HN1 on 8:10 PM 07/23/2019:
Password: flag{th3_cr3d3n14ls_4r3_s4f3}
juansacco on 8:26 AM 07/30/2019: 1. Kernel32 - IsDebuggerPresent()
2. Bool
3. Flag was found using strings
THIRD STAGE
Please, input the password to the system:flag{th3_cr3d3n14ls_4r3_s4f3}
Congratulations, you have logged into the system.
unc4anny on 6:47 PM 08/10/2019: For future crackmes: If you can, try to strip out the symbols from the executables, it makes it too easy to get a password (ofc, if you are aiming for more difficult challenges)
Lowpoc on 2:07 PM 08/18/2019: Steps
1. Change the flag *setne* to *sete*; this gives me a bypass of the anti-debug validation.
2. Invert the comparison jump je at address 00000000004015D7 to jne; you will always skip step 2.
3. At the system login, input the password: flag{th3_cr3d3n14ls_4r3_s4f3}, and congratulations, guys.
0x255 on 8:41 AM 09/09/2019:
It's all you need to find the flag in this one.
rabin2 -z Parkour.exe | grep flag
madlogik on 4:22 AM 11/09/2019: Thanks for this multi-stage challenge.
My solution goes straight to stage 3 and provides you with the answer :D
https://ibb.co/ZX5xMvb
andrwn on 7:16 PM 01/05/2020: easy-peasy!
denisbiris on 9:26 AM 02/08/2020: I'm newer, but I succeeded :)
with "x64dbg"
Solution:
line "000000000040156E" replace: "test eax,eax" with "xor eax,eax"
line "0000000000401570" replace: "setne al" with "sete al"
line "0000000000401573" replace: "test al,al" with "xor al,al"
to get rid of first stage and second stage
line "00000000004015D7" replace: "je test.401607" with
"jne test.401607" to get rid of third stage
finally you are at the last stage:
"Please, input the password to the system:"
You can find the password in strings:
Password:"flag{th3_cr3d3n14ls_4r3_s4f3}"
To be able to enter any password, at the line "00000000004016B8"
replace: "je test.4016EC" with "jne test.4016EC" and now you can enter any passwords like this: "#:@/cracked.by_strixdb-2020" but not like this: "cracked by strixdb" (because it doesn't work)
And finally: "Congratulations, you have logged into the system."
There were probably other methods, but this is my method :)
Thank you for sharing this, I was pleased to defend him :)
Mission Passed :D
Have a nice day ;)
Onyx_Pl01t on 2:17 PM 12/30/2021: Solution 2:
----------------------------------------------------------------------------------
Method 1:
line "0000000000401575" replace: "je parkour.401607" with "jmp parkour.401607"
line "00000000004015D7" replace: "je parkour.401607" with "jmp parkour.4015D9"
----------------------------------------------------------------------------------
Method 2:
line "000000000040156E" replace: "test eax,eax" to "xor eax,eax"
- Why XOR? XOR is used to clear a register/flag, so EAX will be cleaned as well as RAX, since RAX is EAX in 32-bit register. So, ZF (zero flag) will be set if the result of the previous operation is 0 (XOR eax, eax), and the JE, also known as JZ (jump if zero), will jump to the specified address (second stage).
line "0000000000401570" replace: "setne al" to "sete al"
- setne sets al to 1 if ZF is clear, otherwise it sets it to 0. So, Set if Equal (sete) / Set if Zero (setz) sets the operand to 1 if ZF is set, otherwise it sets it to 0.
line "0000000000401573" replace: "test al,al" to "xor al,al"
- When RIP is at line 40156E, ZF is 1 (that is, ZF is set). When it is at line 401570, AL = 1, ZF = 1. When it is at line 401575, ZF is 0. Boom, debugger verification has been bypassed. Anti-debug has been achieved.
line "00000000004015D3" replace: "cmp byte ptr ss:[rbp-41],0" to "cmp byte ptr ss:[rbp-41],1"
- Why to 1? As CMP affects CF, ZF, SF, OF, PF, AF, if the compare (CMP) is true, CF, ZF, SF, OF, PF or AF is set to 1, otherwise it sets these to 0. So, in this case, ZF is set to 0 and we successfully bypassed the second stage.
----------------------------------------------------------------------------------
At THIRD STAGE, the flag is already visible so use any debugger and you will get the flag.
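Added example, not part of any comment in this thread and not the crackme's own code: a small Python model of the AL/ZF logic in the instructions quoted above (0x40156E to 0x401575), showing that the whole IsDebuggerPresent() decision rests on one flag bit, which is why a lone check of this kind is a weak control. It assumes EAX holds the IsDebuggerPresent() return value at 0x40156E and that the taken `je` is the "no debugger" path; the function and constant names are made up for the example.

```python
# Constructed model, not the crackme's code: tracks only EAX/AL and ZF for
# the check at 0x40156E..0x401575 as the thread quotes it.
# Assumption: EAX = IsDebuggerPresent() result on entry; je taken = "no debugger" path.

ORIGINAL = ["test eax,eax", "setne al", "test al,al"]
SETE_ONLY = ["test eax,eax", "sete al", "test al,al"]   # only 0x401570 changed
FULL_PATCH = ["xor eax,eax", "sete al", "xor al,al"]    # all three changed


def run(seq, eax):
    """Return (trace, je_taken); trace rows are (instruction, AL, ZF)."""
    zf, trace = 0, []
    for ins in seq:
        if ins == "test eax,eax":
            zf = int((eax & 0xFFFFFFFF) == 0)
        elif ins == "xor eax,eax":
            eax, zf = 0, 1
        elif ins == "test al,al":
            zf = int((eax & 0xFF) == 0)
        elif ins == "xor al,al":
            eax, zf = eax & ~0xFF, 1
        elif ins == "setne al":          # AL = 1 when ZF is clear
            eax = (eax & ~0xFF) | (1 - zf)
        elif ins == "sete al":           # AL = 1 when ZF is set
            eax = (eax & ~0xFF) | zf
        else:
            raise ValueError(f"unmodelled instruction: {ins}")
        trace.append((ins, eax & 0xFF, zf))
    return trace, zf == 1                # je/jz jumps when ZF == 1


def je_taken(seq, debugger_present):
    """True when the je at 0x401575 would be taken for this sequence."""
    return run(seq, 1 if debugger_present else 0)[1]


if __name__ == "__main__":
    for name, seq in [("original", ORIGINAL), ("sete only", SETE_ONLY),
                      ("full patch", FULL_PATCH)]:
        for dbg in (False, True):
            trace, taken = run(seq, int(dbg))
            print(f"{name:10} debugger={dbg!s:5} je taken={taken}  {trace}")
```

Under these assumptions the sete-only variant inverts the check rather than removing it, so the jump is taken only when a debugger is attached, while the three-instruction variant takes it in both cases.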
1337ReverseEngineer on 9:19 PM 07/22/2022: easiest crackme of my life
x64dbg didn't get detected by IsDebuggerPresent
1337ReverseEngineer on 11:13 PM 07/22/2022: nvm I had scyllahide on :p
mohamed_haroon on 9:06 AM 10/07/2023: flag{th3_cr3d3n14ls_4r3_s4f3}