Upload:
11:28 PM 09/27/2025
Description
The diff between other versions:
- Rewrote the password verification algorithm (removed the hash algorithm)
- Improved string encryption
- Rewrote some obfuscation things (made it easier)
Your main goal is to find the password; the password will be different for every user.
karabatik on 3:25 PM 09/28/2025: Nice challenge, man. Here's the breakdown: It's a standard 64-bit console app compiled with MSVC. The first thing that caught my eye was that it dynamically resolves MessageBoxA using LoadLibraryA/GetProcAddress instead of static linking. The strings inside were obfuscated with a simple XOR (0x27); breaking that revealed the usual messages like 'Great job' and 'Try better'. It also had a neat little anti-patching mechanism: a separate thread constantly checks the CRC32 of the code section, and if it changes, the program kills itself with the exit code 0xDEADC0DE. The real logic starts in main. After getting user input, it uses cpuid to read the processor's family/model info and generates a constant C from it. It then calculates a checksum using each character of the input key, its index, and this constant C. The condition for a valid key is that the final checksum must equal C + 1505, so the key is completely CPU-specific. I just reversed the equation for my machine. C came out to be 164, making the target checksum 1669. I set the key length to 7, calculated the contribution of the trailing newline character, and used 'A' for the first six characters. From there, I just solved for the last character to satisfy the equation, which gave me the key 'AAAAAA''. Hitting Enter displayed the 'Great job' message, and the program exited successfully.
nightxyz on 7:09 PM 09/28/2025: I set a breakpoint at the CreateThread API function and changed rsp+20 from 0 to 4, and the thread started in suspended mode. Then it never bothered me. After the cpuid function there is some mathematics, so I wrote a program in Turbo Pascal to obtain my own unique password, which is related to CPU information. Lots of passwords were found and I got the 'great Job' message from all of them. Thanks karabatik for the 0xDEADC0DE exit code information.
MateiM on 4:34 PM 10/01/2025: # Password Validation Flow Diagram
```
┌─────────────────────────────────────────────────────────────────────┐
│ CRACKME LITE ANALYSIS │
└─────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────┐
│ STEP 1: INITIALIZATION │
├─────────────────────────────────────────────────────────────────────┤
│ • Initialize encrypted strings (XOR 0x27) │
│ • Calculate PE CRC32 for anti-tampering │
│ • Create monitoring thread │
│ • Display: "PatchCRC initialized" │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ STEP 2: GET USER INPUT │
├─────────────────────────────────────────────────────────────────────┤
│ • Prompt user for password │
│ • Read input with fgets() (max 256 chars) │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ STEP 3: EXECUTE CPUID │
├─────────────────────────────────────────────────────────────────────┤
│ Execute: CPUID with EAX=1 │
│ │
│ Extract from result: │
│ cpu_model = (EAX >> 4) & 0xF │
│ cpu_family = (EAX >> 8) & 0xF │
│ │
│ Adjust for extended values: │
│ if (family == 15): │
│ family += (EAX >> 20) & 0xFF │
│ if (family == 6 or family == 15): │
│ model += 16 * ((EAX >> 16) & 0xF) │
│ │
│ Calculate XOR key: │
│ family_model = cpu_family + cpu_model │
│ │
│ Example (your CPU): │
│ family_model = 26 (0x1A) │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ STEP 4: CALCULATE CHECKSUM │
├─────────────────────────────────────────────────────────────────────┤
│ checksum = 0 │
│ xor_key = family_model │
│ │
│ For each character at index i: │
│ temp = index XOR character_value │
│ checksum += xor_key XOR temp │
│ │
│ Example with password "AAAAAAAAAAAAAAAAA3": │
│ Index 0: temp = 0 XOR 65 = 65 │
│ checksum += 26 XOR 65 = 91 │
│ Index 1: temp = 1 XOR 65 = 64 │
│ checksum += 26 XOR 64 = 90 │
│ ... │
│ Index 17: temp = 17 XOR 51 = 34 │
│ checksum += 26 XOR 34 = 56 │
│ │
│ Final checksum = 1531 (0x5FB) │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ STEP 5: VALIDATE PASSWORD │
├─────────────────────────────────────────────────────────────────────┤
│ target_checksum = family_model + 1505 │
│ │
│ if (checksum == target_checksum): │
│ ✓ PASSWORD CORRECT │
│ Display: "Great job" │
│ Display: "Welcome to the program" │
│ Display: "Application finished" │
│ Exit │
│ else: │
│ ✗ PASSWORD INCORRECT │
│ Display: "Try better" │
│ Display: "Exiting the program" │
│ Loop back to input │
│ │
│ Example (your CPU): │
│ target = 26 + 1505 = 1531 │
└─────────────────────────────────────────────────────────────────────┘
═══════════════════════════════════════════════════════════════════════
SOLUTION
═══════════════════════════════════════════════════════════════════════
For CPU with family_model = 26:
Password: AAAAAAAAAAAAAAAAA3
├─ 17 × 'A' (ASCII 65)
└─ 1 × '3' (ASCII 51)
Verification:
✓ Checksum calculated: 1531
✓ Expected checksum: 26 + 1505 = 1531
✓ VALID!
═══════════════════════════════════════════════════════════════════════
KEY ALGORITHM INSIGHTS:
1. Hardware-Dependent: Password is specific to the CPU it runs on
- Different CPUs require different passwords
- Uses CPUID instruction for CPU identification
2. Checksum Formula:
Σ(family_model XOR (index XOR char)) = family_model + 1505
3. String Obfuscation:
- All strings encrypted with XOR 0x27
- Spaces remain unchanged
- Decrypted at runtime
4. Anti-Tampering:
- CRC32 checksum of PE sections
- Background monitoring thread
- Critical section protection
═══════════════════════════════════════════════════════════════════════
```
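The check described in the comments above, written out as an added example (not code from the challenge or from any commenter): it decodes `family_model` from a CPUID leaf 1 EAX value as in step 3, computes the step 4 checksum, and generalizes the "pad with 'A', solve the last character" approach to any key. The function names, the `suffix` parameter and the sample EAX value are assumptions made for illustration.

```python
PRINTABLE = range(0x21, 0x7F)  # visible ASCII, no space

def family_model(eax: int) -> int:
    """Step 3 of the diagram: family + model from CPUID leaf 1 EAX."""
    model = (eax >> 4) & 0xF
    family = (eax >> 8) & 0xF
    if family == 15:
        family += (eax >> 20) & 0xFF
    if family in (6, 15):            # same order of checks as the diagram
        model += 16 * ((eax >> 16) & 0xF)
    return family + model

def checksum(data: str, key: int) -> int:
    """Step 4: sum of key XOR (index XOR char) over the exact input string."""
    return sum(key ^ (i ^ ord(ch)) for i, ch in enumerate(data))

def solve(key: int, fill: str = "A", suffix: str = "", max_len: int = 64):
    """Pad with `fill` and solve the final character so that
    checksum(password + suffix) == key + 1505. Pass suffix="\\n" if the
    newline left by fgets() is counted. Returns None if nothing printable fits."""
    target = key + 1505
    for n in range(1, max_len + 1):
        prefix = fill * (n - 1)
        # contribution of the suffix characters at indices n, n+1, ...
        tail = sum(key ^ ((n + j) ^ ord(ch)) for j, ch in enumerate(suffix))
        need = target - checksum(prefix, key) - tail
        last = need ^ key ^ (n - 1)  # invert key ^ (index ^ char)
        if need >= 0 and last in PRINTABLE:
            return prefix + chr(last)
    return None

if __name__ == "__main__":
    eax = 0x00010640                 # constructed EAX: family 6, model 0x14
    key = family_model(eax)
    pw = solve(key)
    print(key, pw, checksum(pw, key), key + 1505)
    print(repr(solve(164, suffix="\n")))  # key 164 with the newline counted
```

Because the check is a plain sum, many different strings satisfy it for the same CPU; changing `fill` yields further valid candidates.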
omar13213 on 8:56 AM 10/04/2025: The password is : gfedcba`onmu
PL45M4 on 5:59 PM 10/05/2025: Dang, everyone has done a fantastic job of breaking down the key generation algorithm. I was thinking of working on a keygen today but it looks like it's already been taken care of.
Any who, I took a similar approach to patching the program. Here's my writeup: https://bobbyhillreverseengineering.blogspot.com/2025/10/patchme-genass3s-patch-protect-lite.html
Thank you genass3 for the challenge!
Swoop on 6:37 PM 10/06/2025: Super fun RE challenge.
The obfuscations threw me off for a while, but the structure is fair and the assembly details are chef’s kiss.
Thanks for a great challenge!