at 0x55555555531e
(gdb) c
Continuing.
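Two details in HCF's solution are worth making mechanical, because they come up in almost every beginner crackme: the length constant is stored as 0xfffffff9 and only becomes 7 after `neg eax` (it is -7 in two's complement), and the `lea rsi,[rip+0x...]` lines point at strings relative to the address of the *next* instruction, which is why gdb's `# 0x...` annotation differs from the displacement. The script below is an added example, not HCF's code and not part of the crackme; it parses the disassembly lines quoted above, recomputes each rip-relative target and checks it against gdb's annotation. It assumes the 7-byte encoding of `lea r64,[rip+disp32]` (REX.W, 8D, ModRM, disp32) and that gdb mapped the PIE at its default no-ASLR base of 0x555555554000, so the targets become offsets 0x2005, 0x2009 and 0x200b inside the executable.

```python
import re

# Base address gdb maps a PIE at when ASLR is disabled (gdb's default).
# Assumption: the session above used that default base, so 0x555555556005
# is offset 0x2005 inside the executable.
PIE_BASE = 0x555555554000

# The disassembly lines quoted in the solution above, used here as parser input.
LISTING = """
0x00005555555552b3 : mov DWORD PTR [rbp-0x18],0xfffffff9
0x00005555555552d8 : mov eax,DWORD PTR [rbp-0x18]
0x00005555555552db : neg eax
0x00005555555552dd : cdqe
0x00005555555552df : cmp rdx,rax
0x00005555555552e2 : sete al
0x00005555555552e5 : test al,al
0x00005555555552e7 : je 0x5555555553c8
0x0000555555555298 : lea rsi,[rip+0xd66] # 0x555555556005
0x000055555555529f : mov rdi,rax
0x0000555555555317 : lea rsi,[rip+0xceb] # 0x555555556009
0x000055555555531e : mov rdi,rax
0x0000555555555326 : lea rax,[rbp-0x60]
0x000055555555532a : lea rsi,[rip+0xcda] # 0x55555555600b
"""

# "0xADDR [<sym+off>] : mnemonic operands", as gdb's Intel-syntax disassembly prints it.
INSN_RE = re.compile(r'^\s*(?:=>\s*)?0x(?P<addr>[0-9a-f]+)\s*(?:<[^>]*>)?\s*:\s*'
                     r'(?P<mnem>\S+)\s*(?P<ops>.*?)\s*$', re.I)
RIP_RE = re.compile(r'\[rip\+0x(?P<disp>[0-9a-f]+)\]', re.I)
GDB_NOTE_RE = re.compile(r'#\s*0x([0-9a-f]+)', re.I)
REG64 = {'rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi', 'rbp', 'rsp'} | {f'r{n}' for n in range(8, 16)}


def imm32_to_signed(imm):
    """Interpret a 32-bit immediate as two's complement (0xfffffff9 -> -7)."""
    return imm - (1 << 32) if imm & 0x80000000 else imm


def required_length(imm=0xfffffff9):
    """The check stores imm, negates it (neg eax) and compares it with strlen()."""
    return -imm32_to_signed(imm)


def passes_length_check(candidate):
    return len(candidate) == required_length()


def parse_listing(text):
    """Split gdb disassembly lines into address, mnemonic, operands and gdb's '#' note."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        ops = m.group('ops')
        note = None
        nm = GDB_NOTE_RE.search(ops)
        if nm:
            note = int(nm.group(1), 16)
            ops = ops[:nm.start()].strip()
        insns.append({'addr': int(m.group('addr'), 16),
                      'mnem': m.group('mnem').lower(), 'ops': ops, 'gdb_note': note})
    return insns


def resolve_rip_relative_leas(insns):
    """Compute the absolute target of every `lea r64,[rip+disp32]`.

    The displacement is relative to the next instruction. This encoding is
    always 7 bytes long, so the result does not depend on the listing being
    contiguous (HCF's excerpt is not)."""
    results = []
    for ins in insns:
        if ins['mnem'] != 'lea':
            continue
        rm = RIP_RE.search(ins['ops'])
        if not rm:
            continue
        dest = ins['ops'].split(',', 1)[0].strip().lower()
        if dest not in REG64:
            raise ValueError(f"unsupported destination {dest}; only 64-bit lea is handled")
        target = ins['addr'] + 7 + int(rm.group('disp'), 16)
        results.append({
            'addr': ins['addr'],
            'target': target,
            'offset': target - PIE_BASE,
            'agrees_with_gdb': ins['gdb_note'] is None or ins['gdb_note'] == target,
        })
    return results


if __name__ == '__main__':
    print(f"required password length: {required_length()}")
    for r in resolve_rip_relative_leas(parse_listing(LISTING)):
        print(f"lea at {r['addr']:#x} -> {r['target']:#x} "
              f"(offset {r['offset']:#x} in the binary, gdb agrees: {r['agrees_with_gdb']})")
```

The offsets are relative to the load base, not file offsets; to read the strings without a debugger, map them through the program headers (`readelf -l`) to the file offset of the read-only segment, or simply do what HCF did and `x/s` the address in gdb once the breakpoint hits.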