pranav's FindMySecret

Author:
pranav

Language:
C/C++

Upload:
2021-01-18 04:52

Download

Platform:
Windows

Difficulty:
2.5

Quality:
3.7

Arch:
x86

Downloads:
12

Size:
7.51 KB

Writeups:
3

Comments:
28

Description

This one is a little different, that it is not about hardcoded password. Still no complex mathematical encryption and stuff, so should be fairly easy. Give it a try!

Comments (28)
Writeups (3)

You must be logged in to post a comment

Snowball on 2021-01-22 21:56: Is it expected that we reverse without a decompiler like IDA's. I'm currently trying to solve it in assembly, and a specific function is currently troubling me due to what looks like floating point stuff

pranav on 2021-01-23 02:35: Yes, there is a small mathematic equation for randomization.. Message me at PranavAppu007 on discord if you want help..

pranav on 2021-01-23 02:44: You might want to use a tool tho, I think it's a little big to handle without a tool, but then again if you are a pro then you can handle

Snowball on 2021-01-23 12:48: Thanks a lot for the reply. I'll keep trying in pure assembly, and I am currently studying floating point calculations in assembly for the first time, so if I am still stuck after studying, then I'll contact you. Thanks for an interesting challenge so far!

Snowball on 2021-01-23 12:49: I am using IDA though (Just not their C - decompiler)

idoed on 2021-01-23 13:34: i cant unzip it because it request password. is it part of the challenge?

pranav on 2021-01-23 14:55: Well, for all crackmes in this website, they add their on password, which is crackmes.one. Check FAQ.

4epuxa on 2021-01-26 01:17: 3313 answer

pranav on 2021-01-26 01:57: 4epuxa not really, it generated the number randomly, so the solution is just explaining how you cracked it. Post it in the solutions.

4epuxa on 2021-01-29 04:57: pranav i did it

4epuxa on 2021-01-29 05:24: But during the analysis crackme didnt want to run and also there were some endless loops or what? Could you please tell me about anti-debugging you have used?

mohammadali on 2021-01-29 11:08: i am actually working on a way to patch all the crackmes, if any one wants to help please mail me at zakazeke8@gmail.com , i am planning to patch every crackme by building another executable that do api hooks, so that when an specific api function is called in the crackme, the hook will be triggered and we will place our code after, i got some nice ideas :) any help ?! plz (c/cpp project)

pranav on 2021-01-29 14:39: 4epuxa join on the discord server and look for PranavAppu007..

pranav on 2021-01-29 14:40: mohammadali wow that is some hard stuff! could you please explain using an example?

4epuxa on 2021-01-29 19:20: What a discord server? Could you please help me?

pranav on 2021-01-30 02:58: https://discord.gg/2pPV3yq open this link and you can join crackmes discord server.. I'm inside that( you might want to create an account..)

mohammadali on 2021-02-02 04:36: @pranav: example: /* ** Simple MessageBoxA hook using the classic 5 byte relative jump technique without a trampoline. ** Instead of bypassing the hook in the proxy function when passing execution to MessageBoxA, we ** will simply re-write the original bytes, unhooking the function. */ #include #include #pragma comment(lib,"user32.lib") char saved_buffer[5]; // buffer to save the original bytes FARPROC hooked_address= NULL; // The proxy function we will jump to after the hook has been installed int __stdcall proxy_function(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) { std::cout

mohammadali on 2021-02-02 04:39: @pranav : sorry i didnt know there is a limits in the comments you can view: https://github.com/jayo78/basic-hooking/blob/master/hook_v1.cpp to see what i am talking about although this code hooks from inside the same process, we can do more work to make it a (global api hook). so then we can hook function(s) called by crackme.exe and place our function(s) instead

pranav on 2021-02-02 05:53: mohammadali I couldn't completely understand what is going on in hook installation.. But I can see that you have modified MEssageBoxA function with a jump to some custom function, so that if you call MessageBoxA your function will be called. Also, is your project working on crackmes? Have you tried it with my crackme?

mohammadali on 2021-02-03 12:51: that is what i mean, i need more time, idk there is a crackme with messagebox to show the password. i can hook printf() or strcmp() or strlen() ... but in the example on github the hook was to replace the function in the same process. hooking in a different process is a whole different thing. you can google it, it is called global api hooks. this way i can run an api monitor on the crack me, get the api calls, and hook the interesting calls. but i need help!

juansacco on 2021-02-14 09:26: __int16 *result; // eax double input_key; // [esp+10h] [ebp-8h] if ( !byte_406034 ) { real_key = real_key * 10000.0; byte_406034 = 1; } input_key = (double)*a1; if ( real_key

juansacco on 2021-02-14 09:27: [Click to reveal]

MaxP on 2021-02-22 15:06: I'm stumbling over this loop: 00401844 | 0FB745 F0 | MOVZX EAX,WORD PTR SS:[EBP-0x10] 00401848 | 66:85C0 | TEST AX,AX 0040184B | 75 F7 | JNE findmysecret.401844 Why isn't that an infinite loop? The data copied to EAX should be constant, so the jump condition should never change. But it does after roughly 30 rounds, and it also changes the random number stored at 0x4063E8. Why and how?

pranav on 2021-02-25 15:50: MaxP unless ebp-0x10 is accessible from another thread..

bus@cu on 2021-02-28 19:47: I sent my solution on February 5th and it is not yet validated???

mohammadali on 2021-03-14 16:36: i coundnt resist and here u go : https://github.com/ORCA666/patched-files/tree/main/pranav's%20FindMySecret

puelo on 2021-06-27 16:11: int timestamp = time(); rndNumber = (timestamp % 50) / 50; (until rndNumber 0.0) int i = 5; while (i != 0) { rndNumber = (1.0 - rndNumber) * 3.8 * rndNumber; i--; }

puelo on 2021-06-27 16:13: forgot at the end: rndNumber = floor(rndNumber * 10000);

Show all spoilers

You must be logged in to submit a writeup

Solution by 4epuxa on 2021-01-30 17:29:

Download

Solution by sank2014 on 2021-02-02 08:08:
Roughly explained what i did

Download

Solution by 7cherubin on 2022-01-03 15:22:
The program calls a function which generates the secret number. time(0) is called to get a seed for its pseudorandomizer algorithm. Then it performs a few simple calculations against the seed and converts it into a floating point number. It proceeds to perform some further calculations and returns and stores the number. The program then requests input from the user. Another function is called where the guess is converted into a floating point value. If the secret number and the user's guess are the same, as a truncated value, then the program ends up at the success branch whithin a separate "decision" function which prints the result. The aforementioned solution, however, does not explain the strange number that is printed before the program exits. Out of curiosity I decided to investigate and found out that the program simply prints that address. Maybe an easter egg? 420... blaze it? 69... best position? 18... yeah...

Download