Upload:
5:26 PM 03/15/2024
Description
Very basic crypto challenge. Understand the logic and get the flag.
justAuser on 5:57 PM 03/19/2024: 0055119B | 68 D0315500 | push self_modify.5531D0 | 5531D0:"s3Lf-m0dIFY"
This?
alperaktasm on 7:39 PM 03/19/2024: NO! This is the XOR key. Examine it properly.
nightxyz on 8:33 PM 03/19/2024: ZAYOTEM{FACTS_CAN_BE_SO_MISLEADING}
cnathansmith on 4:59 PM 03/20/2024: @nightxyz is this like his Heaven's Gate one where the encoded flag is just buried in the binary and not actually accessible with any kind of input?
I feel like that violates the spirit of how these are supposed to be structured but would appreciate a write-up showing what we were expected to do if you get a chance.
nightxyz on 5:39 PM 03/20/2024: @cnathansmith Yes, it is buried inside the binary and I think it doesn't execute it. I examined the code and several function calls add numbers like sub_691170. I manually changed EIP to .text.00691614, marking it with the Ctrl-N key in IDA Pro after sub_6915D0 executed. Then pressing the F8 key displayed the flag.
.text:00691614 call sub_691170
.text:00691619 lea eax, [esp+28h+flOldProtect]
.text:0069161D push eax ; lpflOldProtect
.text:0069161E push 40h ; '@' ; flNewProtect
.text:00691620 push 80h ; dwSize
.text:00691625 push offset sub_691170 ; lpAddress
.text:0069162A call ds:VirtualProtect
.text:00691630 push offset asc_6931DC ; "..."
.text:00691635 lea ecx, [esp+2Ch+Block] ; void *
.text:00691639 call sub_691720
.text:0069163E call sub_6914B0
.text:00691643 call sub_6914E0
.text:00691648 call sub_691510
.text:0069164D call sub_691540
.text:00691652 call sub_691570
.text:00691657 call sub_6915A0
.text:0069165C call sub_6915D0
nightxyz on 5:40 PM 03/20/2024: @cnathansmith As you said, there is no input, even via the command line or argv, argc, etc.
cnathansmith on 12:36 AM 03/22/2024: @nightxyz Cool, thank you!
abc00012345 on 10:38 AM 04/04/2024: Anyone solved it?
potichek on 11:45 AM 04/20/2024: I would like to add in the description what should happen when hacking, this is not there, so I decided that the correct answer in the console should look like this: “s3Lf-m0dIFY”. Therefore, I changed the addressing of the lines in the output to [ebp - 50] and then jumped to terminate the program
i1s0txgw9z on 7:31 PM 05/03/2024: beautiful crackme, very original ;) Only I think it is a bit complex for those who are not familiar with Windows APIs like VirtualProtect. My solution was: observe what part of the code is made writable by VirtualProtect, dump that section at the first VirtualProtect and the second, observe what changed (really?! only 1 byte!? this is very sneaky of you!), patch the code so I could recall the modified func. Fortunately I didn't spend much time deciphering all those calls in between! Thanks
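An added example (mine, not code from the crackme or from any commenter) of the compare-the-two-dumps step i1s0txgw9z describes: given two snapshots of the 0x80-byte region at sub_691170 that the VirtualProtect call in the listing above unlocks, it records every byte that differs, with its address and old/new value. The two dumps below are constructed filler, not bytes from the binary; the single changed byte and its offset are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One recorded modification: address inside the region, byte before and after. */
struct patch {
    uint32_t addr;
    uint8_t  before;
    uint8_t  after;
};

/* Region parameters from the listing: VirtualProtect(sub_691170, 0x80, 0x40, ...). */
#define REGION_BASE 0x691170u
#define REGION_SIZE 0x80u

/* Compare two snapshots of the same region and record each byte that changed.
 * Returns the total number of differing bytes; only the first max_out are stored. */
size_t diff_dumps(const uint8_t *first, const uint8_t *second, size_t len,
                  uint32_t base, struct patch *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < len; i++) {
        if (first[i] == second[i])
            continue;
        if (found < max_out) {
            out[found].addr   = base + (uint32_t)i;
            out[found].before = first[i];
            out[found].after  = second[i];
        }
        found++;
    }
    return found;
}

/* Constructed sample dumps (assumption, not the real bytes): NOP filler in both,
 * and in the second snapshot the byte at offset 0x2C flipped from 0x74 to 0x75. */
void build_constructed_dumps(uint8_t *first, uint8_t *second)
{
    memset(first, 0x90, REGION_SIZE);
    memcpy(second, first, REGION_SIZE);
    first[0x2C]  = 0x74;
    second[0x2C] = 0x75;
}

int main(void)
{
    uint8_t a[REGION_SIZE], b[REGION_SIZE];
    struct patch p[8];
    build_constructed_dumps(a, b);
    size_t n = diff_dumps(a, b, REGION_SIZE, REGION_BASE, p, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("%08X: %02X -> %02X\n", p[i].addr, p[i].before, p[i].after);
    return 0;
}
```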