xlISinner on 11:48 PM 08/10/2022: W269N-WFGWX-YVC9B-4J6C9-T83GX at data:00404004 _password
shadow299 on 8:07 AM 08/11/2022: Easy one.
Just put the key in that bin file.
If you want to change the password, just edit the memory.
mohamed_haroon on 9:45 PM 09/09/2022: password is
V2VsbCBkb25lISBUaGlzIGFwcGxpY2F0aW9uIHdhcyB3cml0dGVuIGluIHB1cmUgQywgYW5kIHlvdSBjcmFja2VkIGl0Lg==
mohamed_haroon on 9:52 PM 09/09/2022: W269N-WFGWX-YVC9B-4J6C9-T83GX
ShadowCracker on 1:29 AM 09/14/2022: This app opens the password.bin file in rb mode and checks the content against W269N-WFGWX-YVC9B-4J6C9-T83GX. :)
sweety on 2:46 PM 09/19/2022: data - 0x404004 | _password
password - W269N-WFGWX-YVC9B-4J6C9-T83GX
juniorrumiche on 5:19 PM 09/27/2022: password=W269N-WFGWX-YVC9B-4J6C9-T83GX
Using xdbg, go to 00401576 and change jne to je....
Also, using Hex Workshop, open the file, go to offset 00000976 and change 75 to 74.
elegance on 10:54 PM 10/05/2022: W269N-WFGWX-YVC9B-4J6C9-T83GX super easy
Jeudy on 2:34 PM 10/10/2022: Solution by: Jeu
Type of compiler: Visual C++/C
Difficulty: Medium
00401501 /$ 55 PUSH EBP
00401502 |. 89E5 MOV EBP,ESP
00401504 |. 83EC 48 SUB ESP,0x48
00401507 |. E8 D9FFFFFF CALL C_File_C.004014E5
0040150C |. 83F8 01 CMP EAX,0x1
0040150F |. 75 07 JNZ SHORT C_File_C.00401518
00401511 |. B8 01000000 MOV EAX,0x1
00401516 |. EB 4F JMP SHORT C_File_C.00401567
00401518 | C74424 04 835MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; ||||ASCII "rb"
00401520 |. C70424 765040MOV DWORD PTR SS:[ESP],C_File_C.00405076 ; ||||ASCII "password.bin"
00401527 |. E8 8C260000 CALL ; |||\fopen
0040152C |. 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX ; |||
0040152F |. 8D45 D6 LEA EAX,DWORD PTR SS:[EBP-0x2A] ; |||
00401532 |. 894424 08 MOV DWORD PTR SS:[ESP+0x8],EAX ; |||
00401536 |. C74424 04 865MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; |||ASCII "%s"
0040153E |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] ; |||
00401541 |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
00401544 |. E8 5F260000 CALL ; ||\fscanf
00401549 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] ; ||
0040154C |. 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
0040154F |. E8 6C260000 CALL ; |\fclose
00401554 |. C74424 04 044MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; |ASCII "W269N-WFGWX-YVC9B-4J6C9-T83GX"
0040155C |. 8D45 D6 LEA EAX,DWORD PTR SS:[EBP-0x2A] ; |
0040155F |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |
00401562 |. E8 01260000 CALL ; \strcmp
00401567 | C9 LEAVE
00401568 \. C3 RETN
Well, here is the part of the assembler code where the program uses APIs and functions to compare your passwords.bin keyfile
for authentication...
Using the serial is the easy way, but patching is hard.
You see cmp eax,1 and a conditional jump, and below it mov eax,1; by nopping this conditional jump you are patching the authentication
algorithm of the program. Remember XOR EAX,EAX to patch the algorithm of the program.
Just like that:
00401501 /$ 55 PUSH EBP
00401502 |. 89E5 MOV EBP,ESP
00401504 |. 83EC 48 SUB ESP,0x48
00401507 |. E8 D9FFFFFF CALL C_File_C.004014E5
0040150C |. 83F8 01 CMP EAX,0x1
0040150F 90 NOP
00401510 90 NOP
00401511 31C0 XOR EAX,EAX
00401513 90 NOP
00401514 90 NOP
00401515 90 NOP
00401516 |. EB 4F JMP SHORT C_File_C.00401567
00401518 | C74424 04 835MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; ||||ASCII "rb"
00401520 |. C70424 765040MOV DWORD PTR SS:[ESP],C_File_C.00405076 ; ||||ASCII "password.bin"
00401527 |. E8 8C260000 CALL ; |||\fopen
0040152C |. 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX ; |||
0040152F |. 8D45 D6 LEA EAX,DWORD PTR SS:[EBP-0x2A] ; |||
00401532 |. 894424 08 MOV DWORD PTR SS:[ESP+0x8],EAX ; |||
00401536 |. C74424 04 865MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; |||ASCII "%s"
0040153E |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] ; |||
00401541 |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
00401544 |. E8 5F260000 CALL ; ||\fscanf
00401549 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] ; ||
0040154C |. 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
0040154F |. E8 6C260000 CALL ; |\fclose
00401554 |. C74424 04 044MOV DWORD PTR SS:[ESP+0x4],C_File_C.0040; |ASCII "W269N-WFGWX-YVC9B-4J6C9-T83GX"
0040155C |. 8D45 D6 LEA EAX,DWORD PTR SS:[EBP-0x2A] ; |
0040155F |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |
00401562 |. E8 01260000 CALL ; \strcmp
00401567 | C9 LEAVE
00401568 \. C3 RETN
When you write these NOPs and XORs, you bypass the authentication and break the algorithm of the program, because
the serial number is in the string references and is the easy way, but patching is not.
By Jeu.
fa0xke on 6:23 PM 10/12/2022: W269N-WFGWX-YVC9B-4J6C9-T83GX
Pavlovich on 10:33 PM 11/14/2022: Simple reverse :)
Password is W269N-WFGWX-YVC9B-4J6C9-T83GX
wimm on 7:34 PM 12/07/2022: W269N-WFGWX-YVC9B-4J6C9-T83GX
Ivy04 on 2:56 PM 03/24/2023: W269N-WFGWX-YVC9B-4J6C9-T83GX
mr.penis on 2:14 PM 08/09/2024: Stream = fopen("password.bin", "rb");
fscanf(Stream, "%s", Str1);
fclose(Stream);
return strcmp(Str1, password);
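Added example (not part of any comment above and not the crackme's own source): a bounded version of the keyfile read that the disassembly and the decompiled snippet show, where fopen's result goes to fscanf unchecked and "%s" is read with no width into a stack buffer. The names expected_key, check_keyfile and write_sample and the sample file names are constructed for illustration, and the 30-byte buffer size is inferred from the EBP-0x2A and EBP-0xC offsets in the listing.

```c
#include <stdio.h>
#include <string.h>

#define KEY_MAX 29  /* assumption: buffer at EBP-0x2A, FILE* at EBP-0xC => 30 bytes */

/* Constructed placeholder key, not the crackme's. */
static const char expected_key[] = "EXAMPLE-KEY-0001";

/* Returns 1 on match, 0 on mismatch, -1 when the file cannot be opened or
   its first token would not fit the buffer the original filled with "%s". */
int check_keyfile(const char *path) {
    char buf[KEY_MAX + 2];                  /* +1 to notice an overlong token, +1 NUL */
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;                          /* the listing hands EAX to fscanf unchecked */
    size_t n = fread(buf, 1, KEY_MAX + 1, f);
    fclose(f);
    buf[n] = '\0';
    size_t start = strspn(buf, " \t\r\n");        /* "%s" skips leading whitespace */
    size_t len = strcspn(buf + start, " \t\r\n"); /* and stops at the next one */
    if (start + len > KEY_MAX)
        return -1;                          /* token may continue past what was read */
    buf[start + len] = '\0';
    return strcmp(buf + start, expected_key) == 0;
}

/* Writes a constructed sample keyfile; returns 0 on success. */
int write_sample(const char *path, const char *data) {
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    size_t len = strlen(data);
    int ok = fwrite(data, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void) {
    write_sample("sample_ok.bin", "EXAMPLE-KEY-0001\n");
    write_sample("sample_long.bin", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("ok=%d long=%d missing=%d\n", check_keyfile("sample_ok.bin"),
           check_keyfile("sample_long.bin"), check_keyfile("no_such_file.bin"));
    remove("sample_ok.bin");
    remove("sample_long.bin");
    return 0;
}
```

This only addresses the unchecked fopen and the unbounded read; the comparison string is still a literal in the binary, which is why it appears in the string references quoted in the thread.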