alperaktasm's self-modifying crackme

Author:
alperaktasm

Language:
C/C++

Upload:
2024-03-15 17:26

Download

Platform:
Windows

Difficulty:
3.0

Quality:
4.0

Arch:
x86

Downloads:
20

Size:
14.50 KB

Writeups:
0

Comments:
10

Description

Very basic crypto challenge. Understand the logic and get the flag.

Comments (10)
Writeups (0)

You must be logged in to post a comment

justAuser on 2024-03-19 17:57: 0055119B | 68 D0315500 | push self_modify.5531D0 | 5531D0:"s3Lf-m0dIFY" This?

alperaktasm on 2024-03-19 19:39: NO! This is the XOR key. Examine it properly.

nightxyz on 2024-03-19 20:33: [Click to reveal]

cnathansmith on 2024-03-20 16:59: @nightxyz is this like his Heaven's Gate one where the encoded flag is just buried in the binary and not actually accessible with any kind of input? I feel like that violates the spirit of how these are supposed to be structured but would appreciate a write-up showing what we were expected to do if you get a chance.

nightxyz on 2024-03-20 17:39: @cnathansmith Yes, it is burried inside binary and i think it doesn't execute it. I examined the code and several function calls adds numbers like sub_691170. i manually changed EIP to .text.00691614 marking with Ctrl-N key on IDA Pro after sub_6915D0 executed. Then pressing F8 key displayed the Flag. .text:00691614 call sub_691170 .text:00691619 lea eax, [esp+28h+flOldProtect] .text:0069161D push eax ; lpflOldProtect .text:0069161E push 40h ; '@' ; flNewProtect .text:00691620 push 80h ; dwSize .text:00691625 push offset sub_691170 ; lpAddress .text:0069162A call ds:VirtualProtect .text:00691630 push offset asc_6931DC ; "..." .text:00691635 lea ecx, [esp+2Ch+Block] ; void * .text:00691639 call sub_691720 .text:0069163E call sub_6914B0 .text:00691643 call sub_6914E0 .text:00691648 call sub_691510 .text:0069164D call sub_691540 .text:00691652 call sub_691570 .text:00691657 call sub_6915A0 .text:0069165C call sub_6915D0

nightxyz on 2024-03-20 17:40: @cnathansmith As you said, there is no input even with commandline or argv ,argc etc..

cnathansmith on 2024-03-22 00:36: @nightxyz Cool, thank you!

abc00012345 on 2024-04-04 10:38: Anyone solved it?

potichek on 2024-04-20 11:45: I would like to add in the description what should happen when hacking, this is not there, so I decided that the correct answer in the console should look like this: “s3Lf-m0dIFY”. Therefore, I changed the addressing of the lines in the output to [ebp - 50] and then jumped to terminate the program

i1s0txgw9z on 2024-05-03 19:31: beautiful crackme, very original ;) Only I think it is a bit complex with those who are not familiar with windows API like VirtualProtec. My solution was: observe what part of code is made writable by VirtualProtect, dump that section to the first VirtualProtect and the second, observe what changed (really?! only 1 byte!? this is very sneaky of you!), patch the code so I could recall the modfied func. Fortunately I didn't spend much time deciphering all those calls in between! Thanks

Show all spoilers

You must be logged in to submit a writeup

crackmes.one

crackmes.one

alperaktasm's self-modifying crackme