Author:
alperaktasm

Language:
C/C++

Upload:
5:26 PM 03/15/2024

Download

Platform
Windows

Difficulty:
3.0

Quality:
4.0

Arch:
x86

Description

Very basic crypto challenge. Understand the logic and get the flag.

• Comments
• Solutions

justAuser on 5:57 PM 03/19/2024: 0055119B | 68 D0315500 | push self_modify.5531D0 | 5531D0:"s3Lf-m0dIFY" This?

alperaktasm on 7:39 PM 03/19/2024: NO! This is the XOR key. Examine it properly.

nightxyz on 8:33 PM 03/19/2024: ZAYOTEM{FACTS_CAN_BE_SO_MISLEADING}

cnathansmith on 4:59 PM 03/20/2024: @nightxyz is this like his Heaven's Gate one where the encoded flag is just buried in the binary and not actually accessible with any kind of input? I feel like that violates the spirit of how these are supposed to be structured but would appreciate a write-up showing what we were expected to do if you get a chance.

nightxyz on 5:39 PM 03/20/2024: @cnathansmith Yes, it is burried inside binary and i think it doesn't execute it. I examined the code and several function calls adds numbers like sub_691170. i manually changed EIP to .text.00691614 marking with Ctrl-N key on IDA Pro after sub_6915D0 executed. Then pressing F8 key displayed the Flag. .text:00691614 call sub_691170 .text:00691619 lea eax, [esp+28h+flOldProtect] .text:0069161D push eax ; lpflOldProtect .text:0069161E push 40h ; '@' ; flNewProtect .text:00691620 push 80h ; dwSize .text:00691625 push offset sub_691170 ; lpAddress .text:0069162A call ds:VirtualProtect .text:00691630 push offset asc_6931DC ; "..." .text:00691635 lea ecx, [esp+2Ch+Block] ; void * .text:00691639 call sub_691720 .text:0069163E call sub_6914B0 .text:00691643 call sub_6914E0 .text:00691648 call sub_691510 .text:0069164D call sub_691540 .text:00691652 call sub_691570 .text:00691657 call sub_6915A0 .text:0069165C call sub_6915D0

nightxyz on 5:40 PM 03/20/2024: @cnathansmith As you said, there is no input even with commandline or argv ,argc etc..

cnathansmith on 12:36 AM 03/22/2024: @nightxyz Cool, thank you!

abc00012345 on 10:38 AM 04/04/2024: Anyone solved it?

potichek on 11:45 AM 04/20/2024: I would like to add in the description what should happen when hacking, this is not there, so I decided that the correct answer in the console should look like this: “s3Lf-m0dIFY”. Therefore, I changed the addressing of the lines in the output to [ebp - 50] and then jumped to terminate the program

i1s0txgw9z on 7:31 PM 05/03/2024: beautiful crackme, very original ;) Only I think it is a bit complex with those who are not familiar with windows API like VirtualProtec. My solution was: observe what part of code is made writable by VirtualProtect, dump that section to the first VirtualProtect and the second, observe what changed (really?! only 1 byte!? this is very sneaky of you!), patch the code so I could recall the modfied func. Fortunately I didn't spend much time deciphering all those calls in between! Thanks

You must me logged to submit a solution